Vulnerability Development mailing list archives

Re: New bugs discovered!


From: sy4n <sy4n () autistici org>
Date: Tue, 20 Nov 2001 00:43:29 +0000 (GMT)

Making a diff between gzip 1.2.4 from OpenBSD 2.9 and the gzip.org one, I read:

bash-2.05$ diff gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
48c48
< static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp
$";
---
static char rcsid[] = "$Id: gzip.c,v 1.4 1998/11/22 20:03:21 deraadt Exp
$";
524c524,530
<             strcpy(z_suffix, optarg);
---
          if (z_len > sizeof(z_suffix)-1) {
              fprintf(stderr, "%s: -S suffix too long\n", progname);
              usage();
              do_exit(ERROR);
          }
            strncpy(z_suffix, optarg, sizeof z_suffix-1);
          z_suffix[sizeof z_suffix-1] = '\0';
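Review bot: in the 524c524,530 hunk the strncpy with `sizeof z_suffix-1` plus the explicit NUL store is redundant once `z_len > sizeof(z_suffix)-1` has already rejected an over-long suffix, but keeping both is harmless defence in depth; the one thing worth confirming is that `z_len` is the strlen of the same `optarg` that is copied here, since the check and the copy must measure the same string.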
1008a1015,1021
    if (strlen(iname) >= sizeof(ifname) - 3) {
      errno = ENAMETOOLONG;
      perror(iname);
      exit_code = ERROR;
      return ERROR;
    }
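Review bot: the `sizeof(ifname) - 3` bound in the 1008a1015,1021 hunk leaves room for a three-character suffix such as ".gz" plus the terminating NUL, but the hunk above lets -S set a suffix of up to `sizeof(z_suffix)-1` characters, so the code that later appends z_suffix to the name needs its own length check; reserving `strlen(z_suffix) + 1` here instead of a constant would tie the two limits together.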

1576d1588
<     (void) chmod(ofname, 0777);
1636d1647
<     (void) chmod(ifname, 0777);
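Review bot: the two deleted `chmod(..., 0777)` calls in the 1576d1588 and 1636d1647 hunks made the output or input file world-readable, -writable and -executable for as long as it persisted; dropping them is correct, and nothing is lost because removing a file depends on the directory's permissions, not on the file's own mode.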


There are two missing sanity checks in the original GNU gzip: one, according to
GomoR, is in the suffix code; the other is in the input name checking in
function get_istat().

The correct code from OpenBSD 2.9 is:

    /* leave room for a 3-character suffix such as ".gz" plus the NUL */
    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        perror(iname);
        exit_code = ERROR;
        return ERROR;
    }

    strcpy(ifname, iname);

while in the vulnerable gzip the if statement is absent.

Instead, strcpy(nbuf,dir) in treat_dir() has a sanity check in both
versions:

    if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf,dir);

so the problem isn't here.

Debian is also unaffected because gzip_1.2.4-33.diff adds the same if
statement in gzip.c.


---
sy4n


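The two checks in the OpenBSD diff quoted above, reworked into a small self-contained C program as an added example (this is not gzip's code, and it is not from the original post). Buffer sizes, the file names and the suffixes are constructed for the example; the `get_istat` here also goes one step beyond the diff by reserving room for the currently configured suffix plus the NUL instead of a fixed three bytes, so that a long `-S` suffix cannot overflow the output name later.

```c
/* Added example, not gzip's own code: the OpenBSD-style bounds checks
 * from the diff, as a stand-alone routine with constructed buffer sizes. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 64   /* constructed: gzip's real limit is larger */
#define MAX_SUFFIX   30   /* constructed */

enum { OK = 0, ERROR = 1 };

static char z_suffix[MAX_SUFFIX + 1] = ".gz";
static char ifname[MAX_PATH_LEN];
static char ofname[MAX_PATH_LEN];

/* Mirrors the 524c524,530 hunk: reject a -S suffix that would not fit.
 * gzip calls usage() and exits here; the example just returns ERROR. */
int set_suffix(const char *optarg)
{
    size_t z_len = strlen(optarg);
    if (z_len > sizeof(z_suffix) - 1) {
        fprintf(stderr, "gzip: -S suffix too long\n");
        return ERROR;
    }
    strncpy(z_suffix, optarg, sizeof z_suffix - 1);
    z_suffix[sizeof z_suffix - 1] = '\0';
    return OK;
}

/* Mirrors the 1008a1015,1021 hunk, generalised: instead of a fixed
 * "- 3", reserve room for whatever suffix is set plus the NUL, so the
 * strcpy/strcat below are bounded by the same check. */
int get_istat(const char *iname)
{
    if (strlen(iname) + strlen(z_suffix) >= sizeof(ifname)) {
        errno = ENAMETOOLONG;
        perror(iname);
        return ERROR;
    }
    strcpy(ifname, iname);     /* fits: strlen(iname) < MAX_PATH_LEN */
    strcpy(ofname, ifname);
    strcat(ofname, z_suffix);  /* fits: name + suffix < MAX_PATH_LEN */
    return OK;
}

const char *output_name(void) { return ofname; }

/* Constructed inputs: a 60-character name that just fits with ".gz",
 * a 70-character name that does not, and a 41-character suffix. */
static const char edge_name[] =
    "012345678901234567890123456789012345678901234567890123456789";
static const char long_name[] =
    "0123456789012345678901234567890123456789012345678901234567890123456789";
static const char long_suffix[] = ".0123456789012345678901234567890123456789";

int main(void)
{
    if (set_suffix(".gz") == OK && get_istat("file") == OK)
        printf("%s\n", output_name());            /* file.gz */
    printf("long name rejected: %d\n", get_istat(long_name) == ERROR);
    printf("long suffix rejected: %d\n", set_suffix(long_suffix) == ERROR);
    return 0;
}
```

The point of coupling the two checks is that a change to one buffer limit cannot silently invalidate the other: the name check reads the suffix's actual length rather than assuming it is three characters.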