Bug 118642 - Coreutils 'dir' integer overflow vulnerability.
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: coreutils
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Tim Waugh
Reported: 2004-03-18 10:57 EST by Igor
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-12-09 11:31:49 EST
Description Igor 2004-03-18 10:57:12 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Gecko/20031007 Firebird/0.7

Description of problem:
Bug: DoS / possible arbitrary code execution.
Impact: Attackers can cause MASS consumption of CPU utilisation and
usage of memory, by corrupting the stack. Possible code execution.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Just run in shell$ dir -w 1073741828

Actual Results:  mass CPU utilisation will be used

Additional info:

If invoked via a debugging tool such as 'Valgrind', one can see the
consequences of the integer overflow taking place
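
An added example, not part of the original report and not coreutils code: it shows how a width such as the reported 1073741828 makes a 32-bit allocation-size multiplication wrap to a tiny value, next to a checked multiplication and a bounded argument parser. The 4-byte element size, the 4096 cap and all function names are assumptions for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ELEM_SIZE 4u      /* assumed per-column record size (not from coreutils) */
#define MAX_WIDTH 4096ul  /* assumed policy cap on an accepted width */

/* The multiplication as a 32-bit size_t performs it: silently wraps mod 2^32. */
static uint32_t unchecked_bytes32(uint32_t count, uint32_t elem)
{
    return (uint32_t)(count * elem);
}

/* Same computation, refusing any product that does not fit in 32 bits. */
static int checked_bytes32(uint32_t count, uint32_t elem, uint32_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return -1;
    *out = count * elem;
    return 0;
}

/* Parse a width argument; reject junk, signs, zero and anything above the cap. */
static int parse_width(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s[0] < '0' || s[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > MAX_WIDTH)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    uint32_t bytes = 0;
    unsigned long w = 0;

    printf("unchecked: %u bytes\n", (unsigned)unchecked_bytes32(1073741828u, ELEM_SIZE));
    printf("checked:   %s\n", checked_bytes32(1073741828u, ELEM_SIZE, &bytes) ? "rejected" : "ok");
    printf("parse:     %s\n", parse_width("1073741828", &w) ? "rejected" : "ok");
    return 0;
}
```
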
Comment 1 Tim Waugh 2004-03-18 11:24:04 EST
Well, you are already in a shell there.

Perhaps you are thinking of an exploit via an FTP server?  vsftpd uses
its own internal ls.

Or is there a different vector you are thinking of?
Comment 2 Igor 2004-03-19 01:30:17 EST
I can create a simple PHP script, for example, post it to a hosting
site, and hang the server if it does not limit resources. Most admins of
the small ISP hosting sites don't limit memory and CPU resources. :)
Comment 3 Mark J. Cox (Product Security) 2004-03-25 05:43:47 EST
If an ISP allows you to run arbitrary php scripts then there are many
other ways you can cause similar effects even without this flaw being
