group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1835596] Re: incorrect argument to file_printable in [PATCH] PR/62

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1835596@xxxxxxxxxxxxxxxxxx>
Date: Wed, 13 May 2020 11:40:12 -0000
Reply-to: Bug 1835596 <1835596@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package file - 1:5.25-2ubuntu1.4

---------------
file (1:5.25-2ubuntu1.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: truncated interpreter name (LP: #1835596)
    - debian/patches/CVE-2019-8905_8907.patch: updated to use correct
      length in src/readelf.c.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 12 May 2020
09:33:55 -0400

** Changed in: file (Ubuntu Xenial)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8905

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1835596

Title:
  incorrect argument to file_printable in [PATCH] PR/62

Status in file package in Ubuntu:
  Fix Released
Status in file source package in Xenial:
  Fix Released
Status in file source package in Bionic:
  In Progress
Status in file source package in Eoan:
  Fix Released
Status in file source package in Focal:
  Fix Released
Status in file source package in Groovy:
  Fix Released

Bug description:
  In last patch below

  +From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001
  +From: Christos Zoulas <christos@xxxxxxxxxx>
  +Date: Mon, 18 Feb 2019 17:46:56 +0000
  +Subject: [PATCH] PR/62: spinpx: limit size of file_printable.

  +===================================================================
  +--- file-5.32.orig/src/readelf.c	2019-03-13 12:38:58.854781641 -0400
  ++++ file-5.32/src/readelf.c	2019-03-13 12:39:43.450945506 -0400
  +@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsig
  + 			if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
  + 			    "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
  + 			    file_printable(sbuf, sizeof(sbuf),
  +-			    CAST(char *, pi.cpi_name)),
  ++			    RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
  + 			    elf_getu32(swap, pi.cpi_pid),
  + 			    elf_getu32(swap, pi.cpi_euid),
  + 			    elf_getu32(swap, pi.cpi_egid),
  +@@ -1564,7 +1564,8 @@ dophn_exec(struct magic_set *ms, int cla
  + 		return -1;
  + 	if (interp[0])
  + 		if (file_printf(ms, ", interpreter %s",
  +-		    file_printable(ibuf, sizeof(ibuf), interp)) == -1)
  ++		    file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
  ++			== -1)
  + 			return -1;
  + 	return 0;
  + }

  sizeof(interp) is passed to file_printable as the `slen' parameter, since interp is of 
  type `char *', sizeof(interp) will be 8 or 4 const value for different pointer types, 
  this makes the `interpreter' extraction for elf file limited to 8 bytes under x64. 

  A example for this, under ubuntu 18.04:
  $ file /bin/dash
  /bin/dash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked,
  interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=a783260e3a5fe0afdae77417eea7f
  bf8d645219e, stripped

  notice that the interpreter portion is `/lib64/l', which is 8 bytes long and only a part
  of the actual interpreter path. 

  the `slen' parameter here should be something like `sizeof(char) * length_of_buffer'
  instead of sizeof(char *).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/file/+bug/1835596/+subscriptions