Public bug reported:

# lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

# apt-cache policy nano
nano:
  Installed: 2.5.3-2
  Candidate: 2.5.3-2

Reproducer:
1. # nano -G 999999999999999999999999999999999999999999999999999999999999999999999999999
2. <ctrl-z>
3. # nano -G 999999999999999999999999999999999999999999999999999999999999999999999999999
4. <answer y/n to the lockfile question>
5. <nano should segfault>

Quick dissection:
Looking at function do_lockfile in files.c, it seems that promptstr is statically allocated to 128 characters. Now with a sufficiently long filename, the following sprintf() call will overflow the allocated promptstr buffer and corrupt memory.

** Affects: nano (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- nano 2.5.3-2 on Xenial crashes when trying to access a lockfile
+ nano 2.5.3-2 on Xenial crashes with long paths on lockfiles

https://bugs.launchpad.net/bugs/1641592

Title:
  nano 2.5.3-2 on Xenial crashes with long paths on lockfiles

Status in nano package in Ubuntu:
  New
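
Added example, not part of the original report and not nano's source: a simplified C stand-in for the pattern the dissection describes (a 128-byte prompt buffer filled by an unchecked sprintf()), next to a version that measures the prompt first and allocates to fit. The prompt text, the function names and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROMPT_FIXED 128   /* buffer size the report gives for promptstr */
/* Assumed prompt text, for illustration only; nano's real message may differ. */
#define PROMPT_FMT "File %s is being edited (by %s, PID %d); continue?"

/* Bytes needed for the formatted prompt, NUL included. snprintf() with a
 * NULL buffer and size 0 writes nothing and only measures. 0 means error. */
size_t prompt_size(const char *filename, const char *user, int pid)
{
    int n = snprintf(NULL, 0, PROMPT_FMT, filename, user, pid);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if an unchecked sprintf() into a PROMPT_FIXED-byte buffer would write
 * past its end for these arguments; a measurement error counts as unsafe. */
int would_overflow_fixed(const char *filename, const char *user, int pid)
{
    size_t need = prompt_size(filename, user, pid);
    return need == 0 || need > PROMPT_FIXED;
}

/* Hardened form: size the buffer from the input, then format with the
 * bound passed explicitly. Returns NULL on failure; caller frees. */
char *build_prompt(const char *filename, const char *user, int pid)
{
    size_t need = prompt_size(filename, user, pid);
    char *buf = need ? malloc(need) : NULL;
    if (buf != NULL)
        snprintf(buf, need, PROMPT_FMT, filename, user, pid);
    return buf;
}

int main(void)
{
    char longname[201];                 /* constructed sample filename */
    memset(longname, '9', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name overflows 128: %d\n", would_overflow_fixed("notes.txt", "root", 1234));
    printf("long name overflows 128:  %d\n", would_overflow_fixed(longname, "root", 1234));
    char *p = build_prompt(longname, "root", 1234);
    if (p != NULL) { printf("%zu bytes: %s\n", strlen(p) + 1, p); free(p); }
    return 0;
}
```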