
[Bug-ed] GNU Ed heap overflow


From: Core Security Advisories Team (CS)
Subject: [Bug-ed] GNU Ed heap overflow
Date: Mon, 30 Jun 2008 18:15:46 -0300

Hello,

Alfredo Ortega from Core Security Technologies has found that GNU Ed is vulnerable to a heap overflow.

The technical details of this bug are included below. We would appreciate receiving information about your plans for fixing this bug.

The error is located in the file signal.c:

203    /* return copy of escaped string of at most length PATH_MAX */
204    const char *strip_escapes( const char *s )
205      {
206      static char *file = 0;
207      static int filesz = 0;
208
209      int i = 0;
210
211      if( !resize_buffer( &file, &filesz, path_max( 0 ) + 1 ) ) return 0;
212      /* assert: no trailing escape */
213      while( ( file[i++] = ( (*s == '\\' ) ? *++s : *s ) ) )
214        s++;
215      return file;
216      }

The strip_escapes() function is called with the name of a file. The
length of the file is not checked, and the resize_buffer() function will
allocate a buffer with the size provided by the function path_max(),
that never exceeds 8192 bytes. If the file name length is greater than
this value, the function will overwrite the heap-allocated buffer in the
while loop at line 213. The strip_escapes() function is called from
several points in the source code, all vulnerable to this heap overflow,
but an easy way to reproduce the overflow is with the following python
script:

###
import os
# Invoke ed with a 10000-character file name, longer than the path_max() limit
cmd = '/bin/ed %s' % (10000 * 'A')
os.system(cmd)
###

Thanks in advance,
-Carlos

--
Carlos Sarraute
Advisories Team
Core Security Technologies
www.coresecurity.com
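The defect described above is a copy loop with no bound on the destination. The following is an added example, not code from the advisory and not GNU Ed's own fix: a bounds-checked variant of the same unescaping loop, in which the caller supplies the output buffer and its size and the function refuses a name that would not fit instead of writing past the end. The helper check_name_fits() is hypothetical and only reproduces the advisory's scenario (a long run of 'A's against a buffer sized like path_max( 0 ) + 1) in memory, so the check can be run without a vulnerable binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not GNU Ed's code): bounded version of the strip_escapes()
   loop. Copies s into out, turning "\x" into "x", never writing more than
   outsz bytes including the terminating NUL. Returns the length of the
   unescaped string, or -1 if it would not fit (out is then "" if outsz > 0). */
int strip_escapes_bounded( const char *s, char *out, size_t outsz )
{
    size_t i = 0;
    if( !out || outsz == 0 ) return -1;
    while( *s )
    {
        /* room for this character plus the NUL is the check the original lacks */
        if( i + 1 >= outsz ) { out[0] = '\0'; return -1; }
        if( *s == '\\' )
        {
            s++;
            if( !*s ) break; /* trailing escape: nothing to copy, just terminate */
        }
        out[i++] = *s++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Hypothetical harness mirroring the advisory's reproducer: a file name of
   name_len 'A's against an output buffer of bufsz bytes (e.g. 8193 for
   path_max( 0 ) + 1). Returns 1 if accepted, 0 if rejected, -1 on malloc
   failure. The name is constructed here, not taken from a real command line. */
int check_name_fits( size_t name_len, size_t bufsz )
{
    char *name = malloc( name_len + 1 );
    char *out  = malloc( bufsz );
    int rc;
    if( !name || !out ) { free( name ); free( out ); return -1; }
    memset( name, 'A', name_len );
    name[name_len] = '\0';
    rc = strip_escapes_bounded( name, out, bufsz );
    free( name );
    free( out );
    return rc < 0 ? 0 : 1;
}

int main( void )
{
    char small[16];
    printf( "\"a\\\\ b\" -> %d chars: \"%s\"\n",
            strip_escapes_bounded( "a\\ b", small, sizeof small ), small );
    printf( "10000-byte name vs 8193-byte buffer: %s\n",
            check_name_fits( 10000, 8193 ) ? "accepted" : "rejected" );
    printf( "8192-byte name vs 8193-byte buffer: %s\n",
            check_name_fits( 8192, 8193 ) ? "accepted" : "rejected" );
    return 0;
}
```

The only behavioural difference from the loop quoted in the advisory is the early return when the destination is full; for any name that fits, the output is identical, including the handling of an escaped character and of a trailing backslash.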
