Bug 25748

Summary: buffer overflow in mirrordir
Product: Mageia Reporter: eric gerbier <eric.gerbier>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, nicolas.salguero, qa-bugs, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mirrordir-0.10.49-27.mga7.src.rpm CVE:
Status comment:

Description eric gerbier 2019-11-26 11:14:45 CET 
Description of problem:
I am using mirrordir tool to mirror some ftp repositories.
with the mageia 7 package, I got the following error message :

# mirrordir -v -t ftp://mirror.in2p3.fr/pub/linux/CentOS/7.7.1908/updates/x86_64/Packages .
mirrordir: ---verbose--- ftpfs: making connection to mirror.in2p3.fr
mirrordir: ---verbose--- ftpfs: sending login name
mirrordir: ---verbose--- ftpfs: sending user password
mirrordir: ---verbose--- ftpfs: logged in
ftpfs: got listing             *** buffer overflow detected ***: mirrordir terminated
Abandon (core dumped)

I have rebuild on mageia 7 (from src.rpm) the 0.10.49-25 version (released in mageia 6) and this version is working

Version-Release number of selected component (if applicable):
mirrordir-0.10.49-27.mga7

How reproducible:


Steps to Reproduce:
1. mirrordir -v -t ftp://mirror.in2p3.fr/pub/linux/CentOS/7.7.1908/updates/x86_64/Packages .
2.
3.
Comment 1 Lewis Smith 2019-11-26 21:27:00 CET 
Thank you for reporting the fault; and building a fix.
The fault is exactly reproduceable as described [note the final '.' ; -v = verbose, -t = test] with mirrordir-0.10.49-27.mga7.x86_64

The package has no maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-11-26 21:52:30 CET 
It must have been our optflags that broke it:
http://svnweb.mageia.org/packages?view=revision&revision=1148574

CC: (none) => geiger.david68210

Comment 3 eric gerbier 2019-11-27 08:25:56 CET 
I have removed the optflags from spec file, rebuild the mageia 7 package, 
and YES, it works !
Comment 4 Nicolas Salguero 2019-11-27 13:50:16 CET 
Suggested advisory:
========================

The updated packages fix a buffer overflow that leads to a crash of "mirrordir" command.

References:
https://bugs.mageia.org/show_bug.cgi?id=25748
========================

Updated packages in core/updates_testing:
========================
mirrordir-0.10.49-27.1.mga7
lib(64)diffie1-0.10.49-27.1.mga7
lib(64)diffie-devel-0.10.49-27.1.mga7

from SRPMS:
mirrordir-0.10.49-27.1.mga7.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Comment 5 Jani Välimaa 2019-11-27 14:35:17 CET 
IMO the fix is not correct. It makes pkg to work, but we should fix the code instead of removing our compiler flags.

.spec could be also simplified. -D_foo=bar flags should go to CPPFLAGS instead of CFLAGS. And instead of usind sed with %optflags, one should just use "%global _fortify_cflags %nil" to skip "-Wp,-D_FORTIFY_SOURCE=2", if it's really wanted.

Another thing is that mirrordir has been abandoned upstream for over 10 years:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555130
Comment 6 Jani Välimaa 2019-11-27 14:42:08 CET 
(In reply to Jani Välimaa from comment #5)
> Another thing is that mirrordir has been abandoned upstream for over 10
> years:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555130

Actually make it over 20 years as the Debian bug was filed on 2009.
Comment 7 David Walser 2019-11-27 18:14:51 CET 
Jani is right.  The fortify source option doesn't *cause* the buffer overflow, it just *detects* it and allows the program to safely exit rather than allow it to be silently able to be exploited (hypothetically at least).  The compiler option should be left in place and the actual buffer overflow should be fixed.  If we can't fix it ourselves (and can't find a fix anywhere else, like Ubuntu which also uses this compiler option generally), we should just close this as WONTFIX and drop the package in Cauldron.

Assignee: qa-bugs => pkg-bugs
CC: (none) => qa-bugs

Comment 8 Nicolas Salguero 2019-11-28 10:35:50 CET 
I found the cause of the buffer overflow.  In my tests, with my patch and the fortify source option, the "mirrordir" command works.
Comment 9 Nicolas Salguero 2019-11-28 10:41:12 CET 
Suggested advisory:
========================

The updated packages fix a buffer overflow that leads to a crash of "mirrordir" command.

References:
https://bugs.mageia.org/show_bug.cgi?id=25748
========================

Updated packages in core/updates_testing:
========================
mirrordir-0.10.49-27.2.mga7
lib(64)diffie1-0.10.49-27.2.mga7
lib(64)diffie-devel-0.10.49-27.2.mga7

from SRPMS:
mirrordir-0.10.49-27.2.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 10 Thomas Andrews 2019-12-13 00:23:27 CET 
Installed 64-bit mirrordir, then updated to version 0.10.49-27.2.

All packages installed cleanly. Executed the reporter's command from Comment 0. No overflow occurred. OK for 64-bit.

Validating. Advisory in Comment 9.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Rémi Verschelde 2019-12-13 16:43:11 CET 
Advisory uploaded.

Keywords: (none) => advisory

Comment 12 Mageia Robot 2019-12-13 19:26:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2019-0227.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED