Bug 462584 (CVE-2008-3916)

Summary: CVE-2008-3916 ed: Heap-based buffer overflow (arb. code execution)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: karsten, kreilly
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-29 09:40:25 UTC
Bug Depends On: 466094, 466095, 466096, 466097, 466098, 466099, 466100, 466101, 466102, 833891
Attachments: Proposed patch to resolve the ed heap overflow issue. (Flags: none)

Description Jan Lieskovsky 2008-09-17 10:52:09 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3916 to
the following vulnerability:

Heap-based buffer overflow in the strip_escapes function in signal.c
in GNU ed before 1.0 allows context-dependent or user-assisted
attackers to execute arbitrary code via a long filename.  NOTE: since
ed itself does not typically run with special privileges, this issue
only crosses privilege boundaries when ed is invoked as a third-party
component.


References:

http://lists.gnu.org/archive/html/bug-ed/2008-08/msg00000.html
http://marc.info/?l=oss-security&m=122018171619930&w=4
http://www.openwall.com/lists/oss-security/2008/08/31/1
http://www.openwall.com/lists/oss-security/2008/09/01/2
http://www.openwall.com/lists/oss-security/2008/09/01/3
http://www.openwall.com/lists/oss-security/2008/09/04/21
http://www.openwall.com/lists/oss-security/2008/09/04/22
http://www.openwall.com/lists/oss-security/2008/09/04/24

Comment 1 Jan Lieskovsky 2008-09-17 10:53:16 UTC
This issue affects all versions of the ed package, as shipped with Red Hat
Enterprise Linux 2.1, 3, 4 and 5 and all versions of the ed packages, as
shipped within Fedora releases of 8, 9 and 10.

Comment 3 Jan Lieskovsky 2008-10-08 10:23:46 UTC
Created attachment 319740
Proposed patch to resolve the ed heap overflow issue.

Proposed patch (it was generated by comparing changes in signal.c between
the 0.9 and 1.0 versions of ed. Please ensure no additional changes (i.e.
changes in the "resize_buffer" function) are needed to resolve this issue).
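
Added example, not part of this bug report and not code from ed or from the attached patch: one way to write an escape-stripping copy of a filename so that the heap buffer is always sized from the input, which rules out the overflow class the CVE text describes. The name `strip_escapes_bounded`, the `MAX_NAME` ceiling and the backslash escape convention are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ceiling on accepted name length (assumption, not from ed). */
#define MAX_NAME 4096

/* Copy s into a freshly allocated heap buffer, dropping each backslash and
 * keeping the character it escapes. The output is never longer than the
 * input, so len + 1 bytes always suffice. Returns NULL on overlong input,
 * on a dangling trailing backslash, or on allocation failure.
 * The caller frees the result. */
char *strip_escapes_bounded(const char *s)
{
    size_t len, i = 0;
    char *out;

    if (s == NULL)
        return NULL;
    /* Bounded length scan: reject instead of silently truncating. */
    for (len = 0; s[len] != '\0'; len++)
        if (len == MAX_NAME)
            return NULL;

    out = malloc(len + 1);
    if (out == NULL)
        return NULL;

    for (; *s != '\0'; s++) {
        if (*s == '\\' && *++s == '\0') {   /* dangling escape */
            free(out);
            return NULL;
        }
        out[i++] = *s;                      /* i <= len by construction */
    }
    out[i] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: the name  my\ file.txt  as typed. */
    char *name = strip_escapes_bounded("my\\ file.txt");
    if (name == NULL)
        return 1;
    printf("%s\n", name);
    free(name);
    return 0;
}
```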