Bug 161172 - /usr/lib/amanda/chg-scsi causes buffer overflow
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: amanda (Show other bugs)
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Radek Brich
Reported: 2005-06-20 20:45 EDT by Burn Alting
Modified: 2008-03-06 04:29 EST (History)
Last Closed: 2008-03-06 04:29:51 EST
Description Burn Alting 2005-06-20 20:45:56 EDT
Description of problem:
When executing chg-scsi, a buffer overflow occurs when opening a scsi device. The problem is in changer-src/scsi-changer-driver.c:OpenDevice().

A temporary variable, tmpstr is declared with just 15 bytes, and is first used in
      sprintf(&tmpstr[0],"%s_%s","generic",pDev[0].type);
If the string 'pDev[0].type' is greater than 15 - 8 - 1 = 6 characters, and in my execution of chg-scsi it is the string 'changer', we get a buffer overflow.

Suggest increasing the size of the variable as a temporary measure.

Version-Release number of selected component (if applicable):
amanda-2.4.5-2

How reproducible:
Always

Steps to Reproduce:
1. Configure amanda to use chg-scsi
2. run /usr/lib/amanda/chg-scsi -info

Actual Results:  # /usr/lib/amanda/chg-scsi -info
*** buffer overflow detected ***: /usr/lib/amanda/chg-scsi terminated
======= Backtrace: =========
...

Expected Results:  No buffer overflow

Additional info:
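The arithmetic in the description and the fix it suggests, as an added C example (not Amanda's own code): it computes how many bytes the sprintf call writes for a given device type and shows the bounded snprintf form that rejects a name that would not fit in the 15-byte tmpstr. The buffer size, the "%s_%s" format with "generic", and the "changer" type come from the report; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Values named in the report: tmpstr is 15 bytes, the format is "%s_%s"
 * with "generic" as the first operand, and the observed type is "changer". */
#define TMPSTR_SIZE 15
#define PREFIX "generic"

/* Bytes that sprintf(&tmpstr[0], "%s_%s", "generic", type) actually writes,
 * including the terminating NUL: strlen("generic") + '_' + strlen(type) + NUL. */
size_t generic_name_len(const char *type)
{
    return strlen(PREFIX) + 1 + strlen(type) + 1;
}

/* Longest device type that still fits the buffer: 15 - 8 - 1 = 6 characters. */
size_t max_type_len(void)
{
    return TMPSTR_SIZE - (strlen(PREFIX) + 1) - 1;
}

/* Hardened form of the original call. snprintf never writes past bufsz bytes,
 * and its return value (the length the full string would have had) tells us
 * whether the result was truncated. Returns 1 if the name fit, 0 otherwise;
 * on 0 the buffer holds a truncated but NUL-terminated string that must not
 * be used as the device name. */
int build_generic_name(char *buf, size_t bufsz, const char *type)
{
    int n = snprintf(buf, bufsz, "%s_%s", PREFIX, type);
    return n >= 0 && (size_t)n < bufsz;
}

/* Same check against a buffer sized exactly like the tmpstr in the report. */
int fits_in_tmpstr(const char *type)
{
    char tmpstr[TMPSTR_SIZE];
    return build_generic_name(tmpstr, sizeof tmpstr, type);
}

int main(void)
{
    const char *types[] = { "tape", "changer" };   /* "changer" is the reporter's case */
    for (size_t i = 0; i < 2; i++)
        printf("%-8s needs %2zu bytes of %d: %s\n", types[i],
               generic_name_len(types[i]), TMPSTR_SIZE,
               fits_in_tmpstr(types[i]) ? "fits" : "rejected (would overflow)");
    return 0;
}
```

The "*** buffer overflow detected ***" line in the actual results is glibc's fortified sprintf aborting the process, which is the compiler-inserted check referred to in comment 2; a build without that check would have written past tmpstr silently.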
Comment 1 Stephen Walton 2005-11-05 13:21:07 EST
I have the same problem as the reporter but am not certain the diagnosis is
correct.  I just installed FC4 on a system which was previously running FC1, and
decided to try the Fedora amanda RPMS.  But, I have a copy of Amanda 2.4.4p3
which I compiled myself on FC1.  The source I used to build contains the same
declaration of tmpstr, and yet the unmodified chg-scsi executable from that FC1
build works fine on FC4.
Comment 2 Arjan van de Ven 2005-11-07 04:16:05 EST
FC4 has more extensive buffer overflow checks than FC1; these get put in by the
compiler so binaries compiled on FC1 just silently overflow the buffer while
binaries built on FC4 detect this bug.
Comment 3 Christian Iseli 2007-01-22 05:11:01 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.
Comment 4 Burn Alting 2007-02-20 01:08:08 EST
Bug still present in FC6 as it's using amanda 2.5.0. The bug has been fixed in a
later release of amanda - it's certainly fixed in amanda-2.5.1p3
Comment 5 Radek Brich 2008-03-06 04:29:51 EST
FC6 is EOL, closing as WONTFIX
although the fix is in dist CVS, the rpm can't get into repo now...