Your message dated Fri, 17 Oct 2014 15:49:42 +0000
with message-id <[email protected]>
and subject line Bug#737159: fixed in bsdmainutils 9.0.6
has caused the Debian Bug report #737159,
regarding Buffer overrun and truncated lines in col utility
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
737159: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737159
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bsdmainutils
Version: 9.0.5
Severity: important

If an input line to col exceeds 32k characters, an integer overflow may cause col to attempt illegal memory reads and writes, and will also truncate output lines.

This can easily be seen using the following command:

    valgrind col < <(printf 'xx\b\b'; printf z%.0s {1..131072}) | wc -c

valgrind will report illegal reads and writes, and wc will show the truncated output.

The following problem description is copied from a bug report to FreeBSD (http://www.freebsd.org/cgi/query-pr.cgi?pr=186282), which uses a similar source for col (the line numbers are different but the problem is the same).

----- COPY STARTS

At line 78 of col.c (http://svnweb.freebsd.org/base/head/usr.bin/col/col.c), the c_column member of the CHAR struct is declared as short:

    short c_column; /* column character is in */

This value is set (for each character) at line 299 from cur_col

    c->c_column = cur_col;

But cur_col is an int. Consequently, if the input has a line of more than 32768 characters, the assignment to c->c_column will produce an integer overflow, producing two errors: first, the value of c->column may become negative, which may cause random memory to be overwritten; second, it may limit the line's output size to 32768 characters, overlaying portions of the line over other portions.

The more serious issue, the buffer overrun, will be triggered in the case that l->l_needs_sort is set to true at line 306, which will happen if input characters are out of sequence as a result of backspaces in the input (more than one consecutive backspace is required to trigger this condition). In that case, control flow will eventually reach line 423:

    count[c->c_column]++;

which may use a negative integer from c->c_column to index the malloc'd region count. While this is not likely to be exploitable, since the memory overwrite is an increment rather than a set, it could certainly cause unpredictable behaviour.

In addition, the integer overflow will cause other problems for input containing long lines.

--- COPY ENDS

As indicated in the FreeBSD bug report, the easiest (but insufficient) fix is to make c_column a short rather than an int. However, that will still result in integer overflow if an input line is 2^31 characters long, or more; a better fix would be to check for overflow before incrementing cur_col, in various places in the main input loop.
--- End Message ---
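
The narrowing described in the report above, and the two checks it points toward, as an added example (not part of the original report, and not code from bsdmainutils or FreeBSD). The helper names stored_column, advance_column and count_column are hypothetical; the wrap to a negative value assumes a compiler that truncates out-of-range int-to-short conversions, as gcc and clang do.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Field layout from the report: the column is kept in a short. */
struct char_short { short c_column; };

/* Value that lands in a short c_column when cur_col (an int) is assigned.
 * Out-of-range conversion is implementation-defined; gcc and clang wrap. */
static int stored_column(int cur_col)
{
    struct char_short c;
    c.c_column = (short)cur_col;
    return c.c_column;
}

/* Hypothetical helper: advance cur_col only if the sum fits in an int. */
static int advance_column(int *cur_col, int width)
{
    if (width < 0 || *cur_col > INT_MAX - width)
        return 0;               /* caller should reject the line */
    *cur_col += width;
    return 1;
}

/* Hypothetical helper: guarded form of count[c->c_column]++. */
static int count_column(int *count, size_t ncols, int column)
{
    if (column < 0 || (size_t)column >= ncols)
        return 0;               /* would have written outside count[] */
    count[column]++;
    return 1;
}

int main(void)
{
    int count[8] = {0};
    int cur_col = INT_MAX;

    printf("cur_col 32767 -> c_column %d\n", stored_column(32767));
    printf("cur_col 32768 -> c_column %d\n", stored_column(32768));
    printf("index %d accepted: %d\n", stored_column(32768),
           count_column(count, 8, stored_column(32768)));
    printf("increment at INT_MAX accepted: %d\n", advance_column(&cur_col, 1));
    return 0;
}
```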
--- Begin Message ---
Source: bsdmainutils
Source-Version: 9.0.6

We believe that the bug you reported is fixed in the latest version of bsdmainutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Meskes <[email protected]> (supplier of updated bsdmainutils package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 15 Aug 2014 11:46:48 +0200
Source: bsdmainutils
Binary: bsdmainutils
Architecture: source amd64
Version: 9.0.6
Distribution: unstable
Urgency: medium
Maintainer: Debian Bsdmainutils Team <[email protected]>
Changed-By: Michael Meskes <[email protected]>
Description:
 bsdmainutils - collection of more utilities from FreeBSD
Closes: 729038 737159 737348 741386 750216 759675 763312
Changes:
 bsdmainutils (9.0.6) unstable; urgency=medium
 .
   * Add Ubuntu 13.04 release date to calendar.ubuntu.
   * Update Dutch calendar for royal succession. Thanks to Sander Steffann
     <[email protected]> (Closes: #750216)
   * Updated control file.
   * Completely convert Cyrillic calendars. Thanks to Sergey Romanov
     <[email protected]>
   * Explain option 'p' and 'f' better in manpage (Closes: #759675)
   * Fix calendar.judaic format. Thanks to Robbin Edgren
     <[email protected]> (Closes: #763312)
   * Calculate Jewish calendars for five years. (Closes: #741386)
   * Symlink Judaic calendar for the current year.
   * Increase maximal line length to 1MB (Closes: #737348)
   * Process tabs in column binary (Closes: #729038)
   * Prevent buffer overruns in col (Closes: #737159)
--- End Message ---

