Bug 123230 - Buffer overflow in handling of -o option
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: sharutils
Version: 1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ngo Than
Reported: 2004-05-14 16:09 UTC by Leonard den Ottolander
Modified: 2007-11-30 22:10 UTC
Last Closed: 2004-05-21 15:01:52 UTC


Attachments
Option -o patch (2.23 KB, patch)
2004-05-14 16:15 UTC, Leonard den Ottolander

Description Leonard den Ottolander 2004-05-14 16:09:40 UTC
Shaun Colley discovered a buffer overflow in sharutils <= 2.5.5 when
using the -o option.

See http://www.spinics.net/lists/bugtraq/msg11869.html and
http://www.spinics.net/lists/bugtraq/msg11898.html for details.

Comment 1 Leonard den Ottolander 2004-05-14 16:12:58 UTC
Oops. That must be sharutils <= 4.2.1. Must have gotten 2.5.5 from
another package that I was looking at earlier.

Comment 2 Leonard den Ottolander 2004-05-14 16:15:28 UTC
Created attachment 100229
Option -o patch

Patch taken from SuSE 9.0 sharutils-4.2c-718.src.rpm. Modified header so it
patches using -p1 instead of -p0.

Note that the patch in the original announcement
(http://www.spinics.net/lists/bugtraq/msg11869.html) is incorrect (see
http://www.spinics.net/lists/bugtraq/msg11898.html).

Comment 3 Mark J. Cox 2004-05-17 11:50:23 UTC
Downgrading severity; buffer overflow in non setuid/gid program.

Comment 4 Leonard den Ottolander 2004-05-18 12:26:59 UTC
I am not aware of the criteria you use for this. Are these described
somewhere? They seem to be different from the explanation of
"Severity" in the bugzilla form help.

I must say that if this can be (remotely) exploited to gain a shell it
might be used as a stepping stone to exploit an unplugged local root
exploit. It should be fixed asap.


Comment 5 Ngo Than 2004-05-21 15:01:52 UTC
It's now fixed in sharutils-4_2_1-19, which will show up in
rawhide soon.

Comment 6 Leonard den Ottolander 2004-05-21 19:14:44 UTC
What kind of version is that, 4_2_1? Are the underscores here to stay?

With rawhide you also mean FC1 testing? Or are you just releasing it
for FC2?


