Your message dated Sat, 12 Apr 2008 17:54:57 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#441444: fixed in tar 1.14-2.4
has caused the Debian Bug report #441444,
regarding CVE-2007-4476 Buffer overflow in the safer_name_suffix function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
441444: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=441444
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: tar
Version: 1.16-2
Severity: normal

Hi,
a CVE has been issued against tar:
CVE-2007-4476[0]:
Buffer overflow in the safer_name_suffix function in GNU tar 
has unspecified attack vectors and impact, resulting in a 
"crashing stack."

The SuSE security announcement is not really helpful for 
more information. I extracted the patch from the SuSE source 
RPM. For unstable and testing this problem is fixed because the whole
function has been replaced by transform_member_name(), which
works totally differently.

Etch is affected by this problem; however, the code is not in
names.c but in lib/libpaxnames.c.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Patch from Sergey Poznyakoff <[EMAIL PROTECTED]> for cpio
based on patch:
2007-08-15  Dmitry V. Levin <[EMAIL PROTECTED]>

        Do not use alloca to avoid stack overflow with untrusted input.

        * lib/paxnames.c (hash_string_insert_direct): New function.
        (hash_string_insert): Use it.
        (hash_string_insert_data): New function.
        (safer_name_suffix): Use it instead of hash_string_insert()
        and alloca().

Index: src/names.c
===================================================================
--- src/names.c.orig
+++ src/names.c
@@ -958,15 +958,27 @@ hash_string_compare (void const *name1, 
   return strcmp (name1, name2) == 0;
 }
 
-/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
-   copy of STRING to TABLE and return 1.  */
+/* Return zero if TABLE contains a LEN-character long prefix of STRING,
+   otherwise, insert a newly allocated copy of this prefix to TABLE and
+   return 1.  If RETURN_PREFIX is not NULL, point it to the allocated
+   copy. */
 static bool
-hash_string_insert (Hash_table **table, char const *string)
+hash_string_insert_prefix (Hash_table **table, char const *string, size_t len,
+                          const char **return_prefix)
 {
   Hash_table *t = *table;
-  char *s = xstrdup (string);
+  char *s;
   char *e;
 
+  if (len)
+    {
+      s = xmalloc (len + 1);
+      memcpy (s, string, len);
+      s[len] = 0;
+    }
+  else
+    s = xstrdup (string);
+
   if (! ((t
 	  || (*table = t = hash_initialize (0, 0, hash_string_hasher,
 					    hash_string_compare, 0)))
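Review bot: the new doc comment on hash_string_insert_prefix should state that LEN == 0 means "the whole of STRING", because the `if (len) ... else s = xstrdup (string);` branch makes zero a sentinel rather than a genuine zero-length prefix; as written, "a LEN-character long prefix" suggests an empty prefix could be recorded. The only caller in this patch (safer_name_suffix, last hunk) guards the call with `if (prefix_len)`, so behaviour is correct today, but the contract deserves spelling out for future callers.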
@@ -974,7 +986,11 @@ hash_string_insert (Hash_table **table, 
     xalloc_die ();
 
   if (e == s)
-    return 1;
+    {
+      if (return_prefix)
+       *return_prefix = s;
+      return 1;
+    }
   else
     {
       free (s);
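Review bot: ownership and validity of *return_prefix are undocumented. On the `e == s` path the pointer handed back is the copy now owned by the hash table, so the caller must never free it; on the duplicate path `s` is freed and *return_prefix is left untouched, so it is only meaningful when the function returns 1. Either add that to the comment introduced in the first hunk or initialise `*return_prefix = NULL` before the lookup so a caller that reads it after a 0 return does not see an uninitialised pointer. Minor: the added `*return_prefix = s;` line is indented with spaces while the surrounding lines use tabs.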
@@ -982,6 +998,14 @@ hash_string_insert (Hash_table **table, 
     }
 }
 
+/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
+   copy of STRING to TABLE and return 1.  */
+bool
+hash_string_insert (Hash_table **table, char const *string)
+{
+  return hash_string_insert_prefix (table, string, 0, NULL);
+}
+
 /* Return 1 if TABLE contains STRING.  */
 static bool
 hash_string_lookup (Hash_table const *table, char const *string)
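Review bot: the re-introduced hash_string_insert wrapper is declared `bool` rather than `static bool`, although the original (the `-hash_string_insert` line under `static bool` in the first hunk) was static, so it now becomes an external symbol of names.c. Unless a header declares it for use from another file, keep `static`: that avoids a missing-prototype warning and an unintentionally exported function.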
@@ -1082,11 +1106,9 @@ safer_name_suffix (char const *file_name
 
       if (prefix_len)
 	{
-	  char *prefix = alloca (prefix_len + 1);
-	  memcpy (prefix, file_name, prefix_len);
-	  prefix[prefix_len] = '\0';
-
-	  if (hash_string_insert (&prefix_table[link_target], prefix))
+         const char *prefix;
+         if (hash_string_insert_prefix (&prefix_table[link_target], file_name,
+                                        prefix_len, &prefix))
 	    {
 	      static char const *const diagnostic[] =
 	      {
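Review bot: this hunk is the CVE-2007-4476 fix proper and has the right shape: prefix_len is derived from the member name stored in the archive, so `alloca (prefix_len + 1)` let the archive choose how much stack to consume, whereas the copy is now made inside hash_string_insert_prefix with xmalloc, where an absurd length ends in xalloc_die instead of a stack overrun. Two follow-ups: `prefix` now aliases the string owned by prefix_table, so the diagnostic code following this hunk must keep treating it as read-only and must not free it; and the three added lines are indented with spaces where the surrounding file uses tabs.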

Attachment: pgpyg34dP3fee.pgp
Description: PGP signature


--- End Message ---
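As an added illustration, not part of the bug report, the attached patch or GNU tar's own code, the following C program shows the defensive pattern the fix adopts: the prefix stripped from an untrusted archive member name is copied into heap memory instead of an alloca() buffer whose size the archive controls, so a hostile name costs a failed malloc rather than a stack overflow. The stripping rule (leading "/" and "../" components), the function names (unsafe_prefix_len, copy_prefix, safe_suffix, long_prefix_ok), the "." substitution for an empty remainder and the sample names are this example's own assumptions, not tar's implementation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the leading run of "/" and "../" components in NAME.
   A bare ".." at the very end also counts.  Repeated slashes ("//../x")
   stay inside the run, so a doubled "/" cannot hide a "..".  */
size_t unsafe_prefix_len(const char *name)
{
    const char *p = name;
    for (;;) {
        if (*p == '/')
            p++;
        else if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            p += 2;                 /* the '/' after ".." is consumed next round */
        else
            break;
    }
    return (size_t)(p - name);
}

/* Copy the first LEN bytes of NAME into a NUL-terminated heap buffer.
   LEN is derived from the archive, so the buffer is malloc'ed rather
   than alloca'ed: a hostile length fails as a NULL return, not as a
   stack overrun.  The caller frees the result.  */
char *copy_prefix(const char *name, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, name, len);
    s[len] = '\0';
    return s;
}

/* Return the part of NAME that is safe to create relative to the
   extraction directory.  If PREFIX_OUT is non-NULL it receives the
   stripped prefix (heap-allocated, NULL when nothing was stripped).
   An empty remainder is reported as "." (this example's convention).  */
const char *safe_suffix(const char *name, char **prefix_out)
{
    size_t len = unsafe_prefix_len(name);
    if (prefix_out != NULL)
        *prefix_out = len ? copy_prefix(name, len) : NULL;
    return name[len] ? name + len : ".";
}

/* Regression check: a constructed member name made of N "../" components
   followed by "x" must be handled with the prefix on the heap.
   Returns 1 on success, 0 on failure.  */
int long_prefix_ok(size_t n)
{
    size_t total = n * 3;
    char *name = malloc(total + 2);
    if (name == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        memcpy(name + 3 * i, "../", 3);
    name[total] = 'x';
    name[total + 1] = '\0';

    char *prefix = NULL;
    const char *suffix = safe_suffix(name, &prefix);
    int ok = prefix != NULL
          && strlen(prefix) == total
          && strcmp(suffix, "x") == 0;
    free(prefix);
    free(name);
    return ok;
}

int main(void)
{
    /* constructed sample member names */
    const char *samples[] = { "../../etc/passwd", "/etc/passwd", "a/../b", "//../x", "/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *prefix = NULL;
        const char *suffix = safe_suffix(samples[i], &prefix);
        printf("%-18s prefix=%-8s suffix=%s\n",
               samples[i], prefix ? prefix : "(none)", suffix);
        free(prefix);
    }
    /* one million "../" components: 3 MB of prefix, fine on the heap */
    printf("1e6 \"../\" components: %s\n", long_prefix_ok(1000000) ? "ok" : "FAILED");
    return 0;
}
```

The long_prefix_ok() call is the kind of regression test a maintainer would add alongside the patch: with the original alloca() the same input would have had to fit on the stack, while here the only limit is what malloc() can provide, and a refusal is reported instead of overrunning memory.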
--- Begin Message ---
Source: tar
Source-Version: 1.14-2.4

We believe that the bug you reported is fixed in the latest version of
tar, which is due to be installed in the Debian FTP archive:

tar_1.14-2.4.diff.gz
  to pool/main/t/tar/tar_1.14-2.4.diff.gz
tar_1.14-2.4.dsc
  to pool/main/t/tar/tar_1.14-2.4.dsc
tar_1.14-2.4_i386.deb
  to pool/main/t/tar/tar_1.14-2.4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <[EMAIL PROTECTED]> (supplier of updated tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 26 Dec 2007 12:19:01 +0100
Source: tar
Binary: tar
Architecture: source i386
Version: 1.14-2.4
Distribution: oldstable-security
Urgency: high
Maintainer: Bdale Garbee <[EMAIL PROTECTED]>
Changed-By: Florian Weimer <[EMAIL PROTECTED]>
Description: 
 tar        - GNU tar
Closes: 439335 441444
Changes: 
 tar (1.14-2.4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply patch from Dmitry V. Levin <[EMAIL PROTECTED]> to avoid a
     stack-based buffer overflow while processing certain file names
     (CVE-2007-4476).  Closes: #441444.
   * Apply patch from Dmitry V. Levin to fix double-dot recognition
     in case of duplicate / (CVE-2007-4131).  Closes: #439335.
Files: 
 cbcbbd7c638de842f913ac566c3f0b0a 846 base required tar_1.14-2.4.dsc
 2675ec9acdf59ba6f0c54e5325675fcf 51869 base required tar_1.14-2.4.diff.gz
 3b1099df9c1df15768f8dc568068e02f 500822 base required tar_1.14-2.4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR3JTEL97/wQC1SS+AQIP4gf/SUnWTVcWn8qa8QXhlEfjct3ph2cOQRP7
/G6E9JDL7UaGavsR6O8JsBoSyl6cpwA4YCX54vZ9VA1P1NB2O/nkNFCG+rOX4zxl
WF2xl0Bj8ScPR5aSXC7KXgvhEVmF8NYzqRsfkW0NHGUNVH2BUGb1A/t2TEExPeB+
F9QXr9RoiNxwEEPcb5y46gRWZAgbbQBgdQeLUCQda9N4k1hqS1waEHuDbVA4F0bj
JUOV9rRS2Zm0lAmrUT9BwPYcQ2QjG1jhCunAl3pgERnc4ohDJ2ZrrSqmzLClVT7W
QJLL2YIOpFlIHbhNwX+jDNbQEPKirr3doO8z7im80bBf/z633H2/2A==
=7BMw
-----END PGP SIGNATURE-----



--- End Message ---
