Bug#715261: manpages-dev: readdir_r should be strongly discouraged due to security reasons

Sun, 07 Jul 2013 05:25:20 -0700 

Package: manpages-dev
Version: 3.51-1
Severity: normal

The readdir(3) / readdir_r(3) man page says about readdir_r():

  Since POSIX.1 does not specify the size of the d_name field, and other
  nonstandard fields may precede that field within the dirent structure,
  portable  applications that use readdir_r() should allocate the buffer
  whose address is passed in entry as follows:

      name_max = pathconf(dirpath, _PC_NAME_MAX);
      if (name_max == -1)         /* Limit not defined, or error */
          name_max = 255;         /* Take a guess */
      len = offsetof(struct dirent, d_name) + name_max + 1;
      entryp = malloc(len);

But if name_max is wrong and a file has a name greater than what has
been allocated for d_name, this will yield a buffer overflow. Thus
the man page should strongly discourage the use of readdir_r() for
security reasons. See

  http://elliotth.blogspot.fr/2012/10/how-not-to-use-readdirr3.html

Note that even if pathconf doesn't fail, this is not safe due to
the race condition (as mentioned at the above URL) and also because
_PC_NAME_MAX just means "the maximum length of a filename in the
directory path [or fd] that the process is allowed to create.";
other processes may have created longer filenames, and indeed the
pathconf(3) man page says:

  Files with name lengths longer than the value returned for _name_
  equal to _PC_NAME_MAX may exist in the given directory.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages manpages-dev depends on:
ii  manpages  3.51-1

manpages-dev recommends no packages.

Versions of packages manpages-dev suggests:
ii  man-db [man-browser]  2.6.5-2

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to