Your message dated Tue, 11 Feb 2014 19:50:58 +0000
with message-id <e1wdjma-0005ct...@franck.debian.org>
and subject line Bug#730487: fixed in libxdg-basedir 1.2.0-1
has caused the Debian Bug report #730487,
regarding libxdg-basedir: Writing beyond allocated buffer
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
730487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730487
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libxdg-basedir1
Version: 1.1.1-2
Severity: critical
File: libxdg-basedir
Tags: patch upstream
Dear Maintainer,
Any application using xdgDataHome, xdgConfigHome and possibly others
will trigger invalid reads and writes in valgrind. For example the
following code:
const char *xdg_data_home = xdgDataHome(NULL);
printf("%s\n", xdg_data_home);
It triggers:
==14808== Invalid write of size 1
==14808== at 0x4C2D97A: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:881)
==14808== by 0x4E352A0: xdgGetRelativeHome (basedir.c:577)
==14808== by 0x4006A5: main (in /tmp/a.out)
==14808== Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808== at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808== by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808== by 0x4006A5: main (in /tmp/a.out)
==14808==
==14808== Invalid read of size 1
==14808== at 0x4C2C954: __GI_strlen (mc_replace_strmem.c:405)
==14808== by 0x50A42DB: puts (ioputs.c:36)
==14808== by 0x4006B5: main (in /tmp/a.out)
==14808== Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808== at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808== by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808== by 0x4006A5: main (in /tmp/a.out)
==14808==
The solution is simple: add a +1 to the malloc in line 575 of basedir.c.
This is because it uses the +1 on line 577 when limiting the amount of
data that is to be copied.
Attached are:
* a full test case
* full result of valgrind before patching the library
* the patch for the library
* full result of valgrind after patching the library
I'm in doubt whether this is really this critical or not; I could
imagine ways that, under certain circumstances, it is possible to crash
users of this library. Especially when this allocation happens at the
end of a page, and the next page isn't valid. Then writing the last
byte/character could trigger a segmentation fault. Furthermore, the last
byte could corrupt the memory management pointers at the beginning of
allocations causing malloc and/or free to crash, as well as malloc/free
overwriting the last byte and the string then becoming longer due to the
missing '\0' termination causing applications to crash when e.g. strdup
allocates the memory based on strlen before allocation, then allocates
and corrupts the string, and finally memcpy-ing but not '\0' terminating
the duplicated string. These are all hypothetical though.
Regards,
Remko Bijker
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libxdg-basedir1 depends on:
ii libc6 2.17-96
libxdg-basedir1 recommends no packages.
libxdg-basedir1 suggests no packages.
-- no debconf information
==14838== Memcheck, a memory error detector
==14838== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14838== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==14838== Command: ./a.out
==14838==
/home/rubidium/.local/share
==14838==
==14838== HEAP SUMMARY:
==14838== in use at exit: 0 bytes in 0 blocks
==14838== total heap usage: 1 allocs, 1 frees, 28 bytes allocated
==14838==
==14838== All heap blocks were freed -- no leaks are possible
==14838==
==14838== For counts of detected and suppressed errors, rerun with: -v
==14838== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
==14808== Memcheck, a memory error detector
==14808== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14808== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==14808== Command: ./a.out
==14808==
==14808== Invalid write of size 1
==14808== at 0x4C2D97A: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:881)
==14808== by 0x4E352A0: xdgGetRelativeHome (basedir.c:577)
==14808== by 0x4006A5: main (in /tmp/a.out)
==14808== Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808== at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808== by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808== by 0x4006A5: main (in /tmp/a.out)
==14808==
==14808== Invalid read of size 1
==14808== at 0x4C2C954: __GI_strlen (mc_replace_strmem.c:405)
==14808== by 0x50A42DB: puts (ioputs.c:36)
==14808== by 0x4006B5: main (in /tmp/a.out)
==14808== Address 0x53e305b is 0 bytes after a block of size 27 alloc'd
==14808== at 0x4C294A0: malloc (vg_replace_malloc.c:291)
==14808== by 0x4E35278: xdgGetRelativeHome (basedir.c:575)
==14808== by 0x4006A5: main (in /tmp/a.out)
==14808==
/home/rubidium/.local/share
==14808==
==14808== HEAP SUMMARY:
==14808== in use at exit: 0 bytes in 0 blocks
==14808== total heap usage: 1 allocs, 1 frees, 27 bytes allocated
==14808==
==14808== All heap blocks were freed -- no leaks are possible
==14808==
==14808== For counts of detected and suppressed errors, rerun with: -v
==14808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)
diff -Nupr libxdg-basedir-1.1.1.orig/src/basedir.c libxdg-basedir-1.1.1/src/basedir.c
--- libxdg-basedir-1.1.1.orig/src/basedir.c 2013-11-25 16:07:09.864380760 +0100
+++ libxdg-basedir-1.1.1/src/basedir.c 2013-11-25 16:09:07.452378162 +0100
@@ -572,7 +572,7 @@ static char * xdgGetRelativeHome(const c
unsigned int homelen;
if (!(home = xdgGetEnv("HOME")))
return NULL;
- if (!(relhome = (char*)malloc((homelen = strlen(home))+fallbacklength))) return NULL;
+ if (!(relhome = (char*)malloc((homelen = strlen(home))+fallbacklength+1))) return NULL;
memcpy(relhome, home, homelen);
memcpy(relhome+homelen, relativefallback, fallbacklength+1);
}
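Review bot: the allocation now matches what the two memcpy calls write: homelen bytes of home followed by fallbacklength+1 bytes of relativefallback (its NUL included), so homelen+fallbacklength+1 is exactly right and the "block of size 27" / "0 bytes after" reports from valgrind should go away. Two minor points on the same lines: `homelen` is declared `unsigned int` while strlen returns size_t, so `size_t homelen;` would avoid a narrowing conversion for very long $HOME values, and the `(char*)` cast on malloc is unnecessary in C.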
#include <stdlib.h>
#include <stdio.h>
#include <basedir.h>

int main(int argc, char *argv[])
{
    /* With a NULL handle xdgDataHome returns a freshly allocated string
     * (see the HEAP SUMMARY: one alloc, one free); the caller frees it. */
    const char *xdg_data_home = xdgDataHome(NULL);
    if (xdg_data_home == NULL)
        return 1;
    printf("%s\n", xdg_data_home);
    free((void*)xdg_data_home);
    return 0;
}
--- End Message ---
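As an added illustration (not the reporter's or the library's code) of why the one-byte gap shows up as valgrind's "block of size 27": the size the two memcpy calls write versus the size malloc'd before and after the patch, plus a hardened form of the concatenation. `relative_home` and `alloc_size` are hypothetical names; the lengths come from the $HOME and fallback seen in the valgrind run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes xdgGetRelativeHome writes into relhome: homelen bytes of $HOME,
 * then fallbacklength bytes of the fallback plus its '\0' terminator. */
size_t bytes_written(size_t homelen, size_t fallbacklength)
{
    return homelen + fallbacklength + 1;
}

/* Allocation size at basedir.c:575: the 1.1.1 code omits the +1 that the
 * patch adds, so unpatched it is one byte short of bytes_written(). */
size_t alloc_size(size_t homelen, size_t fallbacklength, int patched)
{
    return homelen + fallbacklength + (patched ? 1 : 0);
}

/* Bytes by which a write of `written` bytes overruns a block of `alloc`
 * bytes; 0 means the write stays inside the allocation. */
size_t overrun_bytes(size_t alloc, size_t written)
{
    return written > alloc ? written - alloc : 0;
}

/* Hardened equivalent of the concatenation (hypothetical name, not the
 * library's API): size_t lengths and the terminator counted explicitly. */
char *relative_home(const char *home, const char *relativefallback)
{
    size_t homelen = strlen(home), fallbacklength = strlen(relativefallback);
    char *relhome = malloc(homelen + fallbacklength + 1);  /* +1 for '\0' */
    if (!relhome)
        return NULL;
    memcpy(relhome, home, homelen);
    memcpy(relhome + homelen, relativefallback, fallbacklength + 1);
    return relhome;
}

int main(void)
{
    /* Constructed input matching the report: 14 + 13 chars, 28 bytes needed. */
    size_t h = strlen("/home/rubidium"), f = strlen("/.local/share");
    for (int patched = 0; patched <= 1; patched++)
        printf("patched=%d: alloc %zu, written %zu, overrun %zu\n", patched,
               alloc_size(h, f, patched), bytes_written(h, f),
               overrun_bytes(alloc_size(h, f, patched), bytes_written(h, f)));
    char *p = relative_home("/home/rubidium", "/.local/share");
    if (p) { puts(p); free(p); }
    return 0;
}
```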
--- Begin Message ---
Source: libxdg-basedir
Source-Version: 1.2.0-1
We believe that the bug you reported is fixed in the latest version of
libxdg-basedir, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 730...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Miriam Ruiz <mir...@debian.org> (supplier of updated libxdg-basedir package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 11 Feb 2014 19:39:53 +0100
Source: libxdg-basedir
Binary: libxdg-basedir-dev libxdg-basedir1 libxdg-basedir1-dbg
Architecture: source amd64
Version: 1.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Mark Nevill <mark.nev...@gmail.com>
Changed-By: Miriam Ruiz <mir...@debian.org>
Description:
libxdg-basedir-dev - Implementation of the XDG Base Directory Specifications
(developm
libxdg-basedir1 - Implementation of the XDG Base Directory Specifications
libxdg-basedir1-dbg - Implementation of the XDG Base Directory Specifications
(debuggin
Closes: 720576 730487 734558
Changes:
libxdg-basedir (1.2.0-1) unstable; urgency=medium
.
* New upstream release
- Added support for Basedir 0.7's XDG_RUNTIME_DIRECTORY.
* Upgraded Standards-Version to 3.9.5
* Migrated debian/copyright to machine-readable format
* Changed homepage to http://nevill.ch/libxdg-basedir . Closes: #720576
* Changed my email address to mir...@debian.org
* Fixes: Writing beyond allocated buffer. Closes: #730487
* Use dh-autoreconf instead of autotools-dev to fix FTBFS. Closes: #734558
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---