Your message dated Thu, 24 May 2018 02:35:31 +0000
with message-id <[email protected]>
and subject line Bug#895268: fixed in libtickit 0.2-3
has caused the Debian Bug report #895268,
regarding libtickit: Fix out-of-bounds write with FD_SET()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
895268: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895268
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libtickit
Version: 0.2-2
Severity: important
Tags: patch
User: [email protected]
Usertags: origin-ubuntu bionic ubuntu-patch

Hi James,

You filed https://bugs.launchpad.net/libtickit/+bug/1744933 about tests
reporting a buffer overflow in libtickit.  It seems you worked around this
by disabling the hardening flags - or at least attempting to, which was
ineffective in Ubuntu because -D_FORTIFY_SOURCE=2 is a compiler built-in in
Ubuntu; which is how I noticed this, because the package still failed to
build in Ubuntu.

I dug into the build failure, and this looks like a genuine out-of-bounds
write in the use of FD_SET() in src/term.c (i.e. the source, not the
tests).  An attacker can likely only cause the fd to be set to -1 rather
than to an arbitrary value, so it's not necessarily exploitable, but the
code does currently allow for scribbling into memory where it shouldn't, so
that's not good.

I've pushed the attached patch to Ubuntu, which fixes the build failure and
also drops the override of -fortify from the hardening flags.

Hope that helps,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]
diff -Nru libtickit-0.2/debian/patches/cflags-for-tests.patch 
libtickit-0.2/debian/patches/cflags-for-tests.patch
--- libtickit-0.2/debian/patches/cflags-for-tests.patch 1969-12-31 
16:00:00.000000000 -0800
+++ libtickit-0.2/debian/patches/cflags-for-tests.patch 2018-04-08 
22:17:54.000000000 -0700
@@ -0,0 +1,20 @@
+Description: include configured compiler flags when building test cases
+ The test suite fails on Ubuntu because the default buildflags there cause
+ a _FORTIFY_SOURCE failure.  Pass $CFLAGS and $LDFLAGS when building the
+ test cases, to correct this flag mismatch.
+Author: Steve Langasek <[email protected]>
+Last-Modified: 2018-04-08 
+
+Index: libtickit-0.2/Makefile
+===================================================================
+--- libtickit-0.2.orig/Makefile
++++ libtickit-0.2/Makefile
+@@ -73,7 +73,7 @@
+       perl $^ > $@
+ 
+ t/%.t: t/%.c $(LIBRARY) t/taplib.lo t/mockterm.lo t/taplib-tickit.lo
+-      $(LIBTOOL) --mode=link --tag=CC gcc -o $@ -Iinclude -std=c99 -ggdb $^
++      $(LIBTOOL) --mode=link --tag=CC gcc $(CFLAGS) $(LDFLAGS) -o $@ 
-Iinclude -std=c99 -ggdb $^
+ 
+ t/%.lo: t/%.c
+       $(LIBTOOL) --mode=compile --tag=CC gcc $(CFLAGS) -o $@ -c $^
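Review bot: the new `t/%.t` link rule passes `$(CFLAGS) $(LDFLAGS)` but not `$(CPPFLAGS)`, which is where dpkg-buildflags puts `-D_FORTIFY_SOURCE=2` on Debian; the tests only pick up fortify here because, as the cover note says, Ubuntu's compiler enables it as a built-in. Adding `$(CPPFLAGS)` next to `$(CFLAGS)` (and in the `t/%.lo` compile rule just below) would build the test binaries with the same hardening as the library on Debian as well. Minor: the hard-coded `-std=c99 -ggdb` after `$(CFLAGS)` overrides any `-std=` the configured flags carry.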
diff -Nru libtickit-0.2/debian/patches/fix-buffer-overflow.patch 
libtickit-0.2/debian/patches/fix-buffer-overflow.patch
--- libtickit-0.2/debian/patches/fix-buffer-overflow.patch      1969-12-31 
16:00:00.000000000 -0800
+++ libtickit-0.2/debian/patches/fix-buffer-overflow.patch      2018-04-09 
00:07:35.000000000 -0700
@@ -0,0 +1,21 @@
+Description: fix out-of-bounds write with fd_set[-1]
+ If termkey_get_fd() fails, we shouldn't try to call select for an fd of -1.
+ Just return instead of crashing on undefined behavior.
+Author: Steve Langasek <[email protected]>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1744933
+Last-Modified: 2018-04-09
+
+Index: libtickit-0.2/src/term.c
+===================================================================
+--- libtickit-0.2.orig/src/term.c
++++ libtickit-0.2/src/term.c
+@@ -679,7 +679,9 @@
+   }
+ 
+   fd_set readfds;
++  FD_ZERO(&readfds);
+   int fd = termkey_get_fd(tk);
++  if (fd < 0 || fd >= FD_SETSIZE) return;
+   FD_SET(fd, &readfds);
+   int ret = select(fd + 1, &readfds, NULL, NULL, msec > -1 ? &timeout : NULL);
+ 
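Review bot: the guard `if (fd < 0 || fd >= FD_SETSIZE) return;` leaves the caller unable to tell a failed `termkey_get_fd()` from an ordinary timeout, and the `fd >= FD_SETSIZE` branch silently disables input handling for a valid descriptor that select(2) simply cannot represent (the Description mentions only the failure case). Consider reporting an error to the caller in both cases, and for the large-fd case switching to poll(2), which has no FD_SETSIZE ceiling. The added `FD_ZERO(&readfds)` is a separate correctness fix (readfds was used uninitialised before) and deserves its own line in the Description.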
diff -Nru libtickit-0.2/debian/patches/series 
libtickit-0.2/debian/patches/series
--- libtickit-0.2/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ libtickit-0.2/debian/patches/series 2018-04-08 23:56:27.000000000 -0700
@@ -0,0 +1,2 @@
+cflags-for-tests.patch
+fix-buffer-overflow.patch
diff -Nru libtickit-0.2/debian/rules libtickit-0.2/debian/rules
--- libtickit-0.2/debian/rules  2018-02-05 05:06:30.000000000 -0800
+++ libtickit-0.2/debian/rules  2018-04-09 00:07:43.000000000 -0700
@@ -1,7 +1,7 @@
 #!/usr/bin/make -f
 # -*- makefile -*-
 
-export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-fortify
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 include /usr/share/dpkg/default.mk
 

--- End Message ---
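The bug discussed in the report above comes from FD_SET() being a macro that indexes a fixed-size bit array with no bounds check, so an fd of -1 (or one at or above FD_SETSIZE) writes outside the fd_set object. The following is an added example, not libtickit or termkey code: a range-checked FD_SET wrapper and two wait functions (select(2)-based and poll(2)-based) that reject a bad descriptor with an error the caller can see, instead of silently returning. All function names (safe_fd_set, wait_readable_select, wait_readable_poll, demo) and the pipe-based self-check are this example's own assumptions.

```c
/* Added example (not libtickit code): range-checked FD_SET()/select()
 * wrappers modelled on the pattern fixed in fix-buffer-overflow.patch.
 * All names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* FD_SET(fd, set) indexes a fixed array of FD_SETSIZE bits with no bounds
 * check: fd == -1 or fd >= FD_SETSIZE writes outside the fd_set (glibc's
 * _FORTIFY_SOURCE=2 build aborts on it). Validate first and say why. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0) {            /* e.g. the termkey_get_fd() failure case */
        errno = EBADF;
        return -1;
    }
    if (fd >= FD_SETSIZE) {  /* valid fd that select(2) cannot represent */
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Test helper: does safe_fd_set() reject this fd? */
int fd_rejected(int fd)
{
    fd_set s;
    FD_ZERO(&s);
    return safe_fd_set(fd, &s) < 0;
}

/* 1 = fd readable within msec (msec < 0 blocks), 0 = timeout,
 * -1 = error with errno set. A bare `return;` cannot express the last case. */
int wait_readable_select(int fd, int msec)
{
    fd_set readfds;
    FD_ZERO(&readfds);               /* an uninitialised fd_set is UB too */
    if (safe_fd_set(fd, &readfds) < 0)
        return -1;

    struct timeval timeout = { .tv_sec = msec / 1000,
                               .tv_usec = (msec % 1000) * 1000 };
    int ret = select(fd + 1, &readfds, NULL, NULL, msec > -1 ? &timeout : NULL);
    if (ret < 0)
        return -1;
    return FD_ISSET(fd, &readfds) ? 1 : 0;
}

/* poll(2) has no FD_SETSIZE ceiling; it ignores negative fds in the array,
 * so the fd < 0 case must still be rejected explicitly. */
int wait_readable_poll(int fd, int msec)
{
    if (fd < 0) {
        errno = EBADF;
        return -1;
    }
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int ret = poll(&pfd, 1, msec);
    if (ret < 0)
        return -1;
    return (ret > 0 && (pfd.revents & (POLLIN | POLLHUP))) ? 1 : 0;
}

/* Self-check on a constructed pipe: empty -> 0, after a write -> 1,
 * fd -1 -> -1. Returns 0 when every case behaves as expected. */
int demo(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int idle = wait_readable_select(p[0], 0);
    if (write(p[1], "x", 1) != 1)
        return -1;
    int ready_sel = wait_readable_select(p[0], 100);
    int ready_poll = wait_readable_poll(p[0], 100);
    int bad = wait_readable_select(-1, 0);
    close(p[0]);
    close(p[1]);
    return (idle == 0 && ready_sel == 1 && ready_poll == 1 && bad == -1) ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "ok" : "FAIL");
    return rc;
}
```

Built with `-O2 -D_FORTIFY_SOURCE=2`, the unchecked original pattern aborts at the FD_SET() call the first time termkey hands back -1; the wrappers above never reach FD_SET() with an out-of-range value, so the fortified and unfortified builds behave identically and the caller learns (via errno) which descriptor was refused.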
--- Begin Message ---
Source: libtickit
Source-Version: 0.2-3

We believe that the bug you reported is fixed in the latest version of
libtickit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated libtickit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 May 2018 22:17:24 -0400
Source: libtickit
Binary: libtickit-dev libtickit1
Architecture: source
Version: 0.2-3
Distribution: unstable
Urgency: medium
Maintainer: James McCoy <[email protected]>
Changed-By: James McCoy <[email protected]>
Description:
 libtickit-dev - Terminal Interface Construction KIT (development files)
 libtickit1 - Terminal Interface Construction KIT
Closes: 895268
Changes:
 libtickit (0.2-3) unstable; urgency=medium
 .
   * Backport patches from upstream to fix out-of-bounds access by FD_SET.
     (Closes: #895268)
   * rules:
     + Re-enable hardening since #895268 is fixed
     + Disable tests when DEB_BUILD_OPTIONS contains nocheck
   * libtickit-dev: Install examples
   * Declare compliance with Policy 4.1.4, no changes needed
Checksums-Sha1:
 ba11d2e3b99e3b5c838332ea10c45b1f7accd9e9 2115 libtickit_0.2-3.dsc
 b400cf01f75420a9cf93a8f4ac703ffada52d829 5084 libtickit_0.2-3.debian.tar.xz
 e2902a60be17efa01bc3ee6e6e7098bcbc9b1bc1 5932 libtickit_0.2-3_source.buildinfo
Checksums-Sha256:
 b2d9c3089fae16ff414dcf9cf8b30cbbf058ba02965a6a4984c814aff4cdaf3c 2115 libtickit_0.2-3.dsc
 aa30fc38bb0d7f75306405480ebed394f398dc611461b79b4067516806c3ecdd 5084 libtickit_0.2-3.debian.tar.xz
 2c689b930ce03327b7c822d821b7fb2936ea12524b79311197c0bb1a867327cc 5932 libtickit_0.2-3_source.buildinfo
Files:
 8fc6cba515fa607bbdb29149a87853ee 2115 libs optional libtickit_0.2-3.dsc
 e4bcad28f60ae420900c286210f92c75 5084 libs optional libtickit_0.2-3.debian.tar.xz
 4a06ef411c854f00419148d3eaf1ff24 5932 libs optional libtickit_0.2-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---