Bug 226979 - Buffer overflow in bzip2's bzip2recover
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bzip2
Version: 6
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Ivana Varekova
QA Contact: Ben Levenson
Whiteboard: impact=none
Keywords: Reopened
Reported: 2007-02-02 08:39 EST by Lubomir Kundrak
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-06 10:00:03 EST
Attachments: None

Description Lubomir Kundrak 2007-02-02 08:39:31 EST
Description of problem:

bzip2-1.0.3/bzip2recover.c copies argv[0] to a statically sized buffer
progName which is declared as:

 92 #define BZ_MAX_FILENAME 2000
 93
 94 Char inFileName[BZ_MAX_FILENAME];
 95 Char outFileName[BZ_MAX_FILENAME];
 96 Char progName[BZ_MAX_FILENAME];

here, in main():

344    strcpy ( progName, argv[0] );

If we trick argv[0] into being more than 2000 characters long, we can
overwrite arbitrary locations in the heap following the progName[] buffer.
If the compiler put buffers that store file names after this location,
the exploitation of the flaw could lead to arbitrary file overwrite;
however, this does not happen.

Version-Release number of selected component (if applicable):

At least FC-6 and RHEL-5 bzip2recover. Seems like the code originates from
the mid-'90s, so it likely affects other releases.

How reproducible:

Always.

Steps to Reproduce:

$ DIR=$(perl -e 'print ((("x" x 200)."/") x 20)')
$ mkdir -p $DIR
$ ln -s $(which bzip2recover) $DIR
$ $DIR/bzip2recover
*** buffer overflow detected ***
  
Actual results:

In releases with FORTIFY_SOURCE, glibc catches the bug.
In other cases a random corruption on the heap occurs, possibly causing
the program to receive a SIGSEGV signal.

Additional info:

This has no security implications, as it would need a victim to
voluntarily interact with the attack mechanism, and all he would get
would be to execute commands as himself.
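As an added defensive illustration (my own code, not the reporter's and not bzip2's actual fix), a bounded replacement for the `strcpy ( progName, argv[0] )` at line 344, checked against a normal name, the 1999/2000-character boundary, and an argv[0] of the same shape as the reproduction above; the helper names are assumed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BZ_MAX_FILENAME 2000   /* same limit as bzip2recover.c */

static char progName[BZ_MAX_FILENAME];   /* file-scope, as in the original */

/* Hardened replacement for `strcpy(progName, argv[0])`: copy src into
 * dst only if it fits, terminator included. Returns 1 on success,
 * 0 if the name is too long (dst is then left untouched). */
int copy_prog_name(const char *src, char *dst, size_t dstsz)
{
    /* Bounded scan: look for the NUL within dstsz bytes only; never read further */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return 0;                    /* no NUL within dstsz: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 1;
}

/* Boundary probe: does a name of `len` characters fit into progName?
 * Returns copy_prog_name's 1/0, or -1 if len exceeds the probe buffer. */
int name_of_length_fits(size_t len)
{
    static char name[BZ_MAX_FILENAME + 16];
    if (len >= sizeof name)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return copy_prog_name(name, progName, sizeof progName);
}

/* Same shape as the report's argv[0]: 20 components of 200 'x' plus '/',
 * then the binary name (4032 characters), constructed in memory, no filesystem. */
int oversized_argv0_is_rejected(void)
{
    static char longName[20 * 201 + sizeof "bzip2recover"];
    char *p = longName;
    for (int i = 0; i < 20; i++) { memset(p, 'x', 200); p += 200; *p++ = '/'; }
    strcpy(p, "bzip2recover");       /* fits: buffer sized for exactly this */
    return copy_prog_name(longName, progName, sizeof progName) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 0 ? argv[0] : "bzip2recover";
    if (!copy_prog_name(name, progName, sizeof progName)) { fputs("bzip2recover: program name too long\n", stderr); return 1; }
    printf("progName = %s\n", progName);
    return 0;
}
```

With FORTIFY_SOURCE the original strcpy only aborts after the fact; the length check above refuses the name before any byte is written.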
Comment 1 Ivana Varekova 2007-02-05 06:31:31 EST
Fixed in bzip2-1.0.4-2.fc7 (bzip2-1.0.3-4.fc6 in fc6 branch).
Comment 3 Ivana Varekova 2007-02-06 09:59:22 EST
Fixed in bzip2-1.0.4-3.fc7 (bzip2-1.0.3-6.fc6 in fc6 branch).