Re: Old cscope buffer overflow

[Tomas Hoger <thoger () redhat com>]

On Wed, 6 May 2009 11:49:14 -0400 (EDT) "Steven M. Christey"
<coley () linus mitre org> wrote:

> > If you're preparing cscope updates for CVE-2009-0148 and you may
> > still be shipping packages based on 15.5, you may want to have a
> > look at:
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=499174
> >
> > Steve, as the first public report for this is from 2006:
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=189666
> >
> > I believe 2006 CVE id is needed here.
>
> We recently updated CVE-2009-0148 for overflows in cscope before
> 15.7a. Is this the same issue, or do we need a different one?
>
> This seems to be distinct from CVE-2006-4262 as well...

Different from both.  CVE-2009-0148 is more of a dupe / re-occurrence /
incomplete fix of even older CVE-2004-2541.  Some vendors originally
addressed that via sprintf -> snprintf across whole sources.  Upstream
instead preferred to use "%.*s" with bit of length math to avoid
overflow and not harm portability.  Though the math could int
underflow, still allowing buffer overflow.

BZ#189666 issue was fixed upstream in 15.6.

-- 
Tomas Hoger / Red Hat Security Response Team