NetBSD Problem Report #52532
From www@NetBSD.org Fri Sep 8 05:25:45 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 07B537A1BC
for <gnats-bugs@gnats.NetBSD.org>; Fri, 8 Sep 2017 05:25:45 +0000 (UTC)
Message-Id: <20170908052544.4795C7A26A@mollari.NetBSD.org>
Date: Fri, 8 Sep 2017 05:25:44 +0000 (UTC)
From: henning.petersen@t-online.de
Reply-To: henning.petersen@t-online.de
To: gnats-bugs@NetBSD.org
Subject: Fix an incorrectly used conditional causing a stack buffer overflow
X-Send-Pr-Version: www-1.0
>Number: 52532
>Category: bin
>Synopsis: Fix an incorrectly used conditional causing a stack buffer overflow
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: christos
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Sep 08 05:30:00 +0000 2017
>Closed-Date: Wed May 17 09:54:03 +0000 2023
>Last-Modified: Wed May 17 09:54:03 +0000 2023
>Originator: Henning Petersen
>Release: netbsd-current
>Organization:
>Environment:
>Description:
Fix an incorrectly used conditional causing a stack buffer overflow.
Security: CVE-2017-1000249
>How-To-Repeat:
>Fix:
diff -u -u -p -r1.15 readelf.c
--- external/bsd/file/dist/src/readelf.c 25 May 2017 00:11:26 -0000 1.15
+++ external/bsd/file/dist/src/readelf.c 8 Sep 2017 04:41:56 -0000
@@ -517,7 +517,7 @@ do_bid_note(struct magic_set *ms, unsign
size_t noff, size_t doff, int *flags)
{
if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
- type == NT_GNU_BUILD_ID && (descsz >= 4 || descsz <= 20)) {
+ type == NT_GNU_BUILD_ID && (descsz >= 4 && descsz <= 20)) {
uint8_t desc[20];
const char *btype;
uint32_t i;
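Review bot: the upper bound 20 in the corrected condition on the + line is a bare literal that has to stay equal to the size of the array in "uint8_t desc[20];" two lines below it. Defining one named constant and using it for both the bound and the array size would keep the check and the buffer from drifting apart. For the record, the old form (descsz >= 4 || descsz <= 20) is true for every value of descsz, so it bounded nothing; the && form is the first actual range check here. The How-To-Repeat field is empty, so a regression test that exercises an out-of-range descsz would be worth adding alongside the fix.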
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 17 Jan 2018 00:01:12 +0000
State-Changed-Why:
It was applied (thanks, not referenced here though), but not pulled up to either -876
Responsible-Changed-From-To: bin-bug-people->christos
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Tue, 09 Apr 2019 12:44:01 +0000
Responsible-Changed-Why:
Over to christos, who handles file updates.
State-Changed-From-To: needs-pullups->feedback
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Tue, 09 Apr 2019 12:44:01 +0000
State-Changed-Why:
Did this ever get pulled up?
State-Changed-From-To: feedback->needs-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Wed, 09 Jun 2021 02:50:33 +0000
State-Changed-Why:
It did not get pulled up. It is in -9, but not in -8, and probably should
get into -8.
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 31 Mar 2023 09:43:51 +0000
State-Changed-Why:
pullup-8 #1818 https://releng.netbsd.org/cgi-bin/req-8.cgi?show=1818
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52532 CVS commit: [netbsd-8] src/external/bsd/file/dist/src
Date: Sat, 1 Apr 2023 16:41:00 +0000
Module Name: src
Committed By: martin
Date: Sat Apr 1 16:41:00 UTC 2023
Modified Files:
src/external/bsd/file/dist/src [netbsd-8]: readelf.c
Log Message:
Apply patch, requested by riastradh in ticket #1818:
external/bsd/file/dist/src/readelf.c (apply patch)
PR kern/52532: fix bounds check in ELF header parser.
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.15.2.1 src/external/bsd/file/dist/src/readelf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Wed, 17 May 2023 09:54:03 +0000
State-Changed-Why:
pullup completed
>Unformatted: