Bug 462584 – CVE-2008-3916 ed: Heap-based buffer overflow (arb. code execution)

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 462584 - (CVE-2008-3916) CVE-2008-3916 ed: Heap-based buffer overflow (arb. code execution)

Summary:	CVE-2008-3916 ed: Heap-based buffer overflow (arb. code execution)

Status:	CLOSED ERRATA

Aliases:	CVE-2008-3916

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	source=osssecurity,reported=20080831,...
Keywords:	Security

Depends On:	466094 466095 466096 466097 466098 466099 466100 466101 466102 833891
Blocks:
	Show dependency tree / graph

Reported:	2008-09-17 06:52 EDT by Jan Lieskovsky
Modified:	2016-03-04 06:56 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-03-29 05:40:25 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Proposed patch to resolve the ed heap overflow issue. (673 bytes, patch) 2008-10-08 06:23 EDT, Jan Lieskovsky	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0946	normal	SHIPPED_LIVE	Moderate: ed security update	2008-10-21 11:13:21 EDT

Groups: None (edit)

Description Jan Lieskovsky 2008-09-17 06:52:09 EDT

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3916 to
the following vulnerability:

Heap-based buffer overflow in the strip_escapes function in signal.c
in GNU ed before 1.0 allows context-dependent or user-assisted
attackers to execute arbitrary code via a long filename.  NOTE: since
ed itself does not typically run with special privileges, this issue
only crosses privilege boundaries when ed is invoked as a third-party
component.


References:

http://lists.gnu.org/archive/html/bug-ed/2008-08/msg00000.html
http://marc.info/?l=oss-security&m=122018171619930&w=4
http://www.openwall.com/lists/oss-security/2008/08/31/1
http://www.openwall.com/lists/oss-security/2008/09/01/2
http://www.openwall.com/lists/oss-security/2008/09/01/3
http://www.openwall.com/lists/oss-security/2008/09/04/21
http://www.openwall.com/lists/oss-security/2008/09/04/22
http://www.openwall.com/lists/oss-security/2008/09/04/24

Comment 1 Jan Lieskovsky 2008-09-17 06:53:16 EDT

This issue affects all versions of the ed package, as shipped with Red Hat
Enterprise Linux 2.1, 3, 4 and 5 and all versions of the ed packages, as
shipped within Fedora releases of 8, 9 and 10.

Comment 3 Jan Lieskovsky 2008-10-08 06:23:46 EDT

Created attachment 319740 [details]
Proposed patch to resolve the ed heap overflow issue.

Proposed patch (it was generated by comparing changes in signal.c between
0.9 and 1.0 versions of ed. Please ensure, no additional changes (i.e.
changes in "resize_buffer" function) are needed to resolve this issue).

Comment 7 Tomas Hoger 2010-03-29 05:40:25 EDT

https://www.redhat.com/security/data/cve/CVE-2008-3916.html

Note You need to log in before you can comment on or make changes to this bug.