Bug 640940
| Summary: | Buffer overflow in open_tty() | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Petr Pisar <ppisar> | ||||
| Component: | mingetty | Assignee: | Petr Pisar <ppisar> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Martin Cermak <mcermak> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 6.0 | CC: | azelinka, mcermak, ovasik, pkovar, rrakus | ||||
| Target Milestone: | rc | Keywords: | Patch | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | mingetty-1.08-5.el6 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Prior to this update, when invoking mingetty with a TTY name (a non-option position argument) that was longer than 39 ASCII characters, a buffer overflow occurred and the mingetty stack content could have become corrupted. This bug has been fixed in this update so that only the first 39 bytes (34 bytes in case of a relative path) from the TTY name are now copied.
|
Story Points: | --- | ||||
| Clone Of: | 551754 | Environment: | |||||
| Last Closed: | 2011-08-18 07:46:44 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Petr Pisar
2010-10-07 09:47:58 UTC
Created attachment 455811 [details]
Proposed fix
This issue was proposed for RHEL 6.1 FasTrack but did not get resolved in time. It has been moved to RHEL 6.2 FasTrack.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause
Invoking mingetty with TTY name (non-option position
argument) longer than 39 ASCII characters.
Please note default configuration uses much shorter names
(e.g. "tty1").
Consequence
Buffer overflow occurs and mingetty stack content can
become corrupted.
Fix
Only first 39 (34 in case of relative path) bytes from
the TTY name is copied.
Result
Only secure beginning of TTY name argument is considered
by mingetty. This is not real issue as TTY names are short
enough.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,15 +1 @@
-Cause
+Prior to this update, when invoking mingetty with a TTY name (a non-option position argument) that was longer than 39 ASCII characters, a buffer overflow occurred and the mingetty stack content could have become corrupted. This bug has been fixed in this update so that only the first 39 bytes (34 bytes in case of a relative path) from the TTY name are now copied.- Invoking mingetty with TTY name (non-option position
- argument) longer than 39 ASCII characters.
- Please note default configuration uses much shorter names
- (e.g. "tty1").
-Consequence
- Buffer overflow occurs and mingetty stack content can
- become corrupted.
-Fix
- Only first 39 (34 in case of relative path) bytes from
- the TTY name is copied.
-Result
- Only secure beginning of TTY name argument is considered
- by mingetty. This is not real issue as TTY names are short
- enough.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1177.html |