Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0771: lha: several other bugs fixed | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Stanislav Brabec <sbrabec> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | meissner, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0771: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | lha_gdb.log.bz2, lha-security-code-review.diff, lha.strc, patchinfo-box.lha, patchinfo.lha, archive.lhz | | |
Description
Thomas Biege
2004-07-16 19:18:39 UTC
- Gentoo bug: Already applied.
- Exploit of Lukasz Wojtow: Segfaults.
- Debian: Patch has no rejects (it creates changed files in directory debian):
patching file man/lha.man
patching file debian/README.Debian
patching file debian/header.c
patching file debian/changelog
patching file debian/control
patching file debian/lha.1
patching file debian/lhext.c
patching file debian/lha.h
patching file debian/rules
patching file debian/dirs
patching file debian/copyright
patching file debian/docs
patching file debian/patch.paul
patching file debian/patch.CAN-2004-0234_0235
patch.CAN-2004-0234_0235: Already applied.
patch.paul: Not applied, only include change.
Differences of the changed files in directory debian in comparison with SuSE Linux STABLE:
sbrabec@unicorn:~/STABLE/lha/BUILD/lha-114i/debian> diff src/header.c
debian/header.c
541,544d540
< if (header_size >= 256) {
< fprintf(stderr, "Possible buffer overflow hack
attack, type #1\n");
< exit(109);
< }
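Review bot: the `header_size >= 256` bound in the first check is a bare literal while the second check uses FILENAME_LENGTH; tie the 256 to the buffer it protects (a `sizeof` or a named constant) so the limit and the buffer cannot drift apart, and name that buffer in the diagnostic instead of "hack attack, type #1".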
554,557d549
< if (header_size >= FILENAME_LENGTH) {
< fprintf(stderr, "Possible buffer overflow hack
attack, type #2\n");
< exit(110);
< }
sbrabec@unicorn:~/STABLE/lha/BUILD/lha-114i/debian> diff src/lhext.c debian/lhext.c
193,197d192
< if (is_directory_traversal(q)) {
< fprintf(stderr, "Possible directory traversal hack attempt in
%s\n", q);
< exit(111);
< }
<
199c194
< while (*q == '/') { q++; }
---
> q++;
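Review bot: the single `q++` on the `>` side skips exactly one leading '/', so an entry name beginning with two slashes is still used as an absolute path; the `while (*q == '/') { q++; }` loop on the `<` side is the form to keep, with a comment stating that it exists to refuse absolute names.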
215,219c210,212
< snprintf(name, sizeof(name), "%s/%s", extract_directory, q);
< else {
< strncpy(name, q, sizeof(name));
< name[sizeof(name) - 1] = '\0';
< }
---
> sprintf(name, "%s/%s", extract_directory, q);
> else
> strcpy(name, q);
429,455d421
< int
< is_directory_traversal(char *string)
< {
< unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
< char *temp;
<
< temp = string;
<
< while (*temp != 0) {
< if (temp[0] == '/') {
< if (type == 1) { return 1; }
< type = 0;
< temp++;
< continue;
< }
<
< if ((temp[0] == '.') && (type < 2))
< type = 1;
< if (temp[0] != '.')
< type = 2;
<
< temp++;
< } /* while */
<
< return (type == 1);
< }
<
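Review bot: is_directory_traversal() sets type = 1 for any component consisting only of dots, so a harmless "." component (an entry such as "./file") is rejected exactly like ".."; either compare the component against ".." explicitly or document in the type comment that single-dot components are deliberately refused. The function also relies on the caller's `while (*q == '/')` loop to handle absolute names, which deserves a comment at the call site in lhext.c.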
This probably means that we are still vulnerable... So please apply this patch. The exploit must not segfault afterwards.

Which patch? I don't see any patch to be applied.
The difference mentioned above is CAN-2004-0234_0235. After applying it to debian/, only the following remains, and it seems that our code has an extra check and Debian only has an extra make_parent_path().
--- src/lhext.c 2004-07-16 14:50:06.867616009 +0200
+++ debian/lhext.c 2004-07-16 14:50:43.413669943 +0200
@@ -212,11 +212,9 @@
}
if (extract_directory)
- snprintf(name, sizeof(name), "%s/%s", extract_directory, q);
- else {
- strncpy(name, q, sizeof(name));
- name[sizeof(name) - 1] = '\0';
- }
+ sprintf(name, "%s/%s", extract_directory, q);
+ else
+ strcpy(name, q);
/* LZHDIRS_METHOD�����ĥإå��������å����� */
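Review bot: read as a patch from src/lhext.c to debian/lhext.c, this hunk replaces the bounded `snprintf(name, sizeof(name), ...)` and `strncpy` with explicit NUL termination by unbounded `sprintf` and `strcpy` into `name`; the `-` side is the safe one, so this hunk must not be applied in this direction.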
@@ -358,6 +356,7 @@
}
unlink(bb1);
+ make_parent_path(bb1);
l_code = symlink(bb2, bb1);
if (l_code < 0) {
if (quiet != TRUE)
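Review bot: `make_parent_path(bb1)` creates directories for bb1 before `symlink(bb2, bb1)`, so if bb1 comes from the archive it must already have passed the same traversal and leading-slash checks as regular file names; nothing in this hunk shows that, and either a comment naming where that check happens or an explicit check before this line should make it visible.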
Yes debian is missing the check:
--- lhext.c.old 2000-10-04 16:57:38.000000000 +0200
+++ lhext.c 2004-05-16 00:27:22.000000000 +0200
@@ -207,9 +207,11 @@
}
if (extract_directory)
- sprintf(name, "%s/%s", extract_directory, q);
- else
- strcpy(name, q);
+ snprintf(name, sizeof(name), "%s/%s", extract_directory, q);
+ else {
+ strncpy(name, q, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+ }
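Review bot: `snprintf(name, sizeof(name), ...)` and `strncpy(name, q, sizeof(name))` stop the overflow but truncate silently, so an over-long entry name is extracted under a shortened path with no error; compare the snprintf() return value against sizeof(name) (and strlen(q) against sizeof(name) on the else branch) and refuse the entry when it does not fit.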
We got this fix, and Stanislav, if I understand you correctly (the network at Nuremberg is hanging, otherwise I could have looked it up on my own), patch CAN-2004-0234_0235 is in our lha package too.
Stanislav, if this is right please close this bug.
Thanks.
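The two fixes compared in the diffs above, the component-wise traversal check and the bounded construction of `name`, combined into one path-building routine. This is an added example, not lha's or any distribution patch's code, and it goes slightly beyond the page: a lone "." component is allowed, and snprintf() truncation is detected instead of silently accepted. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not lha code): hardened extraction-path construction.
 * It applies the checks discussed in this bug, rejection of ".." path
 * components and a bounded copy into a fixed buffer, and adds the
 * truncation check that a bare snprintf()/strncpy() does not give. */

/* Return 1 if any '/'-separated component of path is exactly "..".
 * Unlike the original is_directory_traversal(), a lone "." is allowed
 * and "..hidden" is treated as an ordinary name. */
static int has_dotdot_component(const char *path)
{
    while (*path) {
        size_t len = strcspn(path, "/");      /* length of this component */
        if (len == 2 && path[0] == '.' && path[1] == '.')
            return 1;
        path += len;
        while (*path == '/')                  /* skip one or more separators */
            path++;
    }
    return 0;
}

/* Build "<extract_dir>/<entry>" (or just "<entry>") into out[outsz].
 * Returns 0 on success, -1 on traversal, -2 if the result would not fit. */
int build_extract_path(const char *extract_dir, const char *entry,
                       char *out, size_t outsz)
{
    int n;

    if (has_dotdot_component(entry))
        return -1;
    while (*entry == '/')                     /* refuse absolute names */
        entry++;
    if (extract_dir)
        n = snprintf(out, outsz, "%s/%s", extract_dir, entry);
    else
        n = snprintf(out, outsz, "%s", entry);
    /* snprintf() returns the length it wanted; >= outsz means truncation */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -2;
    }
    return 0;
}
```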
I have looked at your links and here is a summary: We have all patches from Debian (except one line) and the Gentoo links. But the test archive still causes a segfault (see #2). Even with the only additional line which Debian has (see #4).

Can you run gdb on lha while it opens the test archive please. It looks like there are just more sprintfs and strcpys around.

Created attachment 22305 [details]
lha_gdb.log.bz2
No backtrace is possible, attaching trace log. Line numbers are valid for
current STABLE, Debian extra line not used.
(gdb) bt
#0 0x40065b55 in __vstrfmon_l () from /lib/libc.so.6
Cannot access memory at address 0x41414145
Looks like this code needs an audit...

Created attachment 22323 [details]
lha-security-code-review.diff
This patch seems to fix the bug, but I am not sure if it breaks something. ;)
thomas@Spiral:/tmp/lha> !per
perl expl.pl > ar.lhz
thomas@Spiral:/tmp/lha> lha -e ar.lhz
thomas@Spiral:/tmp/lha>
Created attachment 22324 [details]
lha.strc
strace dump
Stanislav, I'll attach the patchinfo files ASAP. Can you prepare the updates please.

Created attachment 22365 [details]
patchinfo-box.lha
Created attachment 22366 [details]
patchinfo.lha
Which updates? I have no new patch except the one mentioned below. And the change mentioned below does not fix the segfault on the exploit archive.
--- src/lhext.c 2004-07-16 14:50:06.867616009 +0200
+++ debian/lhext.c 2004-07-16 14:50:43.413669943 +0200
@@ -358,6 +356,7 @@
}
unlink(bb1);
+ make_parent_path(bb1);
l_code = symlink(bb2, bb1);
if (l_code < 0) {
if (quiet != TRUE)
Created attachment 22367 [details]
archive.lhz
Try "lha -e archive.lhz" to check a possible patch. The patch from #15 does not fix this crash, and it seems that we don't have any other patches. The archive comes from Lukasz Wojtow <lw@wszia.edu.pl>. http://lw.ftw.zamosc.pl/lha-exploit.txt

Sorry. And is the Debian diff from #15 needed/useful?

I am not sure about the usefulness of the added make_parent_path(bb1). My patch is based on a patched 9.1 lha version, without the make_parent_path(), and it seems to work.

Submitted patch from comment #10 for 8.0-all 8.2-all 9.0-all sles7 sles7-ppc sles9-all stable-all ul1-all.

Please also submit the patchinfos...

I did it to speed the process up.

To : suse-dist@suse.de
Cc :
Attchmnt:
Subject : patchinfos for lha submitted.
----- Message Text -----
hi,
the patchinfos for bug 58081 can be found at:
/work/src/done/PATCHINFO/patchinfo-box.lha
/work/src/done/PATCHINFO/patchinfo.lha
Bye,
Thomas
--
Thomas Biege <thomas@suse.de>, SUSE LINUX AG, Security Support & Auditing
--
Machines should work. People should think.
-- Richard W. Hamming

(Btw, the rmdir patch is actually not needed as we have ftruncate...)

Good news. We should keep it for the sake of completeness.

CRD: 11th Aug. 16:00 MEST

No one cared about a coordinated release, therefore I approved them now. :)

CVE-2004-0771

CVE-2004-0771: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)