Zsh Mailing List Archive
PATCH: buffer overflow from MAILCHECK environment variable
- X-seq: zsh-workers 42607
- From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
- To: Zsh workers <zsh-workers@xxxxxxx>
- Subject: PATCH: buffer overflow from MAILCHECK environment variable
- Date: Sat, 07 Apr 2018 12:45:43 +0200
There's a potential buffer overflow in the utils.c:checkmailpath() function
where unchecked strings from the MAILCHECK variable are copied to a
buffer. This bug corresponds to CVE-2018-1100 and credit to Richard
Maciel Costa for finding it.
This patch uses snprintf instead of sprintf when writing to the buffer.
Oliver
diff --git a/Src/utils.c b/Src/utils.c
index 3587c3622..fd6aa9ab4 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1653,7 +1653,7 @@ checkmailpath(char **s)
LinkList l;
DIR *lock = opendir(unmeta(*s));
char buf[PATH_MAX * 2 + 1], **arr, **ap;
- int ct = 1;
+ int buflen, ct = 1;
if (lock) {
char *fn;
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
l = newlinklist();
while ((fn = zreaddir(lock, 1)) && !errflag) {
if (u)
- sprintf(buf, "%s/%s?%s", *s, fn, u);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
else
- sprintf(buf, "%s/%s", *s, fn);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+ if (buflen < 0 || buflen >= (int)sizeof(buf))
+ continue;
addlinknode(l, dupstring(buf));
ct++;
}
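Review bot: the `continue` after `if (buflen < 0 || buflen >= (int)sizeof(buf))` silently drops any directory entry whose composed path does not fit in `buf`, so an over-long mail path is simply never checked and the user gets no hint that it was skipped; consider emitting a warning before the `continue` so the misconfiguration is visible. The check itself is correct: snprintf returns the length the full string would have had, so `>=` catches truncation exactly and `< 0` covers the encoding-error return, and because `ct++` in the trailing context is bypassed on `continue`, `ct` still matches the number of nodes actually added to `l`.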
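The patched code path in isolation, as an added C example that is not taken from the zsh source: a helper that builds the same "%s/%s?%s" entry and uses the snprintf return value to detect truncation, plus two checks that exercise it; the function names and sample paths are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Build "<dir>/<fn>" or "<dir>/<fn>?<u>" into buf, the way the patched
 * checkmailpath() does. Returns 1 if the whole string fit, 0 if it would
 * have been truncated or snprintf reported an error; in the 0 case the
 * caller must skip the entry rather than trust buf's contents. */
static int build_mail_entry(char *buf, size_t bufsize,
                            const char *dir, const char *fn, const char *u)
{
    int len;
    if (u)
        len = snprintf(buf, bufsize, "%s/%s?%s", dir, fn, u);
    else
        len = snprintf(buf, bufsize, "%s/%s", dir, fn);
    /* snprintf returns the length the full string would have had, so a
       value >= bufsize means the output was cut short. */
    if (len < 0 || (size_t)len >= bufsize)
        return 0;
    return 1;
}

/* Same buffer size as checkmailpath(); a constructed directory component
 * longer than the buffer must be rejected instead of overflowing. */
int demo_oversized_rejected(void)
{
    char buf[PATH_MAX * 2 + 1];
    static char longdir[PATH_MAX * 2 + 8];
    memset(longdir, 'a', sizeof(longdir) - 1);
    longdir[sizeof(longdir) - 1] = '\0';
    return build_mail_entry(buf, sizeof(buf), longdir, "msg", "New mail") == 0;
}

/* A normal entry is accepted and formatted exactly as expected. */
int demo_normal_accepted(void)
{
    char buf[64];
    if (!build_mail_entry(buf, sizeof(buf), "/var/mail/user", "1.eml", "You have mail"))
        return 0;
    return strcmp(buf, "/var/mail/user/1.eml?You have mail") == 0;
}

/* On truncation the result is rejected, but buf is still NUL-terminated. */
int demo_truncation_stays_terminated(void)
{
    char buf[8];
    int ok = build_mail_entry(buf, sizeof(buf), "/var/mail", "x", NULL);
    return ok == 0 && buf[7] == '\0' && strlen(buf) == 7;
}
```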