From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 00:52:57 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 85D111065670 for ; Wed, 8 Jul 2009 00:52:57 +0000 (UTC) (envelope-from cperciva@freebsd.org)
Received: from xps.daemonology.net (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx2.freebsd.org (Postfix) with SMTP id 6E57014DF52 for ; Wed, 8 Jul 2009 00:52:18 +0000 (UTC) (envelope-from cperciva@freebsd.org)
Received: (qmail 8586 invoked from network); 8 Jul 2009 00:52:17 -0000
Received: from unknown (HELO xps.daemonology.net) (127.0.0.1) by localhost with SMTP; 8 Jul 2009 00:52:17 -0000
Message-ID: <4A53EDC1.4040506@freebsd.org>
Date: Tue, 07 Jul 2009 17:52:17 -0700
From: FreeBSD Security Officer
Organization: FreeBSD Project
User-Agent: Thunderbird 2.0.0.21 (X11/20090405)
MIME-Version: 1.0
To: freebsd security
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: rumours of openssh vulnerability
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: security-officer@freebsd.org
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Jul 2009 00:52:57 -0000

Hi all,

There are rumours flying around about a supposed vulnerability in OpenSSH. Two details which I've seen mentioned many times are (a) that this exploit was used to break into a RedHat system running OpenSSH 4.3 plus backported security patches, and (b) that "recent" versions of OpenSSH are not affected; but it's not clear if there is any basis for these rumours.

Given the almost complete lack of information here, there obviously will not be a FreeBSD security advisory forthcoming until we know more. As such, I can only recommend that the standard advice be followed: Use a firewall to limit who can access OpenSSH; and make sure that you are running a supported FreeBSD release.

If anyone has any concrete information concerning this, please contact the FreeBSD security team at .
--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 01:36:20 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 61D46106564A; Wed, 8 Jul 2009 01:36:20 +0000 (UTC) (envelope-from mozolevsky@gmail.com)
Received: from mail-fx0-f218.google.com (mail-fx0-f218.google.com [209.85.220.218]) by mx1.freebsd.org (Postfix) with ESMTP id 9DB9C8FC16; Wed, 8 Jul 2009 01:36:19 +0000 (UTC) (envelope-from mozolevsky@gmail.com)
Received: by fxm18 with SMTP id 18so4500869fxm.43 for ; Tue, 07 Jul 2009 18:36:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=iXmbyMuITES+GblURyqCl87riJMZme8mg+Qp1yKWHN0=; b=Zpusih6NxTFLkNqOR03Au3wBEe849j94fw/p+ZZzAkCcq9qf2ppkRHhpBg1Ucoiyjd +xKt0qsHqSz9YyJH1Y/UMaRTUrl24gQDhgBHWQGtsmjFlQJRaUTZ13ALz8a5YAz7rWkS tICj1qWpfEAsGMgN3yTjfEwW42XB0X8Gd2JcM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=XOcTlyHRzh7YGfO/CWO4eK/SYGP0NbJHGCnD0yyg8uNtN0jII5EHWYGF0tFKPPRfOL HaJKsQLAbBAOBXvCD2JaQkVs1jO7em8IjSYb2T0SSPKXQEqTiOZzcPyrYo4zlAWsNN2q uKiBmndNbHHtaN3Q+QvZGg9/YBwPSTOJKKr/c=
MIME-Version: 1.0
Received: by 10.204.118.207 with SMTP id w15mr6340207bkq.97.1247015776100; Tue, 07 Jul 2009 18:16:16 -0700 (PDT)
In-Reply-To: <4A53EDC1.4040506@freebsd.org>
References: <4A53EDC1.4040506@freebsd.org>
From: Igor Mozolevsky
Date: Wed, 8 Jul 2009 02:15:56 +0100
Message-ID:
To: security-officer@freebsd.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: freebsd security , secteam@freebsd.org
Subject: Re: rumours of openssh vulnerability
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Jul 2009 01:36:20 -0000

2009/7/8 FreeBSD Security Officer :
> There are rumours flying around about a supposed vulnerability in OpenSSH.

[snip]

More information is at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=6742

Cheers,
--
Igor

From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 13:58:32 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C3EC9106564A; Wed, 8 Jul 2009 13:58:32 +0000 (UTC) (envelope-from nhoughton@sourcefire.com)
Received: from mail-yx0-f181.google.com (mail-yx0-f181.google.com [209.85.210.181]) by mx1.freebsd.org (Postfix) with ESMTP id 51AA88FC16; Wed, 8 Jul 2009 13:58:32 +0000 (UTC) (envelope-from nhoughton@sourcefire.com)
Received: by yxe11 with SMTP id 11so8138892yxe.3 for ; Wed, 08 Jul 2009 06:58:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.47.10 with SMTP id u10mr12488745anu.17.1247060190984; Wed, 08 Jul 2009 06:36:30 -0700 (PDT)
In-Reply-To:
References: <4A53EDC1.4040506@freebsd.org>
Date: Wed, 8 Jul 2009 09:36:30 -0400
Message-ID: <3a88cd320907080636g1e30610ek4de2384abab6f779@mail.gmail.com>
From: Nigel Houghton
To: Igor Mozolevsky
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 08 Jul 2009 14:15:19 +0000
Cc: freebsd security , security-officer@freebsd.org, secteam@freebsd.org
Subject: Re: rumours of openssh vulnerability
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Jul 2009 13:58:33 -0000

On Tue, Jul 7, 2009 at 9:15 PM, Igor Mozolevsky wrote:
> 2009/7/8 FreeBSD Security Officer :
>
>> There are rumours flying around about a supposed vulnerability in OpenSSH.
>
> [snip]
>
> More information is at the Internet Storm Center:
> http://isc.sans.org/diary.html?storyid=6742
>
>
> Cheers,
> --
> Igor

Actually, no, there isn't any more information on the ISC blog. There is actually less information; the logs are truncated (not that there's anything to see in them anyway).

Nice to see an appropriate reaction to this "issue" from Colin.

--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 19:52:34 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EA39E1065673 for ; Wed, 8 Jul 2009 19:52:34 +0000 (UTC) (envelope-from endian.sign@gmail.com)
Received: from mail-ew0-f224.google.com (mail-ew0-f224.google.com [209.85.219.224]) by mx1.freebsd.org (Postfix) with ESMTP id 7C0328FC26 for ; Wed, 8 Jul 2009 19:52:34 +0000 (UTC) (envelope-from endian.sign@gmail.com)
Received: by mail-ew0-f224.google.com with SMTP id 24so149648ewy.43 for ; Wed, 08 Jul 2009 12:52:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:mime-version:content-type:content-disposition:user-agent; bh=XfPnb5C3reNsQGrguQWW8w6ezdpgqYYmotQ1aJq8OUg=; b=VBQA0v6pSnu2eNED9r52NN8xjwxBZugKmCRcYV3i1VNgUMpLJdZZ1Oq67n9SX07Z03 WNvYR+ctFNW4gvUGuW1tXgnes4rkYVbil6YjGFyMc7FksRlsA+HIEedN/FZRieJlObdA oRe0B1nxyY8UmEm6jE6TqSj6Ja6pSoatTsv5I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:mime-version:content-type :content-disposition:user-agent; b=m+RvMhAwVHDyx6EJvezeD5mQAApdw2gIatfS5+x0bZ6a2Trka4qOtVKj9qf5Ot9XIK 5T0JG1aDK6EagGk1mD2NmS6gkwAs82OXGtNPyLHjuWAh4krTF50+dGJswVdKYtdBDH70 dxmumZQTl6I7+sfYEjZCztw8hrVZ0DRIZtjww=
Received: by 10.216.0.73 with SMTP id 51mr2067046wea.52.1247081530121; Wed, 08 Jul 2009 12:32:10 -0700 (PDT)
Received: from minerva.freedsl.mg (freedsl-2.blueline.mg [41.204.101.83]) by mx.google.com with ESMTPS id m5sm25145719gve.18.2009.07.08.12.32.06 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 08 Jul 2009 12:32:09 -0700 (PDT)
Date: Wed, 8 Jul 2009 22:33:39 +0300
From: rrl
To: freebsd-security@freebsd.org
Message-ID: <20090708193339.GA4836@minerva.freedsl.mg>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.19 (2009-01-05)
Subject: gzip memory corruption
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Jul 2009 19:52:35 -0000

Hi all,

> uname -a
FreeBSD XXXXX 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Wed Jun 24 10:19:42 EAT 2009 XXXXXXXXX:/usr/obj/usr/src/sys/GENERIC i386

I run FreeBSD 7.2 and gzip doesn't handle a long suffix name correctly with the -S option.

> gzip -S `perl -e 'print "A"x1200'` dummy_file
Memory fault (core dumped)

The offending code lies in the function file_compress:

> /* Add (usually) .gz to filename */
> if ((size_t)snprintf(outfile, outsize, "%s%s",
>     file, suffixes[0].zipped) >= outsize)
>         memcpy(outfile - suffixes[0].ziplen - 1,
>             suffixes[0].zipped, suffixes[0].ziplen + 1);

The problem here is that outfile points to a local buffer from the function handle_file, which calls file_compress. And given that we give a very long suffix, memcpy does in fact write to a memory location outside outfile, overwriting the return address of file_compress.

Here's a possible fix:

--- /usr/src/usr.bin/gzip/gzip.c 2009-05-17 12:00:16.000000000 +0300
+++ gzip.c 2009-07-08 20:27:22.000000000 +0300
@@ -1219,10 +1219,15 @@ file_compress(char *file, char *outfile, /* Add (usually) .gz to filename */ if ((size_t)snprintf(outfile, outsize, "%s%s", - file, suffixes[0].zipped) >= outsize) + file, suffixes[0].zipped) >= outsize && + (unsigned int)suffixes[0].ziplen < outsize) memcpy(outfile - suffixes[0].ziplen - 1, suffixes[0].zipped, suffixes[0].ziplen + 1); - + else { + maybe_warnx("filename too long %s%s", file, suffixes[0].zipped); + close(in); + return -1; + } #ifndef SMALL if (check_outfile(outfile) == 0) { close(in);

Cheers,

From owner-freebsd-security@FreeBSD.ORG Wed Jul 8 20:25:20 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A83B91065670 for ; Wed, 8 Jul 2009 20:25:20 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 5C9F98FC17 for ; Wed, 8 Jul 2009 20:25:20 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=OG3UVJk4wLMJsIlTsPtDL7XH3xNUsq41jvG03m/LiIMelnAP3SmWY40dNVcza8MDIzPipAKq3o3VnK9+WM4C8VMQNHrg/ECsUpliWyE6UaUskyG0shOAHVN/hsWkDrGVOFC/9Lk8spdBSG6ftEyBs3lqk4WLIP5wIrm997VZgrg=;
Received: from phoenix.codelabs.ru (ppp91-77-10-253.pppoe.mtu-net.ru [91.77.10.253]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1MOdhe-0007ky-1m; Thu, 09 Jul 2009 00:25:18 +0400
Date: Thu, 9 Jul 2009 00:25:15 +0400
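Review bot: the new `else` branch in this hunk is taken whenever snprintf() did not truncate, which is every ordinary invocation, so `gzip file` would print "filename too long" and return -1 without compressing anything; the `&&` joins the two conditions the wrong way round. The hunk also keeps the memcpy() on the truncation path, and `outfile - suffixes[0].ziplen - 1` still writes before the start of `outfile` whatever the added `ziplen < outsize` test says. Suggest making truncation itself the error path and deleting the memcpy(): `if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize) { maybe_warnx("%s%s: name too long", file, suffixes[0].zipped); close(in); return -1; }`, which matches the existing check_outfile() failure path just below it.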
From: Eygene Ryabinkin
To: rrl
Message-ID:
References: <20090708193339.GA4836@minerva.freedsl.mg>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="4ZLFUWh1odzi/v6L"
Content-Disposition: inline
In-Reply-To: <20090708193339.GA4836@minerva.freedsl.mg>
Sender: rea-fbsd@codelabs.ru
Cc: freebsd-security@freebsd.org
Subject: Re: gzip memory corruption
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: rea-fbsd@codelabs.ru
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Jul 2009 20:25:20 -0000

--4ZLFUWh1odzi/v6L
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
> with the -S option.
> > gzip -S `perl -e 'print "A"x1200'` dummy_file
> Memory fault (core dumped)
>
> The offending code lays in the function file_compress:
> > /* Add (usually) .gz to filename */
> > if ((size_t)snprintf(outfile, outsize, "%s%s",
> >     file, suffixes[0].zipped) >= outsize)
> >         memcpy(outfile - suffixes[0].ziplen - 1,
> >             suffixes[0].zipped, suffixes[0].ziplen + 1);

The memcpy() call looks like complete madness: it will write before the beginning of 'outfile', so it will be a buffer underflow in any case (unless I am terribly mistaken and missing some obvious point).

I'd change the above code to warn and return if snprintf will discard some trailing characters; the patch is attached.
--
Eygene
 _ ___ _.--. #
 \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
 / ' ` , __.--' # to read the on-line manual
 )/' _/ \ `-_, / # while single-stepping the kernel.
 `-'" `"\_ ,_.-;_.-\_ ', fsc/as #
 _.-'_./ {_.' ; / # -- FreeBSD Developers handbook
 {_.-``-' {_/ #

--4ZLFUWh1odzi/v6L
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="gzip.c-fix-buffer-underflow.diff"

--- usr.bin/gzip/gzip.c.orig 2009-07-09 00:03:03.000000000 +0400
+++ usr.bin/gzip/gzip.c 2009-07-09 00:21:40.000000000 +0400
@@ -1235,9 +1235,12 @@ /* Add (usually) .gz to filename */ if ((size_t)snprintf(outfile, outsize, "%s%s", - file, suffixes[0].zipped) >= outsize) - memcpy(outfile - suffixes[0].ziplen - 1, - suffixes[0].zipped, suffixes[0].ziplen + 1); + file, suffixes[0].zipped) >= outsize) { + warnx("Output file name '%s%s' is too long, exiting", + file, suffixes[0].zipped); + close(in); + return -1; + } #ifndef SMALL if (check_outfile(outfile) == 0) {

--4ZLFUWh1odzi/v6L--

From owner-freebsd-security@FreeBSD.ORG Thu Jul 9 03:34:34 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5BAC1065691 for ; Thu, 9 Jul 2009 03:34:34 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 6F90D8FC21 for ; Thu, 9 Jul 2009 03:34:33 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:Reply-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=mrEOUVKXZbdyz/HHOjOK0fXpokPXEqMjZ50sDBmfufKaTuyVcrnzxdy2cXTmlQVuu57RqnbNGVHFSGopiGIgzxeK+VPNFcmJU6O/MC9jbSyPr6pHZqtzO8J1hh4s73obJW8I90bN1DcicYNKQr9xt1H2qEXPrTAeTmtSHvK3k48=;
Received: from phoenix.codelabs.ru (ppp91-77-10-253.pppoe.mtu-net.ru [91.77.10.253]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1MOk8p-0001oL-MF; Thu, 09 Jul 2009 07:17:47 +0400
Date: Thu, 9 Jul 2009 07:17:46 +0400
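Review bot: the warnx() text in this hunk says "exiting", but the code returns -1 to the caller, the same convention as the existing check_outfile() failure path right below it, so processing continues rather than the program exiting; the message should describe what actually happens. The warning also goes through warnx() directly instead of maybe_warnx(), the wrapper rrl's patch uses for the same condition and which exists in this file so that -q can silence warnings, so this one would print even in quiet mode. Suggest `maybe_warnx("%s%s: name too long", file, suffixes[0].zipped);`. Otherwise replacing the memcpy() with an early return is the right shape: the snprintf() return value already says the name did not fit, and nothing can be recovered by writing before the buffer.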
From: Eygene Ryabinkin
To: d@delphij.net
Message-ID:
References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net> <4A553458.70005@delphij.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4A553458.70005@delphij.net>
Sender: rea-fbsd@codelabs.ru
Cc: rrl , freebsd-security@freebsd.org
Subject: Re: gzip memory corruption
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: rea-fbsd@codelabs.ru
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Jul 2009 03:34:35 -0000

Xin, good day.

Wed, Jul 08, 2009 at 05:05:44PM -0700, Xin LI wrote:
> >>> The offending code lays in the function file_compress:
> >>>> /* Add (usually) .gz to filename */
> >>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
> >>>>     file, suffixes[0].zipped) >= outsize)
> >>>>         memcpy(outfile - suffixes[0].ziplen - 1,
> >>>>             suffixes[0].zipped, suffixes[0].ziplen + 1);
> >> The memcpy() call looks like a complete madness: it will write before
> >> the beginning of the 'outfile', so it will be buffer underflow in any
> >> case (unless I am terribly mistaken and missing some obvious point).
> >
> >> I'd change the above code to warn and return if snprintf will discard
> >> some trailing characters, the patch is attached.
>
> I have attached another possible fix, which catches the problem when
> parsing the command line. The point is that, I think we really want to
> catch bad input as early as possible.

Yes, it is good to catch it here too.

> Index: gzip.c
> ===================================================================
> --- gzip.c (?????? 195435)
> +++ gzip.c (????????????)
> @@ -372,6 +372,8 @@ > case 'S': > len = strlen(optarg); > if (len != 0) { > + if (len >= PATH_MAX) > + errx(1, "incorrect suffix: '%s'", optarg); > suffixes[0].zipped = optarg; > suffixes[0].ziplen = len; > } else {

But the place with the memcpy() should be patched too. Two reasons:

- the suffix could not (yet) overflow PATH_MAX, but filename + suffix -- can;
- I am really worried about the usage of memcpy with underflow; I had tried to study the reasons for it via NetBSD CVS, but it just appeared one day and the reason for going to 'outfile - suffixes[0].ziplen - 1' (with .gz it's outfile - 4) is unknown; I am still taking this as a programming error.

So, unless you know why we're underflowing the passed pointer, the memcpy block should be patched too, for future safety and code correctness.
--
Eygene
 _ ___ _.--. #
 \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
 / ' ` , __.--' # to read the on-line manual
 )/' _/ \ `-_, / # while single-stepping the kernel.
 `-'" `"\_ ,_.-;_.-\_ ', fsc/as #
 _.-'_./ {_.' ; / # -- FreeBSD Developers handbook
 {_.-``-' {_/ #

From owner-freebsd-security@FreeBSD.ORG Thu Jul 9 04:04:55 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 38AA3106567C for ; Thu, 9 Jul 2009 04:04:55 +0000 (UTC) (envelope-from delphij@delphij.net)
Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id CCD718FC14 for ; Thu, 9 Jul 2009 04:04:54 +0000 (UTC) (envelope-from delphij@delphij.net)
Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id 1B1005C024 for ; Thu, 9 Jul 2009 07:50:49 +0800 (CST)
Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id CF11C55CD6F8; Thu, 9 Jul 2009 07:50:48 +0800 (CST)
X-Virus-Scanned: amavisd-new at geekcn.org
Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id R8y1aAjir3RV; Thu, 9 Jul 2009 07:49:50 +0800 (CST)
Received: from charlie.delphij.net (adsl-76-237-33-62.dsl.pltn13.sbcglobal.net [76.237.33.62]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 982A655CD6F4; Thu, 9 Jul 2009 07:49:38 +0800 (CST)
DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=RKBh5Dofgloiv0+cUL2RZFScQZKJad00MQtjdJ1azxuy2B4IVkvMnzdkV0j0mJ1ac 0ErL3OVQY2pEoabXRsGZw==
Message-ID: <4A553080.5060205@delphij.net>
Date: Wed, 08 Jul 2009 16:49:20 -0700
From: Xin LI
Organization: The FreeBSD Project
User-Agent: Thunderbird 2.0.0.22 (X11/20090701)
MIME-Version: 1.0
To: rea-fbsd@codelabs.ru
References: <20090708193339.GA4836@minerva.freedsl.mg>
In-Reply-To:
X-Enigmail-Version: 0.95.7
OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: rrl , freebsd-security@freebsd.org
Subject: Re: gzip memory corruption
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: d@delphij.net
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Jul 2009 04:04:55 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eygene Ryabinkin wrote:
> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
>> with the -S option.
>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>> Memory fault (core dumped)
>>
>> The offending code lays in the function file_compress:
>>> /* Add (usually) .gz to filename */
>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>     file, suffixes[0].zipped) >= outsize)
>>>         memcpy(outfile - suffixes[0].ziplen - 1,
>>>             suffixes[0].zipped, suffixes[0].ziplen + 1);
>
> The memcpy() call looks like a complete madness: it will write before
> the beginning of the 'outfile', so it will be buffer underflow in any
> case (unless I am terribly mistaken and missing some obvious point).
>
> I'd change the above code to warn and return if snprintf will discard
> some trailing characters, the patch is attached.

Nice catch! I'll take a look at this as soon as possible.

Cheers,
- --
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpVMIAACgkQi+vbBBjt66BkrgCePlsfN2Y8+yXkJiI39A2tEmRS
CKcAnipqLptYZx2BeuM+7piL0vBF1yzz
=9kvD
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jul 9 04:04:55 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 68C881065673 for ; Thu, 9 Jul 2009 04:04:55 +0000 (UTC) (envelope-from delphij@delphij.net)
Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id CCD488FC13 for ; Thu, 9 Jul 2009 04:04:54 +0000 (UTC) (envelope-from delphij@delphij.net)
Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id 1289E5C026 for ; Thu, 9 Jul 2009 08:07:06 +0800 (CST)
Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id D16DA55CD6E9; Thu, 9 Jul 2009 08:07:05 +0800 (CST)
X-Virus-Scanned: amavisd-new at geekcn.org
Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id aceDcMmO10Hs; Thu, 9 Jul 2009 08:06:12 +0800 (CST)
Received: from charlie.delphij.net (adsl-76-237-33-62.dsl.pltn13.sbcglobal.net [76.237.33.62]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 75D2155CD6F4; Thu, 9 Jul 2009 08:06:04 +0800 (CST)
DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type; b=nDkGoaExCGhzu9XcWQQUXG1GzkzKr8y5ulhvhT09jKrLMhFZxjxux+9BaJOcNTgBd mB8ie97e1AnNRhbSv6Yog==
Message-ID: <4A553458.70005@delphij.net>
Date: Wed, 08 Jul 2009 17:05:44 -0700
From: Xin LI
Organization: The FreeBSD Project
User-Agent: Thunderbird 2.0.0.22 (X11/20090701)
MIME-Version: 1.0
To: d@delphij.net
References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net>
In-Reply-To: <4A553080.5060205@delphij.net>
X-Enigmail-Version: 0.95.7
OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc
Content-Type: multipart/mixed; boundary="------------010401030701030109000706"
Cc: rrl , freebsd-security@freebsd.org, rea-fbsd@codelabs.ru
Subject: Re: gzip memory corruption
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: d@delphij.net
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Jul 2009 04:04:56 -0000

This is a multi-part message in MIME format.
--------------010401030701030109000706
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
>>> with the -S option.
>>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>>> Memory fault (core dumped)
>>>
>>> The offending code lays in the function file_compress:
>>>> /* Add (usually) .gz to filename */
>>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>>     file, suffixes[0].zipped) >= outsize)
>>>>         memcpy(outfile - suffixes[0].ziplen - 1,
>>>>             suffixes[0].zipped, suffixes[0].ziplen + 1);
>> The memcpy() call looks like a complete madness: it will write before
>> the beginning of the 'outfile', so it will be buffer underflow in any
>> case (unless I am terribly mistaken and missing some obvious point).
>
>> I'd change the above code to warn and return if snprintf will discard
>> some trailing characters, the patch is attached.
I have attached another possible fix, which catches the problem when parsing the command line. The point is that I think we really want to catch bad input as early as possible.

If there are no objections I would request approval from re@.

Cheers,
- --
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEUEARECAAYFAkpVNFcACgkQi+vbBBjt66AkuQCfSm79QmZC2jPwE8kSEaz5NvH7
V+8Al0zsIfe40Tv0Yu/LrtMpnEK5cok=
=OtC/
-----END PGP SIGNATURE-----

--------------010401030701030109000706
Content-Type: text/plain; name="gzip.c-S-underflow.diff"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline; filename="gzip.c-S-underflow.diff"

Index: gzip.c
===================================================================
--- gzip.c (版本 195435)
+++ gzip.c (工作副本)
@@ -372,6 +372,8 @@ case 'S': len = strlen(optarg); if (len != 0) { + if (len >= PATH_MAX) + errx(1, "incorrect suffix: '%s'", optarg); suffixes[0].zipped = optarg; suffixes[0].ziplen = len; } else {
--------------010401030701030109000706--
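Review bot: `len >= PATH_MAX` bounds the suffix on its own, but the condition that reaches the memcpy() in file_compress() is strlen(file) + ziplen against outsize, so a suffix just under PATH_MAX plus any file name still truncates and still takes the path that writes before `outfile` (Eygene's first point in his reply above). This hunk is worth keeping as early input validation, but it has to land together with a fix at the memcpy() site rather than instead of one. Minor: "incorrect suffix" does not tell the user what is wrong with it; "suffix too long" would.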
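Taking the three patches in this thread together (rrl's at the memcpy() site, Eygene's early return, Xin's parse-time bound), the pattern they converge on is worth seeing end to end: the return value of snprintf() already says whether "<file><suffix>" fit, so the only safe reaction to truncation is to refuse the file, never to "repair" the buffer by writing outside it. The C below is an added example written for this page, not code from gzip.c or from any message above; build_outfile_name(), suffix_is_acceptable(), compress_name_fits(), built_name_equals(), the demo_* helpers and the fixed 1024-byte OUTFILE_SIZE (FreeBSD's PATH_MAX, pinned so the demo behaves the same on every platform) are all assumptions of the demo. It reproduces the reported 1200-byte suffix and Eygene's combined-length case, refusing both.

```c
/*
 * Added example for this thread; not code from gzip.c nor from any of the
 * patches posted above. All function names and OUTFILE_SIZE are assumptions
 * of the demo, not gzip's own interface.
 */
#include <stdio.h>
#include <string.h>

/* Size of the output-name buffer. FreeBSD's PATH_MAX is 1024; it is fixed
 * here rather than taken from <limits.h> so the demo is platform-independent. */
#define OUTFILE_SIZE 1024

/* Parse-time check in the spirit of the -S patch: a suffix of OUTFILE_SIZE
 * bytes or more can never fit, so reject it before any file is touched.
 * Returns 1 if the suffix passes, 0 otherwise. Passing is necessary but not
 * sufficient; see build_outfile_name(). */
int suffix_is_acceptable(const char *suffix)
{
    size_t len = strlen(suffix);
    return len != 0 && len < OUTFILE_SIZE;
}

/* Write "<file><suffix>" into out[outsize]. Returns 0 on success, -1 if the
 * name does not fit. snprintf() returns the length the complete string would
 * have had, so a value >= outsize means truncation; a negative value is an
 * encoding error. On -1 the buffer holds a truncated, NUL-terminated string
 * that must not be used as a file name. */
int build_outfile_name(char *out, size_t outsize, const char *file, const char *suffix)
{
    int n = snprintf(out, outsize, "%s%s", file, suffix);
    if (n < 0 || (size_t)n >= outsize)
        return -1;
    return 0;
}

/* Mirrors the caller's situation in the report: a fixed local buffer like the
 * one handle_file() passes down. Returns 0 if the name fits, -1 otherwise. */
int compress_name_fits(const char *file, const char *suffix)
{
    char outfile[OUTFILE_SIZE];
    return build_outfile_name(outfile, sizeof outfile, file, suffix);
}

/* Build the name and compare with an expected string. Returns 1 on match,
 * 0 on mismatch or when the name does not fit. */
int built_name_equals(const char *file, const char *suffix, const char *expect)
{
    char out[OUTFILE_SIZE];
    if (build_outfile_name(out, sizeof out, file, suffix) != 0)
        return 0;
    return strcmp(out, expect) == 0;
}

/* The reported input: a constructed 1200-byte suffix of 'A's with the file
 * name "dummy_file". Returns -1: the name is refused instead of crashing. */
int demo_long_suffix(void)
{
    char suffix[1201];
    memset(suffix, 'A', 1200);
    suffix[1200] = '\0';
    return compress_name_fits("dummy_file", suffix);
}

/* Eygene's objection to a parse-time check alone: a suffix that passes
 * suffix_is_acceptable() can still overflow once the file name is added.
 * Returns 1 when the suffix is accepted but the combined name is refused. */
int demo_combined_overflow(void)
{
    const char *file = "dummy_file";              /* 10 bytes */
    char suffix[OUTFILE_SIZE];
    size_t len = OUTFILE_SIZE - strlen(file);     /* file + suffix == OUTFILE_SIZE */

    memset(suffix, 'A', len);
    suffix[len] = '\0';
    return suffix_is_acceptable(suffix) && compress_name_fits(file, suffix) == -1;
}

int main(void)
{
    char out[OUTFILE_SIZE];

    if (build_outfile_name(out, sizeof out, "dummy_file", ".gz") == 0)
        printf("ok: %s\n", out);
    printf("1200-byte suffix: %s\n",
           demo_long_suffix() == -1 ? "refused" : "accepted");
    printf("suffix passes -S check but file+suffix overflows: %s\n",
           demo_combined_overflow() ? "yes" : "no");
    return 0;
}
```

The design point is that the bound lives where the buffer is: build_outfile_name() takes the buffer size as a parameter and reports truncation to its caller, so no call site can get the check wrong the way the memcpy() path did, and the parse-time check only adds an earlier, friendlier error for the obvious case.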