Vulnerability Development mailing list archives
Re: [Fwd: Help needed with bufferoverflow in cvs]
From: Tollef Fog Heen <tollef () add no>
Date: 21 Feb 2002 10:44:11 +0100
* (Larry Jones)

| > it seems that cvs (version 1.10.7 from Debian's stable repos) has a
| > bufferoverflow but I'm not sure if it's exploitable
| [...]
| > cvs diff -C`perl -e "print 'a' x 300"` tables.sql
| [...]
| > Segmentation fault (core dumped)
|
| It's not a buffer overflow (-Cx will produce the same result), it's an
| improperly initialized global variable (the code calls longjmp() with a
| global jmp_buf that was never initialized by setjmp() and thus is all
| zeros). It's not exploitable and it was fixed long ago in CVS 1.10.8.

I am not too sure about that, please see the strace output from the
server:

[snip]
[pid 6325] write(8, "diff -Caaaaaaaaaaaaaaaaaaaaaaaaa"..., 320) = 320
[pid 6325] write(8, "\0\0\0\0", 4 <unfinished ...>
[pid 6294] write(1, "M Index: a\nM ==================="..., 114 <unfinished ...>
[pid 6325] <... write resumed> ) = 4
[pid 6325] write(8, "\0\0\0\0", 4) = 4
[pid 6325] write(8, "\0\0\0\0", 4) = 4
[pid 6325] write(8, "\0\0\0\0", 4) = 4
[pid 6325] write(8, "\0\0\0\0", 4) = 4
[pid 6325] write(8, "\0\0\0\0", 4) = 4
[pid 6325] write(8, ".\0\0\0", 4) = 4
[pid 6325] write(8, "E ", 2) = 2
[pid 6325] write(8, "cvs server: invalid context leng"..., 44) = 44
[pid 6325] --- SIGSEGV (Segmentation fault) ---
[pid 6294] <... write resumed> ) = 114
[pid 6294] --- SIGCHLD (Child exited) ---
[pid 6294] write(1, "M retrieving revision 1.1.1.1\n", 30) = 30
[pid 6294] select(8, [3 5 7], [], NULL, NULL) = 3 (in [3 5 7])
[pid 6294] read(3, "", 4096) = 0
[pid 6294] read(5, "", 4096) = 0
[pid 6294] read(7, "\0\0\0\0\0\0\0\0\0\0\0\0B\1\0\0M diff -Caaaaaaa"..., 4096) = 412
[pid 6294] write(1, "M diff -Caaaaaaaaaaaaaaaaaaaaaaa"..., 322) = 322
[pid 6294] write(1, "E cvs server: invalid context le"..., 46) = 46
[pid 6294] select(8, [7], [], NULL, NULL) = 1 (in [7])
[pid 6294] read(7, "", 4096) = 0
[pid 6294] wait4(6325, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0, NULL) = 6325
[pid 6294] fcntl(1, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
[pid 6294] fcntl(1, F_SETFL, O_RDWR) = 0
[pid 6294] write(1, "E Terminated with fatal signal 1"..., 34) = 34
[pid 6294] write(1, "error \n", 8) = 8
[pid 6294] read(0, "", 4096) = 0
[pid 6294] chdir("/tmp") = 0
[snip]

This is 1.10.7-7; do you have the patch for this problem handy?

--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
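The failure mode Larry Jones describes above, an error path that calls longjmp() through a global jmp_buf that no setjmp() ever filled, is easy to reproduce in miniature and just as easy to guard against. The following C program is an added illustration, not code from CVS or from either poster: the names (diff_abort, diff_fatal, run_diff, parse_context_length), the error message text and the "armed" guard flag are all constructed for the example. It shows the defensive pattern: an error path that only longjmp()s when a flag records that setjmp() has actually established the context, and otherwise reports the error by return value instead of jumping into an all-zero buffer.

```c
#include <setjmp.h>
#include <stdio.h>

/* Constructed illustration of the bug class discussed in the thread:
 * an error path that longjmp()s through a global jmp_buf. If no setjmp()
 * ever wrote the buffer it is all zeros, and longjmp() restores garbage
 * register state, which is what a SIGSEGV on the error path looks like.
 * Not CVS's code; every name here is hypothetical. */

static jmp_buf diff_abort;        /* the global jump target */
static int diff_abort_armed = 0;  /* guard: nonzero only after setjmp() */

/* Error path. When the context is armed it never returns (longjmp()).
 * When it is not armed it refuses to jump and returns -1 so the caller
 * can propagate the error by return value instead. */
static int diff_fatal(const char *msg)
{
    fprintf(stderr, "E cvs server: %s\n", msg);  /* constructed message format */
    if (diff_abort_armed)
        longjmp(diff_abort, 1);
    return -1;
}

/* Parse the argument of -C as a decimal context length.
 * Returns the length, or -1 if the argument is not a plain number, so
 * "-Caaa..." and "-Cx" both take the error path, as the thread notes. */
static int parse_context_length(const char *arg)
{
    int n = 0;
    if (arg == NULL || *arg == '\0')
        return -1;
    for (; *arg != '\0'; arg++) {
        if (*arg < '0' || *arg > '9')
            return -1;
        if (n > 100000)            /* constructed cap; keeps n from overflowing */
            return -1;
        n = n * 10 + (*arg - '0');
    }
    return n;
}

/* Run one "diff" with the given -C argument.
 * arm_context selects whether setjmp() is called first (the fixed code)
 * or skipped (the unfixed behaviour, with the jump refused by the guard).
 * Returns 0 on success, 1 when the error path unwound via longjmp(),
 * 2 when the error path was reached with the context unarmed. */
int run_diff(const char *context_arg, int arm_context)
{
    if (arm_context) {
        if (setjmp(diff_abort) != 0) {
            /* arrived here via longjmp() from diff_fatal() */
            diff_abort_armed = 0;
            return 1;
        }
        diff_abort_armed = 1;
    }
    if (parse_context_length(context_arg) < 0) {
        diff_fatal("bad context length");  /* does not return if armed */
        diff_abort_armed = 0;
        return 2;
    }
    diff_abort_armed = 0;
    return 0;
}

int main(void)
{
    printf("run_diff(\"3\",   armed)   = %d\n", run_diff("3", 1));
    printf("run_diff(\"aaa\", armed)   = %d\n", run_diff("aaa", 1));
    printf("run_diff(\"x\",   unarmed) = %d\n", run_diff("x", 0));
    return 0;
}
```

The point of the guard is that the length of the -C argument never matters: any non-numeric value reaches diff_fatal(), and whether that is a clean unwind or a crash depends only on whether the jmp_buf was established, which is why "-Cx" behaves the same as 300 a's in the report. When reviewing code that uses setjmp()/longjmp(), the check to make is exactly this one: every longjmp() must be dominated by a setjmp() on the same buffer in a frame that is still live.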
Current thread:
- Re: [Fwd: Help needed with bufferoverflow in cvs] Larry Jones (Feb 21)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Tollef Fog Heen (Feb 21)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Larry Jones (Feb 21)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Turbo Fredriksson (Feb 22)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Larry Jones (Feb 22)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Crist J. Clark (Feb 22)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Donald Sharp (Feb 22)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Crist J. Clark (Feb 23)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Larry Jones (Feb 21)
- Re: [Fwd: Help needed with bufferoverflow in cvs] Tollef Fog Heen (Feb 21)