gw6c crashes with buffer overflow on start

Bug #418176 reported by ooze
Affects: gw6c (Ubuntu)   Status: Fix Released   Importance: Undecided   Assigned to: Unassigned   Milestone:

Bug Description

Binary package hint: tspc

$ lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10

$ apt-cache policy gw6c
gw6c:
  Installé : 6.0.1dfsg.1-3
  Candidat : 6.0.1dfsg.1-3
 Table de version :
 *** 6.0.1dfsg.1-3 0
        500 http://archive.ubuntu.com karmic/universe Packages
        100 /var/lib/dpkg/status

How to reproduce:
0. Run Ubuntu on a 64-bit architecture.
1. Edit the configuration in /etc/gw6c/gw6c.conf by setting the "client_v4" parameter to an IP address.
2. Restart the gw6c daemon.
3. Check that the gw6c daemon is running.

The gw6c daemon crashes when started if client_v4 is set to an IP address instead of the default value of "auto". The reason is a buffer overflow caused by a memcpy from an integer, with a length that is dependent on the architecture, to an inet_addr_t structure that is always 32 bits long.

ooze (zoe-gauthier)
affects: tspc (Ubuntu) → gw6c (Ubuntu)
ooze (zoe-gauthier) wrote :

This bug is still affecting me on Karmic release. As far as I know, it is not possible to use this package on a 64-bit platform.

Apport report has just been attached to bug #475511.

ooze (zoe-gauthier) wrote :

This is the same problem as in bug #323288 that has been re-imported with the change from tspc to gw6c.

The result of the call to inet_addr (3) is stored in an unsigned long, whose length is passed to memcpy. Since the destination is strictly 32 bits long, when the code is run on a 64-bit platform, where the size of unsigned long is 64 bits, a buffer overflow occurs.
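
The size mismatch described in the bug description and in the comment above, shown as an added C example; this is not gw6c's code, and the struct v4_slot type, the canary, the function names and the sample address 192.0.2.1 are all constructed for the demonstration. The buggy path sizes the memcpy by the unsigned long it reads from, so on an LP64 platform it writes 8 bytes into a 4-byte field and the canary placed after the field is overwritten; the fixed path keeps the value in in_addr_t and bounds the copy by the destination.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 4-byte address field, not gw6c's real type.
 * A canary sits right after it so an over-long copy shows up as a changed
 * canary instead of silently corrupting whatever follows in the daemon. */
struct v4_slot {
    uint32_t addr;    /* same size as in_addr_t */
    uint32_t canary;
};

#define CANARY 0xCAFEBABEu

/* True on LP64 platforms (e.g. x86-64 Linux), where unsigned long is 8 bytes. */
int expect_spill(void)
{
    return sizeof(unsigned long) > sizeof(uint32_t);
}

/* The defective pattern from the report: inet_addr()'s 32-bit result is kept
 * in an unsigned long and the copy length is taken from that variable.
 * Returns 1 if the copy ran past addr into the canary, 0 otherwise. */
int store_v4_buggy(const char *dotted, struct v4_slot *slot)
{
    unsigned long tmp = inet_addr(dotted);
    slot->canary = CANARY;
    /* &slot->addr and slot are the same address; sizeof(tmp) is 8 on LP64,
     * so the copy spills 4 bytes past the 4-byte addr field. */
    memcpy(slot, &tmp, sizeof(tmp));
    return slot->canary != CANARY;
}

/* Corrected pattern: hold the result in the 32-bit type it actually has and
 * bound the copy by the destination. Returns -1 for an unparsable address,
 * 0 on success, 1 if the canary was touched (which cannot happen here). */
int store_v4_fixed(const char *dotted, struct v4_slot *slot)
{
    in_addr_t tmp = inet_addr(dotted);
    if (tmp == INADDR_NONE)   /* note: 255.255.255.255 also maps to INADDR_NONE */
        return -1;
    slot->canary = CANARY;
    memcpy(&slot->addr, &tmp, sizeof(slot->addr));
    return slot->canary != CANARY;
}

/* Wrappers so a caller can check the behaviour without managing a struct. */
int demo_buggy(const char *dotted)
{
    struct v4_slot s;
    return store_v4_buggy(dotted, &s);
}

int demo_fixed(const char *dotted)
{
    struct v4_slot s;
    return store_v4_fixed(dotted, &s);
}

/* Returns the address the fixed path stored (0 if parsing failed), so it can
 * be compared with inet_addr() directly. */
uint32_t demo_fixed_value(const char *dotted)
{
    struct v4_slot s;
    if (store_v4_fixed(dotted, &s) != 0)
        return 0;
    return s.addr;
}

int main(void)
{
    const char *ip = "192.0.2.1";   /* constructed sample (TEST-NET-1) */
    printf("sizeof(unsigned long)=%zu sizeof(in_addr_t)=%zu\n",
           sizeof(unsigned long), sizeof(in_addr_t));
    printf("buggy copy clobbered canary: %d\n", demo_buggy(ip));
    printf("fixed copy clobbered canary: %d\n", demo_fixed(ip));
    return 0;
}
```

On a 32-bit build both paths behave the same, which is why the report only shows up on 64-bit systems; the general rule the fix applies is to size a memcpy by the destination object, never by a temporary whose width varies with the platform. inet_pton(3) writing directly into a struct in_addr avoids the intermediate variable altogether.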

ooze (zoe-gauthier)
Changed in gw6c (Ubuntu):
status: New → In Progress
ooze (zoe-gauthier) wrote :

The added branch fixes this bug. This version of the gw6c package runs correctly on my server.

ooze (zoe-gauthier)
description: updated
description: updated
Changed in gw6c (Ubuntu):
status: In Progress → Confirmed
Andrew Starr-Bochicchio (andrewsomething) wrote :

This patch has been applied in Debian, and will be synced into Ubuntu once it enters Testing:

gw6c (6.0.1dfsg.1-6) unstable; urgency=low

   [ أحمد المحمودي (Ahmed El-Mahmoudy) ]
   * debian/rules:
     + Simplify rules file.
     + Fix make invocation to properly generate gw6c.sample.conf
     + Install gw6c.sample.conf also in /etc/gw6c/gw6c.conf (LP: #438658)
   * debian/patches: remove old dpatch files.
   * debian/control:
     + Build-Depend on debhelper >= 7.0.50~ to support debhelper overrides.
     + Remove quilt from Build-Depends.
     + Added ${misc:Depends} to Depends.
   * debian/dirs: Remove dirs that will be created by dh_install anyways.

   [ Craig Small ]
   * Added a keyfile check bypass to init
   * Documented default file

 -- Craig Small <email address hidden> Fri, 11 Dec 2009 16:58:31 +1100

gw6c (6.0.1dfsg.1-5) unstable; urgency=low

   * Adjust README and init script to die if no server key or config file
   * Closes: #554911
   * Added Ubuntu patch LP:418176
   * Removed -c option and fixed default config file path in gw6c.8
   * clarified GPL version of debian files
   * Changed to quilt patching and source format

 -- Craig Small <email address hidden> Mon, 07 Dec 2009 21:42:35 +1100

Changed in gw6c (Ubuntu):
status: Confirmed → Fix Committed
Changed in gw6c (Ubuntu):
status: Fix Committed → Fix Released