Xymon Mailing List Archive

acknowledge.c(gi) buffer overrun

6 messages in this thread

list Christoph Berg · Thu, 22 Jan 2015 17:14:37 +0100 ·
Hi,

spotted on 4.3.17 in production:

--- a/web/acknowledge.c
+++ b/web/acknowledge.c
@@ -289,7 +289,7 @@ int main(int argc, char *argv[])
 					pcre *dummy;
 					char *re;
 
-					re = (char *)malloc(8 + strlen(pagename));
+					re = (char *)malloc(8 + 2*strlen(pagename));
 					sprintf(re, "%s$|^%s/.+", pagename, pagename);
 					dummy = compileregex(re);
 					if (dummy) {
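
Review bot: the size on the + line is still a hand-counted constant paired with the unbounded sprintf on the next line, which is how the original undercount happened. The new value is sufficient (the format "%s$|^%s/.+" writes 2*strlen(pagename) + 6 bytes plus the terminating NUL, so 8 + 2*strlen(pagename) leaves one spare byte), but it would be more robust to derive the length from the literal part of the format, e.g. size_t n = 2*strlen(pagename) + sizeof("$|^/.+");, write with snprintf(re, n, ...), and check the malloc result before use, which the visible lines do not do. Separately, pagename is copied into the pattern handed to compileregex without escaping, so regex metacharacters in it change the pattern; worth confirming it is validated before this point.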

This might even deserve a CVE number, but as it's a seccgi, it's
not widely exposed.

Christoph
-- 
user-92157dbc91bf@xymon.invalid | http://www.df7cb.de/
list Japheth Cleaver · Thu, 22 Jan 2015 13:36:48 -0800 ·
On Thu, January 22, 2015 8:14 am, Christoph Berg wrote:
Hi,

spotted on 4.3.17 in production:

--- a/web/acknowledge.c
+++ b/web/acknowledge.c
@@ -289,7 +289,7 @@ int main(int argc, char *argv[])
 					pcre *dummy;
 					char *re;

-					re = (char *)malloc(8 + strlen(pagename));
+					re = (char *)malloc(8 + 2*strlen(pagename));
 					sprintf(re, "%s$|^%s/.+", pagename, pagename);
 					dummy = compileregex(re);
 					if (dummy) {

This might even deserve a CVE number, but as it's a seccgi, it's
not widely exposed.

Christoph
--

This is fixed in (unreleased) 4.3.18, via
https://sourceforge.net/p/xymon/code/7483.

Originally reported
http://lists.xymon.com/pipermail/xymon/2014-August/040003.html


HTH,
-jc
list Christoph Berg · Fri, 23 Jan 2015 14:06:27 +0100 ·
Re: J.C. Cleaver 2015-01-22 <user-4199642a17cb@xymon.invalid>
> On Thu, January 22, 2015 8:14 am, Christoph Berg wrote:
> > This might even deserve a CVE number, but as it's a seccgi, it's
> > not widely exposed.
>
> This is fixed in (unreleased) 4.3.18, via
> https://sourceforge.net/p/xymon/code/7483.
>
> Originally reported
> http://lists.xymon.com/pipermail/xymon/2014-August/040003.html

Oh, ok. I thought about checking svn, but then didn't. Thanks for the
pointer!

Still, this is a pretty bad buffer overflow, so a new release should
be made soonish. We'll push this patch into the 4.3.17 in Debian Jessie.

Christoph
-- 
user-92157dbc91bf@xymon.invalid | http://www.df7cb.de/
list Axel Beckert · Sat, 31 Jan 2015 16:24:51 +0100 ·
Hi,

On Fri, Jan 23, 2015 at 02:06:27PM +0100, Christoph Berg wrote:
> Re: J.C. Cleaver 2015-01-22 <user-4199642a17cb@xymon.invalid>
> > On Thu, January 22, 2015 8:14 am, Christoph Berg wrote:
> > > This might even deserve a CVE number, but as it's a seccgi, it's
> > > not widely exposed.

It now got a CVE-ID assigned: CVE-2015-1430

See http://www.openwall.com/lists/oss-security/2015/01/31/4

> > This is fixed in (unreleased) 4.3.18, via
> > https://sourceforge.net/p/xymon/code/7483.

Any news about when 4.3.18 will be officially released?

		Kind regards, Axel Beckert
-- 
Axel Beckert <user-96d9963fe797@xymon.invalid>       support: +41 44 633 26 68
IT Services Group, HPT H 6                  voice: +41 44 633 41 89
Departement of Physics, ETH Zurich
CH-8093 Zurich, Switzerland		   http://nic.phys.ethz.ch/
list Mark Felder · Sat, 31 Jan 2015 13:21:19 -0600 ·
On Sat, Jan 31, 2015, at 09:24, Axel Beckert wrote:
> Hi,
>
> On Fri, Jan 23, 2015 at 02:06:27PM +0100, Christoph Berg wrote:
> > Re: J.C. Cleaver 2015-01-22 <user-4199642a17cb@xymon.invalid>
> > > On Thu, January 22, 2015 8:14 am, Christoph Berg wrote:
> > > > This might even deserve a CVE number, but as it's a seccgi, it's
> > > > not widely exposed.
>
> It now got a CVE-ID assigned: CVE-2015-1430
>
> See http://www.openwall.com/lists/oss-security/2015/01/31/4
>
> > > This is fixed in (unreleased) 4.3.18, via
> > > https://sourceforge.net/p/xymon/code/7483.
>
> Any news about when 4.3.18 will be officially released?

It has been unofficially officially released. I am shipping 4.3.18 in
FreeBSD.
list Mark Felder · Mon, 02 Feb 2015 09:10:10 -0600 ·
On Sat, Jan 31, 2015, at 09:24, Axel Beckert wrote:
> Hi,
>
> On Fri, Jan 23, 2015 at 02:06:27PM +0100, Christoph Berg wrote:
> > Re: J.C. Cleaver 2015-01-22 <user-4199642a17cb@xymon.invalid>
> > > On Thu, January 22, 2015 8:14 am, Christoph Berg wrote:
> > > > This might even deserve a CVE number, but as it's a seccgi, it's
> > > > not widely exposed.
>
> It now got a CVE-ID assigned: CVE-2015-1430
>
> See http://www.openwall.com/lists/oss-security/2015/01/31/4
>
> > > This is fixed in (unreleased) 4.3.18, via
> > > https://sourceforge.net/p/xymon/code/7483.

This was introduced in 4.3.4, r6691

http://sourceforge.net/p/xymon/code/6691/tree//trunk/web/acknowledge.c?diff=516c17fd34309d2eb14bcb64:6690