Bug 26567

Summary: fortune-mod possible buffer overflows due to use of strcpy
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, shlomif, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: fortune-mod-2.6.2-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-04-29 23:45:20 CEST 
This is an update from Shlomi.  Hopefully he can fill in some details.  There were some uses of strcpy() in the code, which is unsafe if it can be fed untrusted input that exceeds the buffer size.  He has patched it to use snprintf() and to error out gracefully.  This may not be a security issue for us unless the crashes from the buffer overflows (which fortunately, no pun intended, are already caught due to our compiler options) can cause a denial of service in something.  I'm not sure where the functions being patched are called, where they get their input from, or what programs are affected.  It looks like the strfile and unstr commands would be affected.  I'm not sure where randstr.c is used.  I'm guessing this is just a minor bug if it's just command-line commands that you can crash by feeding them too-large arguments.

Updated packages in core/updates_testing:
----------------------------------------
fortune-mod-2.6.2-2.1.mga7

from fortune-mod-2.6.2-2.1.mga7.src.rpm
David Walser 2020-04-29 23:45:30 CEST

CC: (none) => shlomif

Comment 1 Shlomi Fish 2020-04-30 07:17:58 CEST 
Thanks, David! randstr was an executable that was not getting built and installed by the version of fortune-mod that was packaged for mga7, so testing it can be skipped. Otherwise, a simple reproduction for the buffer overflow can be:

perl -E 'system("strfile", scalar( "AAAAAAA/" x 3000));'

perl -E 'system("unstr", scalar( "AAAAAAA/" x 3000));'
Comment 2 Len Lawrence 2020-04-30 21:58:30 CEST 
Tried the one-liners before update but saw no output.  The commands seemed to work silently.  What should we expect?  (Not a perl programmer.)

CC: (none) => tarazed25

Comment 3 David Walser 2020-04-30 22:38:01 CEST 
[shlomif@localhost ~]$ perl -E 'system("strfile", ("AAAAAAA/" x 1000));' => *** buffer overflow detected ***: terminated

Shlomi got that output in Fedora (before the patch).  I'd hope for the same.

After the update it should say "input filename too long."

Shlomi added an automated build-time test to the package.  The package list for the update changed to:
fortune-mod-2.6.2-2.3.mga7

from fortune-mod-2.6.2-2.3.mga7.src.rpm
Comment 4 David Walser 2020-04-30 22:38:58 CEST 
BTW, this has nothing to do with Perl, Shlomi is just using Perl to automatically generate a *really* long argument to call the programs with, such that it overflows the buffer.
Comment 5 Len Lawrence 2020-05-01 02:08:52 CEST 
@David, comment 4:
That is what I assumed but was not sure because of my lack of Perl experience.  I do not see the message.
Comment 6 David Walser 2020-05-01 02:27:42 CEST 
Do not see which message?
Comment 7 Len Lawrence 2020-05-01 03:10:36 CEST 
Either "buffer overflow detected" (before) or "input filename too long" (afterwards).

After updating to fortune-mod-2.6.2-2.3.mga7 the test still fails to output anything.
$ perl -E 'system("strfile", scalar( "AAAAAAA/" x 3000));'
$ perl -E 'system("strfile", scalar( "AAAAAAA/" x 9000));'
$

fortune works OK.
Comment 8 Len Lawrence 2020-05-01 03:35:39 CEST 
Fiddled about with strfile to see what it does.  Generated a file containing a long string.

$ ll whatever
-rw-r--r-- 1 lcl lcl 24001 May  1 01:48 whatever
$ sudo strfile whatever
"whatever.dat" created
There was 1 string
Longest string: 24001 bytes
Shortest string: 24001 bytes
$ od -a whatever.dat
0000000 nul nul nul stx nul nul nul soh nul nul   ]   A nul nul   ]   A
0000020 nul nul nul nul   % nul nul nul nul nul nul nul nul nul   ]   A
0000040

$ irb
irb(main):001:0> system( "sudo strfile #{'AAAAAAA/'*3000}" )
input filename too long.: Success
=> false

or
$ ruby -e "system( \"sudo strfile #{'AAAAAAA/'*3000}\" )"
input filename too long.: Success

Now that is weird.
Comment 9 Len Lawrence 2020-05-01 03:52:47 CEST 
Not so weird.  Why did it take so long......

$ sudo perl -e 'system("strfile", scalar( "AAAAAAA/" x 3000));'
input filename too long.: Success
Comment 10 Shlomi Fish 2020-05-02 18:24:30 CEST 
Hi, note that fortune-mod-2.6.2-2.4.mga7 fixes another potential issue of an integer overflow:

```
[shlomif@localhost ~]$ fortune 222222222222% songs-poems 
fortune: no place to put residual probability (-1116077170%)
```

If possible, try to test it as well.
Comment 11 Len Lawrence 2020-05-03 02:15:57 CEST 
fortune-mod-2.6.2-2.3.mga7.x86_64

$ fortune 222222222222% songs-poems
fortune: no place to put residual probability (-1116077170%)

Updated to fortune-mod-2.6.2-2.4.
$ fortune 222222222222% songs-poems
percentages must be <= 100
Overflow percentage detected at argument "222222222222%"!

$ fortune
Against stupidity the very gods Themselves contend in vain.
		-- Friedrich von Schiller, "The Maid of Orleans", III, 6

$ fortune 50% startrek 50% platitudes
The heart is not a logical organ.
		-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4

$ ls /usr/share/games/fortunes | grep -v u8 | grep -v dat | wc -l
44

44 categories to choose from.

Seems OK.

Whiteboard: (none) => MGA7-64-OK

Comment 12 Len Lawrence 2020-05-03 02:19:34 CEST 
And:
$ fortune debian
<wolfgang> the problem with the 'go find a real girl' admonition is
           that so few of them actually have naked transformation
           sequences
<reality> Dude, my girlfriend changes like four times a day
Comment 13 Shlomi Fish 2020-05-03 08:28:11 CEST 
(In reply to Len Lawrence from comment #11)
> fortune-mod-2.6.2-2.3.mga7.x86_64
> 
> $ fortune 222222222222% songs-poems
> fortune: no place to put residual probability (-1116077170%)
> 
> Updated to fortune-mod-2.6.2-2.4.
> $ fortune 222222222222% songs-poems
> percentages must be <= 100
> Overflow percentage detected at argument "222222222222%"!

Thanks, Len!
Comment 14 Thomas Andrews 2020-05-05 01:03:59 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-05-05 13:13:57 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 15 Mageia Robot 2020-05-05 14:22:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0199.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED