Bug 454483

Summary: CVE-2008-3252 newsx: Stack overflow with lines with leading '.'
Product: [Fedora] Fedora Reporter: Enrico Scholz <rh-bugzilla>
Component: newsxAssignee: Dominik 'Rathann' Mierzejewski <dominik>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.6-8.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-15 12:14:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch to fix the issue
none
patch to fix the issue none

Description Enrico Scholz 2008-07-08 18:59:34 UTC 
Description of problem:

Runnings newsx to fetch
http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/109986
generates an

| *** stack smashing detected ***: newsx(news.gmane.org) gmane.mail.spam.spamassassin.general 109996 terminated

abort. This is caused by

--- src/getarticle.c ---
static int
read_article(long where,char *group)
{
    char linebuf[MAX_HEADER_SIZE+1], *line;
    ...
    line=linebuf;
    ...
    for (;;) {
        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
	...
                if (line[1]=='.') {             /* escape-period, remove it */
                    line++;
                    len--;

	
-------------


i.e. 'line' grows and grows when a line starts with '.'.  Having
hundreds of such lines make 'linebuf[]' overflow and it is possible to
place arbitrary data on stack.


Fix would be probably

| -        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
| +        if (!get_server_msg(linebuf, MAX_HEADER_SIZE)) {

but is untested.


Stack-smash detection protects against remote code execution. Nevertheless,
it causes lot of traffic (newsx fetches articles but aborts before updating
'active' file)



Version-Release number of selected component (if applicable):

newsx-1.6-8.fc9.x86_64


How reproducible:

100%
Comment 1 Enrico Scholz 2008-07-08 19:06:26 UTC 
mmh... it's too late and no coffee...  Proposed fix won't work; instead of the

| line=linebuf

must be moved into the loop.
Comment 2 Dominik 'Rathann' Mierzejewski 2008-07-12 16:00:25 UTC 
I believe your analysis is incorrect. line pointer gets reset in

        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
            /* timeout: simply give up */
            return 0;
        }

I'll try to reproduce the crash and see what I can do about it.
Comment 3 Dominik 'Rathann' Mierzejewski 2008-07-12 18:54:45 UTC 
... or it actually doesn't get reset. After running it through gdb I can see
that what you described is actually happening. I'll have a fixed build after
I've tested the fix.
Comment 4 Dominik 'Rathann' Mierzejewski 2008-07-12 20:59:22 UTC 
Created attachment 311653 [details]
patch to fix the issue

Attached patch fixes the issue. Updated build will be available shortly.
Comment 5 Dominik 'Rathann' Mierzejewski 2008-07-12 21:10:33 UTC 
Created attachment 311654 [details]
patch to fix the issue

Obviously the previous patch is wrong. We can't access line[N] before it's
initialised.
Comment 6 Fedora Update System 2008-07-12 22:59:32 UTC 
newsx-1.6-9.fc9 has been submitted as an update for Fedora 9
Comment 7 Fedora Update System 2008-07-12 23:00:19 UTC 
newsx-1.6-8.fc8 has been submitted as an update for Fedora 8
Comment 8 Fedora Update System 2008-07-15 12:14:43 UTC 
newsx-1.6-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-07-15 12:20:27 UTC 
newsx-1.6-9.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-07-22 07:03:19 UTC 
CVE id CVE-2008-3252 was allocated for this issue:

Stack-based buffer overflow in the read_article function in
getarticle.c in newsx 1.6 allows remote attackers to execute arbitrary
code via a news article containing a large number of lines starting
with a period.