Package: manpages-dev
Version: 3.51-1
Severity: normal

The readdir(3) / readdir_r(3) man page says about readdir_r():

    Since POSIX.1 does not specify the size of the d_name field, and other
    nonstandard fields may precede that field within the dirent structure,
    portable applications that use readdir_r() should allocate the buffer
    whose address is passed in entry as follows:

        name_max = pathconf(dirpath, _PC_NAME_MAX);
        if (name_max == -1)         /* Limit not defined, or error */
            name_max = 255;         /* Take a guess */
        len = offsetof(struct dirent, d_name) + name_max + 1;
        entryp = malloc(len);

But if name_max is wrong and a file has a name greater than what has
been allocated for d_name, this will yield a buffer overflow. Thus
the man page should strongly discourage the use of readdir_r() for
security reasons. See
http://elliotth.blogspot.fr/2012/10/how-not-to-use-readdirr3.html
Note that even if pathconf doesn't fail, this is not safe due to
the race condition (as mentioned at the above URL) and also because
_PC_NAME_MAX just means "the maximum length of a filename in the
directory path [or fd] that the process is allowed to create.";
other processes may have created longer filenames, and indeed the
pathconf(3) man page says:

    Files with name lengths longer than the value returned for _name_
    equal to _PC_NAME_MAX may exist in the given directory.

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages manpages-dev depends on:
ii manpages 3.51-1
manpages-dev recommends no packages.
Versions of packages manpages-dev suggests:
ii man-db [man-browser] 2.6.5-2
-- no debconf information
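
The following C program is an added example, not part of the original report or of the man-pages project. It walks a directory with readdir() instead of readdir_r() and counts the names that would not fit a buffer sized by the recipe quoted above; the names recipe_len, overruns_recipe and scan_dir are hypothetical.

```c
#include <dirent.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct scan_result {
    long   name_max;          /* pathconf(_PC_NAME_MAX), or -1 */
    size_t entries, longest;  /* names seen; longest d_name in bytes */
    size_t too_long;          /* names that overrun a recipe-sized buffer */
};

/* Buffer size the man-page recipe quoted in the report allocates. */
size_t recipe_len(long name_max)
{
    return offsetof(struct dirent, d_name) + (size_t)(name_max == -1 ? 255 : name_max) + 1;
}

/* 1 if a name of namelen bytes plus its NUL does not fit that buffer. */
int overruns_recipe(long name_max, size_t namelen)
{
    return offsetof(struct dirent, d_name) + namelen + 1 > recipe_len(name_max);
}

/* Walk path with readdir(), which needs no caller-sized buffer. 0 or -1. */
int scan_dir(const char *path, struct scan_result *out)
{
    DIR *d = opendir(path);
    if (d == NULL) return -1;
    *out = (struct scan_result){ .name_max = pathconf(path, _PC_NAME_MAX) };
    for (struct dirent *e; errno = 0, (e = readdir(d)) != NULL; ) {
        size_t n = strlen(e->d_name);
        out->entries++;
        if (n > out->longest) out->longest = n;
        out->too_long += (size_t)overruns_recipe(out->name_max, n);
    }
    int err = errno;          /* nonzero only if readdir() itself failed */
    closedir(d);
    return err ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct scan_result r;
    if (scan_dir(argc > 1 ? argv[1] : ".", &r) != 0) return 1;
    printf("name_max=%ld longest=%zu too_long=%zu\n", r.name_max, r.longest, r.too_long);
    return r.too_long ? 2 : 0;
}
```
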