Package: uudeview Version: 0.5.20-2 Severity: serious Tags: security CAN-2004-2265 is a security hole in uudeview, although you won't find much useful info in the advisories associated with that CAN.
After downloading OpenPKG's fix from tp://ftp.openpkg.org/release/2.0/UPD/uudeview-0.5.19-2.0.1.src.rpm , I was able to verify the problem: if ((stdfile = tempnam (NULL, "uu")) == NULL) { fprintf (stderr, "proc_stdin: cannot get temporary file\n"); return 0; } if ((target = fopen (stdfile, "wb")) == NULL) { fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n", stdfile, strerror (errno)); _FP_free (stdfile); return 0; } This is a race, exploitable when uudeview is run on standard input. I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might find unrelated changes also of interest. The relevent fixes for this hole are change changes involving tempnam and _FP_tempnam. -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.4.27 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages uudeview depends on: ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an uudeview recommends no packages. -- no debconf information -- see shy jo
Patch to defeat uudeview "UNKNOWN" filenames. Problem introduced with 0.5.19 Problem remains in 0.5.20 Index: uuscan.c --- uulib/uuscan.c.orig 2004-03-12 11:47:13.000000000 +0100 +++ uulib/uuscan.c 2004-03-12 13:37:54.000000000 +0100 @@ -1604,20 +1604,23 @@ } /* skip empty lines */ - prevpos = ftell (datei); + { + long localprevpos; + localprevpos = ftell (datei); if (IsLineEmpty (line)) { while (!feof (datei)) { if (_FP_fgets (line, 255, datei) == NULL) break; if (UUBUSYPOLL(ftell(datei),progress.fsize)) SPCANCEL(); if (!IsLineEmpty (line)) { - fseek (datei, prevpos, SEEK_SET); + fseek (datei, localprevpos, SEEK_SET); line[255] = '\0'; break; } - prevpos = ftell (datei); + localprevpos = ftell (datei); } } + } /* * If we don't have all valid MIME headers yet, but the following mkstemp security enhancement. Similar to FreeBSD http://www.freebsd.org/cgi/query-pr.cgi?pr=41508 SuSE uudeview-0.5.18-244.src.rpm --- unix/uudeview.c +++ unix/uudeview.c @@ -434,7 +434,7 @@ return 0; } - if ((stdfile = tempnam (NULL, "uu")) == NULL) { + if ((stdfile = _FP_tempnam (NULL, "uu")) == NULL) { fprintf (stderr, "proc_stdin: cannot get temporary file\n"); return 0; } --- uulib/fptools.c +++ uulib/fptools.c @@ -507,5 +507,15 @@ char * TOOLEXPORT _FP_tempnam (char *dir, char *pfx) { - return _FP_strdup (tmpnam (NULL)); + int fd; + char fileName[100]; + + strncpy(fileName, pfx, 90); + strcat(fileName, "XXXXXX"); + fd = mkstemp(fileName); + if (fd == -1) + return NULL; + close(fd); + unlink(fileName); + return _FP_strdup (fileName); } --- uulib/uunconc.c +++ uulib/uunconc.c @@ -1264,7 +1264,7 @@ else mode = "wb"; /* otherwise in binary */ - if ((data->binfile = tempnam (NULL, "uu")) == NULL) { + if ((data->binfile = _FP_tempnam (NULL, "uu")) == NULL) { UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, uustring (S_NO_TEMP_NAME)); return UURET_NOMEM; @@ -1426,7 +1426,7 @@ */ if (data->uudet == BH_ENCODED && data->binfile) { - if ((ntmp = tempnam (NULL, "uu")) == NULL) { + if ((ntmp = _FP_tempnam (NULL, "uu")) == NULL) { UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, uustring (S_NO_TEMP_NAME)); progress.action = 0; http://www.fpx.de/fp/Software/UUDeview/HISTORY.txt 0.5.20 (01.03.2004) -------- - fix bug in parsing of header lines [uuscan.c@@155] - fix fgets to accept lines that are exactly of the maximum length [uunconc.c, uuscan.c] - fix two buffer overflows [uuscan.c@@391, fptools.c] diff --unified=3 uudeview-0.5.19/uulib/fptools.c uudeview-0.5.20/uulib/fptools.c --- uulib/fptools.c 1.7 2003-04-13 17:41:55.000000000 +0200 +++ uulib/fptools.c 1.8 2004-02-24 01:05:32.000000000 +0100 @@ -444,7 +444,7 @@ if (feof (stream)) return NULL; - while (--n) { + while (--n && !feof (stream)) { if ((c = fgetc (stream)) == EOF) { if (ferror (stream)) return NULL; @@ -478,11 +478,28 @@ */ *buf++ = c; } + /* * n-1 characters already transferred */ + *buf = '\0'; + /* + * If a line break is coming up, read it + */ + + if (!feof (stream)) { + if ((c = fgetc (stream)) == '\015' && !feof (stream)) { + if ((c = fgetc (stream)) != '\012' && !feof (stream)) { + ungetc (c, stream); + } + } + else if (c != '\012' && !feof (stream)) { + ungetc (c, stream); + } + } + return obp; } diff --unified=3 uudeview-0.5.19/uulib/uunconc.c uudeview-0.5.20/uulib/uunconc.c --- uulib/uunconc.c 1.36 2003-09-30 01:17:35.000000000 +0200 +++ uulib/uunconc.c 1.38 2004-03-01 23:52:27.000000000 +0100 @@ -1004,7 +1004,7 @@ while (!feof (datain) && *state != DONE && (ftell(datain)<maxpos || flags&FL_TOEND || maxpos==-1 || (!(flags&FL_PROPER) && uu_fast_scanning))) { - if (_FP_fgets (line, 299, datain) == NULL) + if (_FP_fgets (line, 255, datain) == NULL) break; if (ferror (datain)) { @@ -1046,7 +1046,7 @@ * try to make sense of data */ - line[299] = '\0'; /* For Safety of string functions */ + line[255] = '\0'; /* For Safety of string functions */ count = 0; if (boundary && line[0]=='-' && line[1]=='-' && @@ -1113,7 +1113,7 @@ } if (_FP_strstr (line, " part=") != NULL) { - if (_FP_fgets (line, 299, datain) == NULL) { + if (_FP_fgets (line, 255, datain) == NULL) { break; } diff --unified=3 uudeview-0.5.19/uulib/uuscan.c uudeview-0.5.20/uulib/uuscan.c --- uulib/uuscan.c 1.43 2003-07-06 20:29:35.000000000 +0200 +++ uulib/uuscan.c 1.46 2004-03-01 23:52:27.000000000 +0100 @@ -155,7 +155,7 @@ { if (data == NULL) return 0; if (*data == ':') return 0; - while (*data && isalnum (*data)) data++; + while (*data && (isalnum (*data) || *data=='-')) data++; return (*data == ':') ? 1 : 0; } @@ -391,8 +391,10 @@ *attribute != '\\' &&*attribute != '"' && *attribute != '/' && /* *attribute != '[' && *attribute != ']' && */ *attribute != '?' && - *attribute != '=' && length < 255) + *attribute != '=' && length < 255) { *ptr++ = *attribute++; + length++; + } *ptr = '\0'; } @@ -629,12 +631,12 @@ while (!feof (datei)) { oldposition = ftell (datei); - if (_FP_fgets (line, 299, datei) == NULL) + if (_FP_fgets (line, 255, datei) == NULL) break; if (ferror (datei)) break; - line[299] = '\0'; /* For Safety of string functions */ + line[255] = '\0'; /* For Safety of string functions */ /* * Make Busy Polls
signature.asc
Description: Digital signature