Vulnerability Development mailing list archives
Re: New bugs discovered!
From: sy4n <sy4n () autistici org>
Date: Tue, 20 Nov 2001 00:43:29 +0000 (GMT)
Making a diff between gzip 1.2.4 from OpenBSD 2.9 and the gzip.org one, I read:
bash-2.05$ diff gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c 48c48 < static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp $"; ---
static char rcsid[] = "$Id: gzip.c,v 1.4 1998/11/22 20:03:21 deraadt Exp
$"; 524c524,530 < strcpy(z_suffix, optarg); ---
if (z_len > sizeof(z_suffix)-1) { fprintf(stderr, "%s: -S suffix too long\n", progname); usage(); do_exit(ERROR); } strncpy(z_suffix, optarg, sizeof z_suffix-1); z_suffix[sizeof z_suffix-1] = '\0';
1008a1015,1021
if (strlen(iname) >= sizeof(ifname) - 3) { errno = ENAMETOOLONG; perror(iname); exit_code = ERROR; return ERROR; }
1576d1588 < (void) chmod(ofname, 0777); 1636d1647 < (void) chmod(ifname, 0777);

There are two missing sanity checks in the original GNU gzip: one, according to GomoR, is in the suffix code; the other is in the input name checking in function get_istat(). The correct code from OpenBSD 2.9 is:

    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        perror(iname);
        exit_code = ERROR;
        return ERROR;
    }
    strcpy(ifname, iname);

while in the vulnerable gzip there isn't the if statement. Instead, strcpy(nbuf,dir) in treat_dir() has a sanity check in both versions:

    if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf,dir);

so the problem isn't here. Debian is also unaffected 'cause gzip_1.2.4-33.diff adds the same if statement in gzip.c.

--- sy4n
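Review bot: in the 524c524,530 hunk the new test is on z_len, but the value being copied is optarg, and nothing in the added lines sets z_len from optarg. The check is only sound if z_len = strlen(optarg) is assigned on an unchanged line just above; please confirm that, or test strlen(optarg) directly. Once the length test has passed, the strncpy with explicit terminator is redundant with it but harmless. Also check whether usage() returns, otherwise do_exit(ERROR) is unreachable.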
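Review bot: in the 1008a1015,1021 hunk the margin of 3 in sizeof(ifname) - 3 is a bare constant with no comment. If it reserves room for a suffix appended to ifname after the copy, say so in a comment and make sure it covers the longest suffix that -S accepts (bounded by sizeof(z_suffix)-1 in the 524c524,530 hunk) rather than assuming a three-character one.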
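Review bot: the 1576d1588 and 1636d1647 hunks delete (void) chmod(ofname, 0777) and (void) chmod(ifname, 0777) with no explanation, and the accompanying message does not mention them. These are a permission change rather than a bounds check, since mode 0777 makes the file world-writable. Record the reason for dropping them in the change description and confirm that whatever those calls were enabling still works without them.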