Bug 812552 - dtach: Memory portion (random stack data) disclosure to the client by unclean client disconnect [rhel-6.2]
dtach: Memory portion (random stack data) disclosure to the client by unclean...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dtach (Show other bugs)
6.2
Unspecified Unspecified
low Severity low
: rc
: ---
Assigned To: Lon Hohberger
BaseOS QE - Apps
:
Depends On: 812551
Blocks: CVE-2012-3368
  Show dependency treegraph
 
Reported: 2012-04-14 15:18 EDT by Enrico Scholz
Modified: 2014-08-18 12:15 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 812551
Environment:
Last Closed: 2014-08-18 12:15:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Enrico Scholz 2012-04-14 15:18:18 EDT
+++ This bug was initially created as a clone of Bug #812551 +++

Description of problem:

When client disconnects uncleanly, it might happen that an underlying
read() operation returns with an error.  This error was interpreted
wrongly because the negative return value was assigned to a variable
of unsigned type and being checked for <= 0. As this condition does
not hold in error case, a packet with wrong len (255) was sent instead
of aborting the client:

| read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error)
| write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10


The server accepts this broken packet and puts random data (stack
content) to the program:

| read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
| write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255


For reference, the 'pkt' is defined as

| struct packet
| {
| 	unsigned char type;
| 	unsigned char len;
| ...
| }


Version:

dtach-0.8-5.fc15.x86_64

--- Additional comment from enrico.scholz@informatik.tu-chemnitz.de on 2012-04-14 15:16:22 EDT ---

Upstream:

https://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
Comment 2 RHEL Product and Program Management 2012-09-07 01:14:11 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 RHEL Product and Program Management 2013-10-13 20:42:43 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 7 RHEL Product and Program Management 2014-08-18 12:15:49 EDT
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.