Bug 210304

This also affects FC3.


+++ This bug was initially created as a clone of Bug #203645 +++

Will Drewry of the Google Security Team discovered several minor buffer overflow
flaws in cscope.  His advisory is below:


cscope Multiple Vulnerabilities
-------------------------------


Summary
-------

Multiple vulnerabilities have been discovered in cscope that allow
for the execution of arbitrary code.


Background
----------

>From cscope.sourceforge.net:
 cscope is a developer's tool for browsing source code. It has an impeccable
 Unix pedigree, having been originally developed at Bell Labs back in the days
 of the PDP-11. Cscope was part of the official AT&T Unix distribution for
 many years, and has been used to manage projects involving 20 million lines
 of code!


Impact
------

A successful exploit would resulting the execution of arbitrary code
immediately after executing cscope.  In some environments, cscope may be
executed automatically on start up of the user's text editor or IDE.


Workaround
----------

When using cscope,
- ensure that there are no unexpected `cscope.files'.
- ensure that any source trees do not have full paths that exceed 250
  characters or look particularly out of place.
- ensure that any source trees do not have directory or file names
  with embedded newline or `$' characters.


Discussion
----------

Multiple exploitable stack buffer overflows have been found in cscope due to
the unchecked use of strcpy() and *scanf():

* Use of fscanf() and sscanf() without enforced field maximum widths during
  file list parsing

This results in an exploitable condition which may be triggered in a number of
ways:
- specially crafted cscope.files may be placed in a shared working directory
- specially crafted directory and file names in a source tree, or archive.

In the first case, an attacker may leave a `cscope.files' file in a directory
where the victim is likely to run cscope.  This is particularly dangerous
because some text editors will automatically execute it cscope on start-up.

In the second case, an attacker may modify a shared source tree or supply a
prepackaged source archive with specially crafted file and directory names. The
victim would then need to run cscope over a list of this source tree's files.
If the resulting list contained any specially crafted paths, and it would
resultin an overflow condition. As with the first case, some editors will
automatically generate this file list and execute cscope on it. This would
result in the attack occurring in the background, unbeknownst to the victim.

In both cases, the resulting file list will have a path to a file that exceeds
250 characters. E.g.,

  $ bash -c 'D=$(ruby -e "print \"A\" * 255;"); for i in $(seq 1 15); do
             mkdir $D; cd $D; touch A; done;'
  $ find ./ -type f > cscope.files
  $ cscope


* Multiple unchecked uses of strcpy() during path variable expansion

cscope allows users to specify limited arguments in addition to files in the
`cscope.files' file list. When using the `-I' option, the subsequent paths will
have variable expansion performed prior to use.  The '~' character is
expanded to the caller's `HOME' environment variable, and any occurrence of the
`$' character followed by a string will be expanded to the value of that
particular environment variable. e.g., "-I $SHELL" may become "-I /bin/bash".
These cases result in two separate crash conditions due to the unchecked
use of strcpy().

Tilde expansion may result in a stack buffer overflow if and only if the
victim's `HOME' environment variable is changed to exceed the maximum allocated
space for expansion:

  $ export HOME=$(ruby -e "print 'A'*2048")
  $ echo "-I~/foo.c" > cscope.files
  $ cscope


However, general environment variable expansion is much more dangerous.  This
attack allows a similar attack to the *scanf() attacks which can be triggered
using similar mechanisms.  A specially crafted file list will result in the
execution of arbitrary code.  The difference is that maximum field width
checking does not mitigate this attack. The specially crafted directory and
file names may contain environment variable references which expand to much
longer strings than the environment variable's name.

Because of this, more knowledge of the victim's environment is required in
order to create an effective exploit.   However, some assumptions can be made
about common environment variables, such as `SHELL' and `LS_COLORS', that
make this attack viable.

  # This directory may exist in a given source tree:
  $ mkdir '^J-I$LS_COLORS'
  $ touch '^J-I$LS_COLORS/payload_here'

  # The end user may run this to build a filelist
  $ find ./ -type -f > cscope.files
  $ cscope

(Note, ^J represents the key combination "Ctrl+j".)


* Unchecked use of strcpy() during command line argument parsing

This results in a command line based overflow attack.  The impact of this
attack is minimal given that cscope is not normally run setuid, and the
attacker would need to have some control over the call to cscope. The overflow
occurs when cscope strcpy()s the `reffile` argument value over the statically
allocated stack buffer for `reffile'.

  $ cscope -f `ruby -e 'print "A"*500'`

-- Additional comment from bressers on 2006-08-22 16:21 EST --
The patches (from upstream can be found here:
http://sourceforge.net/mailarchive/forum.php?thread_id=30266760&forum_id=33500
http://sourceforge.net/mailarchive/forum.php?thread_id=30266761&forum_id=33500