Bug 249884 - CVE-2007-0235 Stack overflow libgtop when pathname of mmap()-ed file is too long
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: libgtop2   
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Søren Sandmann Pedersen
QA Contact: desktop-bugs@redhat.com
URL: https://launchpad.net/ubuntu/+source/...
Whiteboard: impact=moderate,source=gentoo,reporte...
Keywords: Security
Depends On:
Reported: 2007-07-27 16:47 UTC by Lubomir Kundrak
Modified: 2014-06-18 09:09 UTC (History)

Fixed In Version: RHSA-2007-0765
Doc Type: Bug Fix
Last Closed: 2007-08-07 19:24:04 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2007:0765
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: libgtop2 security update
Last Updated: 2008-01-07 22:55:26 UTC

Description Lubomir Kundrak 2007-07-27 16:47:41 UTC
+++ This bug was initially created as a clone of Bug #222637 +++

Description of problem:

A stack-based buffer overflow occurs when gnome-system-monitor is launched
while a process has a file with a too-long filename mapped in its address
space (visible via /proc/$PID/maps), and could potentially lead to arbitrary
code execution (mitigated by SSP).

Version-Release number of selected component (if applicable):

At least FC6 and RHEL5 libgtop2.

How reproducible:


Steps to Reproduce:

# Create a file with a too-long pathname. Some filesystems limit filenames
# to 255 characters, so use a deep directory hierarchy instead
export dir=$(perl -e " print 's/'x1000;")
mkdir -p $dir

# Copy a binary image that will get mapped upon execution there and run it.
# Sleep will harmlessly run for some time...
cp /bin/sleep $dir
$dir/sleep 100 &

# Run system monitor while the program is running

Actual results:

*** stack smashing detected ***: gnome-system-monitor terminated

Expected results:

Gnome-system-monitor should help us on our way to salvation,
eternal and everlasting love and peace.

Additional info:

Patch from upstream is available, see the upstream BTS:

-- Additional comment from lkundrak@redhat.com on 2007-01-15 08:30 EST --
Created an attachment (id=145571)
Patch for Gnome bug #396477 libgtop buffer overflow

-- Additional comment from bressers@redhat.com on 2007-01-25 14:19 EST --
This flaw also affects FC5
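
An added example, not libgtop's code or the upstream patch: one way to parse a /proc/PID/maps line so that an over-long pathname, like the one the reproducer above creates, is truncated into a fixed buffer instead of overrunning it. MAP_NAME_MAX, struct map_entry, parse_maps_line and build_sample_line are hypothetical names, and the sample line is constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAP_NAME_MAX 64  /* hypothetical buffer size chosen for this example */

struct map_entry {
    unsigned long start, end, offset, inode;
    char perms[5], name[MAP_NAME_MAX];
    int truncated;       /* set when the pathname did not fit in name[] */
};

/* Parse one /proc/PID/maps line; 0 on success, -1 if fixed fields are malformed. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned int maj, min;
    int used = 0;
    memset(e, 0, sizeof *e);
    /* %4s bounds perms; %n records where the fixed fields end. */
    if (sscanf(line, "%lx-%lx %4s %lx %x:%x %lu%n", &e->start, &e->end,
               e->perms, &e->offset, &maj, &min, &e->inode, &used) < 7)
        return -1;
    const char *p = line + used + strspn(line + used, " \t");
    /* Copy the pathname by measured length, never with an unbounded %s. */
    size_t len = strcspn(p, "\n");
    if (len >= sizeof e->name) {
        len = sizeof e->name - 1;
        e->truncated = 1;
    }
    memcpy(e->name, p, len);
    e->name[len] = '\0';
    return 0;
}

/* Constructed sample: a maps line whose path repeats "s/" depth times. */
void build_sample_line(char *buf, size_t size, int depth)
{
    int n = snprintf(buf, size, "00400000-0040b000 r-xp 00000000 08:01 12345    /tmp/");
    for (int i = 0; i < depth && (size_t)n + 9 < size; i++)
        n += snprintf(buf + n, size - (size_t)n, "s/");
    snprintf(buf + n, size - (size_t)n, "sleep\n");
}

int main(void)
{
    char line[4096];
    struct map_entry e;
    build_sample_line(line, sizeof line, 1000);
    int rc = parse_maps_line(line, &e);
    printf("rc=%d truncated=%d name_len=%zu\n", rc, e.truncated, strlen(e.name));
    return 0;
}
```

The truncated flag lets a caller display or log that the name was cut rather than silently treating the shortened path as the real one.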

Comment 6 Red Hat Bugzilla 2007-08-07 19:24:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.