Your message dated Sun, 07 Jun 2015 22:23:23 +0000
with message-id <[email protected]>
and subject line Bug#777427: fixed in posh 0.12.5
has caused the Debian Bug report #777427,
regarding incorrect initialization of PWD
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
777427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: posh
Version: 0.12.3
X-Debbugs-CC: [email protected]
The initialization of the PWD variable has an off-by-one error in its
length calculation. The current_wd_size is not sufficient to hold the
terminal NUL. Since the contents of current_wd is not NUL-terminated,
subsequent use of that variable could result in potentially dangerous
buffer overruns.
I am not aware of any externally visible or exploitable behavior, but
valgrind reports the error and it's obvious by inspection.
The patch is easy:
drdlogin0039$ git diff master fixpwdlen
diff --git a/main.c b/main.c
index a2ea74f..88a3a5b 100644
--- a/main.c
+++ b/main.c
@@ -199,7 +199,7 @@ main(int argc, char **argv)
int len;
simplified = canonicalize_file_name(current_wd);
- len = strlen(simplified);
+ len = strlen(simplified) + 1;
if (len > current_wd_size)
current_wd = aresize(current_wd, current_wd_size =
len, APERM);
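Review bot: the added `+ 1` is the right fix, but `len` is declared `int` (the `int len;` line at the top of the hunk) while it now stores `strlen(simplified) + 1`, a `size_t`; unless `current_wd_size` is itself an `int`, the comparison `if (len > current_wd_size)` mixes signed and unsigned and truncates on paths longer than INT_MAX, so consider `size_t len` (or the type of `current_wd_size`) in the same patch. Also worth a comment in the code that `len` now counts the terminating NUL, since the later `setstr`/`export` path (var.c in the valgrind trace) copies the string with `strlen`/`memcpy` and relies on the NUL being inside the block.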
drdlogin0039$
Here is some valgrind output:
First, the unpatched code:
drdlogin0039$ git checkout master
Switched to branch 'master'
Your branch is up-to-date with 'origin/master'.
drdlogin0039$ make
make all-recursive
make[1]: Entering directory `/d/en/salmonj-3/g/posh'
Making all in .
make[2]: Entering directory `/d/en/salmonj-3/g/posh'
gcc -DHAVE_CONFIG_H -I. -g -O2 -MT main.o -MD -MP -MF .deps/main.Tpo
-c -o main.o main.c
mv -f .deps/main.Tpo .deps/main.Po
gcc -g -O2 -o posh alloc.o c_test.o eval.o exec.o expr.o history.o
io.o jobs.o lex.o main.o misc.o path.o shf.o syn.o table.o trap.o tree.o
tty.o var.o builtins.o compat.o times.o
make[2]: Leaving directory `/d/en/salmonj-3/g/posh'
Making all in src
make[2]: Entering directory `/d/en/salmonj-3/g/posh/src'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/d/en/salmonj-3/g/posh/src'
Making all in tests
make[2]: Entering directory `/d/en/salmonj-3/g/posh/tests'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/d/en/salmonj-3/g/posh/tests'
make[1]: Leaving directory `/d/en/salmonj-3/g/posh'
drdlogin0039$ valgrind ./posh -c 'exit 0'
==29822== Memcheck, a memory error detector
==29822== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==29822== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==29822== Command: ./posh -c exit\ 0
==29822==
==29822== Invalid read of size 1
==29822== at 0x4A07FA4: strlen (mc_replace_strmem.c:403)
==29822== by 0x414235: export (var.c:528)
==29822== by 0x414ACA: setstr (var.c:376)
==29822== by 0x401F87: main (main.c:215)
==29822== Address 0x4c4f03e is 0 bytes after a block of size 30 alloc'd
==29822== at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==29822== by 0x4026F5: aresize (alloc.c:76)
==29822== by 0x402433: main (main.c:205)
==29822==
==29822== Invalid read of size 1
==29822== at 0x4A08DEC: memcpy (mc_replace_strmem.c:882)
==29822== by 0x414288: export (var.c:536)
==29822== by 0x414ACA: setstr (var.c:376)
==29822== by 0x401F87: main (main.c:215)
==29822== Address 0x4c4f03e is 0 bytes after a block of size 30 alloc'd
==29822== at 0x4A06C20: realloc (vg_replace_malloc.c:662)
==29822== by 0x4026F5: aresize (alloc.c:76)
==29822== by 0x402433: main (main.c:205)
==29822==
==29822==
==29822== HEAP SUMMARY:
==29822== in use at exit: 21,337 bytes in 375 blocks
==29822== total heap usage: 698 allocs, 323 frees, 43,119 bytes allocated
==29822==
==29822== LEAK SUMMARY:
==29822== definitely lost: 32 bytes in 1 blocks
==29822== indirectly lost: 2,848 bytes in 89 blocks
==29822== possibly lost: 0 bytes in 0 blocks
==29822== still reachable: 18,457 bytes in 285 blocks
==29822== suppressed: 0 bytes in 0 blocks
==29822== Rerun with --leak-check=full to see details of leaked memory
==29822==
==29822== For counts of detected and suppressed errors, rerun with: -v
==29822== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 6 from 6)
And now recompile and rerun valgrind on the patched branch:
drdlogin0039$ git checkout fixpwdlen
Switched to branch 'fixpwdlen'
drdlogin0039$ make
make all-recursive
make[1]: Entering directory `/d/en/salmonj-3/g/posh'
Making all in .
make[2]: Entering directory `/d/en/salmonj-3/g/posh'
gcc -DHAVE_CONFIG_H -I. -g -O2 -MT main.o -MD -MP -MF .deps/main.Tpo
-c -o main.o main.c
mv -f .deps/main.Tpo .deps/main.Po
gcc -g -O2 -o posh alloc.o c_test.o eval.o exec.o expr.o history.o
io.o jobs.o lex.o main.o misc.o path.o shf.o syn.o table.o trap.o tree.o
tty.o var.o builtins.o compat.o times.o
make[2]: Leaving directory `/d/en/salmonj-3/g/posh'
Making all in src
make[2]: Entering directory `/d/en/salmonj-3/g/posh/src'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/d/en/salmonj-3/g/posh/src'
Making all in tests
make[2]: Entering directory `/d/en/salmonj-3/g/posh/tests'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/d/en/salmonj-3/g/posh/tests'
make[1]: Leaving directory `/d/en/salmonj-3/g/posh'
drdlogin0039$ valgrind ./posh -c 'exit 0'
==30073== Memcheck, a memory error detector
==30073== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==30073== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==30073== Command: ./posh -c exit\ 0
==30073==
==30073==
==30073== HEAP SUMMARY:
==30073== in use at exit: 21,338 bytes in 375 blocks
==30073== total heap usage: 698 allocs, 323 frees, 43,120 bytes allocated
==30073==
==30073== LEAK SUMMARY:
==30073== definitely lost: 32 bytes in 1 blocks
==30073== indirectly lost: 2,848 bytes in 89 blocks
==30073== possibly lost: 0 bytes in 0 blocks
==30073== still reachable: 18,458 bytes in 285 blocks
==30073== suppressed: 0 bytes in 0 blocks
==30073== Rerun with --leak-check=full to see details of leaked memory
==30073==
==30073== For counts of detected and suppressed errors, rerun with: -v
==30073== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
drdlogin0039$
--
*.*
--- End Message ---
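The report above describes the bug in prose and as a one-line diff. The following is an added example, not code from posh, from the bug report or from the fix, that isolates the arithmetic so it can be run stand-alone: the buggy and fixed size calculations side by side, a helper that computes how far a NUL-terminated copy would overrun a block of a given size (the "0 bytes after a block" in the valgrind report), and a hypothetical re-implementation of the grow-then-store step with the fix applied. Names (pwd_size_buggy, pwd_size_fixed, bytes_past_end, set_current_wd, demo_roundtrip), the use of realloc in place of posh's aresize(), and the sample paths are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the unpatched posh code asked aresize() for: the string's length,
 * with no room for the terminating NUL. */
size_t pwd_size_buggy(const char *simplified)
{
    return strlen(simplified);
}

/* Size after the fix: one extra byte for the NUL. */
size_t pwd_size_fixed(const char *simplified)
{
    return strlen(simplified) + 1;
}

/* How many bytes a NUL-terminated copy of s would write past a block of
 * block_size bytes (0 means it fits). This is the arithmetic behind the
 * "0 bytes after a block of size N" in the valgrind report: the characters
 * fit, but the NUL, and every later strlen()/memcpy() that looks for it,
 * lands one byte beyond the block. */
size_t bytes_past_end(size_t block_size, const char *s)
{
    size_t need = strlen(s) + 1;
    return need > block_size ? need - block_size : 0;
}

/* Hypothetical re-implementation of the grow-then-store step with the
 * fix applied (realloc stands in for posh's aresize()). Returns the
 * possibly moved buffer, or NULL on allocation failure, in which case
 * the old buffer has been freed. */
char *set_current_wd(char *current_wd, size_t *current_wd_size,
                     const char *simplified)
{
    size_t len = strlen(simplified) + 1;   /* count the NUL */
    if (len > *current_wd_size) {
        char *p = realloc(current_wd, len);
        if (p == NULL) {
            free(current_wd);
            return NULL;
        }
        current_wd = p;
        *current_wd_size = len;
    }
    memcpy(current_wd, simplified, len);    /* copies the NUL as well */
    return current_wd;
}

/* Self-check: grow from an empty buffer, then store a shorter and a
 * longer constructed path. Returns 1 when every stored string reads back
 * intact and the block always has room for its NUL, 0 otherwise. */
int demo_roundtrip(void)
{
    const char *paths[] = { "/home/alice", "/tmp", "/home/alice/src/posh" };
    char *wd = NULL;
    size_t wd_size = 0;
    int ok = 1;

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        wd = set_current_wd(wd, &wd_size, paths[i]);
        if (wd == NULL)
            return 0;
        if (strcmp(wd, paths[i]) != 0 || bytes_past_end(wd_size, wd) != 0)
            ok = 0;
    }
    free(wd);
    return ok;
}

int main(void)
{
    const char *pwd = "/home/alice";   /* constructed sample path */
    printf("strlen(\"%s\") = %zu\n", pwd, strlen(pwd));
    printf("buggy size %zu -> NUL lands %zu byte(s) past the block\n",
           pwd_size_buggy(pwd), bytes_past_end(pwd_size_buggy(pwd), pwd));
    printf("fixed size %zu -> %zu byte(s) past the block\n",
           pwd_size_fixed(pwd), bytes_past_end(pwd_size_fixed(pwd), pwd));
    printf("roundtrip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The example deliberately never performs the out-of-bounds write itself; bytes_past_end reports the overrun that the buggy size would cause, so the program is well defined whether or not it is run under valgrind or AddressSanitizer. The general rule it illustrates is the one the report states: any buffer that is later treated as a C string must be sized from strlen() + 1, not strlen(), and the allocation and the copy must agree on which of the two they use.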
--- Begin Message ---
Source: posh
Source-Version: 0.12.5
We believe that the bug you reported is fixed in the latest version of
posh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Clint Adams <[email protected]> (supplier of updated posh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2015 14:54:36 -0400
Source: posh
Binary: posh posh-dbg
Architecture: source amd64
Version: 0.12.5
Distribution: unstable
Urgency: medium
Maintainer: Clint Adams <[email protected]>
Changed-By: Clint Adams <[email protected]>
Description:
posh - Policy-compliant Ordinary SHell
posh-dbg - Policy-compliant Ordinary SHell - debugging symbols
Closes: 777427 778069
Changes:
posh (0.12.5) unstable; urgency=medium
.
* Patch from John Salmon to correct fencepost error in PWD
initialization. closes: #777427.
* Suppress linemarker generation when building signal table, as
gcc 5 gets crazy. closes: #778069.
* Blindly assume that signal handlers return void.
* Switch to dh.
Checksums-Sha1:
8a7d193a2776c9af5b9f7c9ea4bcfa1f05908fc0 1742 posh_0.12.5.dsc
ffd5228ecb0e6f614710c3360b866711b546c9e1 267356 posh_0.12.5.tar.xz
8b80dc508e72cfb25b4bce8918ef78dd69767c93 153170 posh-dbg_0.12.5_amd64.deb
593aaa0ae9dc3e4668aa731902683172568922a6 88614 posh_0.12.5_amd64.deb
Checksums-Sha256:
9a4c08b7dfbfc563195db3b09ad41ffb5e736f02f50af8fcd7b89175a693d7c7 1742 posh_0.12.5.dsc
adf1b5670b9978c3b6d5ae64356be72d8c31db1750a7600ff981fec3ff920a0a 267356 posh_0.12.5.tar.xz
71053f09c83c159d593b22447983d068467cb7583f837b17545e24b81212dedf 153170 posh-dbg_0.12.5_amd64.deb
cbdc49c23aeab8e7790f2104091becc1661475877016a02127bbaf89b1f5a706 88614 posh_0.12.5_amd64.deb
Files:
e3c5b69782a2559a3c8072432827dca6 1742 shells optional posh_0.12.5.dsc
6676fdf3fd9c5fc41461b25942741472 267356 shells optional posh_0.12.5.tar.xz
c53b795207e7319b5ed7169f5aec2435 153170 debug extra posh-dbg_0.12.5_amd64.deb
f355ecc24963665e2547398fabcb3f42 88614 shells optional posh_0.12.5_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Debian!
-----END PGP SIGNATURE-----
--- End Message ---