Debian Bug report logs - #443913
CVE-2007-5037 buffer overflow in inotifytools_snprintf

version graph

Package: inotify-tools; Maintainer for inotify-tools is Ryan Niebur <ryan@debian.org>; Source for inotify-tools is src:inotify-tools.

Reported by: Nico Golde <nion@debian.org>

Date: Mon, 24 Sep 2007 22:57:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions inotify-tools/3.11-1, inotify-tools/3.3-2

Done: Peter Makholm <peter@makholm.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Peter Makholm <peter@makholm.net>:
Bug#443913; Package inotify-tools. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Peter Makholm <peter@makholm.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5037 buffer overflow in inotifytools_snprintf
Date: Tue, 25 Sep 2007 00:56:22 +0200
[Message part 1 (text/plain, inline)]
Package: inotify-tools
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for inotify-tools.

CVE-2007-5037[0]:
| Buffer overflow in the inotifytools_snprintf function in
| src/inotifytools.c in the inotify-tools library before 3.11 allows
| context-dependent attackers to execute arbitrary code via a long
| filename.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5037

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#443913; Package inotify-tools. Full text and rfc822 format available.

Acknowledgement sent to Peter Makholm <peter@makholm.net>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 443913@bugs.debian.org (full text, mbox):

From: Peter Makholm <peter@makholm.net>
To: 443913@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2007-5037 buffer overflow in inotifytools_snprintf
Date: Tue, 25 Sep 2007 07:57:56 +0000
[Message part 1 (text/plain, inline)]
tag 443913 patch etch
thanks

This problem is fixed in unstable by uploading the new upstream
version (3.11-1). A fix for etch is awaitng the security team.

Patch for version 3.3-1 attached

//Makholm

[inotify-tools_cve-2007-5037.patch (text/x-diff, inline)]
diff -Naur inotify-tools-3.3-orig/libinotifytools/src/inotifytools.c inotify-tools-3.3/libinotifytools/src/inotifytools.c
--- inotify-tools-3.3-orig/libinotifytools/src/inotifytools.c	2006-10-29 09:44:06.000000000 +0100
+++ inotify-tools-3.3/libinotifytools/src/inotifytools.c	2007-09-25 07:49:10.768454036 +0200
@@ -1634,7 +1634,7 @@
 
 		if ( ch1 == 'w' ) {
 			if ( filename ) {
-				strncpy( &out[ind], filename, MAX_STRLEN - ind );
+				strncpy( &out[ind], filename, size - ind );
 				ind += strlen(filename);
 			}
 			++i;
@@ -1643,7 +1643,7 @@
 
 		if ( ch1 == 'f' ) {
 			if ( eventname ) {
-				strncpy( &out[ind], eventname, MAX_STRLEN - ind );
+				strncpy( &out[ind], eventname, size - ind );
 				ind += strlen(eventname);
 			}
 			++i;
@@ -1652,7 +1652,7 @@
 
 		if ( ch1 == 'e' ) {
 			eventstr = inotifytools_event_to_str( event->mask );
-			strncpy( &out[ind], eventstr, MAX_STRLEN - ind );
+			strncpy( &out[ind], eventstr, size - ind );
 			ind += strlen(eventstr);
 			++i;
 			continue;
@@ -1675,7 +1675,7 @@
 				timestr[0] = 0;
 			}
 
-			strncpy( &out[ind], timestr, MAX_STRLEN - ind );
+			strncpy( &out[ind], timestr, size - ind );
 			ind += strlen(timestr);
 			++i;
 			continue;
@@ -1684,7 +1684,7 @@
 		// Check if next char in fmt is e
 		if ( i < strlen(fmt) - 2 && fmt[i+2] == 'e' ) {
 			eventstr = inotifytools_event_to_str_sep( event->mask, ch1 );
-			strncpy( &out[ind], eventstr, MAX_STRLEN - ind );
+			strncpy( &out[ind], eventstr, size - ind );
 			ind += strlen(eventstr);
 			i += 2;
 			continue;

Tags added: patch, etch Request was from Peter Makholm <peter@makholm.net> to control@bugs.debian.org. (Tue, 25 Sep 2007 08:00:16 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 3.11-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2007 11:51:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Makholm <peter@makholm.net>:
Bug#443913; Package inotify-tools. Full text and rfc822 format available.

Acknowledgement sent to kurt@roeckx.be (Kurt Roeckx):
Extra info received and forwarded to list. Copy sent to Peter Makholm <peter@makholm.net>. Full text and rfc822 format available.

Message #19 received at 443913@bugs.debian.org (full text, mbox):

From: kurt@roeckx.be (Kurt Roeckx)
To: control@bugs.debian.org
Cc: 443913@bugs.debian.org
Subject: tagging 443913
Date: Sun, 14 Oct 2007 13:09:32 +0200 (CEST)
# Automatically generated email from bts, devscripts version 2.10.8
# No need to set the etch tag
tags 443913 - etch




Tags removed: etch Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Sun, 14 Oct 2007 11:12:13 GMT) Full text and rfc822 format available.

Reply sent to Peter Makholm <peter@makholm.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #26 received at 443913-close@bugs.debian.org (full text, mbox):

From: Peter Makholm <peter@makholm.net>
To: 443913-close@bugs.debian.org
Subject: Bug#443913: fixed in inotify-tools 3.3-2
Date: Fri, 28 Dec 2007 19:52:18 +0000
Source: inotify-tools
Source-Version: 3.3-2

We believe that the bug you reported is fixed in the latest version of
inotify-tools, which is due to be installed in the Debian FTP archive:

inotify-tools_3.3-2.diff.gz
  to pool/main/i/inotify-tools/inotify-tools_3.3-2.diff.gz
inotify-tools_3.3-2.dsc
  to pool/main/i/inotify-tools/inotify-tools_3.3-2.dsc
inotify-tools_3.3-2_i386.deb
  to pool/main/i/inotify-tools/inotify-tools_3.3-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 443913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Makholm <peter@makholm.net> (supplier of updated inotify-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 08:18:02 +0200
Source: inotify-tools
Binary: inotify-tools
Architecture: source i386
Version: 3.3-2
Distribution: stable-security
Urgency: high
Maintainer: Peter Makholm <peter@makholm.net>
Changed-By: Peter Makholm <peter@makholm.net>
Description: 
 inotify-tools - command-line programs providing a simple interface to inotify
Closes: 443913
Changes: 
 inotify-tools (3.3-2) stable-security; urgency=high
 .
   * Fixes buffer overflow in inotifytools_snprintf (CVE-2007-5037)
     by backporting changes from new upstream vesion (3.11)
     (Closes: #443913)
Files: 
 883ee55627b7becb5a9ca1a2e569281b 624 misc optional inotify-tools_3.3-2.dsc
 204ef6e0b855ec4315f4f13e2d3d1e1a 369780 misc optional inotify-tools_3.3.orig.tar.gz
 7bde9f27b0bb470a44d64b40b1e217e1 5311 misc optional inotify-tools_3.3-2.diff.gz
 e462da2503c92d98510647fb0c1f44eb 78260 misc optional inotify-tools_3.3-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHdEkXXm3vHE4uyloRAqH2AJ4y5sbLvWAH6M29kJaMuwIU5SOB1QCgoLmr
eWVuFWu5DL6s+rwXeuqf+kQ=
=j6f4
-----END PGP SIGNATURE-----





Reply sent to Peter Makholm <peter@makholm.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #31 received at 443913-close@bugs.debian.org (full text, mbox):

From: Peter Makholm <peter@makholm.net>
To: 443913-close@bugs.debian.org
Subject: Bug#443913: fixed in inotify-tools 3.3-2
Date: Sat, 16 Feb 2008 12:17:10 +0000
Source: inotify-tools
Source-Version: 3.3-2

We believe that the bug you reported is fixed in the latest version of
inotify-tools, which is due to be installed in the Debian FTP archive:

inotify-tools_3.3-2.diff.gz
  to pool/main/i/inotify-tools/inotify-tools_3.3-2.diff.gz
inotify-tools_3.3-2.dsc
  to pool/main/i/inotify-tools/inotify-tools_3.3-2.dsc
inotify-tools_3.3-2_i386.deb
  to pool/main/i/inotify-tools/inotify-tools_3.3-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 443913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Makholm <peter@makholm.net> (supplier of updated inotify-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Sep 2007 08:18:02 +0200
Source: inotify-tools
Binary: inotify-tools
Architecture: source i386
Version: 3.3-2
Distribution: stable-security
Urgency: high
Maintainer: Peter Makholm <peter@makholm.net>
Changed-By: Peter Makholm <peter@makholm.net>
Description: 
 inotify-tools - command-line programs providing a simple interface to inotify
Closes: 443913
Changes: 
 inotify-tools (3.3-2) stable-security; urgency=high
 .
   * Fixes buffer overflow in inotifytools_snprintf (CVE-2007-5037)
     by backporting changes from new upstream vesion (3.11)
     (Closes: #443913)
Files: 
 883ee55627b7becb5a9ca1a2e569281b 624 misc optional inotify-tools_3.3-2.dsc
 204ef6e0b855ec4315f4f13e2d3d1e1a 369780 misc optional inotify-tools_3.3.orig.tar.gz
 7bde9f27b0bb470a44d64b40b1e217e1 5311 misc optional inotify-tools_3.3-2.diff.gz
 e462da2503c92d98510647fb0c1f44eb 78260 misc optional inotify-tools_3.3-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHdEkXXm3vHE4uyloRAqH2AJ4y5sbLvWAH6M29kJaMuwIU5SOB1QCgoLmr
eWVuFWu5DL6s+rwXeuqf+kQ=
=j6f4
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Mar 2008 07:27:12 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:47:20 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.