zoo contains exploitable buffer overflows
Hans de Goede
j.w.r.degoede at hhs.nl
Mon Feb 27 08:25:33 UTC 2006
Josh Bressers wrote:
>> As the FE zoo maintainer I've applied the security patch suggested on=20
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D183109
>>
>> I'm not sure the security analysis here is right, but since the patch
>> seems harmless and zoo is exposed to external input via mail filters
>> such as amavisd-new I preferred to err on the side of caution.
>
> The issue seems to exist. You can get cause zoo to segfault upon archive
> creation (this is a new and different issue) by creating a very long
> directory path.
>
> mkdir `perl -e 'print "A"x254'`
> cd `perl -e 'print "A"x254'`
> mkdir `perl -e 'print "A"x254'`
> cd `perl -e 'print "A"x254'`
> touch feh
> cd ../..
> zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`
>
> This causes zoo to crash here:
>
> void parse (path_st, fname)
> register struct path_st *path_st;
> char *fname;
> {
> char tempname[LFNAMESIZE]; /* working copy of supplied fname */
> char *namep; /* points to relevant part of tempname */
>
> char *p;
> strcpy (tempname, fname); <== Buffer overflow
>
> This points out that zoo is a very poorly written program. Luckily with
> the new changes to gcc and glibc, these horrible stack buffer overflows are
> non issues. Run the above commands, you'll see on FC5 it doesn't crash,
> libc catches it.
>
>
>> If some people could review the alert and the patch I'd be grateful.
>> To my knowledge other distributions have not acted on the alert yet
>> (it's been published on many security lists in the last days).
>
> The patch attached to the mail (in bugzilla) looks pretty hokey. I would
> either malloc however much space is needed, or verify the path won't
> overflow the static space. Adding more space to a static buffer doesn't
> help, it should still be possible to overflow the buffer. The only good
> way to fix this I can see is modify the combine() function to either accept
> a maximum string length, or malloc the space itself.
>
> If you pass a length to combine(), you have the issue of uncleanly exiting.
> The code I see has no nice way to report potential errors, which means
> you'll have to exit() inside combine(), which will leave things in an
> unknown state.
>
> Fixing zoo is probably never going to happen, this is just one of the
> things that is horribly broken by design. From my quick look through the
> source, it's pretty bad. There are going to be countless similar problems
>
Please add this to the relevant bugzilla entry for tracking.
Thanks,
Hans
More information about the Fedora-maintainers
mailing list