Re: [Fwd: Help needed with bufferoverflow in cvs]
From: Larry Jones
Subject: Re: [Fwd: Help needed with bufferoverflow in cvs]
Date: Thu, 21 Feb 2002 10:21:05 -0500 (EST)
Tollef Fog Heen writes:
>
> * (Larry Jones)
> |
> | It's not a buffer overflow (-Cx will produce the same result), it's an
> | improperly initialized global variable (the code calls longjmp() with a
> | global jmp_buf that was never initialized by setjmp() and thus is all
> | zeros). It's not exploitable and it was fixed long ago in CVS 1.10.8.
>
> I am not too sure about that, please see the strace output from the
> server:
You're not too sure about *what*, that it's not a buffer overflow, that
it's caused by calling longjmp() with an all-zero jmp_buf, that it's not
exploitable, or that it was fixed long ago?!?
> This is 1.10.7-7; do you have the patch for this problem handy?
The best fix is to upgrade to a reasonably current release of CVS, which
you can get from www.cvshome.org. The current release is 1.11.1p1. If
you insist on patching an obsolete version:
Index: diff.c
===================================================================
RCS file: /cvs/ccvs/diff/diff.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- diff.c 29 Apr 1999 21:08:13 -0000 1.9
+++ diff.c 15 Sep 1999 21:11:31 -0000 1.10
@@ -247,11 +247,21 @@
/* Do our initializations. */
initialize_main (&argc, &argv);
-
- /* Decode the options. */
-
optind_old = optind;
optind = 0;
+
+ /* Set the jump buffer, so that diff may abort execution without
+ terminating the process. */
+ val = setjmp (diff_abort_buf);
+ if (val != 0)
+ {
+ optind = optind_old;
+ if (opened_file)
+ fclose (outfile);
+ return val;
+ }
+
+ /* Decode the options. */
while ((c = getopt_long (argc, argv,
"0123456789abBcC:dD:efF:hHiI:lL:nNpPqrsS:tTuU:vwW:x:X:y",
longopts, 0)) != EOF)
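Review bot: `opened_file` is assigned after this `setjmp (diff_abort_buf)` (the `opened_file = 1;` kept as context in the second hunk) and then read in the `if (opened_file)` branch after a longjmp, so C requires it to be declared `volatile` (e.g. `volatile int opened_file;`) or its value after the jump is indeterminate; the same holds for `outfile` if it is an automatic of this function rather than file-scope. The comment could also say why the buffer is armed here, ahead of `getopt_long`: an option error such as `-Cx` now lands in this branch instead of in a jmp_buf that was never set.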
@@ -684,17 +694,6 @@
}
opened_file = 1;
}
- }
-
- /* Set the jump buffer, so that diff may abort execution without
- terminating the process. */
- val = setjmp (diff_abort_buf);
- if (val != 0)
- {
- optind = optind_old;
- if (opened_file)
- fclose (outfile);
- return val;
}
val = compare_files (0, argv[optind], 0, argv[optind + 1], 0);
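Review bot: with this block removed, the `if (opened_file) fclose (outfile);` cleanup that survives in the moved copy is reachable before the `opened_file = 1;` shown just above has executed, so `opened_file` must be initialised to 0 before the new `setjmp` rather than only assigned later; a one-line note in the change description that the block was moved ahead of option decoding, not deleted, would also help anyone reading the two hunks separately.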
-Larry Jones
It's like SOMEthing... I just can't think of it. -- Calvin
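The failure mode Larry describes, a longjmp() through a jmp_buf that setjmp() never filled, and the ordering the patch adopts (arm the buffer before decoding options), as an added example written for this page rather than CVS's own diff.c. The names mini_diff_run, diff_fatal, parse_context_arg, run_demo and the diff_abort_buf_armed flag are invented here; only the attached "-C<n>" option form is handled, a simplification of getopt's "C:".

```c
/* Added example, not CVS code: a miniature diff driver with the fixed
 * setjmp-before-option-decoding order from the patch above.  Names are
 * assumptions made for this example. */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static jmp_buf diff_abort_buf;
static int diff_abort_buf_armed;      /* assumption: 1 once setjmp() has run */
static const char *last_error = "";
static int last_context = -1;

/* diff's error exit: jump back to the caller's setjmp().  Before CVS 1.10.8
 * this could run while diff_abort_buf was still all zeros (e.g. on "-Cx"),
 * which is undefined behaviour and in practice a crash.  An unarmed buffer
 * therefore aborts loudly here instead of jumping through zeros. */
static void diff_fatal(const char *msg)
{
    last_error = msg;
    if (!diff_abort_buf_armed) {
        fprintf(stderr, "diff_fatal: jump buffer never armed: %s\n", msg);
        abort();
    }
    longjmp(diff_abort_buf, 2);       /* setjmp() in mini_diff_run returns 2 */
}

/* Numeric argument of -C/-U; "-Cx" is the input from the thread. */
static int parse_context_arg(const char *s)
{
    char *end;
    long n;
    if (*s == '\0')
        diff_fatal("missing context length");
    n = strtol(s, &end, 10);
    if (*end != '\0' || n < 0)
        diff_fatal("invalid context length");
    return (int)n;
}

/* Returns 0 on success or the longjmp value on an aborted run. */
int mini_diff_run(int argc, char **argv)
{
    /* Both are written after setjmp() and read after longjmp(), so they
     * must be volatile; opened_file must also start at 0 because the error
     * branch can now run before any output file has been opened. */
    volatile int opened_file = 0;
    FILE *volatile outfile = NULL;
    int context = 3, val, i;

    val = setjmp(diff_abort_buf);     /* armed BEFORE the option loop */
    if (val != 0) {
        diff_abort_buf_armed = 0;
        if (opened_file)
            fclose(outfile);
        return val;
    }
    diff_abort_buf_armed = 1;

    for (i = 1; i < argc && argv[i][0] == '-'; i++) {
        if (argv[i][1] == 'C' || argv[i][1] == 'U')
            context = parse_context_arg(argv[i] + 2);
        else
            diff_fatal("unknown option");
    }
    if (argc - i != 2)
        diff_fatal("expected exactly two file operands");

    outfile = tmpfile();              /* stand-in for diff's output file */
    if (outfile == NULL)
        diff_fatal("cannot open output file");
    opened_file = 1;
    fprintf(outfile, "diff -C%d %s %s\n", context, argv[i], argv[i + 1]);

    last_context = context;
    diff_abort_buf_armed = 0;
    fclose(outfile);
    return 0;
}

/* Run on a constructed argv: <opt> old.txt new.txt (file names are sample data). */
int run_demo(const char *opt)
{
    char *argv[4];
    argv[0] = (char *)"minidiff";
    argv[1] = (char *)opt;
    argv[2] = (char *)"old.txt";
    argv[3] = (char *)"new.txt";
    return mini_diff_run(4, argv);
}

int diff_last_context(void) { return last_context; }
const char *diff_last_error(void) { return last_error; }

int main(void)
{
    int rc = run_demo("-Cx");
    printf("-Cx -> %d (%s)\n", rc, diff_last_error());
    rc = run_demo("-C5");
    printf("-C5 -> %d (context %d)\n", rc, diff_last_context());
    return 0;
}
```

With the buggy pre-1.10.8 order (decode options, then setjmp), the "-Cx" case would reach diff_fatal with the buffer unarmed; the armed-flag check turns that into an abort() instead of a jump through an all-zero jmp_buf, which is the cheapest guard to add to any library-style code that relies on a caller having called setjmp().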
Re: [Fwd: Help needed with bufferoverflow in cvs], Larry Jones, 2002/02/20
Re: [Fwd: Help needed with bufferoverflow in cvs], Tollef Fog Heen, 2002/02/22