Bug 152909 - Remote buffer overflow in the digestmd5.c
Summary: Remote buffer overflow in the digestmd5.c
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Reported: 2005-02-27 10:37 UTC by David Lawrence
Modified: 2008-05-01 15:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:


Description David Lawrence 2005-03-30 23:31:44 UTC
Patch for 2.1.18 can be found at

A patch for 1.5.28 should be created from this patch.

------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-27 13:41:21 ----

Looks to me like the buffer overflow was introduced in:

and fixed in:

So, this is only a problem in 2.1.18 AFAICT.

It shouldn't affect rh73, rh9 or FC1.

Can someone else make sure?

------- Additional Comments From leonard@den.ottolander.nl 2005-02-28 10:55:21 ----

Where exactly is the overflow introduced according to you?

------- Additional Comments From leonard@den.ottolander.nl 2005-02-28 12:05:50 ----


        * plugins/digestmd5.c: Fix potential buffer overflow, call
          add_to_challenge in 2 more places (Alexey Melnikov

So indeed the issue seems to be the sprintf(text->outbuf)s, not the quoting.

I'll verify whether this issue exists in 1.5.

------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 12:58:03 ----

This is the offending code:
strcat(*str, quoted);

it puts the value it just quoted back into the original location, without making
the original location bigger.
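
The pattern described in the comment above (a value gets longer when quoted and is then appended to a buffer sized for the unquoted form), with the resize done before the copy. This is an added example, not code from digestmd5.c or from any commenter; `NEED_ESCAPING`, `quoted_len`, `append_quoted` and `build` are hypothetical names and the escape set is an assumption.

```c
#include <stdlib.h>
#include <string.h>

#define NEED_ESCAPING "\"\\"   /* assumed escape set for this example */

/* Length of value once escaped: one extra byte per escaped character. */
static size_t quoted_len(const char *value)
{
    size_t n = 0;
    for (; *value; value++)
        n += strchr(NEED_ESCAPING, *value) ? 2 : 1;
    return n;
}

/* Append the escaped value to *buf, growing it first; -1 if realloc fails. */
static int append_quoted(char **buf, size_t *cap, const char *value)
{
    size_t used = strlen(*buf);
    size_t need = used + quoted_len(value) + 1;  /* quoted, not raw, length */
    if (need > *cap) {
        char *grown = realloc(*buf, need);
        if (grown == NULL) return -1;
        *buf = grown;
        *cap = need;
    }
    char *out = *buf + used;
    for (; *value; value++) {
        if (strchr(NEED_ESCAPING, *value))
            *out++ = '\\';
        *out++ = *value;
    }
    *out = '\0';
    return 0;
}

/* Hypothetical caller: the buffer starts sized for the raw value only. */
static char *build(const char *name, const char *value)
{
    size_t cap = strlen(name) + strlen(value) + 1;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    strcpy(buf, name);
    if (append_quoted(&buf, &cap, value) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

Sizing `need` from `strlen(value)` instead of `quoted_len(value)` would leave the buffer one byte short for every escaped character.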

------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 13:26:30 ----





------- Additional Comments From leonard@den.ottolander.nl 2005-03-01 12:04:34 ----

Alexey Melnikov verified that this issue only exists in rev 1.170 of
digestmd5.c. Official releases are hence not vulnerable.


------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2441 at https://bugzilla.fedora.us/
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was leonard@den.ottolander.nl.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
