Red Hat Bugzilla – Bug 152909
Remote buffer overflow in the digestmd5.c
Last modified: 2008-05-01 11:38:06 EDT
Patch for 2.1.18 can be found at
A patch for 1.5.28 should be created from this patch.
------- Additional Comments From firstname.lastname@example.org 2005-02-27 13:41:21 ----
Looks to me like the buffer overflow was introduced in:
and fixed in:
So, this is only a problem in 2.1.18 AFAICT.
It shouldn't affect rh73, rh9 or FC1.
Can someone else make sure?
------- Additional Comments From email@example.com 2005-02-28 10:55:21 ----
Where exactly is the overflow introduced according to you?
------- Additional Comments From firstname.lastname@example.org 2005-02-28 12:05:50 ----
* plugins/digestmd5.c: Fix potential buffer overflow, call
add_to_challenge in 2 more places (Alexey Melnikov
So indeed the issue seems to be the sprintf(text->outbuf)s, not the quoting.
I'll verify whether this issue exists in 1.5.
------- Additional Comments From email@example.com 2005-02-28 12:58:03 ----
This is the offending code:
it puts the value it just quoted back into the original location, without making
the original location bigger.
------- Additional Comments From firstname.lastname@example.org 2005-02-28 13:26:30 ----
------- Additional Comments From email@example.com 2005-03-01 12:04:34 ----
Alexey Melnikov verified that this issue only exists in rev 1.170 of
digestmd5.c. Official releases are hence not vulnerable.
Closing INVALID (NOTABUG).
------- Bug moved to this database by firstname.lastname@example.org 2005-03-30 18:31 -------
This bug previously known as bug 2441 at https://bugzilla.fedora.us/
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P1. Setting to default priority "normal".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have
an account here. Reassigning to the person who moved
it here, email@example.com.
Previous reporter was firstname.lastname@example.org.
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.