Bug 2221437 - alternatives --altdir ALTERNATEPATH causes "buffer overflow detected" and fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: chkconfig
Version: 38
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukáš Nykrýn
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-09 01:30 UTC by Martin
Modified: 2023-08-05 01:38 UTC (History)

Fixed In Version: chkconfig-1.25-1.fc38
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-05 01:38:19 UTC
Type: ---
Embargoed:


Description Martin 2023-07-09 01:30:31 UTC
alternatives with command-line option --altdir SOMEPATH causes buffer overflow detected and fails.

Reproducible: Always

Steps to Reproduce:
1. umask 22; mkdir /etc/alternatives/opt/app2
2. alternatives --altdir /etc/alternatives/opt/app2 --list
Actual Results:  
*** buffer overflow detected ***: terminated
Aborted (core dumped)


Expected Results:  
Show list of commands with symlink to alternative paths

gdb alternatives
gdb> set args --altdir /etc/alternatives/opt/app2 --list
gdb> run
gdb> bt

#0  0x00007ffff7e32844 in __pthread_kill_implementation ()
   from /lib64/libc.so.6
#1  0x00007ffff7de1abe in raise () from /lib64/libc.so.6
#2  0x00007ffff7dca87f in abort () from /lib64/libc.so.6
#3  0x00007ffff7dcb60f in __libc_message.cold () from /lib64/libc.so.6
#4  0x00007ffff7ec6979 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff7ec51b4 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff7dfa222 in __printf_buffer_flush () from /lib64/libc.so.6
#7  0x00007ffff7dfa689 in __printf_buffer_write () from /lib64/libc.so.6
#8  0x00007ffff7e029e8 in __printf_buffer () from /lib64/libc.so.6
#9  0x00007ffff7e1dd22 in __vsprintf_internal () from /lib64/libc.so.6
#10 0x00007ffff7ec4c7f in __sprintf_chk () from /lib64/libc.so.6
#11 0x0000555555558a64 in readConfig ()
#12 0x00005555555571da in main ()

Looking at the source, alternatives.c function readConfig(), the 2nd call sprintf(path,..) seems to be the problem: the first call had allocated path with a specific length, and the second sprintf(path,..) may not fit the new string.
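
The pattern the description points at (a buffer sized for one path, then reused by a later sprintf for a longer one), as an added example that is not chkconfig's code and not the fix from the pull request linked in this bug. The function names, the /var/lib/alternatives directory and the "java" name are constructed for illustration; only the --altdir path comes from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern described in the report (comment only, not compiled):
 *   path = <allocate strlen(dir_a) + strlen(name) + 2 bytes>;
 *   sprintf(path, "%s/%s", dir_a, name);   fits: sized for dir_a
 *   sprintf(path, "%s/%s", dir_b, name);   overflows if dir_b is longer */

/* Returns 1 if a buffer sized for first/name cannot hold second/name. */
int reuse_would_overflow(const char *first, const char *second, const char *name)
{
    size_t cap = strlen(first) + strlen(name) + 2;
    int need = snprintf(NULL, 0, "%s/%s", second, name);
    return need < 0 || (size_t)need + 1 > cap;
}

/* Hardened form: measure first, grow the heap buffer if needed, then write
 * with an explicit bound. Returns 0 on success, -1 on failure. */
int join_path(char **buf, size_t *cap, const char *dir, const char *name)
{
    int need = snprintf(NULL, 0, "%s/%s", dir, name);
    if (need < 0)
        return -1;
    if ((size_t)need + 1 > *cap) {
        char *tmp = realloc(*buf, (size_t)need + 1);
        if (tmp == NULL)
            return -1;
        *buf = tmp;
        *cap = (size_t)need + 1;
    }
    return snprintf(*buf, *cap, "%s/%s", dir, name) == need ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values; only the --altdir path is from the report. */
    const char *state = "/var/lib/alternatives", *name = "java";
    const char *alt = "/etc/alternatives/opt/app2";
    char *path = NULL;
    size_t cap = 0;
    printf("reuse overflows: %d\n", reuse_would_overflow(state, alt, name));
    if (join_path(&path, &cap, state, name) == 0)
        printf("%s (cap %zu)\n", path, cap);
    if (join_path(&path, &cap, alt, name) == 0)
        printf("%s (cap %zu)\n", path, cap);
    free(path);
    return 0;
}
```
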

Comment 1 Lukáš Nykrýn 2023-07-24 14:12:15 UTC
Thanks for the report!

https://github.com/fedora-sysv/chkconfig/pull/112

It seems that this issue existed for such a long time, that now it can legally drink alcohol in the US.

Comment 2 Fedora Update System 2023-08-02 12:11:23 UTC
FEDORA-2023-a974677a2a has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a974677a2a

Comment 3 Fedora Update System 2023-08-03 01:21:36 UTC
FEDORA-2023-a974677a2a has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a974677a2a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a974677a2a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-08-05 01:38:19 UTC
FEDORA-2023-a974677a2a has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
