Bug 241022 (CVE-2007-2799)

Summary: CVE-2007-2799 file integer overflow
Product: [Other] Security Response
Component: vulnerability
Reporter: Josh Bressers <bressers>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mbacovsk
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-14 16:52:45 UTC
Bug Depends On: 241026, 241027, 241034

Description Josh Bressers 2007-05-23 18:18:57 UTC
Colin Percival discovered that the fix for CVE-2007-1536 created an integer
overflow flaw in file.  This new flaw has been assigned CVE-2007-2799.

Here is the information from Colin:

+       len = ms->o.size - ms->o.left;
+       /* * 4 is for octal representation, + 1 is for NUL */
+       psize = len * 4 + 1;
+       assert(psize > len);
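Review bot: the assert(psize > len) on the last line does not guard the len * 4 + 1 on the line above it, because the multiplication is done in size_t and has already wrapped modulo 2^N by the time the comparison runs; for len in the upper part of a wrap interval (on 32-bit, any len between roughly 1.33 GiB and 2 GiB) the wrapped psize is still greater than len, the assert passes, and the buffer is allocated far smaller than the octal expansion needs. assert() is also the wrong tool for an input-dependent bound: it is compiled out under NDEBUG and aborts instead of returning an error. Test the bound before multiplying, e.g. if (len > (SIZE_T_MAX - 1) / 4) fail with an error return, and drop the assert.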

On a 32-bit system, if len is 1.35GB, len * 4 + 1 = 5.4GB == 1.4GB, so
the assert will pass.  The buffer will then be overflowed (by as much
as the attacker wants, although of course he'll run into unwriteable
addresses eventually).  This looks pretty exploitable...

I think the right solution is to apply
-       assert(psize > len);
+       if (len > (SIZE_T_MAX - 1) / 4) {
+               file_oomem(ms);
+               return NULL;
+       }
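Review bot: the bound is correct (len <= (SIZE_T_MAX - 1) / 4 guarantees len * 4 + 1 fits in size_t, since integer division rounds down), but SIZE_T_MAX is a BSD extension of <limits.h>; glibc and ISO C only provide SIZE_MAX in <stdint.h>, so this hunk will not build on Linux unless the tree already defines SIZE_T_MAX itself (a fallback such as #ifndef SIZE_T_MAX / #define SIZE_T_MAX ((size_t)~0) / #endif would cover both). Reporting the rejected length through file_oomem() also labels an oversized input as an allocation failure; a one-line comment on the check would make that intent clear to the next reader.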
and add
#include <limits.h> to the top (in place of the #include <assert.h> which
the earlier patch adds).
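The wraparound Colin describes, as an added C example that is not code from the file(1) project or from any participant in this bug. It emulates a 32-bit size_t with uint32_t so the arithmetic is reproducible on a 64-bit host, computes psize exactly as the quoted CVE-2007-1536 hunk does, shows which lengths the assert catches and which it is fooled by, and contrasts that with a bounded computation along the lines of the suggested fix. The helper names (vulnerable_psize, safe_psize, assert_is_fooled) and the sample lengths are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the CVE-2007-2799 arithmetic; not file(1) code.
 * A 32-bit size_t is emulated with uint32_t: truncating the exact 64-bit
 * result to 32 bits reproduces unsigned wraparound modulo 2^32.
 */
typedef uint32_t size32_t;
#define SIZE32_T_MAX UINT32_MAX

/* psize = len * 4 + 1, computed as in the quoted CVE-2007-1536 hunk;
 * the product wraps once len >= 2^30. */
size32_t vulnerable_psize(size32_t len)
{
    return (size32_t)((uint64_t)len * 4 + 1);
}

/* The quoted assert(psize > len) as a predicate: 1 if it would pass. */
int vulnerable_assert_passes(size32_t len)
{
    return vulnerable_psize(len) > len;
}

/* Did the 32-bit psize actually wrap?  Compare against the exact value. */
int psize_wrapped(size32_t len)
{
    return (uint64_t)vulnerable_psize(len) != (uint64_t)len * 4 + 1;
}

/* 1 when psize wrapped and the assert still passes: the buffer is then
 * allocated too small and the octal expansion overflows it. */
int assert_is_fooled(size32_t len)
{
    return vulnerable_assert_passes(len) && psize_wrapped(len);
}

/* Hardened computation along the lines of the suggested fix: bound len
 * before multiplying.  Returns 0 (never a valid psize; the minimum is 1)
 * where the real code would call file_oomem() and return NULL. */
size32_t safe_psize(size32_t len)
{
    if (len > (SIZE32_T_MAX - 1) / 4)
        return 0;
    return (size32_t)((uint64_t)len * 4 + 1);
}

int main(void)
{
    /* Constructed sample lengths: small; exactly 1 GiB (wraps to 1, so the
     * assert fires); 1.5 GiB (wraps to 0x80000001, assert passes anyway);
     * the largest length the bounded check accepts. */
    const size32_t samples[] = { 1000u, 0x40000000u, 0x60000000u, 0x3FFFFFFFu };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size32_t len = samples[i];
        printf("len=%10" PRIu32 " psize=%10" PRIu32
               " assert_passes=%d wrapped=%d fooled=%d safe_psize=%" PRIu32 "\n",
               len, vulnerable_psize(len), vulnerable_assert_passes(len),
               psize_wrapped(len), assert_is_fooled(len), safe_psize(len));
    }
    return 0;
}
```

The 1 GiB case shows why the bug was easy to miss: there the wrapped psize is 1, the assert fires and the process aborts, which looks like the check working. Only lengths in the window where 4*len wraps but stays above len (about 1.33 GiB to 2 GiB on 32-bit) slip through, and those are exactly the lengths an attacker would choose.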

Comment 1 Josh Bressers 2007-05-23 18:59:10 UTC
Martin,

Can you ensure this fix makes it upstream?  They have not been told of this yet.

Comment 2 Martin Bacovsky 2007-05-24 15:21:55 UTC
Upstream was notified.

Comment 5 Martin Bacovsky 2007-05-25 16:45:03 UTC
RHEL 4.5.z and 5.0.z packages are built, rpmdiff tests are in progress. Upstream
released file-4.21, to which I will probably update in fc6, fc7 and devel.

Comment 8 Red Hat Product Security 2008-01-14 16:52:45 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0391.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0836