Red Hat Bugzilla – Bug 226979
Buffer overflow in bzip2's bzip2recover
Last modified: 2007-11-30 17:11:56 EST
Description of problem:
bzip2-1.0.3/bzip2recover.c copies argv to a statically sized buffer
progName which is declared as:
92 #define BZ_MAX_FILENAME 2000
94 Char inFileName[BZ_MAX_FILENAME];
95 Char outFileName[BZ_MAX_FILENAME];
96 Char progName[BZ_MAX_FILENAME];
here, in main():
344 strcpy ( progName, argv );
If we trick argv into being more than 2000 characters long, we can
overwrite arbitrary locations in heap following the progName buffer.
If compiler put buffers that store file names after this location,
the exploitation of the flaw could lead to arbitrary file overwrite,
however this does not happen.
Version-Release number of selected component (if applicable):
At least FC-6 and RHEL-5 bzip2recover. Seems like the code originates from
mid-90's, so it likely affects other releases.
Steps to Reproduce:
$ DIR=$(perl -e 'print ((("x" x 200)."/") x 20)')
$ mkdir -p $DIR
$ ln -s $(which bzip2recover) $DIR
*** buffer overflow detected ***
In releases with FORTIFY_SOURCE, glibc catches the bug.
In other cases a random corruption on heap occurs, possibly causing
the program to receive a SIGSEGV signal.
This has no security implications, as is would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.
Fixed in bzip2-1.0.4-2.fc7 (bzip2-1.0.3-4.fc6 in fc6 branch).
Fixed in bzip2-1.0.4-3.fc7 (bzip2-1.0.3-6.fc6 in fc6 branch).