Bug 226979 - Buffer overflow in bzip2's bzip2recover
Summary: Buffer overflow in bzip2's bzip2recover
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: bzip2   
(Show other bugs)
Version: 6
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: Ben Levenson
URL:
Whiteboard: impact=none
Keywords: Reopened
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-02-02 13:39 UTC by Lubomir Kundrak
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-06 15:00:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Lubomir Kundrak 2007-02-02 13:39:31 UTC
Description of problem:

bzip2-1.0.3/bzip2recover.c copies argv[0] to a statically sized buffer
progName which is declared as:

 92 #define BZ_MAX_FILENAME 2000
 93
 94 Char inFileName[BZ_MAX_FILENAME];
 95 Char outFileName[BZ_MAX_FILENAME];
 96 Char progName[BZ_MAX_FILENAME];

here, in main():

344    strcpy ( progName, argv[0] );

If we trick argv[0] into being more than 2000 characters long, we can
overwrite arbitrary locations in heap following the progName[] buffer.
If compiler put buffers that store file names after this location,
the exploitation of the flaw could lead to arbitrary file overwrite,
however this does not happen.

Version-Release number of selected component (if applicable):

At least FC-6 and RHEL-5 bzip2recover. Seems like the code originates from
mid-90's, so it likely affects other releases.

How reproducible:

Allways.

Steps to Reproduce:

$ DIR=$(perl -e 'print ((("x" x 200)."/") x 20)')
$ mkdir -p $DIR
$ ln -s $(which bzip2recover) $DIR
$ $DIR/bzip2recover
*** buffer overflow detected ***
  
Actual results:

In releases with FORTIFY_SOURCE, glibc catches the bug.
In other cases a random corruption on heap occurs, possibly causing
the program to receive a SIGSEGV signal.

Additional info:

This has no security implications, as is would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.

Comment 1 Ivana Varekova 2007-02-05 11:31:31 UTC
Fixed in bzip2-1.0.4-2.fc7 (bzip2-1.0.3-4.fc6  in fc6 branch).

Comment 3 Ivana Varekova 2007-02-06 14:59:22 UTC
Fixed in bzip2-1.0.4-3.fc7 (bzip2-1.0.3-6.fc6  in fc6 branch).




Note You need to log in before you can comment on or make changes to this bug.