oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: hardlink(1) has buffer overflows, is unsafe on changing trees

From: Josh Bressers <bressers () redhat com>
Date: Thu, 20 Oct 2011 10:57:29 -0400 (EDT)


----- Original Message -----

Hi,

The hardlink(1) program from Fedora is susceptible to buffer overflows of
fixed-size nambuf1 and nambuf2 buffers when run on a tree with deeply
nested directories and/or with long directory or file names.  I was able
to reproduce the problem (got a segfault) by running the program on a
directory containing 20 nested directories with 250-character names.

Another problem is that the program uses full pathnames.  It neither
changes the current directory, nor uses openat(2).  Thus, if a pathname
component is replaced with a symlink while the program is running, this
may result in processing of directories/files outside of the intended
directory tree.

I fixed the buffer overflows (by (re)allocating the buffers dynamically)
in the copy that I committed into Owl today:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/hardlink/



Based on the above commits, I'm giving this three IDs.

CVE-2011-3630 hardlink buffer overflows
https://bugzilla.redhat.com/show_bug.cgi?id=746709

CVE-2011-3631 hardlink integer overflows
https://bugzilla.redhat.com/show_bug.cgi?id=746710

CVE-2011-3632 hardlink symlink attacks
https://bugzilla.redhat.com/show_bug.cgi?id=746713

The Red Hat bugs have more details and links.

Thanks.

-- 
    JB
Previous By Date Next
Previous By Thread Next

Current thread: