--- Begin Message ---
Package: uudeview
Version: 0.5.20-2
Severity: serious
Tags: security
CAN-2004-2265 is a security hole in uudeview, although you won't find
much useful info in the advisories associated with that CAN.
After downloading OpenPKG's fix from
tp://ftp.openpkg.org/release/2.0/UPD/uudeview-0.5.19-2.0.1.src.rpm ,
I was able to verify the problem:
if ((stdfile = tempnam (NULL, "uu")) == NULL) {
fprintf (stderr, "proc_stdin: cannot get temporary file\n");
return 0;
}
if ((target = fopen (stdfile, "wb")) == NULL) {
fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
stdfile, strerror (errno));
_FP_free (stdfile);
return 0;
}
This is a race, exploitable when uudeview is run on standard input.
I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
find unrelated changes also of interest. The relevent fixes for this hole
are change changes involving tempnam and _FP_tempnam.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages uudeview depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
uudeview recommends no packages.
-- no debconf information
--
see shy jo
Patch to defeat uudeview "UNKNOWN" filenames.
Problem introduced with 0.5.19
Problem remains in 0.5.20
Index: uuscan.c
--- uulib/uuscan.c.orig 2004-03-12 11:47:13.000000000 +0100
+++ uulib/uuscan.c 2004-03-12 13:37:54.000000000 +0100
@@ -1604,20 +1604,23 @@
}
/* skip empty lines */
- prevpos = ftell (datei);
+ {
+ long localprevpos;
+ localprevpos = ftell (datei);
if (IsLineEmpty (line)) {
while (!feof (datei)) {
if (_FP_fgets (line, 255, datei) == NULL)
break;
if (UUBUSYPOLL(ftell(datei),progress.fsize)) SPCANCEL();
if (!IsLineEmpty (line)) {
- fseek (datei, prevpos, SEEK_SET);
+ fseek (datei, localprevpos, SEEK_SET);
line[255] = '\0';
break;
}
- prevpos = ftell (datei);
+ localprevpos = ftell (datei);
}
}
+ }
/*
* If we don't have all valid MIME headers yet, but the following
mkstemp security enhancement. Similar to
FreeBSD http://www.freebsd.org/cgi/query-pr.cgi?pr=41508
SuSE uudeview-0.5.18-244.src.rpm
--- unix/uudeview.c
+++ unix/uudeview.c
@@ -434,7 +434,7 @@
return 0;
}
- if ((stdfile = tempnam (NULL, "uu")) == NULL) {
+ if ((stdfile = _FP_tempnam (NULL, "uu")) == NULL) {
fprintf (stderr, "proc_stdin: cannot get temporary file\n");
return 0;
}
--- uulib/fptools.c
+++ uulib/fptools.c
@@ -507,5 +507,15 @@
char * TOOLEXPORT
_FP_tempnam (char *dir, char *pfx)
{
- return _FP_strdup (tmpnam (NULL));
+ int fd;
+ char fileName[100];
+
+ strncpy(fileName, pfx, 90);
+ strcat(fileName, "XXXXXX");
+ fd = mkstemp(fileName);
+ if (fd == -1)
+ return NULL;
+ close(fd);
+ unlink(fileName);
+ return _FP_strdup (fileName);
}
--- uulib/uunconc.c
+++ uulib/uunconc.c
@@ -1264,7 +1264,7 @@
else
mode = "wb"; /* otherwise in binary */
- if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
+ if ((data->binfile = _FP_tempnam (NULL, "uu")) == NULL) {
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NO_TEMP_NAME));
return UURET_NOMEM;
@@ -1426,7 +1426,7 @@
*/
if (data->uudet == BH_ENCODED && data->binfile) {
- if ((ntmp = tempnam (NULL, "uu")) == NULL) {
+ if ((ntmp = _FP_tempnam (NULL, "uu")) == NULL) {
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NO_TEMP_NAME));
progress.action = 0;
http://www.fpx.de/fp/Software/UUDeview/HISTORY.txt
0.5.20 (01.03.2004)
--------
- fix bug in parsing of header lines [uuscan.c@@155]
- fix fgets to accept lines that are exactly of the maximum length
[uunconc.c, uuscan.c]
- fix two buffer overflows [uuscan.c@@391, fptools.c]
diff --unified=3 uudeview-0.5.19/uulib/fptools.c uudeview-0.5.20/uulib/fptools.c
--- uulib/fptools.c 1.7 2003-04-13 17:41:55.000000000 +0200
+++ uulib/fptools.c 1.8 2004-02-24 01:05:32.000000000 +0100
@@ -444,7 +444,7 @@
if (feof (stream))
return NULL;
- while (--n) {
+ while (--n && !feof (stream)) {
if ((c = fgetc (stream)) == EOF) {
if (ferror (stream))
return NULL;
@@ -478,11 +478,28 @@
*/
*buf++ = c;
}
+
/*
* n-1 characters already transferred
*/
+
*buf = '\0';
+ /*
+ * If a line break is coming up, read it
+ */
+
+ if (!feof (stream)) {
+ if ((c = fgetc (stream)) == '\015' && !feof (stream)) {
+ if ((c = fgetc (stream)) != '\012' && !feof (stream)) {
+ ungetc (c, stream);
+ }
+ }
+ else if (c != '\012' && !feof (stream)) {
+ ungetc (c, stream);
+ }
+ }
+
return obp;
}
diff --unified=3 uudeview-0.5.19/uulib/uunconc.c uudeview-0.5.20/uulib/uunconc.c
--- uulib/uunconc.c 1.36 2003-09-30 01:17:35.000000000 +0200
+++ uulib/uunconc.c 1.38 2004-03-01 23:52:27.000000000 +0100
@@ -1004,7 +1004,7 @@
while (!feof (datain) && *state != DONE &&
(ftell(datain)<maxpos || flags&FL_TOEND || maxpos==-1 ||
(!(flags&FL_PROPER) && uu_fast_scanning))) {
- if (_FP_fgets (line, 299, datain) == NULL)
+ if (_FP_fgets (line, 255, datain) == NULL)
break;
if (ferror (datain)) {
@@ -1046,7 +1046,7 @@
* try to make sense of data
*/
- line[299] = '\0'; /* For Safety of string functions */
+ line[255] = '\0'; /* For Safety of string functions */
count = 0;
if (boundary && line[0]=='-' && line[1]=='-' &&
@@ -1113,7 +1113,7 @@
}
if (_FP_strstr (line, " part=") != NULL) {
- if (_FP_fgets (line, 299, datain) == NULL) {
+ if (_FP_fgets (line, 255, datain) == NULL) {
break;
}
diff --unified=3 uudeview-0.5.19/uulib/uuscan.c uudeview-0.5.20/uulib/uuscan.c
--- uulib/uuscan.c 1.43 2003-07-06 20:29:35.000000000 +0200
+++ uulib/uuscan.c 1.46 2004-03-01 23:52:27.000000000 +0100
@@ -155,7 +155,7 @@
{
if (data == NULL) return 0;
if (*data == ':') return 0;
- while (*data && isalnum (*data)) data++;
+ while (*data && (isalnum (*data) || *data=='-')) data++;
return (*data == ':') ? 1 : 0;
}
@@ -391,8 +391,10 @@
*attribute != '\\' &&*attribute != '"' &&
*attribute != '/' && /* *attribute != '[' &&
*attribute != ']' && */ *attribute != '?' &&
- *attribute != '=' && length < 255)
+ *attribute != '=' && length < 255) {
*ptr++ = *attribute++;
+ length++;
+ }
*ptr = '\0';
}
@@ -629,12 +631,12 @@
while (!feof (datei)) {
oldposition = ftell (datei);
- if (_FP_fgets (line, 299, datei) == NULL)
+ if (_FP_fgets (line, 255, datei) == NULL)
break;
if (ferror (datei))
break;
- line[299] = '\0'; /* For Safety of string functions */
+ line[255] = '\0'; /* For Safety of string functions */
/*
* Make Busy Polls
signature.asc
Description: Digital signature
--- End Message ---
