
Re: mutt/2710: off-by-one error in mutt_dotlock.c



The following reply was made to PR mutt/2710; it has been noted by GNATS.

From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx
Cc: 
Subject: Re: mutt/2710: off-by-one error in mutt_dotlock.c
Date: Fri, 26 Jan 2007 09:37:45 -0500

 Oops.
 
 Here's a patch:
 
 --- dotlock.c  17 Sep 2005 20:46:10 -0000      3.4
 +++ dotlock.c  26 Jan 2007 14:32:29 -0000
 @@ -554,7 +554,7 @@
        char linkpath[_POSIX_PATH_MAX];
        int len;
  
 -      if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1)
 +      if ((len = readlink (pathptr, linkfile, sizeof (linkfile) - 1)) == -1)
        {
        /* perror (pathptr); */
        return -1;
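Review bot: the `- 1` keeps the later `linkfile[len] = '\0'` write inside the buffer, but a target of `sizeof (linkfile) - 1` bytes or longer is still silently cut short, because readlink returns only how many bytes it copied and the caller cannot tell a full target from a truncated one; consider rejecting `len >= sizeof (linkfile) - 1` next to the `== -1` check so the function does not go on to dereference a partial path, and add a one-line comment explaining why the size passed to readlink is reduced by one.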
 
 
 
 On 2007-01-26 11:43:31 +0100, cb@xxxxxxxx wrote:
 > From: cb@xxxxxxxx
 > To: Mutt Developers <mutt-dev@xxxxxxxx>
 > Date: Fri, 26 Jan 2007 11:43:31 +0100
 > Subject: mutt/2710: off-by-one error in mutt_dotlock.c
 > Reply-To: bug-any@xxxxxxxxxxxxx
 > X-Spam-Level: 
 > 
 > >Number:         2710
 > >Notify-List:    
 > >Category:       mutt
 > >Synopsis:       off-by-one error in mutt_dotlock.c
 > >Confidential:   no
 > >Severity:       normal
 > >Priority:       medium
 > >Responsible:    mutt-dev
 > >State:          open
 > >Keywords:       
 > >Class:          sw-bug
 > >Submitter-Id:   net
 > >Arrival-Date:   Fri Jan 26 11:43:31 +0100 2007
 > >Originator:     cb@xxxxxxxx (Christoph Berg)
 > >Release:        
 > >Organization:
 > >Environment:
 > >Description:
 > Date: Fri, 10 Nov 2006 00:34:48 +0000
 > From: Jochen Voss <voss@xxxxxxxxxx>
 > Reply-To: Jochen Voss <voss@xxxxxxxxxx>, 397858@xxxxxxxxxxxxxxx
 > To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
 > Subject: Bug#397858: /usr/bin/mutt_dotlock: off-by-one error in
 >         mutt_dotlock.c
 > X-Debian-PR-Message: report 397858
 > X-Debian-PR-Package: mutt
 > X-Debian-PR-Keywords:
 > X-Debian-PR-Source: mutt
 > 
 > Package: mutt
 > Version: 1.5.13-1
 > Severity: normal
 > File: /usr/bin/mutt_dotlock
 > 
 > Hello,
 > 
 > recently I came across the following bit of code in the source file
 > mutt-1.5.13/mutt_dotlock.c (function dotlock_deference_symlink, around
 > line 557):
 > 
 >       if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1)
 >       {
 >         /* perror (pathptr); */
 >         return -1;
 >       }
 > 
 >       linkfile[len] = '\0';
 > 
 > In the case when the link target is longer than 'sizeof (linkfile)'
 > (256 characters), the readlink call returns 'sizeof (linkfile)' and
 > the following assignment writes a zero-byte into the byte just after
 > the buffer 'linkfile'.  This is a buffer overflow.
 > 
 > The bug does not look exploitable to me, but probably it should be
 > fixed anyway.
 > 
 > I hope this helps,
 > Jochen
 > 
 > -- System Information:
 > Debian Release: 4.0
 >   APT prefers unstable
 >   APT policy: (500, 'unstable')
 > Architecture: i386 (i686)
 > Shell:  /bin/sh linked to /bin/bash
 > Kernel: Linux 2.6.18.1
 > Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
 > 
 > Versions of packages mutt depends on:
 > ii  exim4                   4.63-10          metapackage to ease exim MTA (v4)
 > ii  exim4-daemon-light [mai 4.63-10          lightweight exim MTA (v4) daemon
 > ii  libc6                   2.3.6.ds1-8      GNU C Library: Shared libraries
 > ii  libdb4.4                4.4.20-8         Berkeley v4.4 Database Libraries [
 > ii  libgnutls13             1.4.4-2          the GNU TLS library - runtime libr
 > ii  libidn11                0.6.5-1          GNU libidn library, implementation
 > ii  libncursesw5            5.5-5            Shared libraries for terminal hand
 > ii  libsasl2                2.1.19.dfsg1-0.5 Authentication abstraction library
 > 
 > Versions of packages mutt recommends:
 > ii  locales                      2.3.6.ds1-8 GNU C Library: National Language (
 > ii  mime-support                 3.37-1      MIME files 'mime.types' & 'mailcap
 > 
 > -- no debconf information
 > >How-To-Repeat:
 > >Fix:
 > Unknown
 > >Add-To-Audit-Trail:
 > 
 > >Unformatted:
 > 
 > 
 
 -- 
 Thomas Roessler   <roessler@xxxxxxxxxxxxxxxxxx>
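The report above hinges on one property of readlink(): it copies at most the requested number of bytes and never appends a terminator, so the usual `buf[len] = '\0'` lands one byte past the buffer whenever the target fills it. The wrapper below is an added example, not code from mutt or from either message on this page; it applies the `sizeof - 1` idea from the patch and, going one step further than the patch, also reports truncation instead of handing back a partial path. The function names `readlink_z` and `run_demo`, the 16-byte buffer and the scratch symlinks "short" and "long" are all constructed for the example.

```c
/* Added example (not mutt's code): a readlink() wrapper that avoids the
 * off-by-one described in the bug report and refuses silently truncated
 * targets. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * readlink() fills at most bufsz bytes and never NUL-terminates, so the
 * pattern "linkfile[len] = '\0'" from the report writes one byte past the
 * buffer as soon as the target is sizeof(linkfile) bytes or longer.
 * Passing bufsz - 1 (the patch's fix) keeps the terminator in bounds;
 * additionally treating len == bufsz - 1 as an error catches truncation,
 * which would otherwise make the caller act on a wrong path.
 *
 * Returns 0 on success, -1 with errno set on failure (ENAMETOOLONG when
 * the target did not fit in the buffer).
 */
int readlink_z(const char *path, char *buf, size_t bufsz)
{
    ssize_t len;

    if (bufsz < 2) {                /* no room for even one byte plus NUL */
        errno = EINVAL;
        return -1;
    }
    len = readlink(path, buf, bufsz - 1);   /* leave room for the NUL */
    if (len == -1)
        return -1;
    if ((size_t)len >= bufsz - 1) {         /* target may have been cut */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[len] = '\0';                        /* now always inside buf */
    return 0;
}

/*
 * Builds a scratch directory with two symlinks (constructed test data):
 * "short" -> "abc" and "long" -> a 40-byte name, then reads both through a
 * 16-byte buffer to mirror the small-buffer case the report describes.
 * Returns 0 when the wrapper behaves as expected, a negative code otherwise.
 */
int run_demo(void)
{
    char dir[] = "/tmp/readlink_demo_XXXXXX";
    char shortlink[64], longlink[64], buf[16];
    char target[41];
    int rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(shortlink, sizeof shortlink, "%s/short", dir);
    snprintf(longlink, sizeof longlink, "%s/long", dir);
    memset(target, 'x', sizeof target - 1);
    target[sizeof target - 1] = '\0';

    if (symlink("abc", shortlink) != 0 || symlink(target, longlink) != 0) {
        rc = -2;
        goto cleanup;
    }
    /* Short target: fits, is NUL-terminated, content intact. */
    if (readlink_z(shortlink, buf, sizeof buf) != 0 || strcmp(buf, "abc") != 0) {
        rc = -3;
        goto cleanup;
    }
    /* Long target: rejected as truncated rather than overflowing the buffer
     * or returning the first 15 bytes as if they were the whole path. */
    if (readlink_z(longlink, buf, sizeof buf) != -1 || errno != ENAMETOOLONG
        || buf[0] != '\0') {
        rc = -4;
        goto cleanup;
    }
cleanup:
    unlink(shortlink);
    unlink(longlink);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n",
           rc == 0 ? "readlink_z behaves as expected" : "unexpected result", rc);
    return rc == 0 ? 0 : 1;
}
```

Rejecting `len == bufsz - 1` is deliberately conservative: a target that is exactly `bufsz - 1` bytes long is refused too, because readlink gives no way to distinguish it from a longer one that was cut, and for a lock-file path a refused open is safer than a lock taken on the wrong name.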