[bug #20014] buffer overrun in locate while reading old-format database

[James Youngman]

Update of bug #20014 (project findutils):

                Severity:              3 - Normal => 6 - Security           
                  Status:             In Progress => Fixed                  
                 Privacy:                 Private => Public                 
                 Summary:             Placeholder => buffer overrun in locate
while reading old-format database

    _______________________________________________________

Follow-up Comment #1:

This problem has been assigned the CVS number CVE-2007-2452.

Findutils supports three different formats of locate database, its native
format "LOCATE02", the slocate variant of LOCATE02, and a traditional ("old")
format that locate uses on other Unix systems.

When locate reads filenames from a LOCATE02 database (the default format),
the buffer into which data is read is automatically extended to accommodate
the length of the filenames.

This automatic buffer extension does not happen for old-format
databases.  Instead a 1026-byte buffer is used.  When a longer
pathname appears in the locate database, the end of this buffer is overrun. 
The buffer is allocated on the heap (not the stack).

If the locate database is in the default LOCATE02 format, the locate program
does perform automatic buffer extension, and the program is not vulnerable to
this problem.  The software used to build the old-format locate database is
not itself vulnerable to the same attack.

Most installations of GNU findutils do not use the old database
format, and so will not be vulnerable.

(file #12905)
    _______________________________________________________

Additional Item Attachment:

File name: savannah-bug-20014.patch       Size:3 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?20014>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/