This is an update from Shlomi. Hopefully he can fill in some details. There were some uses of strcpy() in the code, which is unsafe if it can be fed untrusted input that exceeds the buffer size. He has patched it to use snprintf() and to error out gracefully. This may not be a security issue for us unless the crashes from the buffer overflows (which fortunately, no pun intended, are already caught due to our compiler options) can cause a denial of service in something. I'm not sure where the functions being patched are called, where they get their input from, or what programs are affected. It looks like the strfile and unstr commands would be affected. I'm not sure where randstr.c is used. I'm guessing this is just a minor bug if it's just command-line commands that you can crash by feeding them too-large arguments.

Updated packages in core/updates_testing:
----------------------------------------
fortune-mod-2.6.2-2.1.mga7 from fortune-mod-2.6.2-2.1.mga7.src.rpm
CC: (none) => shlomif
Thanks, David! randstr was an executable that was not getting built and installed by the version of fortune-mod that was packaged for mga7, so testing it can be skipped. Otherwise, a simple reproduction for the buffer overflow can be:

```
perl -E 'system("strfile", scalar( "AAAAAAA/" x 3000));'
perl -E 'system("unstr", scalar( "AAAAAAA/" x 3000));'
```
Tried the one-liners before update but saw no output. The commands seemed to work silently. What should we expect? (Not a perl programmer.)
CC: (none) => tarazed25
```
[shlomif@localhost ~]$ perl -E 'system("strfile", ("AAAAAAA/" x 1000));'
=> *** buffer overflow detected ***: terminated
```

Shlomi got that output in Fedora (before the patch). I'd hope for the same. After the update it should say "input filename too long." Shlomi added an automated build-time test to the package.

The package list for the update changed to:
fortune-mod-2.6.2-2.3.mga7 from fortune-mod-2.6.2-2.3.mga7.src.rpm
BTW, this has nothing to do with Perl, Shlomi is just using Perl to automatically generate a *really* long argument to call the programs with, such that it overflows the buffer.
@David, comment 4: That is what I assumed but was not sure because of my lack of Perl experience. I do not see the message.
Do not see which message?
Either "buffer overflow detected" (before) or "input filename too long" (afterwards). After updating to fortune-mod-2.6.2-2.3.mga7 the test still fails to output anything.

```
$ perl -E 'system("strfile", scalar( "AAAAAAA/" x 3000));'
$ perl -E 'system("strfile", scalar( "AAAAAAA/" x 9000));'
$
```

fortune works OK.
Fiddled about with strfile to see what it does. Generated a file containing a long string.

```
$ ll whatever
-rw-r--r-- 1 lcl lcl 24001 May  1 01:48 whatever
$ sudo strfile whatever
"whatever.dat" created
There was 1 string
Longest string: 24001 bytes
Shortest string: 24001 bytes
$ od -a whatever.dat
0000000 nul nul nul stx nul nul nul soh nul nul   ]   A nul nul   ]   A
0000020 nul nul nul nul   % nul nul nul nul nul nul nul nul nul   ]   A
0000040
$ irb
irb(main):001:0> system( "sudo strfile #{'AAAAAAA/'*3000}" )
input filename too long.: Success
=> false
```

or

```
$ ruby -e "system( \"sudo strfile #{'AAAAAAA/'*3000}\" )"
input filename too long.: Success
```

Now that is weird.
Not so weird. Why did it take so long......

```
$ sudo perl -e 'system("strfile", scalar( "AAAAAAA/" x 3000));'
input filename too long.: Success
```
Hi, note that fortune-mod-2.6.2-2.4.mga7 fixes another potential issue of an integer overflow:

```
[shlomif@localhost ~]$ fortune 222222222222% songs-poems
fortune: no place to put residual probability (-1116077170%)
```

If possible, try to test it as well.
fortune-mod-2.6.2-2.3.mga7.x86_64

```
$ fortune 222222222222% songs-poems
fortune: no place to put residual probability (-1116077170%)
```

Updated to fortune-mod-2.6.2-2.4.

```
$ fortune 222222222222% songs-poems
percentages must be <= 100
Overflow percentage detected at argument "222222222222%"!
$ fortune
Against stupidity the very gods Themselves contend in vain.
                -- Friedrich von Schiller, "The Maid of Orleans", III, 6
$ fortune 50% startrek 50% platitudes
The heart is not a logical organ.
                -- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4
$ ls /usr/share/games/fortunes | grep -v u8 | grep -v dat | wc -l
44
```

44 categories to choose from. Seems OK.
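As an added illustration of the two defensive checks discussed in this thread (the strcpy() to snprintf() change from comments 1 and 3, and the "222222222222%" overflow test above), here is example code that is not fortune-mod's own source nor Shlomi's patch: a bounded filename copy that fails instead of overflowing, and a percentage parser that rejects overflowed or out-of-range values. The buffer size, the function names and the constructed over-long input are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 1024   /* assumed buffer size; fortune-mod's real value may differ */
/* Bounded replacement for an unchecked strcpy(dst, name).
 * snprintf() never writes past dstsize; a return value >= dstsize means the
 * name did not fit, which the caller reports as "input filename too long." */
int safe_set_input_name(char *dst, size_t dstsize, const char *name)
{
    int n = snprintf(dst, dstsize, "%s", name);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';          /* leave nothing half-copied behind */
        return -1;
    }
    return 0;
}

/* Constructed input mirroring the thread's repro: "AAAAAAA/" x 3000. Returns -1 when rejected. */
int demo_overlong_name(void)
{
    char buf[NAME_BUF];
    const char unit[] = "AAAAAAA/";
    size_t reps = 3000, ulen = sizeof unit - 1;
    char *name = malloc(reps * ulen + 1);
    if (!name) return -2;
    for (size_t i = 0; i < reps; i++)
        memcpy(name + i * ulen, unit, ulen);
    name[reps * ulen] = '\0';
    int rc = safe_set_input_name(buf, sizeof buf, name);
    free(name);
    return rc;
}

/* Parse a "NN%" argument into 0..100. An atoi()-style parse wraps "222222222222"
 * into a negative int; strtol() with errno plus a range check rejects it instead. */
int parse_percent(const char *arg, int *pct)
{
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (end == arg || *end != '%' || end[1] != '\0')
        return -1;              /* not digits followed by a single '%' */
    if (errno == ERANGE || v < 0 || v > 100)
        return -1;              /* overflowed long, or outside 0..100 */
    *pct = (int)v;
    return 0;
}
```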
Whiteboard: (none) => MGA7-64-OK
And:

```
$ fortune debian
<wolfgang> the problem with the 'go find a real girl' admonition is that so few of them actually have naked transformation sequences
<reality> Dude, my girlfriend changes like four times a day
```
(In reply to Len Lawrence from comment #11)
> fortune-mod-2.6.2-2.3.mga7.x86_64
>
> $ fortune 222222222222% songs-poems
> fortune: no place to put residual probability (-1116077170%)
>
> Updated to fortune-mod-2.6.2-2.4.
> $ fortune 222222222222% songs-poems
> percentages must be <= 100
> Overflow percentage detected at argument "222222222222%"!

Thanks, Len!
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0199.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED