From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
There is a buffer overflow in genkdmconf. I've already reported the bug to security but the rpm should be fixed. I discovered it by simply rebuilding the kdebase srpm. In the %install stage I got this error:

./genkdmconf --in /var/tmp/kdebase-3.4.1-0.fc4.1.kwinshadows-buildroot/usr/share/config/kdm --face-src ./pics
Information: reading old kdmrc /usr/share/config/kdm/kdmrc (from kde >= 2.2.x)
Information: dropping key SessionTypes from section [X-*-Greeter]
Information: old kdmrc is from kde 3.0
*** buffer overflow detected ***: ./genkdmconf terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x635565]
/lib/libc.so.6[0x63502f]
/lib/libc.so.6(__snprintf_chk+0x37)[0x634f23]
./genkdmconf[0x804d846]
/lib/libc.so.6(__libc_start_main+0xc6)[0x56bde6]
./genkdmconf[0x8048fd1]

The bug is in line 2804 of the kdm/kfrontend/genkdmconf.c file:

sprintf( nname, "%s/README", newdir );

Regards

Version-Release number of selected component (if applicable):
3.4.1-0.fc4.1

How reproducible:
Always

Steps to Reproduce:
1. Recompile the kdebase srpm
2. or compile and install kdebase sources
3. get the buffer overflow error

Actual Results:
get the *** buffer overflow detected *** error and all the backtrace while the installation calls genkdmconf

Expected Results:
no buffer overflow in genkdmconf

Additional info:
*** Bug 161752 has been marked as a duplicate of this bug. ***
Created attachment 116007: fix for genkdmconf.c
As you can see from the attachment, nname shouldn't be of a fixed size, because if it installs its README in a very long pathname there will be a buffer overflow. This happened to me because I was rebuilding the srpm and the $DESTDIR was very long.
ooops! please correct that

+ nname=malloc(sizeof(char)*strlen(newdir)+8); //strlen doesn't count the final nul

in

+ nname=malloc(sizeof(char)*(strlen(newdir)+8)); //strlen doesn't count the final nul
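The sizing problem the two comments above describe, as an added example written for this page (not the attachment and not kdebase code): it measures what the fixed 80-byte nname would need for a long buildroot path and builds the name from a buffer sized by the input instead. The names readme_path*, NNAME_FIXED and SAMPLE_NEWDIR are assumed for this example; the sample path is modelled on the one in the report.

```c
/* Added example, not kdebase code: build "<newdir>/README" without a fixed buffer.
   readme_path*, NNAME_FIXED and SAMPLE_NEWDIR are names assumed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NNAME_FIXED 80          /* size of the original char nname[80] */
#define README_SUFFIX "/README"

/* Constructed sample: a long rpm buildroot like the one in the report. */
static const char *const SAMPLE_NEWDIR =
    "/var/tmp/kdebase-3.4.1-0.fc4.1.kwinshadows-buildroot/usr/share/config/kdm";

/* Bytes sprintf would write for "<newdir>/README", including the final NUL. */
size_t readme_path_needed(const char *newdir)
{
    /* snprintf with a zero-length buffer only measures; nothing is written */
    int n = snprintf(NULL, 0, "%s%s", newdir, README_SUFFIX);
    return (size_t)n + 1;
}

/* 1 when the fixed 80-byte buffer is too small, i.e. the reported overflow. */
int readme_path_overflows_fixed(const char *newdir)
{
    return readme_path_needed(newdir) > NNAME_FIXED;
}

/* Heap-allocated replacement sized from the input: strlen(newdir) + 7 for
   "/README" + 1 for the NUL, the "+8" from the corrected attachment with the
   parentheses in the right place. The caller frees the result. */
char *readme_path(const char *newdir)
{
    size_t len = strlen(newdir) + strlen(README_SUFFIX) + 1;
    char *out = malloc(len);
    if (out == NULL)
        return NULL;            /* allocation failure is the caller's to handle */
    /* bounded write: cannot overflow even if len were miscomputed */
    snprintf(out, len, "%s%s", newdir, README_SUFFIX);
    return out;
}

int main(void)
{
    char *p = readme_path(SAMPLE_NEWDIR);
    printf("needs %zu bytes; fixed buffer overflows: %d\n%s\n",
           readme_path_needed(SAMPLE_NEWDIR),
           readme_path_overflows_fixed(SAMPLE_NEWDIR), p ? p : "(alloc failed)");
    free(p);
    return 0;
}
```

For the sample path the name is exactly 80 characters, so the terminating NUL is the one byte that does not fit, which is what the fortified sprintf check in the report aborted on.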
I think, it is better to use ASPrintf. the fix is: --- kdebase-3.4.1/kdm/kfrontend/genkdmconf.c.tn 2005-06-27 13:30:11.000000000 +0200 +++ kdebase-3.4.1/kdm/kfrontend/genkdmconf.c 2005-06-27 13:52:40.000000000 +0200 @@ -2560,7 +2560,7 @@ int i, ap, newer, locals, foreigns; int no_old_xdm = 0, no_old_kde = 0; struct stat st; - char nname[80]; + char *nname; for (ap = 1; ap < argc; ap++) { if (!strcmp( argv[ap], "--help" )) { @@ -2801,7 +2801,7 @@ wrconf( f ); fclose( f ); - sprintf( nname, "%s/README", newdir ); + ASPrintf( &nname, "%s/README", newdir ); f = Create( nname, 0644 ); fprintf( f, "This automatically generated configuration consists of the following files:\n" ); The next kde rebuild (KDE-3.4.2) will include the fix. Many thanks for your report and bugfix.
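Review bot: in the first hunk, `char *nname;` replaces the fixed array with an uninitialised pointer whose storage will now be heap-owned; initialise it to NULL at the declaration so that a free() on any cleanup path is safe even when the later assignment has not run.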
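Review bot: the second hunk neither checks that ASPrintf succeeded nor releases the string: `ASPrintf( &nname, "%s/README", newdir );` is followed directly by `f = Create( nname, 0644 );`, so on allocation failure Create() would be handed an invalid pointer, and on success the allocation is never freed in the visible context. Suggest testing the result (or nname != NULL) before Create() and adding free(nname) once the README has been created.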