Package: task-spooler
Version: 1.0-1
Severity: normal

Dear Maintainer,

When the environment variable TMPDIR is set to a certain length, invoking tsp
results in a buffer overflow that crashes the program. For instance:


$ echo $TMPDIR
/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ tsp echo hello
*** buffer overflow detected ***: terminated
Abandon (core dumped)

The backtrace shows that the problem arises when creating the string
/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/socket-ts.1000
which is copied into a buffer that is too small:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f684ed84537 in __GI_abort () at abort.c:79
#2  0x00007f684eddd6c8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f684eeebc28 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007f684ee6c5b2 in __GI___fortify_fail (msg=msg@entry=0x7f684eeebbbe "buffer overflow detected") at fortify_fail.c:26
#4  0x00007f684ee6afb0 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f684ee6a8b2 in __strcpy_chk (dest=0x7fff211a9592 "", src=0x563601497500 "/tmp/", 'a' <repeats 88 times>, "/socket-ts.1000", destlen=108) at strcpy_chk.c:30
#6  0x00005635ff7c891a in ?? ()
#7  0x00005635ff7c8a42 in ?? ()
#8  0x00005635ff7c6ce1 in ?? ()
#9  0x00007f684ed85cca in __libc_start_main (main=0x5635ff7c6b60, argc=3, argv=0x7fff211a9818, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff211a9808) at ../csu/libc-start.c:308
#10 0x00005635ff7c735a in ?? ()

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages task-spooler depends on:
ii  libc6  2.31-4

task-spooler recommends no packages.

task-spooler suggests no packages.

-- no debconf information
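
An added example, not part of the original report and not task-spooler's own code: a bounded way to build the socket path that rejects an over-long TMPDIR instead of overflowing. It assumes the 108-byte destination in frame #5 is `sockaddr_un.sun_path` (108 bytes on Linux); the helper name `build_socket_addr` and the `/tmp` fallback are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not task-spooler code): build "<tmpdir>/socket-ts.<uid>"
 * directly into addr->sun_path, refusing paths that do not fit.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG or EINVAL otherwise. */
int build_socket_addr(struct sockaddr_un *addr, const char *tmpdir, unsigned uid)
{
    if (addr == NULL) { errno = EINVAL; return -1; }
    if (tmpdir == NULL || tmpdir[0] == '\0')
        tmpdir = "/tmp";              /* assumed fallback when TMPDIR is unset */

    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;

    /* snprintf never writes past the size given and returns the length the
     * full string would have had, so truncation is detectable. */
    int n = snprintf(addr->sun_path, sizeof addr->sun_path,
                     "%s/socket-ts.%u", tmpdir, uid);
    if (n < 0) { errno = EINVAL; return -1; }
    if ((size_t)n >= sizeof addr->sun_path) {
        addr->sun_path[0] = '\0';     /* do not leave a truncated path behind */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: "/tmp/" followed by 88 'a', as in the report.
     * With "/socket-ts.1000" that is 108 characters plus the NUL. */
    char tmpdir[5 + 88 + 1] = "/tmp/";
    memset(tmpdir + 5, 'a', 88);
    struct sockaddr_un addr;
    if (build_socket_addr(&addr, tmpdir, 1000) != 0)
        perror("build_socket_addr");  /* reports the name as too long */
    if (build_socket_addr(&addr, "/tmp", 1000) == 0)
        printf("ok: %s\n", addr.sun_path);
    return 0;
}
```

The reported TMPDIR yields exactly 108 characters before the terminating NUL, one byte more than the buffer holds, which is why the fortified `strcpy` aborts at that length.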
