[bug #20014] buffer overrun in locate while reading old-format database
From: James Youngman
Subject: [bug #20014] buffer overrun in locate while reading old-format database
Date: Wed, 30 May 2007 22:11:43 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060830 Firefox/1.5.0.7 (Debian-1.5.dfsg+1.5.0.7-2)
Update of bug #20014 (project findutils):
Severity: 3 - Normal => 6 - Security
Status: In Progress => Fixed
Privacy: Private => Public
Summary: Placeholder => buffer overrun in locate while reading old-format database
_______________________________________________________
Follow-up Comment #1:
This problem has been assigned the CVE number CVE-2007-2452.
Findutils supports three different formats of locate database, its native
format "LOCATE02", the slocate variant of LOCATE02, and a traditional ("old")
format that locate uses on other Unix systems.
When locate reads filenames from a LOCATE02 database (the default format),
the buffer into which data is read is automatically extended to accommodate
the length of the filenames.
This automatic buffer extension does not happen for old-format
databases. Instead a 1026-byte buffer is used. When a longer
pathname appears in the locate database, the end of this buffer is overrun.
The buffer is allocated on the heap (not the stack).
If the locate database is in the default LOCATE02 format, the locate program
does perform automatic buffer extension, and the program is not vulnerable to
this problem. The software used to build the old-format locate database is
not itself vulnerable to the same attack.
Most installations of GNU findutils do not use the old database
format, and so will not be vulnerable.
(file #12905)
_______________________________________________________
Additional Item Attachment:
File name: savannah-bug-20014.patch Size:3 KB
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?20014>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
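The comment above contrasts a fixed 1026-byte heap buffer with a buffer that is extended to fit each pathname. The following added illustration (not findutils' code and not the attached patch) shows a reader for '\0'-terminated pathname records that grows its heap buffer on demand and rejects records above a hypothetical MAX_PATH_RECORD limit; the record format and the limit are assumptions for the example only.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on one pathname record; longer records are
 * rejected so a hostile database cannot force unbounded allocation. */
#define MAX_PATH_RECORD 65536
/* Read one '\0'-terminated pathname from `in` into *buf (capacity *cap),
 * growing the heap buffer with realloc instead of assuming 1026 bytes.
 * Returns the pathname length, or -1 on allocation failure / overlong record. */
long read_path_record(FILE *in, char **buf, size_t *cap)
{
    size_t len = 0;
    int c;
    if (*buf == NULL || *cap == 0) {
        *cap = 1026;            /* same initial size as the fixed buffer */
        if ((*buf = malloc(*cap)) == NULL) return -1;
    }
    while ((c = fgetc(in)) != EOF && c != '\0') {
        if (len + 1 >= *cap) {  /* keep room for the terminator */
            if (*cap >= MAX_PATH_RECORD) return -1;
            size_t ncap = *cap * 2 > MAX_PATH_RECORD ? MAX_PATH_RECORD : *cap * 2;
            char *nbuf = realloc(*buf, ncap);
            if (nbuf == NULL) return -1;
            *buf = nbuf;
            *cap = ncap;
        }
        (*buf)[len++] = (char)c;
    }
    (*buf)[len] = '\0';
    return (long)len;
}

/* Constructed input: an n-byte pathname record (e.g. 3000 bytes, which
 * would overrun a fixed 1026-byte buffer). Returns bytes read or -1. */
long demo_long_pathname(size_t n)
{
    char *data = malloc(n + 1);
    if (data == NULL) return -1;
    memset(data, 'a', n);
    data[n] = '\0';
    FILE *in = fmemopen(data, n + 1, "r");
    char *buf = NULL; size_t cap = 0;
    long got = in ? read_path_record(in, &buf, &cap) : -1;
    if (in) fclose(in);
    free(buf); free(data);
    return got;
}
```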