Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
[dev.icinga.com #5434] CVE-2014-1878: Possible segfault in cmd.cgi #1418
This issue has been migrated from Redmine: https://dev.icinga.com/issues/5434
Created by mfrosch on 2014-01-10 11:41:01 +00:00
Here is a potential security issue I've got in private.
Props to the GitHub security team and Dirkjan Bussink <firstname.lastname@example.org>.
Please keep it private for now! We also try to share information mit Naemon Team...
This patch should fix it.
2014-01-10 12:40:09 +00:00 by (unknown) 37fc766
2014-01-10 12:40:37 +00:00 by (unknown) cf0d20a
2014-01-10 12:41:35 +00:00 by (unknown) f1c4f36
2014-01-10 12:42:12 +00:00 by (unknown) eedf4f7
2014-01-10 12:42:40 +00:00 by (unknown) 10aeffc
2014-01-23 15:15:33 +00:00 by (unknown) 144a0b7
Updated by mfrosch on 2014-01-10 11:50:32 +00:00
Updated by mfrosch on 2014-01-10 12:32:03 +00:00
This is the patch against current git master:
Updated by crfriend on 2014-01-11 17:55:46 +00:00
In looking at the documentation for the snprintf() call -- at least for Solaris -- it is stated that the default behavior for snprintf() when trying to copy more data than allowed by the second argument is to copy one octet less than that value and then to null-terminate the resulting string. So, I'm not sure where the original reporter's segfault comes into play unless somebody then tries to append to it (which would overflow the space). This behavior may be different in Linux.
Ultimately, we're paying the price for the entire UNIX-like "null-terminated string" concept. If we're to defend against string-related overflows we'll either be paying a huge price in CPU cycles with never-ending strlen() calls or we'll have to come up with another mechanism for storing strings. I recall a number of years ago faced with overflow problems finally abandoning the null-terminated string almost completely and instead used a structure which led off with an int that described the current length of the string in the area immediately following the int which made length-checking very inexpensive indeed for calculating whether a new allocation (and copying the "string-struct" thereto, and freeing the old) was required (along with changing the int to reflect the new length).
In any event, and in digging through the code found that the patch in question addresses the single instance where the return-value from snprintf() is used in the CGIs. Testing for an oversize return-value makes good sense, however, in all cases as it'll catch instances where data gets corrupted (by virtue of the truncation) by the program and probably should get flagged as an error.
Updated by mfriedrich on 2014-02-11 10:03:53 +00:00
Will be released as 1.8.6, 1.9.5 and 1.10.3 while the latter includes more bug fixes, 1.9 and 1.8 support branches only get the important fixes.
Will ask for a CVE number once the release is tagged and available for users.
Updated by mfriedrich on 2014-02-11 15:33:40 +00:00
Assigned CVE number: CVE-2014-1878