Bug 183109 - zoo contains exploitable buffer overflows
zoo contains exploitable buffer overflows
Product: Fedora
Classification: Fedora
Component: zoo (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nicolas Mailhot
Fedora Extras Quality Assurance
: Security
Depends On:
  Show dependency treegraph
Reported: 2006-02-26 07:16 EST by David Eisenstein
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-03-04 08:41:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Eisenstein 2006-02-26 07:16:15 EST
This is an email we at <secnotice@fedoralegacy.org> received the other day.

It appears to be relevant to the version(s) of zoo that are maintained
by Fedora Extras: zoo-2.10-2 for FC3 and zoo-2.10-3 for FC4.

Date: Wed, 22 Feb 2006 22:54:58 -0500
From: "=?ISO-8859-1?Q?Jean-S=E9bastien_Guay-Leroux?="
To: jean-sebastien@guay-leroux.com
Message-id: <43FD3212.8080103@guay-leroux.com>
Subject: zoo contains exploitable buffer overflows

Topic: zoo contains exploitable buffer overflows

Announced:      2006-02-22
Product:        zoo
Category:       Applications/Archiving
Impact:         Remote code execution
Credits:        Jean-Sébastien Guay-Leroux


zoo is a file archiving utility for maintaining collections of files.
It uses Lempel-Ziv compression to provide space savings in the
range of 20 to 80 percent depending on the type of data. Written by
Rahul Dhesi, and posted to the USENET newsgroup comp.sources.misc.


When feeding zoo a specially crafted archive, an attacker may be able
to trigger a stack overflow and seize control of the program.

fullpath()/misc.c accepts a pointer to a directory entry and returns the
combined directory name and filename.  fullpath() calls the function
combine()/misc.c, and assume that the length of the string returned is never
longer than 256 bytes.  In fact, the string returned can be made a little
longer than 512 bytes.

If the string is in fact longer than 256 bytes, a static variable can be
overflowed in the function fullpath()/misc.c .  This string is later used
in a strcpy() on a destination buffer of 256 bytes on the stack.

It is then easy to overwrite EIP and take control of the program.


diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c
--- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400
+++ zoo-2.10.orig/misc.c        2006-01-29 17:20:35.000000000 -0500
@@ -135,11 +135,16 @@
 char *fullpath (direntry)
 struct direntry *direntry;
-       static char result[PATHSIZE];
+       static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space
        combine (result,
                                direntry->dirlen != 0 ? 
direntry->dirname : "",
                                (direntry->namlen != 0) ? direntry->lfname :
+       if (strlen (result) >= PATHSIZE) {
+               prterror ('f', "Combined dirname and filename too long\n");
+       }
        return (result);


Bug found by Jean-Sébastien Guay-Leroux

To contact me, visit http://www.guay-leroux.com/
Comment 1 Nicolas Mailhot 2006-02-26 17:15:08 EST
Since the patch does not seem dangerous I'll err on the side of caution and
apply it even though I'd rather have a confirmation by a security team I trust.

If a better patch emerges or the alert proves a dud please ping me
Comment 2 Nicolas Mailhot 2006-02-26 17:38:25 EST
I usually won't be doing FC-3 updates at this time but since the alert come
through legacy I'll do everyone a flower and update it toot
Comment 3 Nicolas Mailhot 2006-02-26 17:55:15 EST
Packages have been pushed to FC-3, FC-4 & devel
Not closing the boog till the problem & patch are confirmed
Comment 4 Hans de Goede 2006-02-27 02:48:16 EST
Seems like a real issue and sane fix to me. Except for the prt error, but still
returning the buffer, that doesnot seem so good.
Comment 5 Nicolas Mailhot 2006-02-28 18:56:00 EST
*** Bug 183426 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.