Bug 122345 - CAN-2003-0856 busybox also contains netlink flaw
Summary: CAN-2003-0856 busybox also contains netlink flaw
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: busybox   
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Keywords: Security
Reported: 2004-05-03 15:23 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-08-31 16:19:11 UTC


Attachments
Patch that addresses the problems. (1.92 KB, patch)
2004-05-03 15:25 UTC, Steve Grubb
Revised patch (1.92 KB, patch)
2004-05-06 12:42 UTC, Steve Grubb

Description Steve Grubb 2004-05-03 15:23:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Gecko/20040308

Description of problem:
Last November a bug was found in iproute, CAN-2003-0856. Busybox has
taken the same code from iproute-2.4.7 libnetlink.c and adjusted its
error message functions. The code in busybox was never updated when
the libnetlink vulnerability was discovered. Therefore it might be
susceptible to the same kind of attack.

There are also 2 other programming bugs. One being a potential buffer
overflow in dos2unix.c.

Version-Release number of selected component (if applicable):
busybox-1.00.pre8

How reproducible:
Didn't try

Steps to Reproduce:
Found during code review.

Additional info:

I will attach a patch to this bug report.

Comment 1 Steve Grubb 2004-05-03 15:25:09 UTC
Created attachment 99913 [details]
Patch that addresses the problems.

Please apply and test.

Comment 2 Steve Grubb 2004-05-06 12:42:57 UTC
Created attachment 100039 [details]
Revised patch

I re-reviewed the patch and found that the buffer overflow was not completely
handled. It needed to check for BUFSIZE-3. BUFSIZE-1 is the last addressable
byte, the loop increments the index by 2. That is why it needed to be
BUFSIZE-3. This revised patch has been accepted by the upstream author.
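
An added illustration of the bound discussed in Comment 2; it is not the busybox patch or any code from this bug. The loop shape (two bytes stored per pass, then a terminator), the names `overflow_bytes`, `BUFSIZE` and `SLACK`, and the buffer size are assumptions made for the example. It counts how many bytes land past the end of the buffer for each candidate bound.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16   /* constructed size: valid indexes are 0..BUFSIZE-1 */
#define SLACK   4    /* spare backing bytes so stray stores can be counted safely */

/* Hypothetical loop shape (an assumption, not busybox code): each pass stores
 * two bytes and advances idx by 2, then a NUL is stored at idx.
 * Returns how many bytes were stored at or beyond index BUFSIZE.
 * Callers keep limit <= BUFSIZE-1 so every store stays inside backing[]. */
static int overflow_bytes(size_t start, size_t limit)
{
    char backing[BUFSIZE + SLACK];
    size_t idx = start, i;
    int stray = 0;

    memset(backing, '#', sizeof backing);     /* '#' marks untouched bytes */
    while (idx <= limit) {                    /* the bound under test */
        backing[idx]     = 'A';
        backing[idx + 1] = 'B';
        idx += 2;
    }
    backing[idx] = '\0';                      /* terminator after the loop */

    for (i = BUFSIZE; i < sizeof backing; i++)
        if (backing[i] != '#')
            stray++;
    return stray;
}

int main(void)
{
    /* Try both parities of the starting index, since idx moves in steps of 2. */
    size_t limits[] = { BUFSIZE - 1, BUFSIZE - 2, BUFSIZE - 3 };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("limit BUFSIZE-%d: start 0 -> %d stray, start 1 -> %d stray\n",
               (int)(i + 1), overflow_bytes(0, limits[i]),
               overflow_bytes(1, limits[i]));
    return 0;
}
```

Under these assumptions only the `BUFSIZE-3` bound keeps every store inside the buffer for both even and odd starting indexes.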

Comment 3 Daniel Walsh 2004-07-20 13:38:18 UTC
Upgrading to busybox-1.0.0.rc1 should fix this problem.
Will be in Rawhide tomorrow.

