Debian Bug report logs - #340177
CVE-2004-2541: Buffer overflows in parsing file names from #include statements

version graph

Package: cscope; Maintainer for cscope is Tobias Klauser <tklauser@distanz.ch>; Source for cscope is src:cscope.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 21 Nov 2005 16:03:11 UTC

Severity: grave

Tags: fixed, patch, security

Found in version cscope/15.5+cvs20050816-1

Fixed in version cscope/15.5+cvs20050816-2

Done: Michael Ablassmeier <abi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Anthony Fok <foka@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2004-2541: Buffer overflows in parsing file names from #include statements
Date: Mon, 21 Nov 2005 16:59:34 +0100
Package: cscope
Version: 15.5+cvs20050816-1
Severity: grave
Tags: security
Justification: user security hole

Source code with overly long file names in #include statements may trigger a
buffer overflow and permit arbitrary code execution. Please see
http://sourceforge.net/tracker/index.php?func=detail&aid=1064875&group_id=4664&atid=104664
for details.

As cscope is a tool frequently used to study external code from untrusted sources
this seems like a valid attack vector to me, thus the RC severity. If you disagree,
feel free to lower the severity.

This has been assigned CVE-2004-2541, please mention it in the changelog when
fixing this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages cscope depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libncurses5                   5.5-1      Shared libraries for terminal hand

cscope recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, secure-testing-team@lists.alioth.debian.org, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope. Full text and rfc822 format available.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to security@debian.org, secure-testing-team@lists.alioth.debian.org, Anthony Fok <foka@debian.org>. Full text and rfc822 format available.

Message #10 received at 340177@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <340177@bugs.debian.org>
Subject: cscope: fix for CVE-2004-2541: "buffer overflows in parsing file names from #include statements"
Date: Mon, 15 May 2006 14:18:01 +0100
[Message part 1 (text/plain, inline)]
Package: cscope
Version: 15.5+cvs20050816-1
Followup-For: Bug #340177

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Upstream appears to have stalled on this issue because some cscope
targets platforms do not have snprintf().  Debian has snprintf(), so
this is not a problem for us.

The attached patch CVE-2004-2541.diff converts sprintf() calls to
snprintf().  It applies and compiles, and when patched cscope no longer
segfaults when examining the attached CVE-2004-2541-test.c.

- -- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages cscope depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  libncurses5                   5.5-2      Shared libraries for terminal hand

cscope recommends no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaH+JAud/2YgchcQRAj5fAKCjaA733NRcu8TO5tqNN3AAdYlcIQCcCwDQ
fPGtu6bPz2Hu2cuHkNhifw4=
=5d2y
-----END PGP SIGNATURE-----
[CVE-2004-2541.diff (text/x-c, attachment)]
[CVE-2004-2541-test.c (text/x-c, attachment)]

Tags added: patch Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Anthony Fok <foka@debian.org>. Full text and rfc822 format available.

Message #17 received at 340177@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Alec Berryman <alec@thened.net>, 340177@bugs.debian.org
Subject: Re: Bug#340177: cscope: fix for CVE-2004-2541: "buffer overflows in parsing file names from #include statements"
Date: Mon, 15 May 2006 17:15:57 +0200
Alec Berryman wrote:
> Package: cscope
> Version: 15.5+cvs20050816-1
> Followup-For: Bug #340177
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Upstream appears to have stalled on this issue because some cscope
> targets platforms do not have snprintf().  Debian has snprintf(), so
> this is not a problem for us.

Thanks, this must have slipped through, I'll prepare a DSA.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Anthony Fok <foka@debian.org>. Full text and rfc822 format available.

Message #22 received at 340177@bugs.debian.org (full text, mbox):

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: 340177@bugs.debian.org
Subject: diff for 15.5+cvs20050816-1.1 NMU
Date: Sat, 10 Jun 2006 20:21:46 +0200
[Message part 1 (text/plain, inline)]
Hi,

Attached is the diff for my cscope 15.5+cvs20050816-1.1 NMU.
(Actually it's just the patch already attached to this bug + a changelog
entry.)

Cheers,
Julien
[cscope-15.5+cvs20050816-1.1-nmu.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Julien Cristau <julien.cristau@ens-lyon.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Michael Ablassmeier <abi@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 340177-close@bugs.debian.org (full text, mbox):

From: Michael Ablassmeier <abi@debian.org>
To: 340177-close@bugs.debian.org
Subject: Bug#340177: fixed in cscope 15.5+cvs20050816-2
Date: Tue, 01 Aug 2006 02:17:24 -0700
Source: cscope
Source-Version: 15.5+cvs20050816-2

We believe that the bug you reported is fixed in the latest version of
cscope, which is due to be installed in the Debian FTP archive:

cscope_15.5+cvs20050816-2.diff.gz
  to pool/main/c/cscope/cscope_15.5+cvs20050816-2.diff.gz
cscope_15.5+cvs20050816-2.dsc
  to pool/main/c/cscope/cscope_15.5+cvs20050816-2.dsc
cscope_15.5+cvs20050816-2_amd64.deb
  to pool/main/c/cscope/cscope_15.5+cvs20050816-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340177@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Ablassmeier <abi@debian.org> (supplier of updated cscope package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  1 Aug 2006 11:04:19 +0200
Source: cscope
Binary: cscope
Architecture: source amd64
Version: 15.5+cvs20050816-2
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Michael Ablassmeier <abi@debian.org>
Description: 
 cscope     - Interactively examine a C program source
Closes: 340177
Changes: 
 cscope (15.5+cvs20050816-2) unstable; urgency=low
 .
   * QA Upload (Ack NMU, Closes: #340177)
   * Set Maintainer to QA Group, Orphaned: #378802
   * Conforms to latest Standards Version 3.7.2
Files: 
 55fc2653e93c76b0f8d7c934f5ca5266 656 devel optional cscope_15.5+cvs20050816-2.dsc
 f65f5799c6b2e77d387fa2c87c522b34 79150 devel optional cscope_15.5+cvs20050816-2.diff.gz
 b54dbb8d544a778f698e88167a0b60c3 153866 devel optional cscope_15.5+cvs20050816-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEzxmOEFV7g4B8rCURAjVvAJ9++yJB7LPfDjYoveuDTV+vXL+vCACfU50Y
AEcj4nnc0ZX1uFdfNljUHh8=
=HOGI
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 15:51:12 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:59:16 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.