This is an email we at <secnotice> received the other day. It appears to be relevant to the version(s) of zoo that are maintained by Fedora Extras: zoo-2.10-2 for FC3 and zoo-2.10-3 for FC4. ----------------------------------------------------------- Date: Wed, 22 Feb 2006 22:54:58 -0500 From: "=?ISO-8859-1?Q?Jean-S=E9bastien_Guay-Leroux?=" <jean-sebastien> To: jean-sebastien Message-id: <43FD3212.8080103> Subject: zoo contains exploitable buffer overflows Topic: zoo contains exploitable buffer overflows Announced: 2006-02-22 Product: zoo Category: Applications/Archiving Impact: Remote code execution Credits: Jean-Sébastien Guay-Leroux I. BACKGROUND zoo is a file archiving utility for maintaining collections of files. It uses Lempel-Ziv compression to provide space savings in the range of 20 to 80 percent depending on the type of data. Written by Rahul Dhesi, and posted to the USENET newsgroup comp.sources.misc. II. PROBLEM DESCRIPTION When feeding zoo a specially crafted archive, an attacker may be able to trigger a stack overflow and seize control of the program. fullpath()/misc.c accepts a pointer to a directory entry and returns the combined directory name and filename. fullpath() calls the function combine()/misc.c, and assume that the length of the string returned is never longer than 256 bytes. In fact, the string returned can be made a little longer than 512 bytes. If the string is in fact longer than 256 bytes, a static variable can be overflowed in the function fullpath()/misc.c . This string is later used in a strcpy() on a destination buffer of 256 bytes on the stack. It is then easy to overwrite EIP and take control of the program. III. PATCH diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c --- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400 +++ zoo-2.10.orig/misc.c 2006-01-29 17:20:35.000000000 -0500 @@ -135,11 +135,16 @@ char *fullpath (direntry) struct direntry *direntry; { - static char result[PATHSIZE]; + static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space combine (result, direntry->dirlen != 0 ? direntry->dirname : "", (direntry->namlen != 0) ? direntry->lfname : direntry->fname ); + + if (strlen (result) >= PATHSIZE) { + prterror ('f', "Combined dirname and filename too long\n"); + } + return (result); } IV. CREDITS Bug found by Jean-Sébastien Guay-Leroux To contact me, visit http://www.guay-leroux.com/
Since the patch does not seem dangerous I'll err on the side of caution and apply it even though I'd rather have a confirmation by a security team I trust. If a better patch emerges or the alert proves a dud please ping me
I usually won't be doing FC-3 updates at this time but since the alert come through legacy I'll do everyone a flower and update it toot
Packages have been pushed to FC-3, FC-4 & devel Not closing the boog till the problem & patch are confirmed
Seems like a real issue and sane fix to me. Except for the prt error, but still returning the buffer, that doesnot seem so good.
*** Bug 183426 has been marked as a duplicate of this bug. ***