Bug 241022 (CVE-2007-2799) - CVE-2007-2799 file integer overflow
Summary: CVE-2007-2799 file integer overflow
Status: CLOSED ERRATA
Alias: CVE-2007-2799
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,source=vendorsec,repo...
Keywords:
Depends On: 241026 241027 241034
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-05-23 18:18 UTC by Josh Bressers
Modified: 2019-06-08 12:20 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2008-01-14 16:52:45 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0391 normal SHIPPED_LIVE Moderate: file security update 2008-01-07 21:45:02 UTC

Description Josh Bressers 2007-05-23 18:18:57 UTC
Colin Percival discovered that the fix for CVE-2007-1536 created an integer
overflow flaw in file.  This new flaw has been assigned CVE-2007-2799.

Here is the information from Colin:

+       len = ms->o.size - ms->o.left;
+       /* * 4 is for octal representation, + 1 is for NUL */
+       psize = len * 4 + 1;
+       assert(psize > len);

On a 32-bit system, if len is 1.35GB, len * 4 + 1 = 5.4GB == 1.4GB, so
the assert will pass.  The buffer will then be overflowed (by as much
as the attacker wants, although of course he'll run into unwriteable
addresses eventually).  This looks pretty exploitable...

I think the right solution is to apply
-       assert(psize > len);
+       if (len > (SIZE_T_MAX - 1) / 4) {
+               file_oomem(ms);
+               return NULL;
+       }
and add
#include <limits.h> to the top (in place of the #include <assert.h> which
the earlier patch adds).

Comment 1 Josh Bressers 2007-05-23 18:59:10 UTC
Martin,

Can you ensure this fix makes it upstream?  They have not been told of this yet.

Comment 2 Martin Bacovsky 2007-05-24 15:21:55 UTC
Upstream was notified.

Comment 5 Martin Bacovsky 2007-05-25 16:45:03 UTC
RHEL 4.5.z and 5.0.z packages are built, rpmdiff tests are in progress. Upstream
released file-4.21, to which I probably update in fc6, fc7 and devel.

Comment 8 Red Hat Product Security 2008-01-14 16:52:45 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0391.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0836




Note You need to log in before you can comment on or make changes to this bug.