Ubuntu
liblockfile package

Merge lp:~gandelman-a/ubuntu/precise/liblockfile/lp941968 into lp:ubuntu/precise/liblockfile

  1. Precise (12.04)
  2. lp941968
  3. Merge into precise
Proposed by Adam Gandelman
Status: Merged
Merge reported by: Martin Pitt
Merged at revision: not available
Proposed branch: lp:~gandelman-a/ubuntu/precise/liblockfile/lp941968
Merge into: lp:ubuntu/precise/liblockfile
Diff against target: 141 lines (+123/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/fix-buffer-overflows.patch (+113/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~gandelman-a/ubuntu/precise/liblockfile/lp941968
Reviewer Review Type Date Requested Status
Martin Pitt Approve
Review via email: mp+171020@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Martin Pitt (pitti) wrote :

Thanks! I uploaded this to the precise-proposed SRU review queue. This can't technically be merged into the "precise" branch (it will be imported into the precise-updates branch), so closing this manually.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2011-08-13 00:18:46 +0000
3+++ debian/changelog 2013-06-24 05:58:08 +0000
4@@ -1,3 +1,12 @@
5+liblockfile (1.09-3.1) precise-proposed; urgency=low
6+
7+ * debian/patches/fix-buffer-overflows.patch: Fix buffer overflows when
8+ building strings
9+ - Protect against overflows caused by long hostnames (LP: #941968)
10+ - Protect against overflows caused by large PID numbers (LP: #1011477)
11+
12+ -- Adam Gandelman <adamg@ubuntu.com> Thu, 20 Jun 2013 12:37:10 -0700
13+
14 liblockfile (1.09-3) unstable; urgency=high
15
16 * add Replaces/Breaks liblockfile1 for liblockfile-bin (closes: #637555)
17
18=== added directory 'debian/patches'
19=== added file 'debian/patches/fix-buffer-overflows.patch'
20--- debian/patches/fix-buffer-overflows.patch 1970-01-01 00:00:00 +0000
21+++ debian/patches/fix-buffer-overflows.patch 2013-06-24 05:58:08 +0000
22@@ -0,0 +1,113 @@
23+Description: Fix buffer overflows when building strings
24+ The first occurs in lockfile_create_save_tmplock() when building the
25+ filename for the temporary lock file. The p buffer may not be large enough to
26+ hold large pid numbers or long hostnames. This issue is fixed by using
27+ snprintf(), rather than sprintf(), and adding appropriate field widths to the
28+ conversion string. Long hostnames will be truncated to fit in the remainder of
29+ the buffer length.
30+ .
31+ The second occurs in lockfile_create_save_tmplock() when buf is not long
32+ enough to store large pid numbers. This issue is fixed by using snprintf().
33+ Also, the length of buf is increased to 40, which is enough to hold a 128 bit
34+ signed int. This will be sufficient for holding pid values for quite some time
35+ into the future.
36+ .
37+ Additionally, the sprintf() in do_extern() is changed to snprintf() for
38+ general security hardening. An overflow of buf is not currently possible.
39+Bug-Debian: http://bugs.debian.org/677225
40+Bug-Ubuntu: https://launchpad.net/bugs/941968
41+Bug-Ubuntu: https://launchpad.net/bugs/1011477
42+Author: Tyler Hicks <tyhicks@canonical.com>
43+Index: liblockfile-1.09/lockfile.c
44+===================================================================
45+--- liblockfile-1.09.orig/lockfile.c 2013-01-09 10:54:49.948588615 -0800
46++++ liblockfile-1.09/lockfile.c 2013-01-09 12:19:07.328708811 -0800
47+@@ -158,7 +158,7 @@
48+ if ((pid = fork()) < 0)
49+ return L_ERROR;
50+ if (pid == 0) {
51+- sprintf(buf, "%d", retries % 1000);
52++ snprintf(buf, sizeof(buf), "%d", retries % 1000);
53+ execl(LOCKPROG, LOCKPROG, opt, "-r", buf, "-q",
54+ (flags & L_PID) ? "-p" : "-N", lockfile, NULL);
55+ _exit(L_ERROR);
56+@@ -185,6 +185,14 @@
57+
58+ #endif
59+
60++#define TMPLOCKSTR ".lk"
61++#define TMPLOCKSTRSZ strlen(TMPLOCKSTR)
62++#define TMPLOCKPIDSZ 5
63++#define TMPLOCKTIMESZ 1
64++#define TMPLOCKSYSNAMESZ 23
65++#define TMPLOCKFILENAMESZ (TMPLOCKSTRSZ + TMPLOCKPIDSZ + \
66++ TMPLOCKTIMESZ + TMPLOCKSYSNAMESZ)
67++
68+ /*
69+ * Create a lockfile.
70+ */
71+@@ -196,7 +204,7 @@
72+ {
73+ struct stat st, st1;
74+ char sysname[256];
75+- char buf[8];
76++ char buf[40];
77+ char *p;
78+ int sleeptime = 0;
79+ int statfailed = 0;
80+@@ -209,13 +217,13 @@
81+ /*
82+ * Safety measure.
83+ */
84+- if (strlen(lockfile) + 32 > MAXPATHLEN) {
85++ if (strlen(lockfile) + TMPLOCKFILENAMESZ > MAXPATHLEN) {
86+ errno = ENAMETOOLONG;
87+ return L_ERROR;
88+ }
89+ #endif
90+
91+- if (strlen(lockfile) + 32 + 1 > tmplocksz) {
92++ if (strlen(lockfile) + TMPLOCKFILENAMESZ + 1 > tmplocksz) {
93+ errno = EINVAL;
94+ return L_ERROR;
95+ }
96+@@ -233,14 +241,16 @@
97+ return L_ERROR;
98+ if ((p = strchr(sysname, '.')) != NULL)
99+ *p = 0;
100+- /* strcpy is safe: length-check above, limited at sprintf below */
101++ /* strcpy is safe: length-check above, limited at snprintf below */
102+ strcpy(tmplock, lockfile);
103+ if ((p = strrchr(tmplock, '/')) == NULL)
104+ p = tmplock;
105+ else
106+ p++;
107+- sprintf(p, ".lk%05d%x%s",
108+- (int)getpid(), (int)time(NULL) & 15, sysname);
109++ snprintf(p, TMPLOCKFILENAMESZ, "%s%0*d%0*x%s", TMPLOCKSTR,
110++ TMPLOCKPIDSZ, (int)getpid(),
111++ TMPLOCKTIMESZ, (int)time(NULL) & 15,
112++ sysname);
113+ i = umask(022);
114+ fd = open(tmplock, O_WRONLY|O_CREAT|O_EXCL, 0644);
115+ e = errno;
116+@@ -251,8 +261,8 @@
117+ return L_TMPLOCK;
118+ }
119+ if (flags & (L_PID | L_PPID)) {
120+- sprintf(buf, "%d\n",
121+- (flags & L_PID) ? (int)getpid() : (int)getppid());
122++ snprintf(buf, sizeof(buf), "%d\n",
123++ (flags & L_PID) ? (int)getpid() : (int)getppid());
124+ p = buf;
125+ len = strlen(buf);
126+ } else {
127+@@ -363,7 +373,7 @@
128+ char *tmplock;
129+ int l, r, e;
130+
131+- l = strlen(lockfile)+32+1;
132++ l = strlen(lockfile)+TMPLOCKFILENAMESZ+1;
133+ if ((tmplock = (char *)malloc(l)) == NULL)
134+ return L_ERROR;
135+ tmplock[0] = 0;
136
137=== added file 'debian/patches/series'
138--- debian/patches/series 1970-01-01 00:00:00 +0000
139+++ debian/patches/series 2013-06-24 05:58:08 +0000
140@@ -0,0 +1,1 @@
141+fix-buffer-overflows.patch

Subscribers

People subscribed via source and target branches