Bug 113756 - mc vulnerable to buffer exploit in vfs from archive files
Summary: mc vulnerable to buffer exploit in vfs from archive files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mc
Version: 1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-01-17 07:22 UTC by Seth Vidal
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-03-11 13:42:59 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
mc.spec.patch (1.88 KB, patch)
2004-01-17 12:20 UTC, Warren Togami

Description Seth Vidal 2004-01-17 07:22:52 UTC
Description of problem:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023

Version-Release number of selected component (if applicable):
mc-4.6.0-6

How reproducible:
every time

Download the file linked here:
http://mail.edunet.ru/Lists/bugtraq.securityfocus.com/Message/326.html

Run mc and select that file.
mc in fc1, rhl9 or rhl8 crashes.
It shouldn't crash - the crash is the overflow.
Apply the patch from here:
http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-vfs-tar-symlink.patch

Presto, it works.

I'll attach the patch and the spec file change.

Comment 1 Seth Vidal 2004-01-17 07:26:30 UTC
Not attaching to bugzilla - easier to link to the srpm:
http://linux.duke.edu/~skvidal/RPMS/fedoralegacy/mc/mc-4.6.0-7.src.rpm



Comment 2 Warren Togami 2004-01-17 12:20:44 UTC
Created attachment 97071 [details]
mc.spec.patch

Package cleanups including Seth's work.  This is mainly to serve as an example
of package cleanup for the benefit of other packagers.

Comment 3 Seth Vidal 2004-01-17 14:42:05 UTC
1. is it normal to remove someone else's changelog entries?
2. this practice of adding the version number at the end of your name
on the changelog line is completely ridiculous no matter who does it.

The reason: rpm headers have 3 fields: changelogname, changelogtime,
changelogtext.

when you put the version at the end of your name the version is put
into changelogname.

If you want to include the version it should be in changelogtext not
in changelogname.



Comment 4 Warren Togami 2004-01-17 21:05:14 UTC
> 1. is it normal to remove someone else's changelog entries?

For RH packages yes it has been when importing external changes in the
past.  I was careful to keep your name as part of the credits.  In the
future I suppose that needs to change because external contributions
will become the norm.

I personally changed it mainly to reduce the amount of new stuff going
into that changelog. 

> 2. this practice of adding the version number at the end of your 
> name on the changelog line is completely ridiculous no matter who
> does it.

Discuss it on the list.  fedora.us has been requiring that for the
past year, while RH has been doing it in most cases.  I am not about to
change now unless the entire group agrees on it.

Comment 5 Seth Vidal 2004-01-17 22:35:57 UTC
1. Boy that seems odd to me given that my name is all over the vsftpd
changelog. rpm -q --changelog vsftpd and tell me what you see.

2. I will.


Comment 6 Warren Togami 2004-01-18 01:33:10 UTC
1. It wasn't a policy.  I just noticed it was done to me a dozen times
in various packages.

Comment 7 Miloslav Trmac 2004-03-11 13:42:59 UTC
Fixed in FEDORA-2004-058.

