Description of problem: The ChangeLog states this: 2007-02-08 17:30 Christos Zoulas <christos> * fix integer underflow in file_printf which can lead to to exploitable heap overflow (Jean-Sebastien Guay-Lero) Christos clarifies further: The crux of the problem is here: - if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) { - file_oomem(ms, len + 1024); + size = (ms->o.size - ms->o.left) + len + 1024; + if ((buf = realloc(ms->o.buf, size)) == NULL) { Instead of allocating len + 1024 bytes on top of the previous size, before the fix we allocated just len + 1024 bytes. So if the buffer was let's say 4K, and we printed a string of len < 3K in this pass, then we effectively decreased the size of the string instead of growing it because of the realloc(). christos Version-Release number of selected component (if applicable): file-3.* is not affected. RHEL-3, RHEL-4, RHEL-5, FC-5, FC-6 How reproducible: No reproducer available.
The upstream patch can be found here: http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/dist/file/src/funcs.c.diff?r1=1.1.1.10&r2=1.1.1.11&f=h
Created attachment 150541 [details] Patch supplied from Ubuntu I've not looked to see the differences from the upstream commit. It's possible this is a more complete patch.
I was wrong stating that RHEL-3 isaffected. It ships -3 version.
Note from Steven Christey from Mitre: "The original vendor disclosure credited "Jean-Sebastien Guay-Lero," and this cascaded everywhere. But it's most likely "Jean-Sebastien Guay-Leroux," who's reported a few issues in the past."
This issue should be fixed in file-4.10-3. The fix is based on ubuntu patch.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0124.html