Bug 454483 - CVE-2008-3252 newsx: Stack overflow with lines with leading '.'
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: newsx
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Dominik 'Rathann' Mierzejewski
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2008-07-08 14:59 EDT by Enrico Scholz
Modified: 2008-07-22 03:03 EDT (History)
Fixed In Version: 1.6-8.fc8
Doc Type: Bug Fix
Last Closed: 2008-07-15 08:14:45 EDT

Attachments:
patch to fix the issue (603 bytes, patch), 2008-07-12 16:59 EDT, Dominik 'Rathann' Mierzejewski
patch to fix the issue (678 bytes, patch), 2008-07-12 17:10 EDT, Dominik 'Rathann' Mierzejewski

Description Enrico Scholz 2008-07-08 14:59:34 EDT
Description of problem:

Running newsx to fetch
http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/109986
generates an

| *** stack smashing detected ***: newsx(news.gmane.org) gmane.mail.spam.spamassassin.general 109996 terminated

abort. This is caused by

--- src/getarticle.c ---
static int
read_article(long where,char *group)
{
    char linebuf[MAX_HEADER_SIZE+1], *line;
    ...
    line=linebuf;
    ...
    for (;;) {
        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
            ...
                if (line[1]=='.') {             /* escape-period, remove it */
                    line++;
                    len--;

-------------


i.e. 'line' grows and grows when a line starts with '.'.  Having
hundreds of such lines makes 'linebuf[]' overflow and it is possible to
place arbitrary data on the stack.


Fix would be probably

| -        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
| +        if (!get_server_msg(linebuf, MAX_HEADER_SIZE)) {
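Review bot: this only moves the write destination to linebuf; `line` is still advanced by the `line++` on every escaped period and is never reset, so after each such line every later use of `line` (the `line[1]` check included) operates one byte further into linebuf and the parse goes out of step with the buffer contents. Reset the pointer at the top of the loop body instead, e.g. `line = linebuf;` as the first statement inside `for (;;) {`, so both the read and the checks always start at offset 0.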

but is untested.


Stack-smash detection protects against remote code execution. Nevertheless,
it causes a lot of traffic (newsx fetches articles but aborts before updating
the 'active' file).



Version-Release number of selected component (if applicable):

newsx-1.6-8.fc9.x86_64


How reproducible:

100%
Comment 1 Enrico Scholz 2008-07-08 15:06:26 EDT
mmh... it's too late and no coffee...  Proposed fix won't work; instead of the

| line=linebuf

must be moved into the loop.
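The pointer drift described in the report and the reset proposed in comment 1, as an added C example that is not newsx's code and not the attached patch (whose contents are not shown here): `fake_get_server_msg`, `read_feed`, `make_dot_feed`, `demo_article` and the 64-byte `MAX_HEADER_SIZE` are all constructed for the demo. The loop keeps the shape quoted from getarticle.c; a demo-only bounds check reports the would-be overflow as -1 instead of performing it, which is how the 70-line feed is kept safe to run.

```c
#include <stdio.h>
#include <string.h>

/* Demo buffer size (constructed); newsx's real MAX_HEADER_SIZE is larger. */
#define MAX_HEADER_SIZE 64

/* Constructed article feed: body lines that begin with a period are sent
 * dot-stuffed ("..") by NNTP; a lone "." terminates the article. */
static const char *const demo_article[] = {
    "..first", "..second", "..third", "..fourth", ".", NULL
};

/* Builds a constructed feed of n dot-stuffed lines plus the terminator,
 * standing in for an article with "hundreds of such lines". */
static const char **make_dot_feed(int n)
{
    static char storage[128][4];
    static const char *ptrs[130];
    int i;

    if (n > 128)
        n = 128;
    for (i = 0; i < n; i++) {
        memcpy(storage[i], "..x", 4);
        ptrs[i] = storage[i];
    }
    ptrs[n] = ".";
    ptrs[n + 1] = NULL;
    return ptrs;
}

/* Stand-in for newsx's get_server_msg(): copies the next feed line into dst,
 * at most max characters plus the NUL. Returns 0 when the feed is exhausted. */
static int fake_get_server_msg(const char *const **cur, char *dst, size_t max)
{
    if (**cur == NULL)
        return 0;
    snprintf(dst, max + 1, "%s", **cur);
    (*cur)++;
    return 1;
}

/* Reads feed with the loop shape quoted in the report. With reset_each_line
 * == 0, 'line' is set to linebuf once before the loop as in newsx 1.6: every
 * escaped period advances it by one, so the next server line is written one
 * byte deeper into linebuf. With reset_each_line == 1, 'line' is reset at the
 * top of every iteration, the fix proposed in comment 1.
 * Returns the drift of 'line' from linebuf when the terminator is reached,
 * or -1 if the next read would have written past the end of linebuf (a
 * demo-only guard so the overflow is reported instead of performed).
 * last_line receives the unescaped text of the last body line. */
static long read_feed(const char *const *feed, int reset_each_line,
                      char *last_line, size_t last_sz)
{
    char linebuf[MAX_HEADER_SIZE + 1], *line;
    const char *const *cur = feed;
    size_t len;

    line = linebuf;
    for (;;) {
        if (reset_each_line)
            line = linebuf;             /* never let the offset accumulate */

        /* Demo-only bounds check; newsx 1.6 had none here. */
        if (*cur != NULL &&
            (size_t)(line - linebuf) + strlen(*cur) + 1 > sizeof linebuf)
            return -1;

        if (!fake_get_server_msg(&cur, line, MAX_HEADER_SIZE))
            break;                      /* feed exhausted without terminator */
        len = strlen(line);
        if (line[0] == '.') {
            if (len == 1)
                break;                  /* lone "." ends the article */
            if (line[1] == '.') {       /* escape-period, remove it */
                line++;
                len--;
            }
        }
        if (len >= last_sz)
            len = last_sz - 1;
        memcpy(last_line, line, len);
        last_line[len] = '\0';
    }
    return (long)(line - linebuf);
}

int main(void)
{
    char last[32];

    printf("newsx 1.6 loop, 4 escaped lines: drift %ld, last line \"%s\"\n",
           read_feed(demo_article, 0, last, sizeof last), last);
    printf("reset-per-line loop, 4 escaped lines: drift %ld\n",
           read_feed(demo_article, 1, last, sizeof last));
    printf("newsx 1.6 loop, 70 escaped lines: %ld (-1 = would overflow)\n",
           read_feed(make_dot_feed(70), 0, last, sizeof last));
    printf("reset-per-line loop, 70 escaped lines: %ld\n",
           read_feed(make_dot_feed(70), 1, last, sizeof last));
    return 0;
}
```

With the original loop the drift equals the number of escaped lines seen so far, so a feed of 70 such lines trips the guard at offset 62 (64 - strlen("..x") - 1); with the reset at the top of the loop the drift stays 0 and both feeds parse to the same unescaped text. The unescaped output is identical in both cases for short feeds, which is why the bug only shows up once an article carries enough leading-period lines to walk past the end of the buffer.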
Comment 2 Dominik 'Rathann' Mierzejewski 2008-07-12 12:00:25 EDT
I believe your analysis is incorrect. line pointer gets reset in

        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
            /* timeout: simply give up */
            return 0;
        }

I'll try to reproduce the crash and see what I can do about it.
Comment 3 Dominik 'Rathann' Mierzejewski 2008-07-12 14:54:45 EDT
... or it actually doesn't get reset. After running it through gdb I can see
that what you described is actually happening. I'll have a fixed build after
I've tested the fix.
Comment 4 Dominik 'Rathann' Mierzejewski 2008-07-12 16:59:22 EDT
Created attachment 311653 [details]
patch to fix the issue

Attached patch fixes the issue. Updated build will be available shortly.
Comment 5 Dominik 'Rathann' Mierzejewski 2008-07-12 17:10:33 EDT
Created attachment 311654 [details]
patch to fix the issue

Obviously the previous patch is wrong. We can't access line[N] before it's
initialised.
Comment 6 Fedora Update System 2008-07-12 18:59:32 EDT
newsx-1.6-9.fc9 has been submitted as an update for Fedora 9
Comment 7 Fedora Update System 2008-07-12 19:00:19 EDT
newsx-1.6-8.fc8 has been submitted as an update for Fedora 8
Comment 8 Fedora Update System 2008-07-15 08:14:43 EDT
newsx-1.6-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-07-15 08:20:27 EDT
newsx-1.6-9.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2008-07-22 03:03:19 EDT
CVE id CVE-2008-3252 was allocated for this issue:

Stack-based buffer overflow in the read_article function in
getarticle.c in newsx 1.6 allows remote attackers to execute arbitrary
code via a news article containing a large number of lines starting
with a period.
