Debian Bug report logs - #242597
GNU Sharutils buffer overflow.


Package: sharutils; Maintainer for sharutils is Santiago Vila <sanvila@debian.org>; Source for sharutils is src:sharutils.

Reported by: Shaun Colley <shaunige@yahoo.co.uk>

Date: Wed, 7 Apr 2004 15:48:02 UTC

Severity: normal

Found in version 4.2.1

Fixed in version sharutils/1:4.2.1-11

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to bug-gnu-utils@GNU.ORG



Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#242597; Package sharutils. Full text and rfc822 format available.

Acknowledgement sent to Shaun Colley <shaunige@yahoo.co.uk>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Shaun Colley <shaunige@yahoo.co.uk>
To: submit@bugs.debian.org
Subject: GNU Sharutils buffer overflow.
Date: Wed, 7 Apr 2004 16:37:54 +0100 (BST)
Package: sharutils
Version: 4.2.1


When an overly long string is fed to 'shar' when using
the '-o' command-line option, a small, fixed length
buffer is overflowed, and thus important execution
flow information can be overwritten, such as the
Instruction Pointer (EIP).

Here is my console output:

---
bash$ shar -o `perl -e 'print "a"x20000'`
Segmentation fault (core dumped)
---

By examining the core file produced, it is apparent
that various registers/pieces of memory have been
overwritten by the a's spilling over the boundaries of
the small buffer.

Below is the offending code, in shar.c:

--- shar.c snippet ---
[...]

static char output_base_name[50];

[...]

  while (optchar = getopt_long (argc, argv,
                                "+$BCDFL:MPQSTVXZab:cd:fg:hl:mn:o:pqs:wxz",
                                long_options, NULL),
         optchar != EOF)
    switch (optchar)
      {

[...]

      case 'o':
        strcpy (output_base_name, optarg);
        if (!strchr (output_base_name, '%'))
          strcat (output_base_name, ".%02d");
        part_number = 0;
        open_output ();
        break;

[...]
--- EO shar.c snippet ---

As you can see, the argument following '-o' is copied
into a buffer only 50 bytes in length, using the
dangerous 'strcpy' function, without bounds checking. 
Obviously, this allows a user to supply a long
argument following the '-o' option, causing
'output_base_name' buffer to be overflowed - hence a
buffer overflow.

Although unlikely, this problem could be exploited by
a malicious user to execute arbitrary code, such as if
'shar -o ...' was invoked from a web CGI script, or if
a third-party SUID root application invoked 'shar -o
...' with user-supplied input.  Another possible
instance of when this might be exploited is maybe when
a user has a line invoking 'shar -o ...' in their
'procmailrc' file, which automatically invokes shar
with the vulnerable option when "trusted" contacts
send shar archives.

Despite it not being a major security threat, the
small likelihood of it being exploited exists,
nonetheless.  It's quite easy to fix, though.

I suggest the following fix:

---
--- shar.1.c    2004-04-06 16:26:55.000000000 +0100
+++ shar.c      2004-04-06 16:32:32.000000000 +0100
@@ -1905,7 +1905,7 @@
        break;

       case 'o':
-       strcpy (output_base_name, optarg);
+       strncpy (output_base_name, optarg,
sizeof(output_base_name));
        if (!strchr (output_base_name, '%'))
          strcat (output_base_name, ".%02d");
        part_number = 0;
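Review bot: the `+` line still leaves `output_base_name` unterminated whenever `optarg` is 50 bytes or longer, because `strncpy` with the full `sizeof(output_base_name)` writes no NUL in that case; the `strchr` and `strcat` on the following context lines then read and write past the buffer, and even a properly terminated name of 45 to 49 characters overflows when `strcat` appends the five-byte `.%02d`. Suggest checking `strlen(optarg) + sizeof(".%02d") <= sizeof(output_base_name)` (the suffix's `sizeof` includes its NUL) and rejecting longer names with an error, or at minimum copying `sizeof(output_base_name) - 1` bytes and setting the final byte to `'\0'` before the `strchr`. Note also that the `+` line is wrapped here, with `sizeof(output_base_name));` on a line of its own without a leading `+`, so the patch will not apply as pasted.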
---

The above patch could be modified a little bit, but it
does do the job.  When the above patch is applied, and
the Sharutils package is rebuilt, the buffer overflow
no longer exists - this is due to bounds checking,
implemented by the strncpy() call.  Only the first 50
bytes will be copied into the 'output_base_name'
buffer by strncpy(), thus eliminating the buffer
overflow problem.

This issue exists in the latest release of GNU
Sharutils - GNU sharutils 4.2.1.




Thank you for your time.
Shaun.




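As an added illustration (not code from the report or from sharutils itself), the C below shows a hardened form of the `case 'o'` handler that refuses any name that cannot fit in the 50-byte buffer together with the `.%02d` suffix, beside a model of the proposed `strncpy()` patch that reports whether the buffer is still NUL-terminated afterwards. The buffer size and suffix are taken from the snippet in the report; the function names are hypothetical.

```c
#include <string.h>

#define BASE_NAME_SIZE 50        /* size of output_base_name in shar.c */
#define PART_SUFFIX ".%02d"      /* appended when the name has no '%' */

/* Hypothetical hardened replacement for the `case 'o'` handler: checks
 * up front that name + suffix + NUL fit, and refuses (returns -1)
 * instead of truncating or overflowing. */
int set_output_base_name(char out[BASE_NAME_SIZE], const char *arg)
{
    size_t need = strlen(arg) + 1;              /* bytes incl. NUL */
    if (!strchr(arg, '%'))
        need += strlen(PART_SUFFIX);            /* ".%02d" will follow */
    if (need > BASE_NAME_SIZE)
        return -1;
    memcpy(out, arg, strlen(arg) + 1);
    if (!strchr(out, '%'))
        strcat(out, PART_SUFFIX);               /* provably fits now */
    return 0;
}

/* Constructed input: a name of n 'a' characters, n capped at 99. */
static void make_name(char name[100], size_t n)
{
    if (n > 99) n = 99;
    memset(name, 'a', n);
    name[n] = '\0';
}

/* Final base-name length for an n-char input under the hardened
 * handler, or -1 if refused. 44 chars plus ".%02d" is the longest. */
int hardened_len(size_t n)
{
    char name[100], out[BASE_NAME_SIZE];
    make_name(name, n);
    return set_output_base_name(out, name) == 0 ? (int)strlen(out) : -1;
}

/* Models the proposed strncpy() patch on the same input: returns 1 if
 * the 50-byte buffer still holds a NUL afterwards, 0 if not. For names
 * of 50 bytes or more no terminator is stored, so the strchr() and
 * strcat() that follow in shar.c would read and write past the buffer. */
int patch_terminated(size_t n)
{
    char name[100], buf[BASE_NAME_SIZE];
    make_name(name, n);
    memset(buf, 'X', sizeof buf);               /* simulate stale bytes */
    strncpy(buf, name, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}
```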



Reply sent to Santiago Vila <sanvila@unex.es>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Message #8 received at 242597-forwarded@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: bug-gnu-utils@GNU.ORG
Cc: 242597-forwarded@bugs.debian.org, Shaun Colley <shaunige@yahoo.co.uk>
Subject: Bug#242597: GNU Sharutils buffer overflow. (fwd)
Date: Sun, 27 Jun 2004 18:28:02 +0200 (CEST)
Hello.

I received this from the Debian bug system.
[ Please keep the cc: lines when replying ].

Note: I agree this is not a security bug, but I think it is a bug.

---------- Forwarded message ----------
From: Shaun Colley <shaunige@yahoo.co.uk>
To: submit@bugs.debian.org
Date: Wed, 7 Apr 2004 16:37:54 +0100 (BST)
Subject: #242597: GNU Sharutils buffer overflow.
Resent-Sender: Santiago Vila <sanvila@master.debian.org>




Message #9 received at 242597-forwarded@bugs.debian.org (full text, mbox):

From: Karl Eichwalder <ke@suse.de>
To: Santiago Vila <sanvila@unex.es>
Cc: bug-gnu-utils@GNU.ORG, 242597-forwarded@bugs.debian.org, Shaun Colley <shaunige@yahoo.co.uk>
Subject: Re: Bug#242597: GNU Sharutils buffer overflow. (fwd)
Date: Mon, 28 Jun 2004 13:40:48 +0200
Santiago Vila <sanvila@unex.es> writes:

> I received this from the Debian bug system.
> [ Please keep the cc: lines when replying ].
>
> Note: I agree this is not a security bug, but I think it is a bug.

IIRC, fix is in CVS http://developer.berlios.de/projects/sharutils/
I have neither the time nor the knowledge to work on sharutils
seriously.  Somebody out there who wants to take over the sharutils
package?

I can help with testing and preparing pre-releases.



Message #10 received at 242597-forwarded@bugs.debian.org (full text, mbox):

From: Paul Eggert <eggert@CS.UCLA.EDU>
To: Karl Eichwalder <ke@suse.de>
Cc: Santiago Vila <sanvila@unex.es>, 242597-forwarded@bugs.debian.org, Shaun Colley <shaunige@yahoo.co.uk>, bug-gnu-utils@gnu.org
Subject: Re: Bug#242597: GNU Sharutils buffer overflow. (fwd)
Date: Mon, 28 Jun 2004 11:37:59 -0700
Karl Eichwalder <ke@suse.de> writes:

> IIRC, fix is in CVS http://developer.berlios.de/projects/sharutils/

That doesn't seem to contain the entire sharutils history, at least as
far as the unofficial versions that you've generated over the years.
Do you have a copy of it somewhere?

> Somebody out there who wants to take over the sharutils package?

Officially I think Ulrich Drepper is still the maintainer, even though
he hasn't worked on it for many years.  Can you please contact
gnu@gnu.org and see what the story is?  Most likely they need to elect
a new maintainer for sharutils.

> I can help with testing and preparing pre-releases.

Thanks.



Message #11 received at 242597-forwarded@bugs.debian.org (full text, mbox):

From: karl@freefriends.org (Karl Berry)
To: eggert@CS.UCLA.EDU
Cc: ke@suse.de, 242597-forwarded@bugs.debian.org, shaunige@yahoo.co.uk, sanvila@unex.es, bug-gnu-utils@gnu.org
Subject: Re: Bug#242597: GNU Sharutils buffer overflow. (fwd)
Date: Mon, 28 Jun 2004 18:01:48 -0400
    Officially I think Ulrich Drepper is still the maintainer, even though
    he hasn't worked on it for many years.  Can you please contact
    gnu@gnu.org and see what the story is?  Most likely they need to elect
    a new maintainer for sharutils.

Since I'm taking care of maintainers@gnu.org these days, I actually
wrote Ulrich already.  He confirmed that he'd be happy to step down.
I am confirming with rms, and then I will ask for volunteers in the
usual way.



Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Shaun Colley <shaunige@yahoo.co.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #16 received at 242597-close@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@debian.org>
To: 242597-close@bugs.debian.org
Subject: Bug#242597: fixed in sharutils 1:4.2.1-11
Date: Wed, 28 Jul 2004 13:02:20 -0400
Source: sharutils
Source-Version: 1:4.2.1-11

We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:

sharutils-doc_4.2.1-11_all.deb
  to pool/main/s/sharutils/sharutils-doc_4.2.1-11_all.deb
sharutils_4.2.1-11.diff.gz
  to pool/main/s/sharutils/sharutils_4.2.1-11.diff.gz
sharutils_4.2.1-11.dsc
  to pool/main/s/sharutils/sharutils_4.2.1-11.dsc
sharutils_4.2.1-11_i386.deb
  to pool/main/s/sharutils/sharutils_4.2.1-11_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 242597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated sharutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 28 Jul 2004 18:43:20 +0200
Source: sharutils
Binary: sharutils sharutils-doc
Architecture: source all i386
Version: 1:4.2.1-11
Distribution: unstable
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 sharutils  - shar, unshar, uuencode, uudecode
 sharutils-doc - Documentation for GNU sharutils
Closes: 242597 260089
Changes: 
 sharutils (1:4.2.1-11) unstable; urgency=high
 .
   * Fixed buffer overflow in shar. Patch taken from CVS (Closes: #242597).
   * Changed -o to || in prerm of sharutils-doc (Closes: #260089).
   * Removed preinst, dpkg supports epochs since a very long time.
Files: 
 b6b07205e0710f66c3c303637f8d0260 659 utils standard sharutils_4.2.1-11.dsc
 9c4dd345b83fecd25bb35a5949140e9d 7280 utils standard sharutils_4.2.1-11.diff.gz
 4a54e95f6a412a95a9002131c50ec952 27764 doc optional sharutils-doc_4.2.1-11_all.deb
 ced457ed2e1d41783eea3247be85d0a6 109132 utils standard sharutils_4.2.1-11_i386.deb







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:28:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.