Bug 249884 - CVE-2007-0235 Stack overflow libgtop when pathname of mmap()-ed file is too long
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: libgtop2
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Søren Sandmann Pedersen
Keywords: Security
Reported: 2007-07-27 12:47 EDT by Lubomir Kundrak
Modified: 2014-06-18 05:09 EDT (History)

Fixed In Version: RHSA-2007-0765
Doc Type: Bug Fix
Last Closed: 2007-08-07 15:24:04 EDT

Attachments: None
Description Lubomir Kundrak 2007-07-27 12:47:41 EDT
+++ This bug was initially created as a clone of Bug #222637 +++

Description of problem:

A stack-based buffer overflow occurs when gnome-system-monitor is launched
while a process that has a file with a too-long filename mapped in its address
space (visible via /proc/$PID/maps) is running, and it could potentially lead
to arbitrary code execution (mitigated by SSP).

Version-Release number of selected component (if applicable):

At least FC6 and RHEL5 libgtop2.

How reproducible:


Steps to Reproduce:

# Create a file with a too-long pathname. Some filesystems limit filenames
# to 255 characters, so use a deep directory hierarchy instead.
export dir=$(perl -e "print 's/'x1000;")
mkdir -p "$dir"

# Copy a binary image that will get mapped upon execution there and run it.
# sleep will harmlessly run for some time...
cp /bin/sleep "$dir"
"$dir/sleep" 100 &

# Run system monitor while the program is running
gnome-system-monitor

Actual results:

*** stack smashing detected ***: gnome-system-monitor terminated

Expected results:

Gnome-system-monitor should help us on our way to salvation,
eternal and everlasting love and peace.

Additional info:

Patch from upstream is available, see the upstream BTS:

-- Additional comment from lkundrak@redhat.com on 2007-01-15 08:30 EST --
Created an attachment (id=145571)
Patch for Gnome bug #396477 libgtop buffer overflow

-- Additional comment from bressers@redhat.com on 2007-01-25 14:19 EST --
This flaw also affects FC5
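Added illustration of the bug class described above; this is not libgtop's code and is not part of the report. It is a small C parser for /proc/PID/maps lines showing the unbounded "%s" copy into a fixed-size stack buffer next to a bounded version that truncates and flags an over-long pathname instead of overrunning anything. The buffer size (256), the struct layout, the function names and the sample lines are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative size only; libgtop's real buffer sizes and structure
 * layout are not reproduced here. */
#define MAPS_FILENAME_MAX 256

struct map_entry {
    unsigned long start, end;          /* address range */
    char perms[5];                     /* e.g. "r-xp" */
    unsigned long offset;              /* file offset */
    unsigned int dev_major, dev_minor; /* "fd:00" */
    unsigned long inode;
    char filename[MAPS_FILENAME_MAX];
    int truncated;                     /* set when the pathname did not fit */
};

/* Vulnerable pattern (for contrast only; never use on untrusted input):
 * "%s" has no width, so a pathname longer than MAPS_FILENAME_MAX-1 bytes
 * is written past the end of the stack buffer `name`. Any local process
 * can put such a line in its own /proc/PID/maps, which is the trigger the
 * report describes. Built with -fstack-protector, glibc aborts with
 * "*** stack smashing detected ***" instead of continuing. */
static int parse_map_line_unsafe(const char *line, struct map_entry *e)
{
    char name[MAPS_FILENAME_MAX];
    name[0] = '\0';                    /* anonymous mappings have no pathname */
    if (sscanf(line, "%lx-%lx %4s %lx %x:%x %lu %s",
               &e->start, &e->end, e->perms, &e->offset,
               &e->dev_major, &e->dev_minor, &e->inode, name) < 7)
        return -1;
    strcpy(e->filename, name);
    return 0;
}

/* Hardened version: parse the fixed-width fields with sscanf, then copy
 * the rest of the line (the pathname, which may contain spaces) with an
 * explicit bound. An over-long name is truncated and flagged so a monitor
 * can still display the mapping. */
static int parse_map_line(const char *line, struct map_entry *e)
{
    int consumed = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lx-%lx %4s %lx %x:%x %lu%n",
               &e->start, &e->end, e->perms, &e->offset,
               &e->dev_major, &e->dev_minor, &e->inode, &consumed) != 7)
        return -1;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t len = strcspn(p, "\n");
    if (len >= sizeof e->filename) {
        len = sizeof e->filename - 1;
        e->truncated = 1;
    }
    memcpy(e->filename, p, len);
    e->filename[len] = '\0';
    return 0;
}

/* Constructed maps line whose pathname is "/s/s/s/..." of the requested
 * length, mirroring the reproducer's deep directory. Caller frees. */
static char *make_long_maps_line(size_t path_len)
{
    const char *prefix = "00400000-00406000 r-xp 00000000 fd:00 131 ";
    size_t plen = strlen(prefix);
    char *buf = malloc(plen + path_len + 2);
    if (!buf)
        return NULL;
    memcpy(buf, prefix, plen);
    for (size_t i = 0; i < path_len; i++)
        buf[plen + i] = (i % 2 == 0) ? '/' : 's';
    buf[plen + path_len] = '\n';
    buf[plen + path_len + 1] = '\0';
    return buf;
}

int main(void)
{
    struct map_entry e;
    const char *short_line = "00400000-00406000 r-xp 00000000 fd:00 131 /bin/sleep\n";

    /* A short name is handled by both parsers. */
    if (parse_map_line_unsafe(short_line, &e) == 0)
        printf("unsafe parser: %s\n", e.filename);

    /* The 1000-byte name is only handed to the bounded parser. */
    char *long_line = make_long_maps_line(1000);
    if (long_line && parse_map_line(long_line, &e) == 0)
        printf("safe parser: %zu bytes kept, truncated=%d\n",
               strlen(e.filename), e.truncated);
    free(long_line);

    /* Walk this process's own map through the bounded parser. A line longer
     * than the fgets buffer is split; the tail simply fails to parse. */
    FILE *f = fopen("/proc/self/maps", "r");
    char line[8192];
    while (f && fgets(line, sizeof line, f))
        if (parse_map_line(line, &e) == 0 && e.truncated)
            printf("truncated mapping at %lx\n", e.start);
    if (f)
        fclose(f);
    return 0;
}
```

Feeding the constructed long line to parse_map_line_unsafe instead would write roughly 1000 bytes into a 256-byte stack buffer; compiled with -fstack-protector (the SSP the reporter mentions) that clobbers the canary and produces the same "*** stack smashing detected ***" abort shown under Actual results.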
Comment 6 Red Hat Bugzilla 2007-08-07 15:24:04 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

