Vulnerability Development mailing list archives
Re: [Fwd: Help needed with bufferoverflow in cvs]
From: larry.jones () sdrc com (Larry Jones)
Date: Thu, 21 Feb 2002 10:21:05 -0500 (EST)
Tollef Fog Heen writes:
> * (Larry Jones)
> |
> | It's not a buffer overflow (-Cx will produce the same result), it's an
> | improperly initialized global variable (the code calls longjmp() with a
> | global jmp_buf that was never initialized by setjmp() and thus is all
> | zeros). It's not exploitable and it was fixed long ago in CVS 1.10.8.
>
> I am not too sure about that, please see the strace output from the server:
You're not too sure about *what*, that it's not a buffer overflow, that it's caused by calling longjmp() with an all-zero jmp_buf, that it's not exploitable, or that it was fixed long ago?!?
> This is 1.10.7-7; do you have the patch for this problem handy?
The best fix is to upgrade to a reasonably current release of CVS, which you can get from www.cvshome.org. The current release is 1.11.1p1. If you insist on patching an obsolete version:

Index: diff.c =================================================================== RCS file: /cvs/ccvs/diff/diff.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- diff.c 29 Apr 1999 21:08:13 -0000 1.9 +++ diff.c 15 Sep 1999 21:11:31 -0000 1.10 @@ -247,11 +247,21 @@ /* Do our initializations. */ initialize_main (&argc, &argv); - - /* Decode the options. */ - optind_old = optind; optind = 0; + + /* Set the jump buffer, so that diff may abort execution without + terminating the process. */ + val = setjmp (diff_abort_buf); + if (val != 0) + { + optind = optind_old; + if (opened_file) + fclose (outfile); + return val; + } + + /* Decode the options. */ while ((c = getopt_long (argc, argv, "0123456789abBcC:dD:efF:hHiI:lL:nNpPqrsS:tTuU:vwW:x:X:y", longopts, 0)) != EOF) @@ -684,17 +694,6 @@ } opened_file = 1; } - } - - /* Set the jump buffer, so that diff may abort execution without - terminating the process. */ - val = setjmp (diff_abort_buf); - if (val != 0) - { - optind = optind_old; - if (opened_file) - fclose (outfile); - return val; } val = compare_files (0, argv[optind], 0, argv[optind + 1], 0);

-Larry Jones

It's like SOMEthing... I just can't think of it. -- Calvin
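Review bot: in the first hunk, the recovery branch added after `optind = 0;` reads `opened_file` and `outfile`, both of which are only assigned later in the function (`opened_file = 1;` is visible as context in the second hunk), that is, after `val = setjmp (diff_abort_buf);` and before any `longjmp`. If either is an automatic variable it needs to be declared `volatile`, and `opened_file` must be zeroed before the `setjmp` on every entry, otherwise a `longjmp` raised during option decoding can reach `fclose (outfile)` with an indeterminate flag and a stale pointer. Moving the `setjmp` ahead of `getopt_long` is the real fix for the crash in this thread (a `longjmp` through a never-set, all-zero `diff_abort_buf`), so the `val = setjmp (diff_abort_buf);` line deserves a comment saying it must stay ahead of option decoding, since every option error now depends on it. One thing to confirm from the flattened text: the three removed lines before `optind_old = optind;` should be a blank line, the `/* Decode the options. */` comment and another blank line, with `optind_old = optind;` itself kept as unchanged context, because the new `optind = optind_old;` in the recovery branch relies on that assignment having happened before the `setjmp`.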
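Review bot: worth stating in the commit message, or in a comment at the new `setjmp` site, that the second hunk is a pure move and that aborts from `compare_files` are unaffected: the block removed here immediately before `val = compare_files (0, argv[optind], 0, argv[optind + 1], 0);` is byte-for-byte the one added after `optind = 0;` in the first hunk, and the deleted `- }` and `- {` pair up so brace balance is preserved. The only behavioural change is that aborts raised between the two positions (option decoding and output-file opening) now take the recovery path instead of jumping through an unset buffer; without that note, a later tidy-up could move the `setjmp` back down next to `compare_files` and reintroduce the crash.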
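The pattern the thread turns on, as an added example that is not CVS's diff.c and not code from either poster: a global jmp_buf like diff_abort_buf is armed by setjmp() before anything that can abort, the variables touched between setjmp() and longjmp() are volatile, and an abort routine refuses to longjmp() through a buffer that was never set. The names (abort_buf, run_abort, run, the toy -C option decoder) and the counters are assumptions made for the example; the "-Cx" trigger and the early-return semantics mirror what the message describes.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Global jump buffer playing the role of CVS's diff_abort_buf. A jmp_buf
 * has no "unset" state of its own, so a separate flag records whether
 * setjmp() has filled it: longjmp() through a never-set (all-zero) buffer
 * is undefined behaviour, which is the crash discussed in the thread. */
static jmp_buf abort_buf;
static int abort_buf_armed = 0;

/* Counters a test can inspect: how often the recovery path ran, and how
 * often it had to release an output buffer that was open at abort time. */
int recoveries = 0;
int recovery_releases = 0;

/* Abort the current run without killing the process, but only if the
 * buffer is armed; otherwise fail closed with exit() rather than jumping
 * through garbage. (Hypothetical helper, not CVS's fatal().) */
static void run_abort(int code)
{
    if (!abort_buf_armed) {
        fprintf(stderr, "run_abort(%d) called before setjmp; exiting\n", code);
        exit(code);
    }
    longjmp(abort_buf, code);
}

/* Toy option decoder standing in for getopt_long: only "-C<digits>" is
 * accepted. "-Cx" (the trigger in the thread) aborts here, during option
 * decoding, before any output resource exists. */
static int decode_context_option(const char *opt)
{
    if (opt[0] != '-' || opt[1] != 'C' || opt[2] == '\0')
        run_abort(2);
    for (const char *p = opt + 2; *p; p++)
        if (*p < '0' || *p > '9')
            run_abort(2);
    return atoi(opt + 2);
}

/* Library-style entry point like diff_run(): returns 0 on success or the
 * non-zero code handed to run_abort(). argv[0] is the program name, then
 * zero or more -C options, then exactly two operands to "compare". */
int run(int argc, const char **argv)
{
    /* Objects modified after setjmp() and read after longjmp() must be
     * volatile (C99 7.13.2.1), or their values are indeterminate. */
    volatile int opened = 0;
    char *volatile outbuf = NULL;   /* stands in for diff's outfile */
    int val, i, context = 3;

    /* Arm the buffer FIRST, before anything that may call run_abort(). */
    val = setjmp(abort_buf);
    if (val != 0) {
        /* Recovery path: release whatever was open, then return the code. */
        if (opened) {
            free(outbuf);
            recovery_releases++;
        }
        abort_buf_armed = 0;
        recoveries++;
        return val;
    }
    abort_buf_armed = 1;

    for (i = 1; i < argc && argv[i][0] == '-'; i++)
        context = decode_context_option(argv[i]);

    /* "Open" the output before checking operands, so that a missing
     * operand exercises the cleanup branch above. */
    outbuf = malloc(256);
    if (outbuf == NULL)
        run_abort(1);
    opened = 1;

    if (argc - i != 2)
        run_abort(2);

    snprintf(outbuf, 256, "%s %s and %s (context %d)\n",
             strcmp(argv[i], argv[i + 1]) == 0 ? "identical:" : "differ:",
             argv[i], argv[i + 1], context);
    fputs(outbuf, stdout);

    free(outbuf);
    opened = 0;
    abort_buf_armed = 0;
    return 0;
}

int main(void)
{
    const char *good[] = {"diff", "-C3", "a", "b"};
    const char *bad[] = {"diff", "-Cx", "a", "b"};
    printf("good run -> %d\n", run(4, good));   /* 0 */
    printf("bad option -> %d\n", run(4, bad));  /* 2, no crash */
    return 0;
}
```

With the setjmp() moved to the top of run(), a bad option returns 2 to the caller instead of longjmp()ing through an unset buffer; the volatile qualifiers are what make the cleanup branch safe to trust after the jump.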