Bug 169791 - prozilla: CAN-2005-2961 (remotely exploitable)
prozilla: CAN-2005-2961 (remotely exploitable)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: prozilla (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Dams
Fedora Extras Quality Assurance
http://secunia.com/advisories/17021/
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-03 13:15 EDT by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-20 07:38:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch fixing the reported problems (1.61 KB, patch)
2006-01-05 06:14 EST, Hans de Goede
no flags Details | Diff

  None (edit)
Comment 1 Hans de Goede 2006-01-05 06:00:57 EST
I've backported the fix for this in newer versions of prozilla to 1.3.7.4
(prozilla is not maintained by my, so I  don't want to move to a newer version).

When backporting I noticed that the fix was not correct, it strncpy's up to
out_size bytes and then does out[out_size] = 0; 

Say out_size is 512 then the code does out[512] = 0; iow it writes a 0 to the
513th place of the array. This is a typical of by one error, and a
bufferoverflow (if only for one char).

I'v also checked the other uses of strncpy in ftpsearch.c , the one other piece
of code using strncpy passes the resulting string to strlen before making sure
its 0 terminated (bad).

Last I've cleaned up the code by using sizeof(buf)/sizeof(char) instead of just
sizeof(buf) as sizeof(char) is not always 1.

I've send the fixes to the fix upstream and I'll attach a patch against 1.3.7.4
fixing all this.
Comment 2 Hans de Goede 2006-01-05 06:14:12 EST
Created attachment 122812 [details]
patch fixing the reported problems

Anvil,

I know you're very busy and I have CVS access myself shall I include this patch
bump the release and push through a build?
Comment 3 Hans de Goede 2006-01-14 05:09:32 EST
Repeating myself:

Anvil,

I know you're very busy and I have CVS access myself shall I include THE patch
bump the release and push through a build?

Comment 4 Hans de Goede 2006-01-17 03:40:55 EST
pinggggggggg?
Comment 5 Ville Skyttä 2006-01-17 12:38:02 EST
In my opinion, this bug has been open for (far) more than enough time without
the maintainer replying to it, so I think it's fair to just go ahead if you have
the fix handy.
Comment 6 Hans de Goede 2006-01-17 13:25:43 EST
I'll give it another day or 2 and then push trough the patch.
Comment 7 Hans de Goede 2006-01-20 07:38:47 EST
I've commited my changes / fix and done a sucessfull rebuild for FC-3, 4 and devel.

Note You need to log in before you can comment on or make changes to this bug.