Debian Bug report logs - #391051
mawk: buffer overflow in collect_RE from overlong regexp


Package: mawk; Maintainer for mawk is Steve Langasek <vorlon@debian.org>; Source for mawk is src:mawk.

Reported by: Ian Jackson <iwj@ubuntu.com>

Date: Wed, 4 Oct 2006 16:03:01 UTC

Severity: normal

Tags: fixed-upstream, patch

Merged with 244962

Found in versions 1.3.3-8, mawk/1.3.3-11

Fixed in version mawk/1.3.3-17

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#391051; Package mawk. Full text and rfc822 format available.

Acknowledgement sent to Ian Jackson <iwj@ubuntu.com>:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ian Jackson <iwj@ubuntu.com>
To: submit@bugs.debian.org
Subject: mawk crash fix on overlong re's
Date: Wed, 4 Oct 2006 16:12:51 +0100
Package: mawk
Version: 1.3.3-11
Tags: patch

An Ubuntu user reports here
 https://launchpad.net/distros/ubuntu/+source/mawk/+bug/23494
that mawk crashes if the script contains an overly long regexp.

The patch below fixes this bug.

While this is a buffer overflow I don't think it's a serious security
problem since untrusted regexps are generally not provided to mawk.

Regards,
Ian.

diff -u mawk-1.3.3/debian/changelog mawk-1.3.3/debian/changelog
--- mawk-1.3.3/debian/changelog
+++ mawk-1.3.3/debian/changelog
@@ -1,3 +1,9 @@
+mawk (1.3.3-11ubuntu2) edgy; urgency=low
+
+  * Do not crash if regexp is too long for our buffer.  (LP 23494.)
+
+ -- Ian Jackson <iwj@ubuntu.com>  Wed,  4 Oct 2006 16:07:11 +0100
+
 mawk (1.3.3-11ubuntu1) dapper; urgency=low
 
   * autopkgtest/autodebtest now supported - upstream tests wired in.
only in patch2:
unchanged:
--- mawk-1.3.3.orig/scan.c
+++ mawk-1.3.3/scan.c
@@ -1033,6 +1033,15 @@
    STRING *sval ;
 
    while (1)
+   {
+      if (p == string_buff + SPRINTF_SZ - 2)
+      {
+          compile_error(
+			  "regular expression /%.10s ..."
+			  " exceeds implementation size limit",
+			  string_buff) ;
+	  mawk_exit(2) ;
+      }
       switch (scan_code[*p++ = next()])
       {
 	 case SC_DIV:		/* done */
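Review bot: the bound test added at the top of the loop, `if (p == string_buff + SPRINTF_SZ - 2)`, is an equality check, so it only fires when `p` lands exactly on that address; the loop stores through `*p++ = next()`, and if any case in the switch below stores a second byte in the same iteration (the thread reports the backslash case does), `p` steps from one byte short of the limit to one byte past it and the check never fires, so the overflow it is meant to prevent stays reachable. Use a relational test instead, e.g. `if (p >= string_buff + SPRINTF_SZ - 2)`. Thomas Dickey's reply in this bug also says the size constant for this buffer should be MIN_SPRINTF rather than SPRINTF_SZ, so the limit expression should be checked against that constant as well. Minor: the new lines mix tab and space indentation (the `compile_error` arguments and the `mawk_exit(2)` call are tab-indented, the surrounding added lines space-indented); match the file's existing style.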
@@ -1070,6 +1079,7 @@
 	    }
 	    break ;
       }
+   }
 
 out:
    /* now we've got the RE, so compile it */



Message sent on to Ian Jackson <iwj@ubuntu.com>:
Bug#391051. (Mon, 13 Jul 2009 00:42:03 GMT) Full text and rfc822 format available.

Message #8 received at 391051-submitter@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 391051-submitter@bugs.debian.org
Subject: re: #391051 mawk crash fix on overlong re's
Date: Sun, 12 Jul 2009 20:37:31 -0400
[Message part 1 (text/plain, inline)]
Actually the limit should be MIN_SPRINTF (though the given change will work)

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Added tag(s) fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Thu, 30 Jul 2009 23:36:11 GMT) Full text and rfc822 format available.

Merged 244962 391051. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Thu, 30 Jul 2009 23:45:06 GMT) Full text and rfc822 format available.

Changed Bug title to 'mawk: buffer overflow in collect_RE from overlong regexp' from 'mawk crash fix on overlong re's' Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Mon, 01 Mar 2010 18:06:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#391051; Package mawk. (Mon, 07 Nov 2011 19:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 07 Nov 2011 19:30:03 GMT) Full text and rfc822 format available.

Message #19 received at 391051@bugs.debian.org (full text, mbox):

From: Loïc Minier <lool@dooz.org>
To: 391051@bugs.debian.org, control@bugs.debian.org
Subject: quilt patch
Date: Mon, 7 Nov 2011 20:20:35 +0100
[Message part 1 (text/plain, inline)]
tags 391051 + patch
stop

        Hi

 Attached is a patch for the new quilt-based packaging.

   Cheers,
-- 
Loïc Minier
[20_overlong-regexps (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#391051; Package mawk. (Mon, 07 Nov 2011 19:45:26 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Nieder <jrnieder@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 07 Nov 2011 19:45:26 GMT) Full text and rfc822 format available.

Message #24 received at 391051@bugs.debian.org (full text, mbox):

From: Jonathan Nieder <jrnieder@gmail.com>
To: Loïc Minier <lool@dooz.org>
Cc: 391051@bugs.debian.org
Subject: Re: Bug#391051: quilt patch
Date: Mon, 7 Nov 2011 13:33:13 -0600
Hi,

Loïc Minier wrote:

> Author: Ian Jackson <iwj@ubuntu.com>
> Description: Do not crash if regexp is too long for our buffer; LP #23494
[...]
> +   {
> +      if (p == string_buff + SPRINTF_SZ - 2)

As mentioned at <http://bugs.debian.org/244962>, this "==" is wrong.  A
regex with backslashes can easily skip past the end.
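The point Jonathan makes here, and the reason the original patch's `==` test in the scan.c hunk above is not a real bound, is easiest to see on a small model. The C program below is an added illustration written for this page; it is not mawk's code. It imitates a collect_RE-style loop with a hypothetical `RE_BUF_SZ` (standing in for the buffer size the patch calls SPRINTF_SZ, which Thomas Dickey says should be MIN_SPRINTF), a toy `scanner`/`next_ch` in place of mawk's `next()`, and a `collect_re` function that can run with either the patch's `p == limit` test or a `p >= limit` test. A backslash stores itself and the following byte in one iteration, so `p` advances by two between checks and can step straight over the equality test; a slack area behind the logical buffer lets the program record how far the broken variant writes without itself going out of bounds.

```c
#include <stdio.h>
#include <string.h>

/* Logical buffer size of this model's scanner.  This is an assumption chosen
 * small enough to trace by hand; it stands in for the constant used by the
 * real scanner (SPRINTF_SZ in the patch, MIN_SPRINTF per the thread). */
#define RE_BUF_SZ 16
/* Extra room behind the logical buffer so the broken check can be observed
 * without this program writing out of bounds itself. */
#define SLACK 64

enum { RE_OK = 0, RE_TOO_LONG = 1, RE_UNTERMINATED = 2 };

typedef struct {
    int status;      /* one of the enum values above */
    size_t written;  /* bytes stored, including the closing '/' if one was seen */
} re_result;

/* Hypothetical stand-in for mawk's next(): next byte, or -1 at end of input. */
typedef struct { const char *src; size_t pos; } scanner;
static int next_ch(scanner *s)
{
    unsigned char c = (unsigned char)s->src[s->pos];
    if (c == '\0') return -1;
    s->pos++;
    return c;
}

/* Copy regexp text (everything after the opening '/') into a fixed buffer
 * until the closing '/'.  A backslash and the byte after it are stored in
 * the same iteration, so p can advance by two between bound checks.
 * strict == 0 reproduces the patch's `p == limit` test; strict != 0 uses
 * `p >= limit`, which cannot be stepped over. */
static re_result collect_re(const char *text, int strict)
{
    char buf[RE_BUF_SZ + SLACK];
    char *p = buf;
    char *limit = buf + RE_BUF_SZ - 2;   /* same "- 2" margin as the patch */
    scanner s = { text, 0 };
    re_result r = { RE_UNTERMINATED, 0 };

    memset(buf, 0, sizeof buf);
    for (;;) {
        int c;
        int hit = strict ? (p >= limit) : (p == limit);
        if (hit) { r.status = RE_TOO_LONG; break; }
        /* Observation aid only: keep the model inside the real array. */
        if ((size_t)(p - buf) + 2 > sizeof buf) { r.status = RE_TOO_LONG; break; }

        c = next_ch(&s);
        if (c < 0) break;                          /* end of input: unterminated */
        *p++ = (char)c;
        if (c == '/') { r.status = RE_OK; break; } /* closing delimiter */
        if (c == '\\') {                           /* escape: keep the next byte too */
            c = next_ch(&s);
            if (c < 0) break;
            *p++ = (char)c;
        }
    }
    r.written = (size_t)(p - buf);
    return r;
}

static int collect_status(const char *text, int strict) { return collect_re(text, strict).status; }
static size_t collect_written(const char *text, int strict) { return collect_re(text, strict).written; }

int main(void)
{
    /* Constructed inputs: 13 'a's so that the "\x" pair straddles the limit,
     * followed by more text; and a plain over-long regexp with no escapes. */
    const char *straddle   = "aaaaa" "aaaaa" "aaa" "\\x" "bbbbb/";
    const char *plain_long = "aaaaa" "aaaaa" "aaaaa" "aaaaa" "/";
    re_result r;

    r = collect_re(straddle, 0);
    printf("== check : status=%d written=%zu (logical size %d)\n", r.status, r.written, RE_BUF_SZ);
    r = collect_re(straddle, 1);
    printf(">= check : status=%d written=%zu\n", r.status, r.written);
    r = collect_re(plain_long, 0);
    printf("plain, == check : status=%d written=%zu\n", r.status, r.written);
    return 0;
}
```

With the equality test the escaped input is reported as a successfully collected regexp even though 21 bytes were stored into a 16-byte logical buffer; with `>=` the same input is rejected as soon as `p` passes the limit. The escape-free over-long input is caught by both variants, which is why the original patch appeared to work in simple testing.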




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#391051; Package mawk. (Mon, 07 Nov 2011 19:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 07 Nov 2011 19:51:04 GMT) Full text and rfc822 format available.

Message #29 received at 391051@bugs.debian.org (full text, mbox):

From: Loïc Minier <lool@dooz.org>
To: 391051@bugs.debian.org
Cc: control@bugs.debian.org
Subject: quilt patch
Date: Mon, 7 Nov 2011 20:48:19 +0100
[Message part 1 (text/plain, inline)]
tags 391051 + patch
stop

        Hi

 attached is an updated patch for the new quilt packaging, also merging
 the fix and test case from:
 http://anonscm.debian.org/gitweb/?p=collab-maint/mawk.git;a=commitdiff;h=e2e6d7ad490a7b19c562af5874a08a4168382b57

 Note that the above commit is on top of a newer version of mawk merged
 into that git repo, but not actually uploaded to Debian; the packaging
 since moved to a bzr branch at:
    nosmart+http://bzr.debian.org/bzr/users/vorlon/mawk/trunk/

   Cheers,
-- 
Loïc Minier
[20_overlong-regexps (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#391051; Package mawk. (Mon, 07 Nov 2011 20:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Nieder <jrnieder@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 07 Nov 2011 20:03:06 GMT) Full text and rfc822 format available.

Message #34 received at 391051@bugs.debian.org (full text, mbox):

From: Jonathan Nieder <jrnieder@gmail.com>
To: Loïc Minier <lool@dooz.org>
Cc: 391051@bugs.debian.org
Subject: Re: Bug#391051: quilt patch
Date: Mon, 7 Nov 2011 14:01:09 -0600
Loïc Minier wrote:

>  attached is an updated patch for the new quilt packaging, also merging
>  the fix and test case from:

Thanks, Loïc!

>  Note that the above commit is on top of a newer version of mawk merged
>  into that git repo, but not actually uploaded to Debian; the packaging
>  since moved to a bzr branch at:
>     nosmart+http://bzr.debian.org/bzr/users/vorlon/mawk/trunk/

Ah, thanks for the pointer.  I have cleaned up Thomas Dickey's history
up to 1.3.3-20090727 or so (not pushed anywhere atm) and would be
happy to start working on finding a public place for it and
integrating the changes into Debian.

It wouldn't take much work, but it would take a little.  E.g., there
is a bug in that patchset in handling of the "-W i" option in Turkic
locales.  Not sure if it was already fixed later or not.




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#391051; Package mawk. (Mon, 07 Nov 2011 20:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 07 Nov 2011 20:09:03 GMT) Full text and rfc822 format available.

Message #39 received at 391051@bugs.debian.org (full text, mbox):

From: Loïc Minier <lool@dooz.org>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: 391051@bugs.debian.org
Subject: Re: Bug#391051: quilt patch
Date: Mon, 7 Nov 2011 21:06:03 +0100
On Mon, Nov 07, 2011, Jonathan Nieder wrote:
> As mentioned at <http://bugs.debian.org/244962>, this "==" is wrong.  A
> regex with backslashes can easily skip past the end.

 Thanks; I had noticed and sent the correct patch later to the Debian
 bug; I had sent the first one by accident (and just see that now that
 you comment on it).

-- 
Loïc Minier




Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Fri, 23 Mar 2012 22:36:08 GMT) Full text and rfc822 format available.

Notification sent to Ian Jackson <iwj@ubuntu.com>:
Bug acknowledged by developer. (Fri, 23 Mar 2012 22:36:08 GMT) Full text and rfc822 format available.

Message #44 received at 391051-close@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 391051-close@bugs.debian.org
Subject: Bug#391051: fixed in mawk 1.3.3-17
Date: Fri, 23 Mar 2012 22:32:55 +0000
Source: mawk
Source-Version: 1.3.3-17

We believe that the bug you reported is fixed in the latest version of
mawk, which is due to be installed in the Debian FTP archive:

mawk_1.3.3-17.diff.gz
  to main/m/mawk/mawk_1.3.3-17.diff.gz
mawk_1.3.3-17.dsc
  to main/m/mawk/mawk_1.3.3-17.dsc
mawk_1.3.3-17_amd64.deb
  to main/m/mawk/mawk_1.3.3-17_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 391051@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated mawk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 23 Mar 2012 13:15:00 -0700
Source: mawk
Binary: mawk
Architecture: source amd64
Version: 1.3.3-17
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 mawk       - a pattern scanning and text processing language
Closes: 391051 665383
Changes: 
 mawk (1.3.3-17) unstable; urgency=low
 .
   * debian/patches/cross-compile: fix the wrong invocation of AC_CHECK_PROG()
     that breaks cross-compiler detection.
   * debian/patches/21_memcpy-to-memmove: use memmove instead of memcpy in
     FINgets.  Closes: #665383, LP: #955791.
   * mark mawk Multi-Arch: foreign, to satisfy cross-build-dependencies.
   * debian/patches/20_overlong-regexps: Do not crash if regexp is too
     long for our buffer.  Thanks to Ian Jackson <iwj@ubuntu.com>,
     Jonathan Nieder <jrnieder@gmail.com>.  Closes: #391051, LP: #23494.
   * add autopkgtest/autodebtest support to run upstream tests.
Checksums-Sha1: 
 2bddcbeafcdf66bd461617f7761b0a9d93a8b19e 1801 mawk_1.3.3-17.dsc
 a280d211a2da54fd861012cf55dbdc90ab522e18 63506 mawk_1.3.3-17.diff.gz
 19705b41cf82ace4fae6cb1dc5f5e90f61fcfc28 90816 mawk_1.3.3-17_amd64.deb
Checksums-Sha256: 
 f98ce6e153e8ac1faf8165bbf77447a4279313f1c18f6bfeec0c5ce35e4b9c03 1801 mawk_1.3.3-17.dsc
 13cb66b6eb5ee654d5626621d5ef476ede6b0bebac18ce765516de810e58490c 63506 mawk_1.3.3-17.diff.gz
 cb383c9b0a158c8c045e7fc2e0735f78f5ed73c8dfb74f23c5c4dd4a85d008d0 90816 mawk_1.3.3-17_amd64.deb
Files: 
 92f6792d065ab4932b545fdf0f139132 1801 interpreters required mawk_1.3.3-17.dsc
 70929584abfc813f0bc31d0bc77f0f4f 63506 interpreters required mawk_1.3.3-17.diff.gz
 30b0681b565ac6ecbf6cea0a84f318a9 90816 interpreters required mawk_1.3.3-17_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIVAwUBT2z3ilaNMPMhshM9AQjyeg/9Hn1sGARWlz845DNje07zGfvwqR0Tsi6k
nBBDsCjzXWTLK/bDC+pkM9OK9Kgf2l5EAc4+gbBmGSgnwOYWftG5vWngNc1ziX4i
OL9f6sh9FWiIpgLHw7xixOmx/7fotfJBCg5RZzLi6Q5MQ5Rtyyj61oyx+e9K1wAv
YVxJ0YMTfApa4UzJa+I0eMsZMUv2Plgo+Df412a86OMY3Mz5qiQDSmHcNgcAB/J3
YrbvIUvgus5NvtJWZBawI+hU8Co4WiLZmPlsr39hr9q1OsOzso9SQ7l2RV9sjc/W
90cT3mLRwwkYmBMmIklkMcqmXemvyQzKQ04QoqZ8x7C9EFqONlfw70ok4JsrNNaG
8CIK9KyeECb8idTGNQUWbIKo616zEspbKryo3t/CXOhVGQmsdb/mqOyJIOvJjMJb
oj7MrL4PzLLK8p7U6klvnyX3B3U/r5q9/BAgvS3tcTEbqQElYOG2YrtuCPTywk81
2C4R1IMWlxTIbN9rPw9lEt+y3yXbW2WXuI8An7ayFCoik9Xr9s+zx4j4e8TNwSV6
YGrJ4p1Vc5/idZZceD+e7nU6avaITyAT55pj7f2CSKGaoOWK9GOVSuk700ZP+s+c
54XLRn2Lq237OAQXUd2o7VceStrlYqPYvSj0a/Q40CIzl/jd65nTfa90JLqrTJO/
uFiHuD3kE60=
=0u2o
-----END PGP SIGNATURE-----





Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Fri, 23 Mar 2012 22:36:09 GMT) Full text and rfc822 format available.

Notification sent to Gandalf the Grey <gandalf@storm.com.pl>:
Bug acknowledged by developer. (Fri, 23 Mar 2012 22:36:09 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 May 2012 07:39:22 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:09:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.