Re: [Bug 1426635] Re: strace stack buffer overflow
Hello, that bug is fixed by the author of strace. Please check commit v4.9-356-g1dbd39e in the main strace repository.

On 2015. 4. 28., at 11:41 PM, Launchpad Bug Tracker <1426...@bugs.launchpad.net> wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: strace (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are subscribed to the bug report.
https://bugs.launchpad.net/bugs/1426635

Title:
  strace stack buffer overflow

Status in strace package in Ubuntu:
  Confirmed

Bug description:
  Tested Version : strace-4.9 (from strace sourceforge), strace-4.8 (apt-get install strace)
  Environment : Ubuntu 14.04.1 LTS x86_64

  Details:
  stack buffer overflow in startup_child() strace.c
  Input length check could be bypassed using a long string without a '/' character.
  So, the strcpy() function in the PATH concat processing code starts to overwrite stack data.

  -- TEST PAYLOAD
  abc@ubuntu:~$ ./strace `perl -e 'print "a"x5042'`
  Segmentation fault

  -- Backtrace with debugging symbol
  (gdb) r `perl -e 'print "a"x5042'`
  Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`

  Program received signal SIGSEGV, Segmentation fault.
  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
  85      getenv.c: No such file or directory.
  (gdb) bt
  #0  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
  #1  0x7fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3 <_nl_category_names+51> "LC_MESSAGES", category=5) at dcigettext.c:1372
  #2  __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc", msgid1=0x7fe3b81081ac "File name too long", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:573
  #3  0x7fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:52
  #4  0x7fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36, buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
  #5  0x7fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
  #6  0x0041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da "Can't stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
  #7  0x0041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't stat '%s'") at strace.c:323
  #8  0x0041371e in startup_child (argv=0x7fff6b28f160) at strace.c:1220
  #9  0x6161616161616161 in ?? ()
  #10 0x6161616161616161 in ?? ()
  #11 0x6161616161616161 in ?? ()
  #12 0x6161616161616161 in ?? ()
  #13 0x6161616161616161 in ?? ()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strace/+bug/1426635/+subscriptions

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1426635

Title:
  strace stack buffer overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strace/+bug/1426635/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1426635] [NEW] strace stack buffer overflow
*** This bug is a security vulnerability ***

Public security bug reported:

Tested Version : strace-4.9 (from strace sourceforge), strace-4.8 (apt-get install strace)
Environment : Ubuntu 14.04.1 LTS x86_64

Details:
stack buffer overflow in startup_child() strace.c
Input length check could be bypassed using a long string without a '/' character.
So, the strcpy() function in the PATH concat processing code starts to overwrite stack data.

-- TEST PAYLOAD
abc@ubuntu:~$ ./strace `perl -e 'print "a"x5042'`
Segmentation fault

-- Backtrace with debugging symbol
(gdb) r `perl -e 'print "a"x5042'`
Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`

Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
85      getenv.c: No such file or directory.
(gdb) bt
#0  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
#1  0x7fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3 <_nl_category_names+51> "LC_MESSAGES", category=5) at dcigettext.c:1372
#2  __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc", msgid1=0x7fe3b81081ac "File name too long", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:573
#3  0x7fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:52
#4  0x7fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36, buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
#5  0x7fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
#6  0x0041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da "Can't stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
#7  0x0041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't stat '%s'") at strace.c:323
#8  0x0041371e in startup_child (argv=0x7fff6b28f160) at strace.c:1220
#9  0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()

** Affects: strace (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security
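The defect the report describes is a PATH-search routine whose length check only ran on the branch taken when the program name contains a '/', so a long bare name was copied with strcpy() into a fixed stack buffer. The C function below is an added illustration of the bounded form of that pattern; it is not strace's code and not the referenced fix commit. It length-checks every candidate before writing it, refuses oversized input with ENAMETOOLONG, and is driven by a constructed in-memory "filesystem" (fake_exists) and constructed PATH strings so that it runs offline. find_in_path, PATH_BUF_MAX and the helper names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size buffer a candidate path is built in (assumed). */
#define PATH_BUF_MAX 4096

/* Bounded PATH lookup (illustration, not strace's own code).
 * Walks the colon-separated list `path`, builds "<dir>/<name>" into `out`
 * (capacity `outsz`) and returns 0 on the first candidate accepted by
 * `exists`. Every candidate, with or without a '/' in `name`, is
 * length-checked before anything is written; an oversized candidate fails
 * with errno = ENAMETOOLONG instead of running past the buffer. */
int find_in_path(const char *path, const char *name,
                 int (*exists)(const char *), char *out, size_t outsz)
{
    size_t name_len = strlen(name);

    if (strchr(name, '/') != NULL) {        /* explicit path: no PATH search */
        if (name_len + 1 > outsz) { errno = ENAMETOOLONG; return -1; }
        memcpy(out, name, name_len + 1);
        if (exists(out)) return 0;
        errno = ENOENT;
        return -1;
    }

    const char *p = path ? path : "";
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t dir_len = colon ? (size_t)(colon - p) : strlen(p);
        const char *dir = dir_len ? p : ".";  /* empty entry means cwd */
        if (dir_len == 0) dir_len = 1;

        /* dir + '/' + name + NUL must fit before a byte is copied. */
        if (dir_len + 1 + name_len + 1 > outsz) { errno = ENAMETOOLONG; return -1; }
        int n = snprintf(out, outsz, "%.*s/%s", (int)dir_len, dir, name);
        if (n < 0 || (size_t)n >= outsz) { errno = ENAMETOOLONG; return -1; }

        if (exists(out)) return 0;
        if (colon == NULL) break;
        p = colon + 1;
    }
    errno = ENOENT;
    return -1;
}

/* Constructed stand-in for the filesystem: exactly one path "exists". */
static int fake_exists(const char *candidate)
{
    return strcmp(candidate, "/opt/tools/prog") == 0;
}

/* Reproduces the input shape from the report: a 5042-byte name with no '/'.
 * Returns 1 if the lookup refuses it with ENAMETOOLONG, 0 otherwise. */
int long_name_is_rejected(void)
{
    static char name[5043];
    char out[PATH_BUF_MAX];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    errno = 0;
    int rc = find_in_path("/usr/local/bin:/usr/bin", name, fake_exists, out, sizeof out);
    return rc == -1 && errno == ENAMETOOLONG;
}

/* Normal case: a short name resolves through a constructed PATH that also
 * contains an empty entry. Returns 1 if it resolves to /opt/tools/prog. */
int short_name_resolves(void)
{
    char out[PATH_BUF_MAX];
    if (find_in_path("/usr/local/bin::/opt/tools", "prog", fake_exists, out, sizeof out) != 0)
        return 0;
    return strcmp(out, "/opt/tools/prog") == 0;
}

int main(void)
{
    printf("long name rejected: %d\n", long_name_is_rejected());
    printf("short name resolves: %d\n", short_name_resolves());
    return 0;
}
```

The point of the design is that the size check sits in front of the copy on every path through the function, not only on the branch the author happened to think about; snprintf's return value is checked as well so truncation is never silently accepted as a valid candidate.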
[Bug 1426635] Re: strace stack buffer overflow
** Information type changed from Public Security to Public