Bug 241022 - (CVE-2007-2799) CVE-2007-2799 file integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,source=vendorsec,repo...
Depends On: 241026 241027 241034
Reported: 2007-05-23 14:18 EDT by Josh Bressers
Modified: 2016-03-04 06:09 EST
Doc Type: Bug Fix
Last Closed: 2008-01-14 11:52:45 EST
Description Josh Bressers 2007-05-23 14:18:57 EDT
Colin Percival discovered that the fix for CVE-2007-1536 created an integer
overflow flaw in file.  This new flaw has been assigned CVE-2007-2799.

Here is the information from Colin:

+       len = ms->o.size - ms->o.left;
+       /* * 4 is for octal representation, + 1 is for NUL */
+       psize = len * 4 + 1;
+       assert(psize > len);
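Review bot: the assert(psize > len) on the last line does not catch wraparound in psize = len * 4 + 1, because a wrapped result can still be larger than len, and assert() is compiled out entirely when NDEBUG is defined. Bound len before the multiplication and fail through the normal error path instead, for example by rejecting any len greater than the maximum size value minus 1, divided by 4.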

On a 32-bit system, if len is 1.35GB, len * 4 + 1 = 5.4GB == 1.4GB, so
the assert will pass.  The buffer will then be overflowed (by as much
as the attacker wants, although of course he'll run into unwriteable
addresses eventually).  This looks pretty exploitable...

I think the right solution is to apply
-       assert(psize > len);
+       if (len > (SIZE_T_MAX - 1) / 4) {
+               file_oomem(ms);
+               return NULL;
+       }
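Review bot: SIZE_T_MAX in the new condition is not an ISO C macro; it is a BSD extension, and C99 spells the limit SIZE_MAX in <stdint.h>. Confirm that <limits.h> defines it on every target libc, or add a guarded fallback such as #ifndef SIZE_T_MAX / #define SIZE_T_MAX ((size_t)~0) / #endif, otherwise the build breaks on platforms that lack it.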
and add
#include <limits.h> to the top (in place of the #include <assert.h> which
the earlier patch adds).
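
The arithmetic described above, as an added example that is not part of the original report or of file's source: uint32_t stands in for a 32-bit size_t so the wrap reproduces on any host, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: uint32_t models a 32-bit size_t. Names are hypothetical. */

/* psize as the quoted patch computes it, with 32-bit wraparound. */
static uint32_t wrapped_psize(uint32_t len)
{
    return (uint32_t)(len * 4u + 1u);
}

/* The condition tested by assert(psize > len). */
static int old_check_passes(uint32_t len)
{
    return wrapped_psize(len) > len;
}

/* The condition from the proposed fix: reject before multiplying. */
static int guard_rejects(uint32_t len)
{
    return len > (UINT32_MAX - 1u) / 4u;
}

/* 1 when len * 4 + 1 does not fit in 32 bits yet the old check passes. */
static int old_check_misses(uint32_t len)
{
    uint64_t exact = (uint64_t)len * 4u + 1u;
    return exact > UINT32_MAX && old_check_passes(len);
}

int main(void)
{
    /* Constructed lengths: largest safe value, first wrap, the boundary
     * where the old check starts passing again, and about 1.35 GiB. */
    const uint32_t samples[] = { 1073741823u, 1073741824u, 1431655765u,
                                 1431655766u, 1449551462u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len = samples[i];
        printf("len=%10u psize=%10u old_check=%d guard_rejects=%d missed=%d\n",
               (unsigned)len, (unsigned)wrapped_psize(len),
               old_check_passes(len), guard_rejects(len),
               old_check_misses(len));
    }
    return 0;
}
```

The old check does catch the first wrap at len = 1073741824, but it passes again from len = 1431655766 upward, which is the range the 1.35GB case falls in; the division-based guard rejects every wrapping length.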
Comment 1 Josh Bressers 2007-05-23 14:59:10 EDT
Martin,

Can you ensure this fix makes it upstream?  They have not been told of this yet.
Comment 2 Martin Bacovsky 2007-05-24 11:21:55 EDT
Upstream was notified.
Comment 5 Martin Bacovsky 2007-05-25 12:45:03 EDT
RHEL 4.5.z and 5.0.z packages are built, rpmdiff tests are in progress. Upstream
released file-4.21, to which I will probably update in fc6, fc7 and devel.
Comment 8 Red Hat Product Security 2008-01-14 11:52:45 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0391.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0836

