Bug 1165296 - afpfs-ng crashes because of incorrect paramater (bogus patch)
Summary: afpfs-ng crashes because of incorrect paramater (bogus patch)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: afpfs-ng
Version: 21
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-11-18 18:51 UTC by Hubert Figuiere
Modified: 2015-01-07 01:26 UTC (History)
1 user (show)

Fixed In Version: afpfs-ng-0.8.1-13.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-07 01:25:18 UTC


Attachments (Terms of Use)
afpfs-ng-0.8.1-formatsec.patch (5.08 KB, patch)
2014-11-24 20:56 UTC, Hubert Figuiere
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1036982 None None None Never

Description Hubert Figuiere 2014-11-18 18:51:05 UTC
See bug 1036982 for the source of the problem

Description of problem:
mount_afp crashes.

Version-Release number of selected component (if applicable):
0.8.1-17.fc21

How reproducible:
All the time

Steps to Reproduce:
1. $ mount_afp afp://foo/Music Music

Actual results:

zsh: segmentation fault (core dumped)  mount_afp afp://foo/Music Music

Expected results:

no crash

Additional info:

http://pkgs.fedoraproject.org/cgit/afpfs-ng.git/tree/afpfs-ng-0.8.1-formatsec.patch#n111

replace snprintf by strncat without checking the paramaters are in order.

solution
snprintf(..., ...., "%s", ...) instead of strncat().

Had you tested it you'd know.

Comment 1 Hubert Figuiere 2014-11-18 18:55:51 UTC
strncpy() would work too.

And if you really want to be secure, the size parameter is supposed to be the size of the destination, not the size from the source.

Comment 2 Hubert Figuiere 2014-11-18 19:06:06 UTC
Also it should be noted that you ignored the compiler warnings too:

 gcc -DHAVE_CONFIG_H -I. -I.. -D_FILE_OFFSET_BITS=64 -I../include -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -c status.c  -fPIC -DPIC -o .libs/libafpclient_la-status.o
afp_url.c: In function 'afp_parse_url':
afp_url.c:236:2: warning: passing argument 2 of 'strncat' makes pointer from integer without a cast
  strncat(url->servername,strlen(p)+1,p);


from
https://kojipkgs.fedoraproject.org//packages/afpfs-ng/0.8.1/17.fc21/data/logs/x86_64/build.log

Comment 3 Hubert Figuiere 2014-11-24 20:56:54 UTC
Created attachment 960937 [details]
afpfs-ng-0.8.1-formatsec.patch

Here the fixed version of the patch (not of a diff of the patch but just afpfs-ng-0.8.1-formatsec.patch as found in SOURCES).

It fixes what the other patch broke. There is plenty of other things upstream that should be fixed too.

Please apply this urgently.

Comment 4 Fedora Update System 2014-11-25 23:10:33 UTC
afpfs-ng-0.8.1-18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/afpfs-ng-0.8.1-18.fc21

Comment 5 Fedora Update System 2014-11-25 23:11:44 UTC
afpfs-ng-0.8.1-13.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/afpfs-ng-0.8.1-13.fc20

Comment 6 Hubert Figuiere 2014-11-25 23:31:45 UTC
Thank you kindly.

Comment 7 Fedora Update System 2014-11-27 08:36:52 UTC
Package afpfs-ng-0.8.1-13.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing afpfs-ng-0.8.1-13.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15823/afpfs-ng-0.8.1-13.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2015-01-07 01:25:18 UTC
afpfs-ng-0.8.1-18.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-07 01:26:27 UTC
afpfs-ng-0.8.1-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.