Package: fakechroot
Version: 2.5-1.1.20070212-6
Severity: important

(Ignore the version, it's my local build with other fixes, the bug is
clear from reading the source...)

libfakechroot.c, readlink() implementation, in particular the
end-of-buffer handling, can truncate links; coreutils readlink exposes
this because it starts out passing in a bufsiz of 128, and it's easy
to have a FAKECHROOT_BASE nearly that deep...

The fix I propose is to 
  1. call next_readlink with FAKECHROOT_MAXPATH-1, not bufsiz
  2. check strlen(tmpptr) against bufsiz and return -1 if it won't fit
  3. use strncpy so as not to overrun the input buffer
    3a. return the length of the input, since the output copy might
        not have a null at the end.

Following is a rough trace demonstrating the truncation, using
readlink from coreutils 5.2.1-2; note that "readlink x130" gives
only 27 characters of the link, instead of 30.


wildcat$ fakeroot fakechroot
wildcat# env | grep FAKE
FAKECHROOT=true
FAKEROOTKEY=1024906132
FAKECHROOT_VERSION=2.5
FAKED_MODE=unknown-is-root
wildcat# mkdir /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
wildcat# echo -n /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 | wc -c
100
wildcat# export FAKECHROOT_BASE=/tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
wildcat# cd /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
wildcat# unset FAKECHROOT_BASE
wildcat# pwd
/
wildcat# cd /
wildcat# ls
afs/  boot/   dev/  home/    lib/         media/  opt/   root/  srv/  tmp/  var/
bin/  cdrom/  etc/  initrd/  lost+found/  mnt/    proc/  sbin/  sys/  usr/  vmlinuz@
wildcat# pwd
/
wildcat# ln -s /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/123456789 /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/x110
wildcat# ln -s /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/1234567890123456789 /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/x120
wildcat# ln -s /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/12345678901234567890123456789 /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/x130
wildcat# readlink /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/x130
/tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/12345678901234567890123456789
wildcat# readlink /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/x130 | wc -c
131
wildcat# cd /tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
wildcat# export FAKECHROOT_BASE=/tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
wildcat# pwd
/tmp/56789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
wildcat# echo *
bin x110 x120 x130
wildcat# readlink x130
/123456789012345678901234567
wildcat# readlink x120
/1234567890123456789
wildcat# readlink x110
/123456789


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.15-mc2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages fakechroot depends on:
ii  libc6                 2.3.2.ds1-22sarge4 GNU C Library: Shared libraries an

-- debconf-show failed
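
Added example, not part of the original report and not fakechroot's own code: a small C model of the truncation in the trace and of the fix steps 1-3a proposed above. The stub next_readlink, the two wrapper names, the in-memory link target and the FAKECHROOT_MAXPATH value of 2048 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define FAKECHROOT_MAXPATH 2048              /* assumed value for this model */
#define D10 "0123456789"
/* Constructed sample data matching the trace: 100-char base, 130-char target */
#define BASE   "/tmp/56789" D10 D10 D10 D10 D10 D10 D10 D10 D10
#define TARGET BASE "/123456789" D10 D10

/* Stand-in for the real readlink(2): copies at most bufsiz bytes, no NUL. */
static ssize_t next_readlink(const char *path, char *buf, size_t bufsiz) {
    size_t n = strlen(TARGET);
    (void)path;
    if (n > bufsiz) n = bufsiz;
    memcpy(buf, TARGET, n);
    return (ssize_t)n;
}

static const char *strip_base(const char *p) {
    size_t b = strlen(BASE);
    return strncmp(p, BASE, b) == 0 ? p + b : p;
}

/* Reported behaviour: the caller's bufsiz limits the host path, so bytes
   are lost before the base prefix is stripped. */
ssize_t readlink_truncating(const char *path, char *buf, size_t bufsiz) {
    char tmp[FAKECHROOT_MAXPATH];
    if (bufsiz > sizeof tmp - 1) bufsiz = sizeof tmp - 1;
    ssize_t n = next_readlink(path, tmp, bufsiz);
    if (n < 0) return -1;
    tmp[n] = '\0';
    const char *p = strip_base(tmp);
    memcpy(buf, p, strlen(p));
    return (ssize_t)strlen(p);
}

/* Proposed fix, following steps 1, 2, 3 and 3a of the report. */
ssize_t readlink_proposed(const char *path, char *buf, size_t bufsiz) {
    char tmp[FAKECHROOT_MAXPATH];
    ssize_t n = next_readlink(path, tmp, FAKECHROOT_MAXPATH - 1); /* 1 */
    if (n < 0) return -1;
    tmp[n] = '\0';
    const char *p = strip_base(tmp);
    size_t len = strlen(p);
    if (len > bufsiz) return -1;                                   /* 2 */
    strncpy(buf, p, bufsiz);          /* 3: no NUL when len == bufsiz */
    return (ssize_t)len;                                           /* 3a */
}

int main(void) {
    char out[256];
    printf("truncating: %zd\n", readlink_truncating("x130", out, 128));
    printf("proposed:   %zd\n", readlink_proposed("x130", out, 128));
    return 0;
}
```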

