oss-sec mailing list archives
Re: hardlink(1) has buffer overflows, is unsafe on changing trees
From: Josh Bressers <bressers () redhat com>
Date: Thu, 20 Oct 2011 10:57:29 -0400 (EDT)
----- Original Message -----
Hi, The hardlink(1) program from Fedora is susceptible to buffer overflows of fixed-size nambuf1 and nambuf2 buffers when run on a tree with deeply nested directories and/or with long directory or file names. I was able to reproduce the problem (got a segfault) by running the program on a directory containing 20 nested directories with 250-character names. Another problem is that the program uses full pathnames. It neither changes the current directory, nor uses openat(2). Thus, if a pathname component is replaced with a symlink while the program is running, this may result in processing of directories/files outside of the intended directory tree. I fixed the buffer overflows (by (re)allocating the buffers dynamically) in the copy that I committed into Owl today: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/hardlink/
Based on the above commits, I'm giving this three IDs. CVE-2011-3630 hardlink buffer overflows https://bugzilla.redhat.com/show_bug.cgi?id=746709 CVE-2011-3631 hardlink integer overflows https://bugzilla.redhat.com/show_bug.cgi?id=746710 CVE-2011-3632 hardlink symlink attacks https://bugzilla.redhat.com/show_bug.cgi?id=746713 The Red Hat bugs have more details and links. Thanks. -- JB
Current thread:
- hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 15)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Josh Bressers (Oct 20)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Huzaifa Sidhpurwala (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Huzaifa Sidhpurwala (Oct 23)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Huzaifa Sidhpurwala (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Josh Bressers (Oct 20)