+++ This bug was initially created as a clone of Bug #438840 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13

Description of problem:

[joe@rawhide src2]$ sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm
*** buffer overflow detected ***: sudo terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x29e768]
/lib/libc.so.6[0x29c880]
/lib/libc.so.6(__strcpy_chk+0x44)[0x29bb54]
/lib/libaudit.so.0(audit_log_user_command+0x1f8)[0x319f68]
sudo[0xb7f2da4d]
sudo(main+0x882)[0xb7f20fa2]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1bb606]
sudo[0xb7f19d31]
======= Memory map: ========
00110000-0012f000 r-xp 00000000 08:02 6128329    /lib/ld-2.7.90.so
0012f000-00130000 r--p 0001e000 08:02 6128329    /lib/ld-2.7.90.so
00130000-00131000 rw-p 0001f000 08:02 6128329    /lib/ld-2.7.90.so
00131000-00132000 r-xp 00131000 00:00 0          [vdso]
00132000-0014c000 r-xp 00000000 08:02 6128112    /lib/libselinux.so.1
0014c000-0014d000 r--p 00019000 08:02 6128112    /lib/libselinux.so.1
0014d000-0014e000 rw-p 0001a000 08:02 6128112    /lib/libselinux.so.1
0014e000-00151000 r-xp 00000000 08:02 6128347    /lib/libcap.so.2.06
00151000-00152000 rw-p 00003000 08:02 6128347    /lib/libcap.so.2.06
00152000-0015d000 r-xp 00000000 08:02 6127799    /lib/libpam.so.0.81.10
0015d000-0015e000 rw-p 0000a000 08:02 6127799    /lib/libpam.so.0.81.10
0015e000-00161000 r-xp 00000000 08:02 6128333    /lib/libdl-2.7.90.so
00161000-00162000 r--p 00002000 08:02 6128333    /lib/libdl-2.7.90.so
00162000-00163000 rw-p 00003000 08:02 6128333    /lib/libdl-2.7.90.so
00163000-001a3000 r-xp 00000000 08:02 23068816   /usr/lib/libldap-2.4.so.2.0.4
001a3000-001a5000 rw-p 0003f000 08:02 23068816   /usr/lib/libldap-2.4.so.2.0.4
001a5000-0030f000 r-xp 00000000 08:02 6128330    /lib/libc-2.7.90.so
0030f000-00311000 r--p 0016a000 08:02 6128330    /lib/libc-2.7.90.so
00311000-00312000 rw-p 0016c000 08:02 6128330    /lib/libc-2.7.90.so
00312000-00315000 rw-p 00312000 00:00 0
00315000-00329000 r-xp 00000000 08:02 6127769    /lib/libaudit.so.0.0.0
00329000-0032a000 r--p 00013000 08:02 6127769    /lib/libaudit.so.0.0.0
0032a000-0032b000 rw-p 00014000 08:02 6127769    /lib/libaudit.so.0.0.0
0032b000-00339000 r-xp 00000000 08:02 20717071   /usr/lib/liblber-2.4.so.2.0.4
00339000-0033a000 rw-p 0000d000 08:02 20717071   /usr/lib/liblber-2.4.so.2.0.4
0033a000-0034b000 r-xp 00000000 08:02 6128331    /lib/libresolv-2.7.90.so
0034b000-0034c000 r--p 00010000 08:02 6128331    /lib/libresolv-2.7.90.so
0034c000-0034d000 rw-p 00011000 08:02 6128331    /lib/libresolv-2.7.90.so
0034d000-0034f000 rw-p 0034d000 00:00 0
0034f000-00367000 r-xp 00000000 08:02 20717024   /usr/lib/libsasl2.so.2.0.22
00367000-00368000 rw-p 00017000 08:02 20717024   /usr/lib/libsasl2.so.2.0.22
00368000-003af000 r-xp 00000000 08:02 6128205    /lib/libssl.so.0.9.8g
003af000-003b3000 rw-p 00046000 08:02 6128205    /lib/libssl.so.0.9.8g
003b3000-004ea000 r-xp 00000000 08:02 6127727    /lib/libcrypto.so.0.9.8g
004ea000-004fe000 rw-p 00136000 08:02 6127727    /lib/libcrypto.so.0.9.8g
004fe000-00501000 rw-p 004fe000 00:00 0
00501000-0050b000 r-xp 00000000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050b000-0050c000 r--p 00009000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050c000-0050d000 rw-p 0000a000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050d000-00534000 rw-p 0050d000 00:00 0
00534000-00561000 r-xp 00000000 08:02 23068795   /usr/lib/libgssapi_krb5.so.2.2
00561000-00563000 rw-p 0002d000 08:02 23068795   /usr/lib/libgssapi_krb5.so.2.2
00563000-00600000 r-xp 00000000 08:02 23068794   /usr/lib/libkrb5.so.3.3
00600000-00603000 rw-p 0009c000 08:02 23068794   /usr/lib/libkrb5.so.3.3
00603000-00605000 r-xp 00000000 08:02 6128204    /lib/libcom_err.so.2.1
00605000-00606000 rw-p 00001000 08:02 6128204    /lib/libcom_err.so.2.1
00606000-0062a000 r-xp 00000000 08:02 23068793   /usr/lib/libk5crypto.so.3.1
0062a000-0062b000 rw-p 00024000 08:02 23068793   /usr/lib/libk5crypto.so.3.1
0062b000-0063e000 r-xp 00000000 08:02 6127832    /lib/libz.so.1.2.3
0063e000-0063f000 rw-p 00012000 08:02 6127832    /lib/libz.so.1.2.3
0063f000-00647000 r-xp 00000000 08:02 23068792   /usr/lib/libkrb5support.so.0.1
00647000-00648000 rw-p 00007000 08:02 23068792   /usr/lib/libkrb5support.so.0.1
00648000-0064a000 r-xp 00000000 08:02 6128349    /lib/libkeyutils-1.2.so
0064a000-0064b000 rw-p 00001000 08:02 6128349    /lib/libkeyutils-1.2.so
0064b000-00656000 r-xp 00000000 08:02 6127737    /lib/libnss_files-2.7.90.so
00656000-00657000 r--p 0000a000 08:02 6127737    /lib/libnss_files-2.7.90.so
00657000-00658000 rw-p 0000b000 08:02 6127737    /lib/libnss_files-2.7.90.so
00658000-00665000 r-xp 00000000 08:02 6128116    /lib/libgcc_s-4.3.0-20080314.so.1
00665000-00666000 rw-p 0000c000 08:02 6128116    /lib/libgcc_s-4.3.0-20080314.so.1
b7cff000-b7eff000 r--p 00000000 08:02 20715806   /usr/lib/locale/locale-archive
b7eff000-b7f05000 rw-p b7eff000 00:00 0
b7f0f000-b7f16000 r--s 00000000 08:02 20744117   /usr/lib/gconv/gconv-modules.cache
b7f16000-b7f39000 r-xp 00000000 08:02 20720623   /usr/bin/sudo
b7f39000-b7f3a000 rw-p 00023000 08:02 20720623   /usr/bin/sudo
b7f3a000-b7f3d000 rw-p b7f3a000 00:00 0
b9949000-b996a000 rw-p b9949000 00:00 0          [heap]
bfd20000-bfd38000 rw-p bffe8000 00:00 0          [stack]
Aborted
[joe@rawhide src2]$

Version-Release number of selected component (if applicable):
audit-libs-devel-1.6.9-1.fc9.i386

How reproducible:
Always

Steps to Reproduce:
sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm with a few hundred rpms

Actual Results:
Backtrace

Expected Results:
rpm install

Additional info:
New behavior. Big update last night that did not include any audit components. Prior to the update, this was not happening. Prior rawhide sync was on the 20th, after which this problem did not occur. sudo-1.6.9p13-3.fc9.i386 was installed last night. Perhaps the change was there.

-- Additional comment from sgrubb on 2008-03-25 11:37 EST --

Sudo was recently updated to log actions run. It looks like the number of args exceeded what was expected. I'll add the fix in a new version of audit that I'm working on right now.
A problem was reported with the fix on this bug.
The fix for this bug is incomplete. It does not overflow anymore, but it's not right. As it currently is, if there are no spaces in the command, meaning no arguments given, then it records the cwd rather than the command. I have a patch that corrects this.
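Added example, written for this page and not code from libaudit, sudo or the patch referred to above: a C sketch of the two properties the thread asks of the USER_CMD message builder, a length check instead of the unbounded copy that __strcpy_chk aborted on, and a command-line split that still records the command when there are no arguments. The buffer size, the cwd value and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size for the example; the report does not state libaudit's
 * real record buffer size. */
#define MSG_BUF_SIZE 96

/* Length-checked replacement for an unbounded strcpy. Copies src into dst
 * only when it fits including the terminator, otherwise leaves dst alone and
 * returns -1. A missing check of this kind is what FORTIFY's __strcpy_chk
 * turned into the abort in the backtrace above. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Splits a command line into program and arguments without pointer
 * arithmetic that assumes a space is present. Returns the length of the
 * program part; *args is set to the arguments, or to "" when there are none
 * (the "sudo ls" case, where the command must still be recorded as cmd). */
size_t split_cmdline(const char *cmdline, const char **args)
{
    const char *sp = strchr(cmdline, ' ');
    if (sp == NULL) {
        *args = "";
        return strlen(cmdline);
    }
    *args = sp + 1;
    return (size_t)(sp - cmdline);
}

/* Builds the "cwd=... cmd=..." text of a USER_CMD record into a fixed
 * buffer. Returns 0 on success; returns -1 and leaves an empty string when
 * the record would not fit, so a long argument list is rejected instead of
 * overrunning the buffer. */
int build_user_cmd_msg(char *out, size_t outsz, const char *cwd, const char *cmdline)
{
    const char *args;
    size_t proglen = split_cmdline(cmdline, &args);
    int n;

    if (args[0] == '\0')
        n = snprintf(out, outsz, "cwd=%s cmd=%.*s", cwd, (int)proglen, cmdline);
    else
        n = snprintf(out, outsz, "cwd=%s cmd=%.*s %s", cwd, (int)proglen, cmdline, args);

    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[MSG_BUF_SIZE];
    const char *cwd = "/home/joe/src2";                      /* constructed */
    const char *with_args = "/usr/bin/yum localinstall a.rpm b.rpm";
    const char *no_args = "/bin/ls";

    if (build_user_cmd_msg(buf, sizeof buf, cwd, no_args) == 0)
        printf("%s\n", buf);
    if (build_user_cmd_msg(buf, sizeof buf, cwd, with_args) == 0)
        printf("%s\n", buf);
    /* A few hundred rpm paths exceed the buffer: report it, do not overflow. */
    if (build_user_cmd_msg(buf, 16, cwd, with_args) != 0)
        printf("record too long for buffer, rejected\n");
    return 0;
}
```

The point of returning -1 rather than truncating silently is that the caller (here, the program logging the command) can decide how to record an oversized command line, instead of either crashing or writing a record whose cmd= field is cut off without any indication.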
Confirming issue mentioned in comment #10. Running the command without arguments sets the cwd to cmd. And this is not good, the command is lost.

# rpm -q audit sudo
audit-1.6.5-8.el5.x86_64
sudo-1.6.8p12-12.el5.x86_64
# sudo ls
...
# sudo ls -l
...
# ausearch --start recent -m USER_CMD -i
----
type=USER_CMD msg=audit(04/18/2008 06:59:41.953:18958) : user pid=18081 uid=root auid=root subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps cmd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps (terminal=pts/13 res=success)'
----
type=USER_CMD msg=audit(04/18/2008 07:00:07.471:18974) : user pid=18093 uid=root auid=root subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps cmd=/bin/ls -l (terminal=pts/13 res=success)'
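Added example, not part of the bug report or of the audit package: a small C check that scans ausearch -i output for USER_CMD records whose cmd= field merely repeats cwd=, which is the symptom confirmed above and what an audit trail written by the incomplete fix would show. The two sample records are the ones quoted in the comment; the field layout the parser assumes (msg='cwd=... cmd=... (terminal=...) is the one in those records, and the helper names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* The two records quoted above, embedded as sample input. */
const char *const SAMPLE_LOST =
    "type=USER_CMD msg=audit(04/18/2008 06:59:41.953:18958) : user pid=18081 uid=root auid=root "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps "
    "cmd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps (terminal=pts/13 res=success)'";
const char *const SAMPLE_OK =
    "type=USER_CMD msg=audit(04/18/2008 07:00:07.471:18974) : user pid=18093 uid=root auid=root "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/mnt/qa/scratch/x86-64-5s-1-m1/2008:8029/tps "
    "cmd=/bin/ls -l (terminal=pts/13 res=success)'";

/* Copies the text that follows `key` in `line`, up to the first occurrence
 * of `stop`, into out. Returns 0 on success, -1 if key or stop is missing or
 * the value does not fit in out. */
static int extract_field(const char *line, const char *key, const char *stop,
                         char *out, size_t outsz)
{
    const char *start = strstr(line, key);
    const char *end;
    size_t n;

    if (start == NULL)
        return -1;
    start += strlen(key);
    end = strstr(start, stop);
    if (end == NULL)
        return -1;
    n = (size_t)(end - start);
    if (n + 1 > outsz)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 when a USER_CMD record (ausearch -i format) carries the working
 * directory in its cmd= field, 0 when cmd differs from cwd, and -1 when the
 * line is not a parseable USER_CMD record. The cmd value runs to the
 * " (terminal=" part so that arguments such as "-l" stay in the comparison. */
int user_cmd_lost(const char *line)
{
    char cwd[4096], cmd[4096];

    if (strstr(line, "type=USER_CMD") == NULL)
        return -1;
    if (extract_field(line, "msg='cwd=", " cmd=", cwd, sizeof cwd) != 0)
        return -1;
    if (extract_field(line, " cmd=", " (", cmd, sizeof cmd) != 0)
        return -1;
    return strcmp(cwd, cmd) == 0 ? 1 : 0;
}

/* Counts the records in `lines` that show the lost-command symptom. */
int count_lost_commands(const char *const *lines, size_t nlines)
{
    int lost = 0;
    size_t i;

    for (i = 0; i < nlines; i++)
        if (user_cmd_lost(lines[i]) == 1)
            lost++;
    return lost;
}

int main(void)
{
    const char *const records[] = { SAMPLE_LOST, SAMPLE_OK };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("record %zu: %s\n", i + 1,
               user_cmd_lost(records[i]) == 1 ? "cmd repeats cwd (command lost)" : "ok");
    printf("%d of 2 records affected\n", count_lost_commands(records, 2));
    return 0;
}
```

A cwd that genuinely equals the command is possible only if a directory were executed, so on a real audit trail a match is a reliable indicator that the logging side, not the user, produced the value; hosts still on the affected audit build would show it on every argument-less sudo command.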
audit-1.6.5-9.el5 was built to re-address this problem.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2008-0358.html