Bug 19351
| Summary: | MANSECT and -S overflow | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Tim <tim_r> |
| Component: | man | Assignee: | Bernhard Rosenkraenzer <bero> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Aaron Brown <abrown> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | dr |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2000-10-19 12:05:21 UTC | Type: | --- |
Looking into it

Ok, fixed in 1.5h1-14, passing it on to QA.
From my post to the mailing list security-audit:

...I found another more interesting bug in the way the MANSECT environment variable and the -S command line option are parsed. get_section_list() is called on the contents of both of these variables to split the ':'-separated lists into arrays. The array that the split off pieces are put in is defined as:

    static char *tmp_section_list[100];

The check that tries to stop get_section_list() writing past the 100th element is flawed:

    if (end == NULL || i+1 == sizeof(tmp_section_list))

On my system, sizeof(tmp_section_list) is 400; 100 4-byte pointers. Clearly, the test expression should be something like this:

    sizeof(tmp_section_list)/sizeof(tmp_section_list[0])

I haven't had much time to play with it, but I know that by supplying more than 100 ':'-separated items, _something_ gets clobbered and strange things happen, e.g. invoking apropos and whatis when I didn't ask for them. I'm not an exploit writer, so I'm not sure how exploitable the bug is, but it looks like there would be a way if you could make use of the return values of strdup().
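The bounds check described in the report, as an added example that is not part of the original post and is not man's own code: a splitter using the quoted comparison is run once with the byte count and once with the element count as its limit. `split_sections`, `stray_writes` and the oversized `backing` store are hypothetical names introduced so the miscount can be measured without writing out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 100   /* capacity in elements, as in the report */
static char *tmp_section_list[SLOTS];   /* declaration quoted in the report */
/* Demo store (assumption): one element per *byte* of the real array, so the
 * flawed limit can be exercised without corrupting memory. */
static const char *backing[sizeof(tmp_section_list)];

/* Split a ':'-separated list, stopping when i+1 == limit as in the quoted
 * check. Returns the slots written, NULL terminator included. */
static size_t split_sections(const char *list, size_t limit)
{
    size_t i = 0;
    for (;;) {
        const char *end = strchr(list, ':');
        backing[i++] = list;            /* start of the current item */
        if (end == NULL || i + 1 == limit) break;
        list = end + 1;
    }
    backing[i++] = NULL;
    return i;
}

/* Slots written beyond the 100 the real array owns, for n ':'-separated items. */
static size_t stray_writes(size_t n, size_t limit)
{
    char *list = malloc(2 * n);
    if (list == NULL || n == 0) { free(list); return 0; }
    for (size_t k = 0; k < n; k++) { list[2*k] = '1'; list[2*k + 1] = ':'; }
    list[2*n - 1] = '\0';               /* constructed input: "1:1:...:1" */
    size_t used = split_sections(list, limit);
    free(list);
    return used > SLOTS ? used - SLOTS : 0;
}

int main(void)
{
    size_t bytes = sizeof(tmp_section_list);
    size_t elems = sizeof(tmp_section_list) / sizeof(tmp_section_list[0]);
    printf("limit=%zu (bytes):    %zu stray slots\n", bytes, stray_writes(1000, bytes));
    printf("limit=%zu (elements): %zu stray slots\n", elems, stray_writes(1000, elems));
    return 0;
}
```

With 4-byte pointers, as on the reporter's system, the byte-count limit admits 300 slots past the end of the array; with 8-byte pointers it admits 700.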