In article <20030729210308.15518.qmail@www.securityfocus.com>
on chiark.mail.bugtraq, Vade 79 wrote:

[...]

Thank you for reporting these vulnerabilities in man-db. However, I'm
disappointed that you neither informed me a little beforehand so that I
wasn't taken by surprise by your BugTraq post (preferable), nor sent a
copy of your report to me as the maintainer of man-db (which I would
regard as the minimum of common courtesy). Fortunately, a friend brought
your post to my attention this morning so that I could begin preparing
patches, a little later than I would otherwise have been able to do.

Please inform the maintainer in future. The BugTraq guidelines suggest a
one-week notice period, although in fact I'd personally have been happy
with a few days.

>[part 1: add_to_dirlist() buffer overflow]
>
>man-db contains a buffer overflow vulnerability do to the lack of bounds
>checking in multiple sscanf() calls.  which formats the user supplied file 
>~/.manpath.
[...]
>as you can see; MANDATORY_MANPATH, MANPATH_MAP, and MANDB_MAP do not 
>properly limit the value written to key[50], and/or cont[512]).  however, 
>as far as exploitation by overflowing those buffers goes is limited.  this 
>is do to the way the buffers are allocated in memory, so when 
>overwritten, will just overwrite into another character buffer.
>
>but, this is not all in vain.  do to the size of buf[BUFSIZE], which is 
>8192 bytes(standard), and what key/cont overwrites into.  you can pass 
>enormously long values(~8192) to other functions.  as most checks are done 
>before-hand, and almost all buffers in the program are allocated to 4095 
>bytes; you can make the overflow occur, in many locations, elsewhere in 
>the program.

I've fixed the sscanf() invocations so that these arrays aren't
overflowed. Other PATH_MAX-sized buffers will take a little more work,
but I'll look at them.

>[part 2: ult_src() buffer overflow]
>
>man-db contains a buffer overflow vulnerability do to the size of a buffer
>being half the size it should be(doesn't follow the 4096 trend), for a 
>"path".

Fixed by allocating this buffer dynamically instead.

>[part 3: ".so" link buffer overflow]
>
>man-db contains a buffer overflow vulnerability do to the lack of bounds
>checking for ".so" link/redirection manpages.  this occurs when the 
>function attempts to change memory, without re-calculating the 
>size.

Fixed in the process of fixing part 2 above, by causing the function in
question to return a newly allocated string rather than doing that
grotty hack of writing into a string allocated elsewhere without
reallocation.

>[part 4: PATH/MANPATH argument overflow]
>
>man-db contains a buffer overflow vulnerability do to the lack of bounds
>checking for the amount PATH/MANPATH values given.  the bug is found in 
>multiple routines.
>
>proof/to test for vulnerability existence:
># man -M `perl -e 'print"/tmp:"x260'` x
>Segmentation fault

On my machine it seems to require 432 elements or more, but anyway. I've
applied a stopgap measure for now, namely to check whether the number of
elements in MANPATH is going to overflow the list holding them. I'll add
proper dynamically resized arrays later when I have a little more time.

These fixes are in savannah.nongnu.org CVS for now; I'll prepare a
release for Debian unstable tonight and if possible Debian stable as
well. A full 2.4.2 release will have to wait a little longer, but should
be within the week.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]