Bug 61557 (CVE-2004-1772)

Summary: VUL-0: CVE-2004-1772: buffer overflow in sharutils
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: ro, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1772: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2004-09-30 21:48:24 UTC 
To: GNU Announcements <info-gnu@gnu.org> 
Date: Wed, 29 Sep 2004 21:13:55 -0400 (EDT)    
From: Bruce Korb <bkorb@.veritas.com> 
Cc: bug-gnu-utils@gnu.org 
Subject: Release of version 4.3.77 of sharutils 
Reply-To: bug-gnu-utils@gnu.org 
Errors-To: bug-gnu-utils-bounces+schwab=suse.de@gnu.org 
 
GNU sharutils consists of two pairs of utilities: shar and unshar, and 
uuencode and uudecode.  "shar" makes so-called shell archives out of 
many files, preparing them for transmission by electronic mail 
services (converting binary data to ascii representations, breaking 
the text into multiple shar scripts, etc.).  "unshar" is the safe way 
to reassemble and extract the original files.  It will automatically 
strip off the mail headers and other introductory text. 
 
"uuencode" and "uudecode" are programs that convert binary files into 
ascii text so that the original data can pass through the email system 
without having intermediate hosts "fixing" the files en route. 
 
NEWS: 
Version 4.3.77 - September 2004, by Bruce Korb 
 
* Fixed a buffer overrun exploit
Comment 1 Marcus Meissner 2004-09-30 21:48:24 UTC 
<!-- SBZ_reproduce  -->
n/a at this time.
Comment 2 Marcus Meissner 2004-09-30 21:49:14 UTC 
Andreas has found additional buffer overflow problems. 
 
How easy is this to trigger, Andreas?
Comment 3 Andreas Schwab 2004-09-30 22:10:42 UTC 
The other overrun is triggered when you call shar with a long file name as 
argument, or when it encounters such a long name while descending a directory.  
This file name is then used to construct and execute a shell command in a fixed 
sized buffer. 
 
There are also quoting bugs, both in these directly executed shell commands and 
in the generated shar file, which trigger when a file name contains a single 
quote character.
Comment 4 Marcus Meissner 2004-10-14 23:29:06 UTC 
public mostly
Comment 5 Marcus Meissner 2004-10-15 17:45:01 UTC 
my testcase segfaulted... 
 
        pushd . 
        for i in `seq 1 150` 
        do 
                date > foo 
                mkdir aaaaaaaaaaaaaaaaaaaa 
                cd    aaaaaaaaaaaaaaaaaaaa 
 
        done 
        popd 
        shar .>/dev/null 
        Segmentation fault              <<<< must not happen.
Comment 6 Marcus Meissner 2004-11-02 22:03:16 UTC 
ping
Comment 7 Andreas Schwab 2004-11-03 23:22:43 UTC 
Fixed.
Comment 8 Michael Schröder 2004-11-06 01:06:33 UTC 
9.2 is not affected? And where is the patchinfo?
Comment 9 Michael Schröder 2004-11-09 22:48:35 UTC 
Marcus, Andreas said you have some old patchinfos that can be used here?
Comment 10 Michael Schröder 2004-11-09 23:40:41 UTC 
(9.2 version is submitted)
Comment 11 Marcus Meissner 2004-11-12 21:27:23 UTC 
packages appr4oved
Comment 12 Ludwig Nussel 2005-04-04 08:17:36 UTC 
CAN-2004-1772 I think
Comment 13 Thomas Biege 2009-10-13 19:52:27 UTC 
CVE-2004-1772: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)