File: 20_CVE-2007-2452.dpatch

package info (click to toggle)
findutils 4.2.28-1etch1
  • links: PTS
  • area: main
  • in suites: etch
  • size: 7,460 kB
  • ctags: 2,635
  • sloc: ansic: 28,555; sh: 4,519; makefile: 616; exp: 419; sed: 16
file content (294 lines) | stat: -rw-r--r-- 8,389 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
 
#! /bin/sh /usr/share/dpatch/dpatch-run
## 20_CVE-2007-2452.dpatch by Jay
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix heap bufffer overflow in locate CVE-2007-2452.

@DPATCH@
$Revision: 1.4 $; $Date: 2007/05/30 22:04:52 $


I. BACKGROUND
=============

GNU findutils is a set of programs which search for files on Unix-like
systems.  It is maintained by the GNU Project of the Free Software
Foundation.  For more information, see http://www.gnu.org/software/findutils.


II. DESCRIPTION
===============

When GNU locate reads filenames from an old-format locate database,
they are read into a fixed-length buffer allocated on the heap.
Filenames longer than the 1026-byte buffer can cause a buffer overrun.
The overrunning data can be chosen by any person able to control the
names of filenames created on the local system.  This will normally
include all local users, but in many cases also remote users (for
example in the case of FTP servers allowing uploads).

III. ANALYSIS
=============

Findutils supports three different formats of locate database, its
native format "LOCATE02", the slocate variant of LOCATE02, and a
traditional ("old") format that locate uses on other Unix systems.

When locate reads filenames from a LOCATE02 database (the default
format), the buffer into which data is read is automatically extended
to accommodate the length of the filenames.

This automatic buffer extension does not happen for old-format
databases.  Instead a 1026-byte buffer is used.  When a longer
pathname appears in the locate database, the end of this buffer is
overrun.  The buffer is allocated on the heap (not the stack).

If the locate database is in the default LOCATE02 format, the locate
program does perform automatic buffer extension, and the program is
not vulnerable to this problem.  The software used to build the
old-format locate database is not itself vulnerable to the same
attack.

Most installations of GNU findutils do not use the old database
format, and so will not be vulnerable.


IV. DETECTION
=============

Software:
All existing releases of findutils are affected.


Installations:
To discover the longest path name on a given system, you can use the
following command (requires GNU findutils and GNU coreutils):

find / -print0 | tr -c '\0' 'x' | tr '\0' '\n' | wc -L


V. EXAMPLE
==========

This section includes a shell script which determines which of a list
of locate binaries is vulnerable to the problem.  The shell script has
been tested only on glibc based systems having a mktemp binary.

NOTE: This script deliberately overruns the buffer in order to
determine if a binary is affected.  Therefore running it on your
system may have undesirable effects.  We recommend that you read the
script before running it.

#! /bin/sh
set +m
if vanilla_db="$(mktemp nicedb.XXXXXX)" ; then
    if updatedb --prunepaths="" --old-format --localpaths="/tmp" \
	--output="${vanilla_db}" ; then
	true
    else
	rm -f "${vanilla_db}"
	vanilla_db=""
	echo "Failed to create old-format locate database; skipping the
sanity checks" >&2
    fi
fi

make_overrun_db() {
    # Start with a valid database
    cat "${vanilla_db}"
    # Make the final entry really long
    dd if=/dev/zero  bs=1 count=1500 2>/dev/null | tr '\000' 'x'
}



ulimit -c 0

usage() { echo "usage: $0 binary [binary...]" >&2; exit $1; }
[ $# -eq 0 ] && usage 1

bad=""
good=""
ugly=""
if dbfile="$(mktemp nasty.XXXXXX)"
then
    make_overrun_db > "$dbfile"
    for locate ; do
      ver="$locate = $("$locate"  --version | head -1)"
      if [ -z "$vanilla_db" ] || "$locate" -d "$vanilla_db" "" >/dev/null ; then
	  "$locate" -d "$dbfile" "" >/dev/null
	  if [ $? -gt 128 ] ; then
	      bad="$bad
vulnerable: $ver"
	  else
	      good="$good
good: $ver"
	  fi
       else
	  # the regular locate failed
	  ugly="$ugly
buggy, may or may not be vulnerable: $ver"
       fi
    done
    rm -f "${dbfile}" "${vanilla_db}"
    # good: unaffected.  bad: affected (vulnerable).
    # ugly: doesn't even work for a normal old-format database.
    echo "$good"
    echo "$bad"
    echo "$ugly"
else
  exit 1
fi





VI. VENDOR RESPONSE
===================

The GNU project discovered the problem while 'locate' was being worked
on.  The GNU findutils maintainer has issued a patch as part of this
announcement.  The patch appears below, but the relevant change is
also included in findutils version 4.2.31, which is available by FTP
at ftp://ftp.gnu.org/gnu/findutils/findutils-4.2.31.tar.gz.

A release of findutils-4.3.x will follow and will also include the
patch.


VII. PATCH
==========

A version of findutils in which this problem has been addressed is
available at ftp://ftp.gnu.org/gnu/findutils/findutils-4.2.31.tar.gz.

This patch also fixes the problem and should apply to findutils-4.2.23
and later.  Findutils-4.2.23 was released almost two years ago.

Index: locate/locate.c
===================================================================
RCS file: /cvsroot/findutils/findutils/locate/locate.c,v
retrieving revision 1.58.2.2
diff -u -p -r1.58.2.2 findutils/locate.c
--- findutils/locate/locate.c	22 Apr 2007 16:57:42 -0000	1.58.2.2
+++ findutils/locate/locate.c	28 May 2007 10:18:16 -0000
@@ -124,9 +124,9 @@ extern int errno;

 #include "locatedb.h"
 #include <getline.h>
-#include "../gnulib/lib/xalloc.h"
-#include "../gnulib/lib/error.h"
-#include "../gnulib/lib/human.h"
+#include "xalloc.h"
+#include "error.h"
+#include "human.h"
 #include "dirname.h"
 #include "closeout.h"
 #include "nextelem.h"
@@ -468,10 +468,36 @@ visit_justprint_unquoted(struct process_
   return VISIT_CONTINUE;
 }

+static void
+toolong (struct process_data *procdata)
+{
+  error (1, 0,
+	 _("locate database %s contains a "
+	   "filename longer than locate can handle"),
+	 procdata->dbfile);
+}
+
+static void
+extend (struct process_data *procdata, size_t siz1, size_t siz2)
+{
+  /* Figure out if the addition operation is safe before performing it. */
+  if (SIZE_MAX - siz1 < siz2)
+    {
+      toolong (procdata);
+    }
+  else if (procdata->pathsize < (siz1+siz2))
+    {
+      procdata->pathsize = siz1+siz2;
+      procdata->original_filename = x2nrealloc (procdata->original_filename,
+						&procdata->pathsize,
+						1);
+    }
+}
+
 static int
 visit_old_format(struct process_data *procdata, void *context)
 {
-  register char *s;
+  register size_t i;
   (void) context;

   /* Get the offset in the path where this path info starts.  */
@@ -479,20 +505,35 @@ visit_old_format(struct process_data *pr
     procdata->count += getw (procdata->fp) - LOCATEDB_OLD_OFFSET;
   else
     procdata->count += procdata->c - LOCATEDB_OLD_OFFSET;
+  assert(procdata->count > 0);

-  /* Overlay the old path with the remainder of the new.  */
-  for (s = procdata->original_filename + procdata->count;
+  /* Overlay the old path with the remainder of the new.  Read
+   * more data until we get to the next filename.
+   */
+  for (i=procdata->count;
        (procdata->c = getc (procdata->fp)) > LOCATEDB_OLD_ESCAPE;)
-    if (procdata->c < 0200)
-      *s++ = procdata->c;		/* An ordinary character.  */
-    else
-      {
-	/* Bigram markers have the high bit set. */
-	procdata->c &= 0177;
-	*s++ = procdata->bigram1[procdata->c];
-	*s++ = procdata->bigram2[procdata->c];
-      }
-  *s-- = '\0';
+    {
+      if (procdata->c < 0200)
+	{
+	  /* An ordinary character. */	
+	  extend (procdata, i, 1u);
+	  procdata->original_filename[i++] = procdata->c;
+	}
+      else
+	{
+	  /* Bigram markers have the high bit set. */
+	  extend (procdata, i, 2u);
+	  procdata->c &= 0177;
+	  procdata->original_filename[i++] = procdata->bigram1[procdata->c];
+	  procdata->original_filename[i++] = procdata->bigram2[procdata->c];
+	}
+    }
+
+  /* Consider the case where we executed the loop body zero times; we
+   * still need space for the terminating null byte.
+   */
+  extend (procdata, i, 1u);
+  procdata->original_filename[i] = 0;

   procdata->munged_filename = procdata->original_filename;





VIII. THANKS
============

Thanks to Rob Holland <rob@inversepath.com> and Tavis Ormandy.


VIII. CVE INFORMATION
=====================

The identifier CVE-2007-2452 been assigned for this issue.


_______________________________________________
Bug-findutils mailing list
Bug-findutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-findutils