Bug#731151: marked as done (librxtx-java: Buffer overflow detected with large path)

[Debian Bug Tracking System]

Your message dated Wed, 26 Feb 2014 05:48:35 +0000
with message-id <e1wixmb-00010l...@franck.debian.org>
and subject line Bug#731151: fixed in rxtx 2.2pre2-12
has caused the Debian Bug report #731151,
regarding librxtx-java: Buffer overflow detected with large path
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
731151: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: librxtx-java
Version: 2.2pre2-10
Severity: important

Dear Maintainer,

I've noticed that large system paths produce a buffer overflow (other than 
reported in #673778). This error 
is produced if you use serial devices out of /dev/tty* (ie. 
/dev/serial/by-path/pci-0000:00:1d.0-usb-0:1.2:1.0).

I've detected the overflow in message buffer and lock file buffer. So, I've 
avaluated the solution used in #673778 
but this patch truncates messages (not very important) but lock files 
(critical). So, finally, I've replaced 
sprintf and snprintf funtions involving file[] and message[] by asprintf and 
free.

This patch was tested in Linux platform but not others.

Please, check this solution to fix overflows.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5.0-41-generic (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages librxtx-java depends on:
ii  libc6  2.15-0ubuntu10.5

librxtx-java recommends no packages.

librxtx-java suggests no packages.

-- no debconf information

--- a/src/SerialImp.c
+++ b/src/SerialImp.c
@@ -5821,7 +5821,7 @@ int is_device_locked( const char *port_f
 		LOCKDIR, NULL
 	};
 	const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL };
-	char *p, file[80], pid_buffer[20], message[80];
+	char *p, *file, pid_buffer[20], *message;
 	int i = 0, j, k, fd , pid;
 	struct stat buf, buf2, lockbuf;
 
@@ -5862,19 +5862,22 @@ int is_device_locked( const char *port_f
 			while ( lockprefixes[k] )
 			{
 				/* FHS style */
-				sprintf( file, "%s/%s%s", lockdirs[i],
+				asprintf( &file, "%s/%s%s", lockdirs[i],
 					lockprefixes[k], p );
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					report_warning( message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 
 				/* UUCP style */
 				stat(port_filename , &buf );
-				sprintf( file, "%s/%s%03d.%03d.%03d",
+				asprintf( &file, "%s/%s%03d.%03d.%03d",
 					lockdirs[i],
 					lockprefixes[k],
 					(int) major( buf.st_dev ),
@@ -5883,11 +5886,14 @@ int is_device_locked( const char *port_f
 				);
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					report_warning( message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 				k++;
 			}
 		}
@@ -5911,7 +5917,7 @@ int is_device_locked( const char *port_f
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
+	asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
 #else
 	/*  UUCP standard locks */
 	if ( stat( port_filename, &buf ) != 0 )
@@ -5919,7 +5925,7 @@ int is_device_locked( const char *port_f
 		report( "RXTX is_device_locked() could not find device.\n" );
 			return 1;
 	}
-	sprintf( file, "%s/LK.%03d.%03d.%03d",
+	asprintf( &file, "%s/LK.%03d.%03d.%03d",
 		LOCKDIR,
 		(int) major( buf.st_dev ),
  		(int) major( buf.st_rdev ),
@@ -5940,21 +5946,25 @@ int is_device_locked( const char *port_f
 
 		if( kill( (pid_t) pid, 0 ) && errno==ESRCH )
 		{
-			sprintf( message,
+			asprintf( &message,
 				"RXTX Warning:  Removing stale lock file. %s\n",
 				file );
 			report_warning( message );
+			free( message );
 			if( unlink( file ) != 0 )
 			{
-				snprintf( message, 80, "RXTX Error:  Unable to \
+				asprintf( &message, "RXTX Error:  Unable to \
 					remove stale lock file: %s\n",
 					file
 				);
 				report_warning( message );
+				free( message );
+				free( file );
 				return 1;
 			}
 		}
 	}
+	free(file);
 	return 0;
 }
 #endif /* WIN32 */
--- a/src/lfd/lockdaemon.c
+++ b/src/lfd/lockdaemon.c
@@ -120,8 +120,8 @@ int fhs_lock( const char *filename, int
 	 *
 	 */
 	int fd,j;
-	char lockinfo[12], message[80];
-	char file[80], *p;
+	char lockinfo[12];
+	char *file, *p, *message;
 
 	j = strlen( filename );
 	p = ( char * ) filename + j;
@@ -136,24 +136,28 @@ int fhs_lock( const char *filename, int
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/LCK..%s", LOCKDIR, p );
 	if ( check_lock_status( filename ) )
 	{
 		/* syslog( LOG_INFO, "fhs_lock() lockstatus fail\n" ); */
 		return 1;
 	}
+	asprintf( &file, "%s/LCK..%s", LOCKDIR, p );
 	fd = open( file, O_CREAT | O_WRONLY | O_EXCL, 0444 );
 	if( fd < 0 )
 	{
-		sprintf( message,
+		asprintf( &message,
 			"RXTX fhs_lock() Error: creating lock file: %s: %s\n",
 			file, strerror(errno) );
 		syslog( LOG_INFO, message );
+		free(message);
+		free(file);
 		return 1;
 	}
 	sprintf( lockinfo, "%10d\n", pid );
-	sprintf( message, "fhs_lock: creating lockfile: %s\n", lockinfo );
+	//asprintf( &message, "fhs_lock: creating lockfile: %s\n", lockinfo );
 	//syslog( LOG_INFO, message );
+	//free(message);
+	free(file);
 	write( fd, lockinfo, 11 );
 	close( fd );
 	return 0;
@@ -563,7 +567,7 @@ int is_device_locked( const char *port_f
 		LOCKDIR, NULL
 	};
 	const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; 
-	char *p, file[80], pid_buffer[20], message[80];
+	char *p, *file, pid_buffer[20], *message;
 	int i = 0, j, k, fd , pid;
 	struct stat buf;
 	struct stat buf2;
@@ -602,19 +606,22 @@ int is_device_locked( const char *port_f
 			while ( lockprefixes[k] )
 			{
 				/* FHS style */
-				sprintf( file, "%s/%s%s", lockdirs[i],
+				asprintf( &file, "%s/%s%s", lockdirs[i],
 					lockprefixes[k], p );
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 
 				/* UUCP style */
 				stat(port_filename , &buf );
-				sprintf( file, "%s/%s%03d.%03d.%03d",
+				asprintf( &file, "%s/%s%03d.%03d.%03d",
 					lockdirs[i],
 					lockprefixes[k],
 					(int) major( buf.st_dev ),
@@ -623,11 +630,14 @@ int is_device_locked( const char *port_f
 				);
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 				k++;
 			}
 		}
@@ -651,10 +661,10 @@ int is_device_locked( const char *port_f
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
+	asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
 #else 
 	/*  UUCP standard locks */
-	sprintf( file, "%s/LK.%03d.%03d.%03d",
+	asprintf( &file, "%s/LK.%03d.%03d.%03d",
 		LOCKDIR,
 		(int) major( buf.st_dev ),
  		(int) major( buf.st_rdev ),
@@ -672,32 +682,39 @@ int is_device_locked( const char *port_f
 		/* FIXME null terminiate pid_buffer? need to check in Solaris */
 		close( fd );
 		sscanf( pid_buffer, "%d", &pid );
-		sprintf( message, "found lock for %s with pid %i\n", file, pid );
+		/* asprintf( &message, "found lock for %s with pid %i\n", file, pid ); */
 		/* syslog( LOG_INFO, message ); */
+		/* free( message ); */
 
 		if( kill( (pid_t) pid, 0 ) && errno==ESRCH )
 		{
-			sprintf( message,
+			asprintf( &message,
 				"RXTX Warning:  Removing stale lock file. %s\n",
 				file );
 			syslog( LOG_INFO, message );
+			free( message );
 			if( unlink( file ) != 0 )
 			{
-				snprintf( message, 80, "RXTX Error:  Unable to \
+				asprintf( &message, "RXTX Error:  Unable to \
 					remove stale lock file: %s\n",
 					file
 				);
 				syslog( LOG_INFO, message );
+				free( message );
+				free( file );
 				return 0;
 			}
 		}
 		else
 		{
-			sprintf( message, "could not kill %i\n", pid );
+			/* asprintf( &message, "could not kill %i\n", pid ); */
 			/* syslog( LOG_INFO, message ); */
+			/* free( message ); */
+			free( file );
 			return 1;
 		}
 	}
+	free( file );
 	return 0;
 }
 int init( void )
--- a/src/lfd/lockdaemon.c.noinetd
+++ b/src/lfd/lockdaemon.c.noinetd
@@ -119,8 +119,8 @@ int fhs_lock( const char *filename, int
 	 *
 	 */
 	int fd,j;
-	char lockinfo[12], message[80];
-	char file[80], *p;
+	char lockinfo[12];
+	char *file, *p, *message;
 
 	j = strlen( filename );
 	p = ( char * ) filename + j;
@@ -135,24 +135,28 @@ int fhs_lock( const char *filename, int
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/LCK..%s", LOCKDIR, p );
 	if ( check_lock_status( filename ) )
 	{
 		syslog( LOG_INFO, "fhs_lock() lockstatus fail\n" );
 		return 1;
 	}
+	asprintf( &file, "%s/LCK..%s", LOCKDIR, p );
 	fd = open( file, O_CREAT | O_WRONLY | O_EXCL, 0444 );
 	if( fd < 0 )
 	{
-		sprintf( message,
+		asprintf( &message,
 			"RXTX fhs_lock() Error: creating lock file: %s: %s\n",
 			file, strerror(errno) );
 		syslog( LOG_INFO, message );
+		free(message);
+		free(file);
 		return 1;
 	}
 	sprintf( lockinfo, "%10d\n", pid );
-	sprintf( message, "fhs_lock: creating lockfile: %s\n", lockinfo );
+	asprintf( &message, "fhs_lock: creating lockfile: %s\n", lockinfo );
 	syslog( LOG_INFO, message );
+	free( message );
+	free( file );
 	write( fd, lockinfo, 11 );
 	close( fd );
 	return 0;
@@ -556,7 +560,7 @@ int is_device_locked( const char *port_f
 		LOCKDIR, NULL
 	};
 	const char *lockprefixes[] = { "LCK..", "lk..", "LK.", NULL }; 
-	char *p, file[80], pid_buffer[20], message[80];
+	char *p, *file, pid_buffer[20], *message;
 	int i = 0, j, k, fd , pid;
 	struct stat buf;
 	struct stat buf2;
@@ -595,19 +599,22 @@ int is_device_locked( const char *port_f
 			while ( lockprefixes[k] )
 			{
 				/* FHS style */
-				sprintf( file, "%s/%s%s", lockdirs[i],
+				asprintf( &file, "%s/%s%s", lockdirs[i],
 					lockprefixes[k], p );
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 
 				/* UUCP style */
 				stat(port_filename , &buf );
-				sprintf( file, "%s/%s%03d.%03d.%03d",
+				asprintf( &file, "%s/%s%03d.%03d.%03d",
 					lockdirs[i],
 					lockprefixes[k],
 					(int) major( buf.st_dev ),
@@ -616,11 +623,14 @@ int is_device_locked( const char *port_f
 				);
 				if( stat( file, &buf ) == 0 )
 				{
-					sprintf( message, UNEXPECTED_LOCK_FILE,
+					asprintf( &message, UNEXPECTED_LOCK_FILE,
 						file );
 					syslog( LOG_INFO, message );
+					free( message );
+					free( file );
 					return 1;
 				}
+				free( file );
 				k++;
 			}
 		}
@@ -644,7 +654,7 @@ int is_device_locked( const char *port_f
 #endif /* __unixware__ */
 		p--;
 	}
-	sprintf( file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
+	asprintf( &file, "%s/%s%s", LOCKDIR, LOCKFILEPREFIX, p );
 #else 
 	/*  UUCP standard locks */
 	if ( stat( port_filename, &buf ) != 0 )
@@ -656,7 +666,7 @@ int is_device_locked( const char *port_f
 		syslog( LOG_INFO, message );
 		return 1;
 	}
-	sprintf( file, "%s/LK.%03d.%03d.%03d",
+	asprintf( &file, "%s/LK.%03d.%03d.%03d",
 		LOCKDIR,
 		(int) major( buf.st_dev ),
  		(int) major( buf.st_rdev ),
@@ -677,10 +687,11 @@ int is_device_locked( const char *port_f
 
 		if( kill( (pid_t) pid, 0 ) && errno==ESRCH )
 		{
-			sprintf( message,
+			asprintf( &message,
 				"RXTX Warning:  Removing stale lock file. %s\n",
 				file );
 			syslog( LOG_INFO, message );
+			free( message );
 			if( unlink( file ) != 0 )
 			{
 				snprintf( message, 80, "RXTX Error:  Unable to \
@@ -688,10 +699,13 @@ int is_device_locked( const char *port_f
 					file
 				);
 				syslog( LOG_INFO, message );
+				free( message );
+				free( file );
 				return 1;
 			}
 		}
 	}
+	free( file );
 	return 0;
 }
 int init( void )

--- End Message ---

--- Begin Message ---

Source: rxtx
Source-Version: 2.2pre2-12

We believe that the bug you reported is fixed in the latest version of
rxtx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated rxtx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Feb 2014 20:46:17 -0800
Source: rxtx
Binary: librxtx-java librxtx-java-dbg
Architecture: source amd64
Version: 2.2pre2-12
Distribution: unstable
Urgency: medium
Maintainer: Debian Java maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Description: 
 librxtx-java - Full Java CommAPI implementation
 librxtx-java-dbg - Full Java CommAPI implementation, Debugging Symbols
Closes: 731151 740098
Changes: 
 rxtx (2.2pre2-12) unstable; urgency=medium
 .
   * Team upload.
   * Apply patch for USB serial adapters at 38400 (Closes: #740098)
     - Thank you to Jan Niehusmann for the analysis and patch.
   * Apply patch for buffer overflow with long paths.  (Closes: #731151)
     - Thank you to Jose Luis Guardiola for the patch.
   * Remove DMUA field from debian/control.
   * Bump DH dependency from 8 to 9.
     - Add patch for compilation with format-security as error.
   * Bump Standards-Version to 3.9.5.
Checksums-Sha1: 
 f887b97bcddaf8f4ca94da1f56c176b11103770a 1978 rxtx_2.2pre2-12.dsc
 6030e8cf05bf76b8ccc48e8aa8fcf154d0fcb3fb 19748 rxtx_2.2pre2-12.debian.tar.xz
 78777f8ac2c90716c5248b3613ee551b424b33bc 173130 
librxtx-java_2.2pre2-12_amd64.deb
 029c39096642bec1d8f01211a39cd80f3a027377 152768 
librxtx-java-dbg_2.2pre2-12_amd64.deb
Checksums-Sha256: 
 2c1cf5826df366336126f79e5d1863cf9119d7239b34a82afb6da662677c32d9 1978 
rxtx_2.2pre2-12.dsc
 fbfb1c36cfe83e7c17ecdb28b8fe2ee5a0b3227d4f4c0384351adfae7a84ae85 19748 
rxtx_2.2pre2-12.debian.tar.xz
 c0554bb4bdebc5f7356a54c9388e8b114c877f15ff869d640a8c60260138de67 173130 
librxtx-java_2.2pre2-12_amd64.deb
 a8ad504324d992d45664317c980d97cf51d1dbe426275f71eb0440df77cce31f 152768 
librxtx-java-dbg_2.2pre2-12_amd64.deb
Files: 
 61fa19601b6e4c7a046b084dbc2bf182 1978 java optional rxtx_2.2pre2-12.dsc
 d00bb582094033d9da59e8ccda6616da 19748 java optional 
rxtx_2.2pre2-12.debian.tar.xz
 6232a654988265af2d2356a6ccdf7413 173130 java optional 
librxtx-java_2.2pre2-12_amd64.deb
 31827d07849c540f56eeb2571983a048 152768 debug extra 
librxtx-java-dbg_2.2pre2-12_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTDX+4AAoJECHSBYmXSz6WI50QAMn3QFbRF+C02epWgvH3BboI
XDXDJhiCfun/X08q5ECpmMoXAC8DST1D44gUEgyH7zpVkj4TINtzUj1gAsZTXqrG
d7iIXu4KpV4P2zchSiU+PQyjy7cSyqX+aLa3qxaJh52A0HQoSsBFnrTPyntmcoti
5F69WYkZQFEp/QwBEHJ1Y2lCpLq2wonAHwcae7++LrM+0IsjzxLQBuF5u9tViJuk
SmOHpdBKWu1HHvC30rOliNpk3UtvLt+zHof+kft5Tomd9uk25Qllwy9Z0VaSrJjI
fIvs6+upUUB9bDmN5Llrsx6qNUhNZq2GqjatpP8O+HnoNmXT8xgsvNMWUpxb9wn7
dg6g9XPNVThE0jGUnzKZDB9j5VdeVohQhSgmehlCmdA1z0QTXCC9g5zfpE0tD2Hr
QZEA25An7XkJ/EZ/w24mXM7vyZDmTPVYw45s8+3NlJGLBNj33+ITAL093u4KqdYS
aHt3+qnU58+Ihoxex8BkI+DhlUfAFjz5q8RjTh4Zl4LAWVIqNEsMcMPiIpgNuXih
JMh874uj4Hx/CPrzH6igaHwMlS8HOQXgFMu8OI3q1hzwL1DEaDxz2m66QhYm0SuB
jKWnAOGrac0/5ZtZsN9fA6dK5lbzrk+R+grib++sXksA1Li/i6VVFcB7bztfVOCz
aQ/ubJDu2pSDzQtC7Qqv
=Qa6x
-----END PGP SIGNATURE-----

--- End Message ---

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.