Bug 190822 - cfengine 2.1.20 buffer overflow when using ipv6
Summary: cfengine 2.1.20 buffer overflow when using ipv6
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: cfengine
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Jeff Sheltren
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-05-05 15:10 UTC by Martin Wyser
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2007-03-14 21:17:44 UTC


Attachments (Terms of Use)
patch (changes to file item.c only) to rebuild the rpm (849 bytes, patch)
2006-05-05 15:10 UTC, Martin Wyser
no flags Details | Diff

Description Martin Wyser 2006-05-05 15:10:34 UTC
Description of problem: cfengine 2.1.20 has a buffer overflow problem related to
IP V6 interfaces and certain constructs in the configuration files of cfengine
itself.  The problem gets detected by the stack-protector feature of gcc 4.1.
Details below, have reported problem, it is fixed upstream.


Version-Release number of selected component (if applicable): 2.1.20-1.fc5


How reproducible:


Steps to Reproduce:
1. Install cfengine.
2. Into /var/cfengine/inputs/cfagent.conf, put a classes: x = (
IPRange(10.0.0.1-3) )
3. Make sure you machine has an IPv6 interface
4. cfagent --no-splay -v
  
Actual results: Stack smashing detected: cfagent terminated

Expected results: Complete run of cfengine


Additional info: The bug is a buffer overflow problem, where a (long) IPv6
address does not fit into a buffer set to be too small.  The problem was fixed
by Mark Burgess with revision 240 of file item.c.  The isolated diff to revision
207 of item.c is attached as a patch, I have rebuilt the package, installed and
verified successfully.
The patch contains only changes to item.c between revisions 207 and 240.
The problem is somewhat urgent as cfengine in a non-trivial setup will not run.
For my upstream bug report, see
http://cfengine.org/pipermail/bug-cfengine/2006-April/000011.html

Comment 1 Martin Wyser 2006-05-05 15:10:35 UTC
Created attachment 128658 [details]
patch (changes to file item.c only) to rebuild the rpm

Comment 2 Jeff Sheltren 2006-05-05 15:20:25 UTC
Martin, thanks for the patch.  I will work on updated packages shortly.

Comment 3 Jeff Sheltren 2007-03-14 21:17:44 UTC
Sorry - I never closed this when I pushed out the updated packages.  This was
fixed in 2.1.20-3.


Note You need to log in before you can comment on or make changes to this bug.