Bug 2221437

Summary: alternatives --altdir ALTERNATEPATH causes "buffer overflow detected" and fails
Product: [Fedora] Fedora Reporter: Martin <martinrsssf>
Component: chkconfigAssignee: Lukáš Nykrýn <lnykryn>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 38CC: jamacku, lnykryn, msekleta
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: chkconfig-1.25-1.fc38 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-05 01:38:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin 2023-07-09 01:30:31 UTC 
alternatives with command-line option --altdir SOMEPATH causes buffer overflow detected and fails.

Reproducible: Always

Steps to Reproduce:
1. umask 22; mkdir /etc/alternatives/opt/app2
2. alternatives --altdir /etc/alternatives/opt/app2 --list
3.
Actual Results:  
*** buffer overflow detected ***: terminated
Aborted (core dumped)


Expected Results:  
Show list of commands with symlink to alternative paths

gdb alternatives
gdb> set args --altdir /etc/alternatives/opt/app2 --list
gdb> run
gdb> bt

#0  0x00007ffff7e32844 in __pthread_kill_implementation ()
   from /lib64/libc.so.6
#1  0x00007ffff7de1abe in raise () from /lib64/libc.so.6
#2  0x00007ffff7dca87f in abort () from /lib64/libc.so.6
#3  0x00007ffff7dcb60f in __libc_message.cold () from /lib64/libc.so.6
#4  0x00007ffff7ec6979 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff7ec51b4 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff7dfa222 in __printf_buffer_flush () from /lib64/libc.so.6
#7  0x00007ffff7dfa689 in __printf_buffer_write () from /lib64/libc.so.6
#8  0x00007ffff7e029e8 in __printf_buffer () from /lib64/libc.so.6
#9  0x00007ffff7e1dd22 in __vsprintf_internal () from /lib64/libc.so.6
#10 0x00007ffff7ec4c7f in __sprintf_chk () from /lib64/libc.so.6
#11 0x0000555555558a64 in readConfig ()
#12 0x00005555555571da in main ()

Looking at the source alternatives.c function readConfig(), the 2nd call sprintf(path,..) seems to be the problem: First call had allocated path with specific length, and second sprintf(path,..) may not fit the new string.
Comment 1 Lukáš Nykrýn 2023-07-24 14:12:15 UTC 
Thanks for report!

https://github.com/fedora-sysv/chkconfig/pull/112

It seems that this issue existed for such a long time, that now it can legally drink alcohol in the US.
Comment 2 Fedora Update System 2023-08-02 12:11:23 UTC 
FEDORA-2023-a974677a2a has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a974677a2a
Comment 3 Fedora Update System 2023-08-03 01:21:36 UTC 
FEDORA-2023-a974677a2a has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a974677a2a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a974677a2a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Fedora Update System 2023-08-05 01:38:19 UTC 
FEDORA-2023-a974677a2a has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.