Bug 123230 - Buffer overflow in handling of -o option
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: sharutils
1
All Linux
Priority: medium, Severity: medium
Assigned To: Ngo Than
Reported: 2004-05-14 12:09 EDT by Leonard den Ottolander
Modified: 2007-11-30 17:10 EST

Doc Type: Bug Fix
Last Closed: 2004-05-21 11:01:52 EDT


Attachments
Option -o patch (2.23 KB, patch)
2004-05-14 12:15 EDT, Leonard den Ottolander

Description Leonard den Ottolander 2004-05-14 12:09:40 EDT
Shaun Colley discovered a buffer overflow in sharutils <= 2.5.5 when
using the -o option.

See http://www.spinics.net/lists/bugtraq/msg11869.html and
http://www.spinics.net/lists/bugtraq/msg11898.html for details.
Comment 1 Leonard den Ottolander 2004-05-14 12:12:58 EDT
Oops. That must be sharutils <= 4.2.1. Must have gotten 2.5.5 from
another package that I was looking at earlier.
Comment 2 Leonard den Ottolander 2004-05-14 12:15:28 EDT
Created attachment 100229
Option -o patch

Patch taken from SuSE 9.0 sharutils-4.2c-718.src.rpm. Modified header so it
patches using -p1 instead of -p0.

Note that the patch in the original announcement
(http://www.spinics.net/lists/bugtraq/msg11869.html) is incorrect (see
http://www.spinics.net/lists/bugtraq/msg11898.html).
Comment 3 Mark J. Cox (Product Security) 2004-05-17 07:50:23 EDT
Downgrading severity; buffer overflow in non setuid/gid program.
Comment 4 Leonard den Ottolander 2004-05-18 08:26:59 EDT
I am not aware of the criteria you use for this. Are these described
somewhere? They seem to be different from the explanation of
"Severity" in the bugzilla form help.

I must say that if this can be (remotely) exploited to gain a shell it
might be used as a stepping stone to exploit an unplugged local root
exploit. It should be fixed asap.
Comment 5 Ngo Than 2004-05-21 11:01:52 EDT
It's now fixed in sharutils-4_2_1-19, which will show up in
rawhide soon.
Comment 6 Leonard den Ottolander 2004-05-21 15:14:44 EDT
What kind of version is that, 4_2_1? Are the underscores here to stay?

With rawhide you also mean FC1 testing? Or are you just releasing it
for FC2?
