Bug 145527 - CAN-2005-0086 less crashes on scrolling of binary files
Summary: CAN-2005-0086 less crashes on scrolling of binary files
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: less   
(Show other bugs)
Version: 3.0
Hardware: i386 Linux
medium
high
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact:
URL:
Whiteboard: impact=important,public=20050119
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-19 12:15 UTC by Victor Ashik
Modified: 2013-07-02 23:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-26 15:40:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Binary file consists of 1036 '\0x81' chars - testcase for less segfault (1.01 KB, application/octet-stream)
2005-01-20 14:14 UTC, Victor Ashik
no flags Details
Expand charset[] buffer with expanding of other buffers (962 bytes, patch)
2005-01-21 11:39 UTC, Victor Ashik
no flags Details | Diff
Corrected patch for expading charset[] buffer with expanding of other buffers (971 bytes, patch)
2005-01-21 12:52 UTC, Victor Ashik
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:068 low SHIPPED_LIVE Important: less security update 2005-01-26 05:00:00 UTC

Description Victor Ashik 2005-01-19 12:15:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
Scrolling of hdlist2 causes less to segfault.

Version-Release number of selected component (if applicable):
less-378-11

How reproducible:
Always

Steps to Reproduce:
1. Mount any RHEL3 CD1 on /mnt/cdrom and do
2. less -f /mnt/cdrom/RedHat/base/hdlist2
3. Press and hold spacebar.

Actual Results:  It will cause a segmentation fault.


Expected Results:  Scrolling till the end of file.

Additional info:

I think it is the failed assertion in first line of buffering_multi.

Comment 1 Suzanne Hillman 2005-01-19 22:34:38 UTC
Why are you trying to run less on a binary file?

Comment 2 Victor Ashik 2005-01-20 11:24:46 UTC
Because I like it ;-)

It may be a security problem, because after some digging with debugger
it looks like a buffer overflow.

Vulnerable pager is a very, very bad thing.
I am sorry for not giving it SECURITY flag yesterday. Giving it now.
Please, fix it.

Hint1: buffer overflows in a UTF-8 locale on a line of 0x81 bytes
longer than 1028.
Hint2: overflow seems to overwrite MULBUF* mp in multi.c

Comment 3 Victor Ashik 2005-01-20 14:12:38 UTC
Update: in en_US.UTF-8 locale Hint1 requires more than 1035 bytes.

Comment 4 Victor Ashik 2005-01-20 14:14:26 UTC
Created attachment 110010 [details]
Binary file consists of 1036 '\0x81' chars - testcase for less segfault

Comment 6 Josh Bressers 2005-01-20 14:40:20 UTC
This issue could be dangerous.  Ideally this issue would be best fixed in the
next round of quarterly updates.

Comment 8 Victor Ashik 2005-01-21 11:39:58 UTC
Created attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

Found the error. We are expanding linebuf[] and attr[] buffers in
expand_linebuf(), line.c:90, but forgetting to expand charset[] buffer.

Comment 9 Victor Ashik 2005-01-21 12:49:46 UTC
Comment on attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

The patch is not perfect.

calloc for charset should allocate sizeof(CHARSET) blocks and returned pointer
sould be converted to (CHARSET*)

Comment 10 Victor Ashik 2005-01-21 12:52:13 UTC
Created attachment 110048 [details]
Corrected patch for expading charset[] buffer with expanding of other buffers

Corrected types in calloc line. Now it works.

Comment 11 Jindrich Novy 2005-01-24 10:18:51 UTC
Victor, thanks for the patch. The fix is confirmed and patch is now added to CVS.

Comment 12 Victor Ashik 2005-01-24 10:24:29 UTC
Thanks for a job well done.

Comment 15 Josh Bressers 2005-01-25 14:27:50 UTC
I've done some investigating on this issue.  This problem is caused by
a patch we apply to the RHEL3 less.  It does not affect the original
version, or any upstream versions I've tried.

Comment 16 Josh Bressers 2005-01-26 15:40:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-068.html



Note You need to log in before you can comment on or make changes to this bug.