Red Hat Bugzilla – Bug 442314
Buffer overflow when SELinux is enabled.
Last modified: 2008-04-15 12:41:47 EDT
+++ This bug was initially created as a clone of Bug #436345 +++
Description of problem:
The selinux-label patch adds code that does not compute the buffer size correctly (a
typical off-by-one error). This will at best corrupt the heap whenever the code is
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Have SELinux enabled.
2. Try transferring a file from a local directory so that the path does not start
3. Watch the heap being corrupted (MALLOC_CHECK_=2 helps to see it already at the
Patch is attached to original report. Bug has been fixed in F8 already in
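The report describes the bug class but not the affected code, so the following is an added illustration rather than the selinux-label patch itself: a heap buffer for a "<dir>/<name>" path whose size is computed one byte short (the terminating NUL is forgotten), beside the corrected size computation and a join routine that refuses an undersized buffer instead of writing past it. The directory and file names are constructed sample input.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the reported bug class; not the patch's real code. */

/* Off-by-one: counts the '/' separator but not the terminating NUL. */
size_t path_buf_size_buggy(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name);
}

/* Correct: separator plus terminating NUL. */
size_t path_buf_size_fixed(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1;
}

/* Builds "<dir>/<name>" into a malloc'd buffer of `size` bytes.
 * Returns NULL (no heap write) if `size` cannot hold the result;
 * the caller frees the returned buffer. */
char *join_path(const char *dir, const char *name, size_t size)
{
    size_t needed = strlen(dir) + 1 + strlen(name) + 1;
    if (size < needed)
        return NULL;            /* the buggy size lands here: one byte short */
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, size, "%s/%s", dir, name);
    assert(n >= 0 && (size_t)n < size);   /* snprintf never truncated */
    return buf;
}

int main(void)
{
    const char *dir = "etc", *name = "passwd";   /* constructed sample input */
    size_t bad = path_buf_size_buggy(dir, name);
    size_t good = path_buf_size_fixed(dir, name);
    printf("buggy size %zu, correct size %zu\n", bad, good);
    char *p = join_path(dir, name, bad);
    printf("buggy size: %s\n", p ? p : "rejected (would overflow by one byte)");
    free(p);
    p = join_path(dir, name, good);
    printf("correct size: %s\n", p);
    free(p);
    return 0;
}
```

With the buggy size, an unchecked `strcpy`/`sprintf` would write the NUL one byte past the allocation, which is exactly the kind of corruption `MALLOC_CHECK_=2` flags at the next free.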
*** This bug has been marked as a duplicate of 426085 ***
One question: why hasn't there been an update for this released for Red Hat Enterprise 5.* yet?
- the dates on the main report indicate the fix was made *months* ago
- the problem is a "simple off by one" according to the report
- the fix has been field tested in fc8 (which explains why my fc8 machine did not have the problem)
- heap corruption can in general be a serious issue
- it is impacting Red Hat Enterprise 5 clients in the field as we speak
Just wondering why it has taken months to see an update.
I realize you can't control when it is released, but this one sure seems like it should have already been
out there, given it can't make things any worse than the sigabort we are seeing now.
The fix is currently slated for inclusion in the upcoming update release. The
corruption in this case doesn't look at all server-influenced, so it hasn't been
bumped to a higher priority.