Multiple stack-based buffer overflows were found in the way OBEX interactive test client/server used to handle file transfer requests and and file path setting for remote files. Local attacker could issue a file transfer / remote file path setting request with a specially-crafted filename, leading to a denial of service (obex_test crash) or, potentially, to arbitrary code execution with the privileges of the OBEX interactive test client/server.
Created attachment 365477 [details] Possible fix (patch against version 1.4) Far from being perfect, but may be sufficient for test application.
Created attachment 366870 [details] Fix, 2nd try Change to first patch is rather minimal. This only makes sure that EOL is reached before reading next command, so the long file / path names will no longer be interpreted as commands. It's still possible to specify command arguments on one line with command.
The Red Hat Security Response Team does not consider this to be a security vulnerability. The obex_test program is a testing program that is unlikely to be used in production. As well, in order to exploit this issue, an attacker must coerce a local user to run the application and feed it a long filename. Upstream has been informed of the issue and do not feel this is a security issue at all because this application should not be used for anything other than testing. This is, however, a bug that affects existing Fedora releases. We have a patch that corrects the flaw; it should be applied in Fedora (as a regular bug fix). Moving this from a security response bug to a normal Fedora bug.
openobex-apps comes from openobex source. Affects F13 openobex-1.4-4.fc12.
Vincent, did the upstream respond to you? I would like to propose the patch again and if that fails, I will drop the obex_test app in Fedora, as it hasn't been done so far. Seems like upstream is still active: http://git.kernel.org/?p=bluetooth/openobex.git;a=shortlog
Hi, upstream did respond; their response is noted in comment #29: "Upstream has been informed of the issue and do not feel this is a security issue at all because this application should not be used for anything other than testing." You want to propose the patch to upstream? Please, feel free to do so. If the patch sufficiently works and causes no regressions, you could probably patch Fedora despite upstream. If for some reason that isn't viable (patch is incomplete or causes regressions, etc.) then I would opt for dropping the obex_test program or putting it somewhere, or noting somehow, that it is clearly a testing application that has problems.
Thanks for the explanation, Vincent. I think I will just drop obex_test program, as it is just for testing purposes..
That works for me and would solve the problem. Thanks!
openobex-1.5-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openobex-1.5-3.fc15
openobex-1.5-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/openobex-1.5-2.fc14
openobex-1.4-6.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/openobex-1.4-6.fc13
Maybe it's just me finding it weird to throw the whole thing away for the bug that's not worth calling security and after all the effort that was put into this... Hence I went ahead, re-diffed my patch against upstream git and proposed the fix in upstream trac: http://dev.zuckschwerdt.org/openobex/ticket/46
Tomas, thank you. I was going to do the same (propose the changes upstream), as I didn't want to waste the effort put into the patch. But as stated above, obex_test is just testing program and I don't find any reason why to ship it with openobex-apps package. It should be used just for testing purposes while built from sources.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Vojtech, do you want to keep this open while waiting for resolution of the upstream ticket?
Tomas, I think we can close this bugzilla, as we dropped obex_test program completely. Imho, the resolution of the upstream ticket is not relevant to Fedora right now.. Is it ok for you?
Your package, your decision is the final one. I don't a strong preference.
Closing the bug.
openobex-1.5-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
openobex-1.5-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.