Bug 454483 - CVE-2008-3252 newsx: Stack overflow with lines with leading '.'
Summary: CVE-2008-3252 newsx: Stack overflow with lines with leading '.'
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: newsx
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Dominik 'Rathann' Mierzejewski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-08 18:59 UTC by Enrico Scholz
Modified: 2008-07-22 07:03 UTC (History)

Fixed In Version: 1.6-8.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-15 12:14:45 UTC
Type: ---
Embargoed:


Attachments
patch to fix the issue (603 bytes, patch)
2008-07-12 20:59 UTC, Dominik 'Rathann' Mierzejewski
patch to fix the issue (678 bytes, patch)
2008-07-12 21:10 UTC, Dominik 'Rathann' Mierzejewski

Description Enrico Scholz 2008-07-08 18:59:34 UTC
Description of problem:

Running newsx to fetch
http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/109986
generates an

| *** stack smashing detected ***: newsx(news.gmane.org) gmane.mail.spam.spamassassin.general 109996 terminated

abort. This is caused by

--- src/getarticle.c ---
static int
read_article(long where,char *group)
{
    char linebuf[MAX_HEADER_SIZE+1], *line;
    ...
    line=linebuf;
    ...
    for (;;) {
        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
        ...
                if (line[1]=='.') {             /* escape-period, remove it */
                    line++;
                    len--;
-------------


i.e. 'line' grows and grows when a line starts with '.'.  Having
hundreds of such lines makes 'linebuf[]' overflow, and it is possible to
place arbitrary data on the stack.


Fix would probably be

| -        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
| +        if (!get_server_msg(linebuf, MAX_HEADER_SIZE)) {

but is untested.


Stack-smash detection protects against remote code execution. Nevertheless,
it causes a lot of traffic (newsx fetches articles but aborts before updating
the 'active' file).



Version-Release number of selected component (if applicable):

newsx-1.6-8.fc9.x86_64


How reproducible:

100%

Comment 1 Enrico Scholz 2008-07-08 19:06:26 UTC
mmh... it's too late and no coffee...  Proposed fix won't work; instead, the

| line=linebuf

must be moved into the loop.
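
The read loop from the report with the `line=linebuf` reset moved inside the loop, as an added example that is not newsx's code: it runs over a constructed in-memory article, strips the NNTP escape-period, and records how far `line` ever drifts from `linebuf`, which with the reset in place is bounded by 1 however many lines start with '.'. The `struct article` type, this stand-in `get_server_msg()` and the small `MAX_HEADER_SIZE` are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HEADER_SIZE 32   /* constructed: small so the demo stays readable */

/* Constructed stand-in for newsx's get_server_msg(): copies the next line of
 * an in-memory article into buf (at most max bytes plus NUL), 0 when exhausted. */
struct article { const char *const *lines; size_t n, next; };

static int get_server_msg(struct article *a, char *buf, size_t max)
{
    if (a->next >= a->n)
        return 0;
    snprintf(buf, max + 1, "%s", a->lines[a->next++]);
    return 1;
}

/* The read loop from the report with "line = linebuf" inside the loop, so the
 * unstuffing step of one iteration can no longer move the next read forward.
 * Returns the number of body lines before the "." terminator, or -1 if the
 * article ends without one. *max_drift is the largest offset of line from
 * linebuf ever observed: it stays <= 1 no matter how many lines start with a
 * period. last receives the final unstuffed line. */
int read_article_fixed(struct article *a, size_t *max_drift, char *last, size_t lastsz)
{
    char linebuf[MAX_HEADER_SIZE + 1], *line;
    int count = 0;

    *max_drift = 0;
    last[0] = '\0';
    for (;;) {
        line = linebuf;                          /* reset every iteration */
        if (!get_server_msg(a, line, MAX_HEADER_SIZE))
            return -1;                           /* connection closed early */
        if (strcmp(line, ".") == 0)
            return count;                        /* end of article */
        if (line[0] == '.' && line[1] == '.')
            line++;                              /* escape-period, remove it */
        if ((size_t)(line - linebuf) > *max_drift)
            *max_drift = (size_t)(line - linebuf);
        snprintf(last, lastsz, "%s", line);
        count++;
    }
}
```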

Comment 2 Dominik 'Rathann' Mierzejewski 2008-07-12 16:00:25 UTC
I believe your analysis is incorrect. line pointer gets reset in

        if (!get_server_msg(line, MAX_HEADER_SIZE)) {
            /* timeout: simply give up */
            return 0;
        }

I'll try to reproduce the crash and see what I can do about it.


Comment 3 Dominik 'Rathann' Mierzejewski 2008-07-12 18:54:45 UTC
... or it actually doesn't get reset. After running it through gdb I can see
that what you described is actually happening. I'll have a fixed build after
I've tested the fix.

Comment 4 Dominik 'Rathann' Mierzejewski 2008-07-12 20:59:22 UTC
Created attachment 311653 [details]
patch to fix the issue

Attached patch fixes the issue. Updated build will be available shortly.

Comment 5 Dominik 'Rathann' Mierzejewski 2008-07-12 21:10:33 UTC
Created attachment 311654 [details]
patch to fix the issue

Obviously the previous patch is wrong. We can't access line[N] before it's
initialised.

Comment 6 Fedora Update System 2008-07-12 22:59:32 UTC
newsx-1.6-9.fc9 has been submitted as an update for Fedora 9

Comment 7 Fedora Update System 2008-07-12 23:00:19 UTC
newsx-1.6-8.fc8 has been submitted as an update for Fedora 8

Comment 8 Fedora Update System 2008-07-15 12:14:43 UTC
newsx-1.6-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-07-15 12:20:27 UTC
newsx-1.6-9.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-07-22 07:03:19 UTC
CVE id CVE-2008-3252 was allocated for this issue:

Stack-based buffer overflow in the read_article function in
getarticle.c in newsx 1.6 allows remote attackers to execute arbitrary
code via a news article containing a large number of lines starting
with a period.

