Bug#227621: perl: getgrnam() crashes with Out of memory if /etc/group contains long lines

2005-06-10 Thread Steinar H. Gunderson 
tags 227621 + patch
thanks

On Mon, Jun 06, 2005 at 01:10:01PM +0200, Peter Palch wrote:
 There was a very similar bug in glibc some time ago. The problem appeared
 when a line in /etc/group was longer than 1023 characters - the routines in
 glibc allocated more and more memory in an infinite loop until all free
 memory was exhausted. It was reported as bug #208428 and I have contributed
 some information to it. However, the problem in glibc has been solved since
 then. You will find some detailed information in the bug report archive. The
 bug was finally solved upstream in an other way that I suggested - but
 surely it was a better solution.

It's about the same bug in perl as it was in glibc. reentr.pl line 698 reads:

  $call = qq[((PL_REENTRANT_RETINT = $call)$test ? $true : 
(((PL_REENTRANT_RETINT == ERANGE) || (errno == ERANGE)) ?  
($seenm{$func}{$seenr{$func}})Perl_reentrant_retry($func$rv) : 0))];
  
The problem here is errno == ERANGE. If, at any time, there's a line longer
than the initial buffer, getgrent() (or any in the same family) will get
ERANGE back (and errno will be set to ERANGE). However, this is never reset.
Thus, when getgrent_r() hits EOF, it returns ENOENT, _but errno is still
ERANGE_. Perl figures the buffer was too small, doubles it and tries again,
but still gets ENOENT, of course (and errno is still ERANGE). This goes on
forever and ever until you run out of memory (which happens quite fast).

The solution is simply to remove errno == ERANGE AFAICS; getgrent_r() does
not define what happens to errno, and the return message will always be
ERANGE if the buffer is too small.

I'm a bit tempted to tag this security; if a user can (say) change his or
her own GECOS field to make it long enough, Perl programs using getpwent()
will crash, for instance. I can't find any direct way to exploit it (chfn
limits the length of the fields, for instance), but I'm still slightly
concerned over the possibilities of a DoS; Cc-ing debian-security.

/* Steinar */
-- 
Homepage: http://www.sesse.net/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#227621: perl: getgrnam() crashes with Out of memory if /etc/group contains long lines

2005-06-09 Thread Steinar H. Gunderson 
severity 227621 important
thanks

On Mon, Jun 06, 2005 at 01:10:01PM +0200, Peter Palch wrote:
 Maybe yes - it's up to maintainers. Originally I did not intend to mark this
 bug as severity important as this bug appears only under not-so-common
 conditions (I have been told that to have such a long line in /etc/group is
 a sign of a bad system design - so many users and groups should already be
 placed in a database). Nevertheless, this bug can be very nasty.

We're bitten really hard by it now -- we do getgrent() in several
system-critical scripts, and we cannot really migrate away from that group
structure anytime soon, so we're stuck with trying to rewrite the scripts...

When I asked the RMs about this before the release, they judged it as
severity important, so I'm upgrading it. It still won't go into sarge AFAICS,
but hey...

/* Steinar */
-- 
Homepage: http://www.sesse.net/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#227621: perl: getgrnam() crashes with Out of memory if /etc/group contains long lines

2005-06-04 Thread Steinar H. Gunderson 
On Wed, Jan 14, 2004 at 02:47:44AM +0100, Peter Paluch wrote:
 There is a problem with the getgrent() function if the /etc/group file
 contains at least one line longer than 4088 characters, including the
 newline character. In this case, the script execution will fail with
 a Out of memory! message.

We were bitten by this as well, but in the form of a segfault, and with
significantly shorter lines (about 1500 characters). Shouldn't this be
upgraded to at least important?

FWIW, this happened after an upgrade from woody to sarge, so the woody
version is OK.

/* Steinar */
-- 
Homepage: http://www.sesse.net/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]