Bug 25748 - buffer overflow in mirrordir
Summary: buffer overflow in mirrordir
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-26 11:14 CET by eric gerbier
Modified: 2019-11-28 10:41 CET (History)
3 users (show)

See Also:
Source RPM: mirrordir-0.10.49-27.mga7.src.rpm
CVE:
Status comment:


Attachments

Description eric gerbier 2019-11-26 11:14:45 CET
Description of problem:
I am using mirrordir tool to mirror some ftp repositories.
with the mageia 7 package, I got the following error message :

# mirrordir -v -t ftp://mirror.in2p3.fr/pub/linux/CentOS/7.7.1908/updates/x86_64/Packages .
mirrordir: ---verbose--- ftpfs: making connection to mirror.in2p3.fr
mirrordir: ---verbose--- ftpfs: sending login name
mirrordir: ---verbose--- ftpfs: sending user password
mirrordir: ---verbose--- ftpfs: logged in
ftpfs: got listing             *** buffer overflow detected ***: mirrordir terminated
Abandon (core dumped)

I have rebuild on mageia 7 (from src.rpm) the 0.10.49-25 version (released in mageia 6) and this version is working

Version-Release number of selected component (if applicable):
mirrordir-0.10.49-27.mga7

How reproducible:


Steps to Reproduce:
1. mirrordir -v -t ftp://mirror.in2p3.fr/pub/linux/CentOS/7.7.1908/updates/x86_64/Packages .
2.
3.
Comment 1 Lewis Smith 2019-11-26 21:27:00 CET
Thank you for reporting the fault; and building a fix.
The fault is exactly reproduceable as described [note the final '.' ; -v = verbose, -t = test] with mirrordir-0.10.49-27.mga7.x86_64

The package has no maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-11-26 21:52:30 CET
It must have been our optflags that broke it:
http://svnweb.mageia.org/packages?view=revision&revision=1148574

CC: (none) => geiger.david68210

Comment 3 eric gerbier 2019-11-27 08:25:56 CET
I have removed the optflags from spec file, rebuild the mageia 7 package, 
and YES, it works !
Comment 4 Nicolas Salguero 2019-11-27 13:50:16 CET
Suggested advisory:
========================

The updated packages fix a buffer overflow that leads to a crash of "mirrordir" command.

References:
https://bugs.mageia.org/show_bug.cgi?id=25748
========================

Updated packages in core/updates_testing:
========================
mirrordir-0.10.49-27.1.mga7
lib(64)diffie1-0.10.49-27.1.mga7
lib(64)diffie-devel-0.10.49-27.1.mga7

from SRPMS:
mirrordir-0.10.49-27.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 5 Jani Välimaa 2019-11-27 14:35:17 CET
IMO the fix is not correct. It makes pkg to work, but we should fix the code instead of removing our compiler flags.

.spec could be also simplified. -D_foo=bar flags should go to CPPFLAGS instead of CFLAGS. And instead of usind sed with %optflags, one should just use "%global _fortify_cflags %nil" to skip "-Wp,-D_FORTIFY_SOURCE=2", if it's really wanted.

Another thing is that mirrordir has been abandoned upstream for over 10 years:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555130
Comment 6 Jani Välimaa 2019-11-27 14:42:08 CET
(In reply to Jani Välimaa from comment #5)
> Another thing is that mirrordir has been abandoned upstream for over 10
> years:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555130

Actually make it over 20 years as the Debian bug was filed on 2009.
Comment 7 David Walser 2019-11-27 18:14:51 CET
Jani is right.  The fortify source option doesn't *cause* the buffer overflow, it just *detects* it and allows the program to safely exit rather than allow it to be silently able to be exploited (hypothetically at least).  The compiler option should be left in place and the actual buffer overflow should be fixed.  If we can't fix it ourselves (and can't find a fix anywhere else, like Ubuntu which also uses this compiler option generally), we should just close this as WONTFIX and drop the package in Cauldron.

Assignee: qa-bugs => pkg-bugs
CC: (none) => qa-bugs

Comment 8 Nicolas Salguero 2019-11-28 10:35:50 CET
I found the cause of the buffer overflow.  In my tests, with my patch and the fortify source option, the "mirrordir" command works.
Comment 9 Nicolas Salguero 2019-11-28 10:41:12 CET
Suggested advisory:
========================

The updated packages fix a buffer overflow that leads to a crash of "mirrordir" command.

References:
https://bugs.mageia.org/show_bug.cgi?id=25748
========================

Updated packages in core/updates_testing:
========================
mirrordir-0.10.49-27.2.mga7
lib(64)diffie1-0.10.49-27.2.mga7
lib(64)diffie-devel-0.10.49-27.2.mga7

from SRPMS:
mirrordir-0.10.49-27.2.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs


Note You need to log in before you can comment on or make changes to this bug.