Bug 169791 - prozilla: CAN-2005-2961 (remotely exploitable)
Summary: prozilla: CAN-2005-2961 (remotely exploitable)
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: prozilla
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Dams
QA Contact: Fedora Extras Quality Assurance
URL: http://secunia.com/advisories/17021/
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-10-03 17:15 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-01-20 12:38:47 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
patch fixing the reported problems (1.61 KB, patch)
2006-01-05 11:14 UTC, Hans de Goede
no flags Details | Diff

Comment 1 Hans de Goede 2006-01-05 11:00:57 UTC
I've backported the fix for this in newer versions of prozilla to 1.3.7.4
(prozilla is not maintained by my, so I  don't want to move to a newer version).

When backporting I noticed that the fix was not correct, it strncpy's up to
out_size bytes and then does out[out_size] = 0; 

Say out_size is 512 then the code does out[512] = 0; iow it writes a 0 to the
513th place of the array. This is a typical of by one error, and a
bufferoverflow (if only for one char).

I'v also checked the other uses of strncpy in ftpsearch.c , the one other piece
of code using strncpy passes the resulting string to strlen before making sure
its 0 terminated (bad).

Last I've cleaned up the code by using sizeof(buf)/sizeof(char) instead of just
sizeof(buf) as sizeof(char) is not always 1.

I've send the fixes to the fix upstream and I'll attach a patch against 1.3.7.4
fixing all this.


Comment 2 Hans de Goede 2006-01-05 11:14:12 UTC
Created attachment 122812 [details]
patch fixing the reported problems

Anvil,

I know you're very busy and I have CVS access myself shall I include this patch
bump the release and push through a build?

Comment 3 Hans de Goede 2006-01-14 10:09:32 UTC
Repeating myself:

Anvil,

I know you're very busy and I have CVS access myself shall I include THE patch
bump the release and push through a build?



Comment 4 Hans de Goede 2006-01-17 08:40:55 UTC
pinggggggggg?


Comment 5 Ville Skyttä 2006-01-17 17:38:02 UTC
In my opinion, this bug has been open for (far) more than enough time without
the maintainer replying to it, so I think it's fair to just go ahead if you have
the fix handy.

Comment 6 Hans de Goede 2006-01-17 18:25:43 UTC
I'll give it another day or 2 and then push trough the patch.


Comment 7 Hans de Goede 2006-01-20 12:38:47 UTC
I've commited my changes / fix and done a sucessfull rebuild for FC-3, 4 and devel.



Note You need to log in before you can comment on or make changes to this bug.