>Number:         149936
>Category:       bin
>Synopsis:       [patch] wrong handling of decompression utilities in libmagic
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 24 13:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Martin Beran
>Release:        FreeBSD 8.0-RELEASE-p2 i386
>Organization:
Trusted Network Solutions, a. s.
>Environment:
System: FreeBSD mb.tns.cz 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #11: Thu Jul 29 16:49:38 CEST 2010 [email protected]:/usr/obj/usr/src/sys/GENERIC i386

Observed also on FreeBSD 7.1.
>Description:
        Function magic_buffer() from libmagic(3) uses external utilities for
        decompression of compressed files. Data from an input in-memory buffer
        should be passed to the external program via a pipe. Due to an
        incorrect condition, the pipe is not initialized, hence no data are
        passed to the program. Moreover, calling close(2) with an argument
        taken from an uninitialized memory location causes closing of two
        indeterministically selected file descriptors. If the descriptor
        intended for reading from the decompression process is closed, the
        libmagic code will be stuck in an endless loop, using 100 % CPU,
        calling select(2) that always fails with EBADF.
>How-To-Repeat:
        Call magic_buffer(m, buf, sz) for m obtained by a prior call of
        magic_open(MAGIC_COMPRESS), with buf containing data compressed by
        bzip2.
>Fix:

        Apply the attached patch in /usr/src, recompile and reinstall
        /usr/src/lib/libmagic:

diff -ru contrib.orig/file/compress.c contrib/file/compress.c
--- contrib.orig/file/compress.c        2009-05-19 00:34:33.000000000 +0200
+++ contrib/file/compress.c     2010-08-24 15:09:11.000000000 +0200
@@ -197,6 +197,7 @@
                        if (selrv == -1) {
                                if (errno == EINTR || errno == EAGAIN)
                                        continue;
+                               return -1;
                        } else if (selrv == 0 && cnt >= 5) {
                                return 0;
                        } else
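
Review bot: The added "return -1" in the selrv == -1 branch puts a negative return value next to the existing "return 0" timeout path, so every caller of this read loop should be checked to confirm it tests for a negative result before using the value as a byte count. A one-line comment on the branch stating that any errno other than EINTR or EAGAIN (EBADF in the reported case) is treated as fatal would document the intent.
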
@@ -381,7 +382,7 @@
        (void)fflush(stdout);
        (void)fflush(stderr);
 
-       if ((fd != -1 && pipe(fdin) == -1) || pipe(fdout) == -1) {
+       if ((fd == -1 && pipe(fdin) == -1) || pipe(fdout) == -1) {
                file_error(ms, errno, "cannot create pipe");    
                return NODATA;
        }
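
Review bot: The error path under the corrected condition still returns NODATA without closing anything, so when pipe(fdin) succeeded and pipe(fdout) then failed, both ends of fdin leak; close them before the return. Because fdin is now created only when fd == -1, it would also help to initialise fdin to -1 values where it is declared (outside this hunk), to have every later close of it test the same condition, and to add a comment that fd == -1 is the in-memory buffer case.
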
>Release-Note:
>Audit-Trail:
>Unformatted:
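
The failure mode from the Description, reduced to a stand-alone C program. This is an added example, not code from the report or from libmagic. The helpers close_if_open(), wait_readable() and closed_reader_errno() are hypothetical names. It shows pipe arrays initialised to -1 so that a never-created pipe is not closed, and a select(2) loop that gives up on EBADF instead of spinning.

```c
#include <errno.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper, not libmagic's: close only descriptors that were opened. */
static void close_if_open(int *fd)
{
    if (*fd != -1)
        (void)close(*fd);
    *fd = -1;
}

/* Returns 1 if fd is readable, 0 after max_tries timeouts, -1 on an error
 * that retrying cannot fix (EBADF, for instance). */
static int wait_readable(int fd, int max_tries)
{
    for (int cnt = 0; cnt < max_tries; ) {
        fd_set rd;
        struct timeval tv = { 0, 100000 };   /* 100 ms per attempt */
        FD_ZERO(&rd);
        FD_SET(fd, &rd);
        int selrv = select(fd + 1, &rd, NULL, NULL, &tv);
        if (selrv == -1) {
            if (errno == EINTR || errno == EAGAIN)
                continue;                    /* transient: retry */
            return -1;                       /* permanent: stop looping */
        }
        if (selrv > 0)
            return 1;
        cnt++;                               /* timeout: count the attempt */
    }
    return 0;
}

/* Constructed scenario: the reader's descriptor is closed before it waits. */
int closed_reader_errno(void)
{
    int fdin[2] = { -1, -1 }, fdout[2] = { -1, -1 };
    if (pipe(fdout) == -1)
        return -2;
    int rfd = fdout[0];
    close_if_open(&fdin[0]);                 /* never created: no close() call */
    close_if_open(&fdout[0]);                /* reader's descriptor goes away */
    int rv = wait_readable(rfd, 5);
    int err = (rv == -1) ? errno : 0;
    close_if_open(&fdout[1]);
    return err;                              /* EBADF */
}

int main(void) { return closed_reader_errno() == EBADF ? 0 : 1; }
```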