Debian Bug report logs - #682803
trn4: Segfault whilst applying killfile to article with long header line


Package: trn4; Maintainer for trn4 is Colin Watson <cjwatson@debian.org>; Source for trn4 is src:trn4.

Reported by: Nick Leverton <nick@leverton.org>

Date: Wed, 25 Jul 2012 19:54:01 UTC

Severity: normal

Tags: patch

Found in version trn4/4.0-test77-5

Fixed in version trn4/4.0-test77-6

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, nick@leverton.org, Colin Watson <cjwatson@debian.org>:
Bug#682803; Package trn4. (Wed, 25 Jul 2012 19:54:04 GMT)

Acknowledgement sent to Nick Leverton <nick@leverton.org>:
New Bug report received and forwarded. Copy sent to nick@leverton.org, Colin Watson <cjwatson@debian.org>. (Wed, 25 Jul 2012 19:54:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trn4: Segfault whilst applying killfile to large newsgroup - detected by hardening
Date: Wed, 25 Jul 2012 20:11:36 +0100
Package: trn4
Version: 4.0-test77-5
Severity: normal

Hi,

Thanks for fortifying the latest trn on Debian :-)

I'm trying trn on a news server that I don't use it with very often.
I have used trn on this server and this newsgroup before but not,
apparently, for many thousands of articles.

On entering the newsgroup, trn4 crashes whilst applying the killfile.
The backtrace suggests that fortify has detected a buffer overflow.

I have found that the crash doesn't happen if compiled with
DEB_BUILD_OPTIONS=noopt so I suspect it's optimisation changing the
ordering or some assumptions about something.  Attached is a gdb
backtrace, I also have a capture of the NNTP conversation but it's a
bit big (15Mb uncompressed).

Thanks

Nick


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'stable-updates'), (600, 'stable'), (180, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages trn4 depends on:
ii  base-files             6.9
ii  debconf [debconf-2.0]  1.5.44
ii  inn2-inews [inews]     2.5.3-1
ii  libc6                  2.13-33
ii  libtinfo5              5.9-10

Versions of packages trn4 recommends:
ii  nullmailer [mail-transport-agent]  1:1.11-1

Versions of packages trn4 suggests:
ii  ispell  3.3.02-5

-- debconf information:
  shared/news/server: george
  trn4/whoami-change:
  trn4/mail-name:
[trn.gdb.bt-full (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, nick@leverton.org, Colin Watson <cjwatson@debian.org>:
Bug#682803; Package trn4. (Wed, 01 Aug 2012 19:33:07 GMT)

Acknowledgement sent to Nick Leverton <nick@leverton.org>:
Extra info received and forwarded to list. Copy sent to nick@leverton.org, Colin Watson <cjwatson@debian.org>. (Wed, 01 Aug 2012 19:33:07 GMT)

Message #10 received at 682803@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: Debian Bug Tracking System <682803@bugs.debian.org>
Subject: Re: trn4: Segfault whilst applying killfile to article with long header line
Date: Wed, 01 Aug 2012 20:31:19 +0100
Package: trn4
Version: 4.0-test77-5
Followup-For: Bug #682803

I should have investigated the article reported in the backtrace.
It has a References header of 1034 characters, and we are trying (at
artsrch.c line 400) to sprintf that into good old 'buf' which is only
1024 bytes long.

I fear this may not be generally soluble without changing some of trn's
basic assumptions, such as all headers it may receive being less than a
certain fixed length.  This is not true under RFC5536, even if it ever
was under RFC1036.

On the other hand, doubling up the buffer lengths might see us die-hard
trn lovers through another 25 years of Usenet, perhaps?  It's not as
if RAM size is a problem on most platforms these days.

Nick
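The defect described in this message is a fixed-size stack buffer (1024 bytes) receiving an sprintf() of a header value that can legitimately be longer, which _FORTIFY_SOURCE turns into an abort. The following is an added example, not trn's code and not the attached patch: it assumes a 1024-byte buffer as the report states, constructs a 1034-byte References value out of made-up message-ids, and shows the two defensive shapes a maintainer can choose between, a bounded snprintf() whose return value is checked so the overflow is detected rather than written, and a buffer sized to the header at runtime so no fixed limit exists at all. The function and header names below are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not trn's code. The report says artsrch.c formatted a
 * header into a fixed 1024-byte 'buf' with sprintf(); a 1034-byte
 * References value therefore wrote past the end. */
#define TRN_BUF_SIZE 1024   /* fixed size assumed from the bug report */

/* Bounded formatter: writes "Name: value" into dest and returns 0 on
 * success, or -1 if the result would not fit.  On -1 dest still holds a
 * NUL-terminated truncated string rather than overflowed memory. */
static int format_header_bounded(char *dest, size_t destsz,
                                 const char *name, const char *value)
{
    int needed = snprintf(dest, destsz, "%s: %s", name, value);
    if (needed < 0)
        return -1;
    if ((size_t)needed >= destsz)
        return -1;                  /* would have overflowed a fixed buffer */
    return 0;
}

/* Sized-to-fit formatter: allocates exactly what the header needs, so the
 * length of a References header never matters.  Caller frees the result.
 * Returns NULL on allocation failure. */
static char *format_header_dynamic(const char *name, const char *value)
{
    size_t len = strlen(name) + 2 + strlen(value) + 1;   /* "name: value\0" */
    char *out = malloc(len);
    if (!out)
        return NULL;
    snprintf(out, len, "%s: %s", name, value);
    return out;
}

/* Builds a constructed References value of exactly 'nbytes' bytes from
 * fake message-ids (sample data for the example, not real Usenet traffic). */
static char *make_references(size_t nbytes)
{
    char *s = malloc(nbytes + 1);
    if (!s)
        return NULL;
    size_t pos = 0;
    unsigned n = 0;
    while (pos < nbytes) {
        char id[64];
        int w = snprintf(id, sizeof id, "<msg%u@example.invalid> ", n++);
        size_t take = (size_t)w;
        if (pos + take > nbytes)
            take = nbytes - pos;
        memcpy(s + pos, id, take);
        pos += take;
    }
    s[nbytes] = '\0';
    return s;
}

/* Reproduces the report's numbers: a 1034-byte References value against a
 * 1024-byte buffer.  Returns 1 if the bounded path reports the overflow
 * (leaving a 1023-character truncated string) and the dynamic path yields
 * the complete 1046-character header, 0 otherwise. */
int long_references_is_caught(void)
{
    char buf[TRN_BUF_SIZE];
    char *refs = make_references(1034);
    if (!refs)
        return 0;
    int bounded = format_header_bounded(buf, sizeof buf, "References", refs);
    char *full = format_header_dynamic("References", refs);
    int ok = (bounded == -1)
          && (strlen(buf) == TRN_BUF_SIZE - 1)
          && full != NULL
          && strlen(full) == strlen("References: ") + 1034;
    free(full);
    free(refs);
    return ok;
}

int main(void)
{
    printf("%s\n", long_references_is_caught()
                   ? "overflow detected and handled"
                   : "unexpected result");
    return 0;
}
```

The bounded form is the minimal change for code that keeps its fixed buffers (it matches what fortify checks at runtime, but makes the outcome a handled error instead of an abort); the dynamic form is the one that removes the assumption the second message identifies, that every header fits a fixed length.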



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#682803; Package trn4. (Wed, 08 Aug 2012 21:21:03 GMT)

Acknowledgement sent to Nick Leverton <nick@leverton.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Wed, 08 Aug 2012 21:21:03 GMT)

Message #15 received at 682803@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: Debian Bug Tracking System <682803@bugs.debian.org>
Subject: Re: Bug#682803: trn4: Segfault whilst applying killfile to article with long header line
Date: Wed, 8 Aug 2012 22:11:07 +0100
retitle 682803 trn4: Segfault whilst applying killfile to article with long header line
tag 682803 +patch
thanks

This now reminds me of some investigations I did a few years back into a
similar issue in inn's nntpget.  I found that a small number of clients
did not trim References headers when they grew past 1024 bytes, or perhaps
trimmed before appending the new message-id rather than afterwards.

Regardless, the number of articles with References headers > 1024
was non-zero, but few had them very much longer than that as most of
these lengthy subthreads involved at least one person with a non-broken
newsreader.

I therefore think the attached patch should be more than adequate.
Tested here and solves the problem on all the newsgroups I'm subscribed
to that have long enough threads to cause this issue.

Thanks

Nick
[increase-buffer-sizes.patch (text/x-diff, attachment)]

Changed Bug title to 'trn4: Segfault whilst applying killfile to article with long header line' from 'trn4: Segfault whilst applying killfile to large newsgroup - detected by hardening' Request was from Nick Leverton <nick@leverton.org> to control@bugs.debian.org. (Wed, 08 Aug 2012 21:21:05 GMT)

Added tag(s) patch. Request was from Nick Leverton <nick@leverton.org> to control@bugs.debian.org. (Wed, 08 Aug 2012 21:21:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#682803; Package trn4. (Fri, 24 Aug 2012 05:30:03 GMT)

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Fri, 24 Aug 2012 05:30:03 GMT)

Message #24 received at 682803@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Nick Leverton <nick@leverton.org>, 682803@bugs.debian.org
Subject: Re: Bug#682803: trn4: Segfault whilst applying killfile to article with long header line
Date: Fri, 24 Aug 2012 06:27:36 +0100
On Wed, Aug 08, 2012 at 10:11:07PM +0100, Nick Leverton wrote:
> This now reminds me of some investigations I did a few years back into a
> similar issue in inn's nntpget.  I found that a small number of clients
> did not trim References headers when they grew past 1024 bytes, or perhaps
> trimmed before appending the new message-id rather than afterwards.
> 
> Regardless, the number of articles with References headers > 1024
> was non-zero, but few had them very much longer than that as most of
> these lengthy subthreads involved at least one person with a non-broken
> newsreader.
> 
> I therefore think the attached patch should be more than adequate.
> Tested here and solves the problem on all the newsgroups I'm subscribed
> to that have long enough threads to cause this issue.

Thanks for the patch - it's clearly a hack, but I think a reasonable
one.  I'm applying it now.

(Incidentally, if you're an umrat do you know my wife Kirsten?)

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Fri, 24 Aug 2012 05:51:05 GMT)

Notification sent to Nick Leverton <nick@leverton.org>:
Bug acknowledged by developer. (Fri, 24 Aug 2012 05:51:05 GMT)

Message #29 received at 682803-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 682803-close@bugs.debian.org
Subject: Bug#682803: fixed in trn4 4.0-test77-6
Date: Fri, 24 Aug 2012 05:47:56 +0000
Source: trn4
Source-Version: 4.0-test77-6

We believe that the bug you reported is fixed in the latest version of
trn4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 682803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated trn4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 Aug 2012 06:23:45 +0100
Source: trn4
Binary: trn4
Architecture: source i386
Version: 4.0-test77-6
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 trn4       - Threaded USENET news reader, based on rn (4.0 beta test)
Closes: 682803
Changes: 
 trn4 (4.0-test77-6) unstable; urgency=low
 .
   [ Nick Leverton ]
   * Double the size of the line buffer to fix a segfault whilst applying
     killfile to article with long header line; articles with References
     headers > 1024 bytes are not uncommon, but in practice they do not seem
     to grow very much beyond that (closes: #682803).
Checksums-Sha1: 
 25722bf86c08f60314fc05efcc696fddce3b3745 1792 trn4_4.0-test77-6.dsc
 cafc35e4953b1efd713e02d3da41b30e696e3414 57265 trn4_4.0-test77-6.debian.tar.gz
 69c45be11d92308baed996ab1a6ef60b811e37d2 427540 trn4_4.0-test77-6_i386.deb
Checksums-Sha256: 
 f3d9bd0c8d7ca87a0ebb194a5cdfc078368ec307e6388e7e8723e13528a8be48 1792 trn4_4.0-test77-6.dsc
 cf0f5f3c54c26ba1aaca290c8ed4c0fa19e2062dc0b4e57bc45c5a16effe9d54 57265 trn4_4.0-test77-6.debian.tar.gz
 1c40690eda2a0c8e917169d50bac0645f5a940caf93d208b7125e00979262348 427540 trn4_4.0-test77-6_i386.deb
Files: 
 00f47365ee0b326c8bcdc97a6dea7609 1792 non-free/news optional trn4_4.0-test77-6.dsc
 bb1a3e01793bd3bc16a4800f3189e297 57265 non-free/news optional trn4_4.0-test77-6.debian.tar.gz
 7729da0cc24f4348a26f70bed7cab590 427540 non-free/news optional trn4_4.0-test77-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Oct 2012 07:25:25 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:48:34 2014; Machine Name: beach.debian.org
