Debian Bug report logs - #265904
sharutils: shar obscure fscanf() buffer overflow

Package: sharutils; Maintainer for sharutils is Santiago Vila <sanvila@debian.org>; Source for sharutils is src:sharutils.

Reported by: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>

Date: Sun, 15 Aug 2004 16:03:05 UTC

Severity: normal

Tags: patch, security

Found in version 1:4.2.1-11

Fixed in version sharutils/1:4.2.1-12

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#265904; Package sharutils.

Acknowledgement sent to Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: submit@bugs.debian.org
Subject: sharutils: shar obscure fscanf() buffer overflow
Date: Sun, 15 Aug 2004 17:59:50 +0200
Subject: sharutils: shar obscure fscanf() buffer overflow
Package: sharutils
Version: 1:4.2.1-11
Severity: normal
Tags: patch

Hello,

I have found an obscure buffer overflow in shar from the sharutils 4.2.1
package.

The shar command executes wc when creating shar archives. In the rather
unlikely scenario where there is a malicious wc command installed that
prints lots of output, a buffer overflow will occur in shar, because of a
"%s" format string in an fscanf() call in shar.c.

This is of course no serious security threat. Nevertheless, I think it
is worth fixing, as the Right Thing for a program should be not to assume
anything about its input and to handle various problems well.

I have attached a patch against sharutils-4.2.1 upstream and an evil wc
command that exhibits this problem in shar on my machine.

I have already reported this upstream:

http://lists.gnu.org/archive/html/bug-gnu-utils/2004-08/msg00014.html

// Ulf Harnhammar
   http://www.advogato.org/person/metaur/

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages sharutils depends on:
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an

-- no debconf information

[sharutils.patch (text/plain, attachment)]
[wc (text/plain, attachment)]
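
An added example, not part of the original report or of the sharutils source, illustrating the bug class the report describes next to a bounded alternative. The 31-character limit and the names FIELD_MAX, read_count_field and parse_constructed are assumptions, and a temporary file holding constructed digits stands in for the output of the child command.

```c
#include <ctype.h>
#include <stdio.h>

#define FIELD_MAX 31            /* assumed limit for one count field */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Unbounded pattern of the kind the report describes (shown, not compiled):
 *     char buf[FIELD_MAX + 1];
 *     fscanf(fp, "%s", buf);   -- the child decides how many bytes land in buf
 */

/* Read one token with an explicit field width, so at most FIELD_MAX bytes
 * plus the terminator are stored. Returns 0 = numeric token, -1 = no token,
 * -2 = token longer than the limit, -3 = not all digits.
 * On any non-zero return the caller must discard out. */
int read_count_field(FILE *fp, char out[FIELD_MAX + 1])
{
    int c;
    size_t i;

    if (fscanf(fp, "%" STR(FIELD_MAX) "s", out) != 1)
        return -1;
    c = getc(fp);               /* a non-space byte here means the token ran on */
    if (c != EOF && !isspace(c))
        return -2;
    for (i = 0; out[i] != '\0'; i++)
        if (!isdigit((unsigned char)out[i]))
            return -3;
    return 0;
}

/* Constructed input: `digits` copies of '7' followed by a newline. */
int parse_constructed(size_t digits, char out[FIELD_MAX + 1])
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL)
        return -100;
    while (digits-- > 0)
        putc('7', fp);
    putc('\n', fp);
    rewind(fp);
    rc = read_count_field(fp, out);
    fclose(fp);
    return rc;
}

int main(void)
{
    char f[FIELD_MAX + 1];
    printf("5 digits: %d, 5000 digits: %d\n",
           parse_constructed(5, f), parse_constructed(5000, f));
    return 0;
}
```

Rejecting an over-long token, rather than silently keeping its first 31 characters, avoids acting on a truncated count.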

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#265904; Package sharutils.

Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.

Message #10 received at 265904@bugs.debian.org:

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: 265904@bugs.debian.org, control@bugs.debian.org
Subject: Exploit available?
Date: Mon, 27 Sep 2004 08:47:36 +0200
tags 265904 security
thanks

Hi,
there seems to be an exploit for this vulnerability:
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/att-0792/sharexploit.c

I'm tagging this bug "security", so that the security team can
double-check whether this needs fixing for Woody and whether this
has to reach Sarge.

Cheers,

         Moritz
-- 
Moritz Mühlenhoff  muehlenhoff@univention.de      fon: +49 421 22 232- 0
Development        Linux for Your Business                             
Univention GmbH    http://www.univention.de/      fax: +49 421 22 232-99




Tags added: security Request was from Moritz Mühlenhoff <muehlenhoff@univention.de> to control@bugs.debian.org.

Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility.

Notification sent to Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>:
Bug acknowledged by developer.

Message #17 received at 265904-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 265904-close@bugs.debian.org
Subject: Bug#265904: fixed in sharutils 1:4.2.1-12
Date: Wed, 30 Mar 2005 08:47:16 -0500
Source: sharutils
Source-Version: 1:4.2.1-12

We believe that the bug you reported is fixed in the latest version of
sharutils, which is due to be installed in the Debian FTP archive:

sharutils-doc_4.2.1-12_all.deb
  to pool/main/s/sharutils/sharutils-doc_4.2.1-12_all.deb
sharutils_4.2.1-12.diff.gz
  to pool/main/s/sharutils/sharutils_4.2.1-12.diff.gz
sharutils_4.2.1-12.dsc
  to pool/main/s/sharutils/sharutils_4.2.1-12.dsc
sharutils_4.2.1-12_i386.deb
  to pool/main/s/sharutils/sharutils_4.2.1-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 265904@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated sharutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 30 Mar 2005 15:19:26 +0200
Source: sharutils
Binary: sharutils-doc sharutils
Architecture: source i386 all
Version: 1:4.2.1-12
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 sharutils  - shar, unshar, uuencode, uudecode
 sharutils-doc - Documentation for GNU sharutils
Closes: 265904 302097
Changes: 
 sharutils (1:4.2.1-12) unstable; urgency=medium
 .
   * Fixed several buffer overflows (Closes: #265904, #302097).
     Patch borrowed from Gentoo. This is CAN-2004-1773.
   * Changed doc-base file to UTF-8.
Files: 
 0d077e1901d391ba236ec5de5dd44c76 616 utils standard sharutils_4.2.1-12.dsc
 5009dbc8ec7e1db48495fd60150d201f 7884 utils standard sharutils_4.2.1-12.diff.gz
 aab856cca73d11c2cb945dc1ea432499 27870 doc optional sharutils-doc_4.2.1-12_all.deb
 d384e7610591ed8c329f1ebf6932b583 111296 utils standard sharutils_4.2.1-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCSqdud9Uuvj7yPNYRAr3fAJ9aWZNXlg5rp6CtzLcgQvhtvrIdkgCgxW3a
Ij1ze/wprFCAxL42+/T38Qs=
=yc08
-----END PGP SIGNATURE-----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:34:26 2014; Machine Name: buxtehude.debian.org
