Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 226979 - Buffer overflow in bzip2's bzip2recover
Summary: Buffer overflow in bzip2's bzip2recover
Alias: None
Product: Fedora
Classification: Fedora
Component: bzip2
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: Ben Levenson
Whiteboard: impact=none
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-02 13:39 UTC by Lubomir Kundrak
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-06 15:00:03 UTC

Attachments (Terms of Use)

Description Lubomir Kundrak 2007-02-02 13:39:31 UTC
Description of problem:

bzip2-1.0.3/bzip2recover.c copies argv[0] to a statically sized buffer
progName which is declared as:

 92 #define BZ_MAX_FILENAME 2000
 94 Char inFileName[BZ_MAX_FILENAME];
 95 Char outFileName[BZ_MAX_FILENAME];
 96 Char progName[BZ_MAX_FILENAME];

here, in main():

344    strcpy ( progName, argv[0] );

If we trick argv[0] into being more than 2000 characters long, we can
overwrite arbitrary locations in heap following the progName[] buffer.
If compiler put buffers that store file names after this location,
the exploitation of the flaw could lead to arbitrary file overwrite,
however this does not happen.

Version-Release number of selected component (if applicable):

At least FC-6 and RHEL-5 bzip2recover. Seems like the code originates from
mid-90's, so it likely affects other releases.

How reproducible:


Steps to Reproduce:

$ DIR=$(perl -e 'print ((("x" x 200)."/") x 20)')
$ mkdir -p $DIR
$ ln -s $(which bzip2recover) $DIR
$ $DIR/bzip2recover
*** buffer overflow detected ***
Actual results:

In releases with FORTIFY_SOURCE, glibc catches the bug.
In other cases a random corruption on heap occurs, possibly causing
the program to receive a SIGSEGV signal.

Additional info:

This has no security implications, as is would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.

Comment 1 Ivana Varekova 2007-02-05 11:31:31 UTC
Fixed in bzip2-1.0.4-2.fc7 (bzip2-1.0.3-4.fc6  in fc6 branch).

Comment 3 Ivana Varekova 2007-02-06 14:59:22 UTC
Fixed in bzip2-1.0.4-3.fc7 (bzip2-1.0.3-6.fc6  in fc6 branch).

Note You need to log in before you can comment on or make changes to this bug.