From fc1998822fd8bc2de455e504f0f27bec4ba2039f Mon Sep 17 00:00:00 2001 From: Petr Písař Date: Feb 22 2018 16:12:28 +0000 Subject: Fix a heap buffer overflow in find_archive() --- diff --git a/sharutils-4.15.2-Fix-a-heap-buffer-overflow-in-find_archive.patch b/sharutils-4.15.2-Fix-a-heap-buffer-overflow-in-find_archive.patch new file mode 100644 index 0000000..bf9d583 --- /dev/null +++ b/sharutils-4.15.2-Fix-a-heap-buffer-overflow-in-find_archive.patch @@ -0,0 +1,58 @@ +From 1067cdba6d08f2a765cb0ea371189a5b703eb4db Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 22 Feb 2018 16:39:43 +0100 +Subject: [PATCH] Fix a heap-buffer-overflow in find_archive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in +find_archive() reads up-to BUFSIZ bytes. + +On my system, BUFSIZ is 8192. rw_base_size is usually equaled to +a memory page size, 4096 on my system. Thus find_archive() can write +beyonded allocated memmory for rw_buffer array: + +$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4 +==30582== Memcheck, a memory error detector +==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. +==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info +==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4 +==30582== +==30582== Invalid write of size 1 +==30582== at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so) +==30582== by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so) +==30582== by 0x10BF60: fgets_unlocked (stdio2.h:320) +==30582== by 0x10BF60: find_archive (unshar.c:243) +==30582== by 0x10BF60: unshar_file (unshar.c:379) +==30582== by 0x10BCCC: validate_fname (unshar-opts.c:604) +==30582== by 0x10BCCC: main (unshar-opts.c:639) +==30582== Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd +==30582== at 0x4C2DBBB: malloc (vg_replace_malloc.c:299) +==30582== by 0x10C670: init_unshar (unshar.c:450) +==30582== by 0x10BC55: main (unshar-opts.c:630) + +This was reported in +. + +Signed-off-by: Petr Písař +--- + src/unshar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/unshar.c b/src/unshar.c +index 80bc3a9..0fc3773 100644 +--- a/src/unshar.c ++++ b/src/unshar.c +@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start) + off_t position = ftello (file); + + /* Read next line, fail if no more and no previous process. */ +- if (!fgets (rw_buffer, BUFSIZ, file)) ++ if (!fgets (rw_buffer, rw_base_size, file)) + { + if (!start) + error (0, 0, _("Found no shell commands in %s"), name); +-- +2.13.6 + diff --git a/sharutils.spec b/sharutils.spec index 9d8cb0c..f3ec799 100644 --- a/sharutils.spec +++ b/sharutils.spec @@ -1,7 +1,7 @@ Summary: The GNU shar utilities for packaging and unpackaging shell archives Name: sharutils Version: 4.15.2 -Release: 5%{?dist} +Release: 6%{?dist} # The main code: GPLv3+ # lib (gnulib): GPLv3+ # lib/md5.c: Public Domain @@ -14,6 +14,9 @@ Group: Applications/Archiving Source: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz # Pass compilation with -Werror=format-security, bug #1037323 Patch0: %{name}-4.14.2-Pass-compilation-with-Werror-format-security.patch +# Fix a heap buffer overflow in find_archive(), bug #1548019, +# +Patch1: %{name}-4.15.2-Fix-a-heap-buffer-overflow-in-find_archive.patch URL: http://www.gnu.org/software/%{name}/ BuildRequires: binutils BuildRequires: coreutils @@ -45,6 +48,7 @@ the shar files. %prep %setup -q %patch0 -p1 -b .format +%patch1 -p1 # convert TODO, THANKS to UTF-8 for i in TODO THANKS; do @@ -82,6 +86,9 @@ fi %{_mandir}/man5/* %changelog +* Thu Feb 22 2018 Petr Pisar - 4.15.2-8 +- Fix a heap buffer overflow in find_archive() (bug #1548019) + * Sat Feb 11 2017 Fedora Release Engineering - 4.15.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild