bug-cvs

Re: [Fwd: Help needed with bufferoverflow in cvs]


From: Tollef Fog Heen
Subject: Re: [Fwd: Help needed with bufferoverflow in cvs]
Date: 21 Feb 2002 10:44:11 +0100
User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1

*  (Larry Jones)

| > it seems that cvs (version 1.10.7 from Debian's stable repos) has a
| > bufferoverflow but I'm not sure if it's exploitable
| [...]
| > cvs diff -C`perl -e "print 'a' x 300"` tables.sql
| [...]
| > Segmentation fault (core dumped)
| 
| It's not a buffer overflow (-Cx will produce the same result), it's an
| improperly initialized global variable (the code calls longjmp() with a
| global jmp_buf that was never initialized by setjmp() and thus is all
| zeros).  It's not exploitable and it was fixed long ago in CVS 1.10.8.

I am not too sure about that; please see the strace output from the
server:

[snip]
[pid  6325] write(8, "diff -Caaaaaaaaaaaaaaaaaaaaaaaaa"..., 320) = 320
[pid  6325] write(8, "\0\0\0\0", 4 <unfinished ...>
[pid  6294] write(1, "M Index: a\nM ==================="..., 114 <unfinished ...>
[pid  6325] <... write resumed> )       = 4
[pid  6325] write(8, "\0\0\0\0", 4)     = 4
[pid  6325] write(8, "\0\0\0\0", 4)     = 4
[pid  6325] write(8, "\0\0\0\0", 4)     = 4
[pid  6325] write(8, "\0\0\0\0", 4)     = 4
[pid  6325] write(8, "\0\0\0\0", 4)     = 4
[pid  6325] write(8, ".\0\0\0", 4)      = 4
[pid  6325] write(8, "E ", 2)           = 2
[pid  6325] write(8, "cvs server: invalid context leng"..., 44) = 44
[pid  6325] --- SIGSEGV (Segmentation fault) ---
[pid  6294] <... write resumed> )       = 114
[pid  6294] --- SIGCHLD (Child exited) ---
[pid  6294] write(1, "M retrieving revision 1.1.1.1\n", 30) = 30
[pid  6294] select(8, [3 5 7], [], NULL, NULL) = 3 (in [3 5 7])
[pid  6294] read(3, "", 4096)           = 0
[pid  6294] read(5, "", 4096)           = 0
[pid  6294] read(7, "\0\0\0\0\0\0\0\0\0\0\0\0B\1\0\0M diff -Caaaaaaa"..., 4096) = 412
[pid  6294] write(1, "M diff -Caaaaaaaaaaaaaaaaaaaaaaa"..., 322) = 322
[pid  6294] write(1, "E cvs server: invalid context le"..., 46) = 46
[pid  6294] select(8, [7], [], NULL, NULL) = 1 (in [7])
[pid  6294] read(7, "", 4096)           = 0
[pid  6294] wait4(6325, [WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV], 0, NULL) = 6325
[pid  6294] fcntl(1, F_GETFL)           = 0x802 (flags O_RDWR|O_NONBLOCK)
[pid  6294] fcntl(1, F_SETFL, O_RDWR)   = 0
[pid  6294] write(1, "E Terminated with fatal signal 1"..., 34) = 34
[pid  6294] write(1, "error  \n", 8)    = 8
[pid  6294] read(0, "", 4096)           = 0
[pid  6294] chdir("/tmp")               = 0
[snip]

This is 1.10.7-7; do you have the patch for this problem handy?

-- 
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
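The failure mode Larry describes (an error path that longjmp()s to a global jmp_buf nobody ever setjmp()'d, so the buffer is still the all-zero contents of .bss) is easy to reproduce in isolation, and doing so shows why the argument length is irrelevant: "-Cx" and "-C" followed by 300 a's take exactly the same error path. The program below is an added illustration, not CVS code; the function names, the "invalid context length" check and the fork-and-wait wrapper are all assumed for the demo. The wrapper reports the child's terminating signal the same way the strace above shows the server parent observing it with wait4() and WTERMSIG().

```c
/* Keep plain longjmp() rather than glibc's fortified __longjmp_chk(), so the
   observed crash is the consequence of the zeroed jmp_buf itself. */
#undef _FORTIFY_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Global error-recovery buffer that is never armed with setjmp(): it lives in
   .bss, so it is all zeros. This mirrors the bug in the thread; the names are
   assumed for the demo and are not CVS's own. */
static jmp_buf error_jump;

/* Reports an error the way a long-running server might: print it and unwind
   back to the command loop with longjmp(). With error_jump unarmed, the
   registers restored from it are garbage and the process dies. */
static void fatal_error(const char *msg) {
    fprintf(stderr, "cvs server: %s\n", msg);
    longjmp(error_jump, 1);
}

/* Stand-in for "diff -C<arg>": the argument must be a non-negative integer.
   "x" and 300 'a's fail the same check, so length does not matter. */
static void run_diff_with_context(const char *arg) {
    char *end;
    long n = strtol(arg, &end, 10);
    if (*arg == '\0' || *end != '\0' || n < 0)
        fatal_error("invalid context length argument");
    printf("would run diff with %ld lines of context\n", n);
}

/* Buggy server: dispatches the command without ever calling setjmp(). */
static void buggy_handle(const char *arg) {
    run_diff_with_context(arg);
}

/* Fixed server: arms error_jump before dispatching, so fatal_error() lands
   back here and the error is reported instead of killing the process.
   Returns 1 if an error was reported, 0 on success. */
static int fixed_handle(const char *arg) {
    if (setjmp(error_jump) != 0)
        return 1;               /* came back from fatal_error() */
    run_diff_with_context(arg);
    return 0;
}

/* Runs fn(arg) in a forked child and returns the signal that killed it,
   0 if it exited normally, or -1 if fork/waitpid failed. This is the
   parent-side view seen in the strace: wait4() with WIFSIGNALED/WTERMSIG. */
static int signal_from_child(void (*fn)(const char *), const char *arg) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn(arg);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Constructed argument: n copies of 'a' (n < 512), like the perl one-liner. */
static const char *a_times(size_t n) {
    static char buf[512];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

int main(void) {
    printf("buggy -Cx:       killed by signal %d\n",
           signal_from_child(buggy_handle, "x"));
    printf("buggy -Caaa...:  killed by signal %d\n",
           signal_from_child(buggy_handle, a_times(300)));
    printf("fixed -Cx:       returned %d\n", fixed_handle("x"));
    printf("fixed -C3:       returned %d\n", fixed_handle("3"));
    return 0;
}
```

The two buggy runs die by the same signal regardless of argument length, which is the test for "not an overflow" Larry applies with -Cx: an overflow would depend on the size of the input, a stale or unarmed jmp_buf does not. The fixed variant returns 1 for the bad argument and 0 for a good one, with the error text still written to stderr.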


