Re: mutt/2710: off-by-one error in mutt_dotlock.c
The following reply was made to PR mutt/2710; it has been noted by GNATS.
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx
Cc:
Subject: Re: mutt/2710: off-by-one error in mutt_dotlock.c
Date: Fri, 26 Jan 2007 09:37:45 -0500
Oops.
Here's a patch:
--- dotlock.c 17 Sep 2005 20:46:10 -0000 3.4
+++ dotlock.c 26 Jan 2007 14:32:29 -0000
@@ -554,7 +554,7 @@
char linkpath[_POSIX_PATH_MAX];
int len;
- if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1)
+ if ((len = readlink (pathptr, linkfile, sizeof (linkfile) - 1)) == -1)
{
/* perror (pathptr); */
return -1;
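Review bot: passing `sizeof (linkfile) - 1` keeps the later `linkfile[len] = '\0'` inside the buffer, but a target longer than that is now silently truncated rather than rejected; consider treating `len == sizeof (linkfile) - 1` as an error (`return -1`, as in the `-1` branch) so the caller never goes on to dereference a truncated link path.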
On 2007-01-26 11:43:31 +0100, cb@xxxxxxxx wrote:
> From: cb@xxxxxxxx
> To: Mutt Developers <mutt-dev@xxxxxxxx>
> Date: Fri, 26 Jan 2007 11:43:31 +0100
> Subject: mutt/2710: off-by-one error in mutt_dotlock.c
> Reply-To: bug-any@xxxxxxxxxxxxx
> X-Spam-Level:
>
> >Number: 2710
> >Notify-List:
> >Category: mutt
> >Synopsis: off-by-one error in mutt_dotlock.c
> >Confidential: no
> >Severity: normal
> >Priority: medium
> >Responsible: mutt-dev
> >State: open
> >Keywords:
> >Class: sw-bug
> >Submitter-Id: net
> >Arrival-Date: Fri Jan 26 11:43:31 +0100 2007
> >Originator: cb@xxxxxxxx (Christoph Berg)
> >Release:
> >Organization:
> >Environment:
> >Description:
> Date: Fri, 10 Nov 2006 00:34:48 +0000
> From: Jochen Voss <voss@xxxxxxxxxx>
> Reply-To: Jochen Voss <voss@xxxxxxxxxx>, 397858@xxxxxxxxxxxxxxx
> To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
> Subject: Bug#397858: /usr/bin/mutt_dotlock: off-by-one error in mutt_dotlock.c
> X-Debian-PR-Message: report 397858
> X-Debian-PR-Package: mutt
> X-Debian-PR-Keywords:
> X-Debian-PR-Source: mutt
>
> Package: mutt
> Version: 1.5.13-1
> Severity: normal
> File: /usr/bin/mutt_dotlock
>
> Hello,
>
> recently I came across the following bit of code in the source file
> mutt-1.5.13/mutt_dotlock.c (function dotlock_deference_symlink, around
> line 557):
>
>     if ((len = readlink (pathptr, linkfile, sizeof (linkfile))) == -1)
>     {
>       /* perror (pathptr); */
>       return -1;
>     }
>
>     linkfile[len] = '\0';
>
> In the case when the link target is longer than 'sizeof (linkfile)'
> (256 characters), the readlink call returns 'sizeof (linkfile)' and
> the following assignment writes a zero-byte into the byte just after
> the buffer 'linkfile'. This is a buffer overflow.
>
> The bug does not look exploitable to me, but probably it should be
> fixed anyway.
>
> I hope this helps,
> Jochen
>
> -- System Information:
> Debian Release: 4.0
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18.1
> Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
>
> Versions of packages mutt depends on:
> ii exim4 4.63-10 metapackage to ease exim MTA (v4)
> ii exim4-daemon-light [mai 4.63-10 lightweight exim MTA (v4) daemon
> ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
> ii libdb4.4 4.4.20-8 Berkeley v4.4 Database Libraries [
> ii libgnutls13 1.4.4-2 the GNU TLS library - runtime libr
> ii libidn11 0.6.5-1 GNU libidn library, implementation
> ii libncursesw5 5.5-5 Shared libraries for terminal hand
> ii libsasl2 2.1.19.dfsg1-0.5 Authentication abstraction library
>
> Versions of packages mutt recommends:
> ii locales 2.3.6.ds1-8 GNU C Library: National Language (
> ii mime-support 3.37-1 MIME files 'mime.types' & 'mailcap
>
> -- no debconf information
> >How-To-Repeat:
> >Fix:
> Unknown
> >Add-To-Audit-Trail:
>
> >Unformatted:
>
>
--
Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
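As an added example (not mutt's code and not the patch above), a bounded readlink wrapper that applies the `- 1` from the fix and additionally rejects a target that may have been truncated, together with a constructed probe that creates symlinks of chosen target lengths and reads them into a 256-byte buffer, the size the report gives for `linkfile`. The `/tmp` directory and the 256-byte buffer are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bounded readlink: reserves one byte for the terminator and rejects a target
 * that may have been truncated, so buf[len] = '\0' can never land past the end
 * of buf. Returns the target length, or -1 with errno set. */
static ssize_t read_link_bounded(const char *path, char *buf, size_t bufsize)
{
    ssize_t len;
    if (bufsize == 0) { errno = EINVAL; return -1; }
    len = readlink(path, buf, bufsize - 1);   /* never fills the last byte */
    if (len == -1)
        return -1;
    if ((size_t)len == bufsize - 1) {         /* exact fit or truncated: reject */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[len] = '\0';
    return len;
}

/* Constructed probe: create a symlink whose target is target_len 'a's in a
 * temporary directory and read it into a 256-byte buffer (assumed size of
 * linkfile). Returns 0 if accepted, -1 if rejected, -2 on setup failure. */
static int probe_link_of_length(size_t target_len)
{
    char dir[] = "/tmp/rl-exampleXXXXXX";
    char link[PATH_MAX];
    char buf[256];
    char *target = malloc(target_len + 1);
    int rc = -2;

    if (target == NULL || mkdtemp(dir) == NULL)
        goto out;
    memset(target, 'a', target_len);
    target[target_len] = '\0';
    snprintf(link, sizeof link, "%s/l", dir);
    if (symlink(target, link) == 0) {
        rc = read_link_bounded(link, buf, sizeof buf) == (ssize_t)target_len ? 0 : -1;
        unlink(link);
    }
    rmdir(dir);
out:
    free(target);
    return rc;
}
```

A target of exactly 255 bytes is also rejected, because readlink gives no way to tell an exact fit from a truncated result.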