CAN-2003-0848: heap overflow in slocate

Automatically imported from Debian bug report #226103 http://bugs.debian.org/226103

Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 01:24:25 -0800
From: Matt Zimmerman <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2003-0848: heap overflow in slocate

Package: slocate
Version: 2.7-2
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848
http://www.ebitech.sk/patrik/SA/SA-20031006.txt
http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt

The strange thing is, this advisory claims that slocate 2.7 is not
vulnerable. However, I see no changelog entries, nor actual code changes,
to indicate that this bug has been fixed. Neither the advisory's suggested
change, nor any other that I can see which would affect this bug, has been
made. So, I currently have little confidence that this bug is actually
fixed in 2.7. Furthermore, we ship slocate 2.6 in woody, which would seem
to be certainly affected by this bug.

Any additional information or assistance that you can provide would be
appreciated. See:

http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security

for some guidelines.

-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-deb5-evms2.1.1-skas3-1 #1 Mon Dec 22 14:08:31 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages slocate depends on:
ii adduser 3.51 Add and remove users and groups
ii dpkg 1.10.18 Package maintenance system for Deb
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an

-- no debconf information

--
 - mdz

Message-Id: <email address hidden>
Date: Mon, 05 Jan 2004 01:34:00 +0100
From: Petter Reinholdtsen <email address hidden>
To: <email address hidden>
Subject: Re: CAN-2003-0848: heap overflow in slocate

This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.

Perhaps there are more problems with the database handling in slocate?

Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 18:07:33 -0800
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Subject: Bug#226103: CAN-2003-0848: heap overflow in slocate

--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

This bug was the same as CAN-2003-0056 which was fixed in 2.6-1.3.1 in woody
and 2.7-1 in unstable/testing.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056

There never was a bug report assigned to the package since it was found and
fixed quickly.

If there is a way to cause a heap overflow in these versions please let me
know, until then I know it to be safe.

---------------------------------------------------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id: 746C51F4

--6c2NcOVqGQ03X4Wi
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQE/+MblUZpV8HRsUfQRAibfAJ902dS2M1+H8XFOBcd29Y5S8Y/HWgCgzAWj
w3VI84M8NRb12Ag/f6Y9bBk=
=F/vG
-----END PGP SIGNATURE-----

--6c2NcOVqGQ03X4Wi--

Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 23:38:01 -0800
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: Re: Bug#226103 acknowledged by developer (Bug#226103: CAN-2003-0848: heap overflow in
 slocate)

reopen 226103
thanks

On Sun, Jan 04, 2004 at 09:49:00PM -0600, Debian Bug Tracking System wrote:

> This bug was the same as CAN-2003-0056 which was fixed in 2.6-1.3.1 in woody
> and 2.7-1 in unstable/testing.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056
>
> There never was a bug report assigned to the package since it was found and
> fixed quickly.

No, this is not the same bug. CAN-2003-0056 is about a buffer overflow
caused by a long command line argument. CAN-2003-0848 is about an overflow
caused by the contents of a user-supplied database.

--
 - mdz

Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 11:04:22 -0800
From: Matt Zimmerman <email address hidden>
To: Petter Reinholdtsen <email address hidden>, <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate

On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:

> This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
> DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
>
> Perhaps there are more problems with the database handling in slocate?

Probably. I think that it is not a good idea for slocate to read and
interpret a user-supplied database while running with setgid privileges.
Since slocate indexes all files on the system, I don't see why this should
be needed either.

--
 - mdz

Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 12:56:53 -0800
From: Kevin Lindsay <email address hidden>
To: Matt Zimmerman <email address hidden>, <email address hidden>
Cc: Petter Reinholdtsen <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate

On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:

> On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
>
> > This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
> > DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
> >
> > Perhaps there are more problems with the database handling in slocate?
>
> Probably. I think that it is not a good idea for slocate to read and
> interpret a user-supplied database while running with setgid privileges.
> Since slocate indexes all files on the system, I don't see why this should
> be needed either.

I agree. I took a more careful look at the advisory and I will be doing an
audit on the necessary code. User defined databases were requested to handle
lookups on remote file systems which had their own databases. I think a
good plan would be to drop privileges when searching databases which do not
have the 'slocate' group assigned. Let me know if I'm missing anything.

Kevin-

---------------------------------------------------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id: 746C51F4

Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 13:20:18 -0800
From: Matt Zimmerman <email address hidden>
To: Kevin Lindsay <email address hidden>
Cc: <email address hidden>, Petter Reinholdtsen <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate

On Wed, Jan 07, 2004 at 12:56:53PM -0800, Kevin Lindsay wrote:

> On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:
>
> > On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
> >
> > > This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
> > > DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
> > >
> > > Perhaps there are more problems with the database handling in slocate?
> >
> > Probably. I think that it is not a good idea for slocate to read and
> > interpret a user-supplied database while running with setgid privileges.
> > Since slocate indexes all files on the system, I don't see why this should
> > be needed either.
>
> I agree. I took a more careful look at the advisory and I will be doing an
> audit on the necessary code. User defined databases were requested to handle
> lookups on remote file systems which had their own databases. I think a
> good plan would be to drop privileges when searching databases which do not
> have the 'slocate' group assigned. Let me know if I'm missing anything.

Ah, that makes sense. In that case, yes, it would be ideal if slocate
could:

1. Read the system slocate database

2. Drop privileges irrevocably

3. Read the user-supplied database and continue

--
 - mdz

Message-ID: <email address hidden>
Date: Sun, 18 Jan 2004 13:28:06 -0800
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: Status?

Have you had a chance to look into this bug further? If it is not feasible
to implement relinquishing privileges, we need to at least fix the overflow.

--
 - mdz

Message-Id: <email address hidden>
Date: Tue, 20 Jan 2004 13:48:39 -0500
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Cc: Kevin Lindsay <email address hidden>, R Garth Wood <email address hidden>
Subject: Fixed in NMU of slocate 2.6-1.3.2

tag 226103 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Jan 2004 06:16:54 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.6-1.3.2
Distribution: stable-security
Urgency: high
Maintainer: R Garth Wood <email address hidden>
Changed-By: Kevin Lindsay <email address hidden>
Description:
 slocate - a secure locate replacement
Closes: 226103
Changes:
 slocate (2.6-1.3.2) stable-security; urgency=high
 .
   * 'slocate' sgid privileges are now dropped when searching databases that
     are not apart of the 'slocate' group. This will prevent malicious user
     supplied databases from elevating user access to the 'slocate' group.
     See CAN-2003-0848, (closes: #226103)
Files:
 c7f271bba7c5a72afb00d43c23a04b79 550 utils optional slocate_2.6-1.3.2.dsc
 4e7a025fe5ec8239ae851dc68a533332 7956 utils optional slocate_2.6-1.3.2.diff.gz
 f933cdc3212314e1ac466c9c7a475783 25236 utils optional slocate_2.6-1.3.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFADDGKArxCt0PiXR4RAomQAJ9iYTMoK09C2SP2G6s613WKuGWR4wCgpGQ/
DDv+nkZUdDptl1/XVm1xawI=
=hO9d
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Wed, 07 Apr 2004 13:32:22 -0400
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Cc: Kevin Lindsay <email address hidden>, R Garth Wood <email address hidden>
Subject: Fixed in NMU of slocate 2.6-1.3.2

tag 226103 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Jan 2004 06:16:54 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.6-1.3.2
Distribution: stable-security
Urgency: high
Maintainer: R Garth Wood <email address hidden>
Changed-By: Kevin Lindsay <email address hidden>
Description:
 slocate - a secure locate replacement
Closes: 226103
Changes:
 slocate (2.6-1.3.2) stable-security; urgency=high
 .
   * 'slocate' sgid privileges are now dropped when searching databases that
     are not apart of the 'slocate' group. This will prevent malicious user
     supplied databases from elevating user access to the 'slocate' group.
     See CAN-2003-0848, (closes: #226103)
Files:
 c7f271bba7c5a72afb00d43c23a04b79 550 utils optional slocate_2.6-1.3.2.dsc
 4e7a025fe5ec8239ae851dc68a533332 7956 utils optional slocate_2.6-1.3.2.diff.gz
 f933cdc3212314e1ac466c9c7a475783 25236 utils optional slocate_2.6-1.3.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFADDGKArxCt0PiXR4RAomQAJ9iYTMoK09C2SP2G6s613WKuGWR4wCgpGQ/
DDv+nkZUdDptl1/XVm1xawI=
=hO9d
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Mon, 9 Aug 2004 22:11:14 -0300
From: Joey Hess <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: not fixed in unstable

--h31gzZEtNLTqOjlF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tag 226103 - fixed
thanks

This bug was tagged fixed with an upload to "stable-security", whatever
that is. Since I can see no evidence of 2.6-1.3.2 in the archive, I
assume it was rejected or fell into a black hole. However, I see no
indication that CAN-2003-0848 is fixed in unstable. As noted at the top
of the bug, 2.7 is probably vulnerable. The sgid dropping should
certainly be forward ported from 2.6-1.3.2.

--=20
see shy jo

--h31gzZEtNLTqOjlF
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBGCCxd8HHehbQuO8RAkNmAJ9c+73glPECg9DXI63WeVPmCpHtNwCgwkfp
I/eSPhKFnFnylgqYaDLGrso=
=gxJJ
-----END PGP SIGNATURE-----

--h31gzZEtNLTqOjlF--

Message-ID: <20040820204212.GU2041@live>
Date: Fri, 20 Aug 2004 22:42:12 +0200
From: Florian Ernst <email address hidden>
To: <email address hidden>
Subject: Re: not fixed in unstable

--HKOZ/JADkehwFk9I
Content-Type: multipart/mixed; boundary="2tWkrNKppd65XSnD"
Content-Disposition: inline

--2tWkrNKppd65XSnD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

package slocate
tags 226103 patch
thanks

On Mon, 9 Aug 2004 22:11:14 -0300, Joey Hess wrote:
> However, I see no
> indication that CAN-2003-0848 is fixed in unstable. As noted at the top
> of the bug, 2.7 is probably vulnerable. The sgid dropping should
> certainly be forward ported from 2.6-1.3.2.

Forward porting the patch is easy, it applies cleanly (just some
offset), except for the debian/changelog part. I don't know whether
this patch will be sufficient for v2.7, though, but I'd assume so as
the attached patch and the diff between v2.6 and v2.7 don't seem to
intersect...
Find attached the patch from DSA-428-1 (diff between v2.6-1.3.1 and
v2.6-1.3.2)

Cheers,
Flo

PS: Please lart me if I went to far in tagging this bug "patch".

--2tWkrNKppd65XSnD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="DSA-428-1.diff"
Content-Transfer-Encoding: quoted-printable

diff -u slocate-2.6/main.c slocate-2.6/main.c
--- slocate-2.6/main.c
+++ slocate-2.6/main.c
@@ -339,6 +339,9 @@
  char *part;
  int i;
  int res_errno;
+ char *tmp_ptr =3D NULL;
+ int last_sgid =3D 0;
+ struct stat db_stat;
=20
  /* Make sure path is not empty */
  if (!path || strlen(path) =3D=3D 0) return;
@@ -382,6 +385,28 @@
=20
  /* Null terminate array */
  SLOCATE_PATH[i] =3D NULL;
+=09
+ /* Sort sgid slocate db's to the top */
+ for (i =3D 0; SLOCATE_PATH[i]; i++) {
+ if (stat(SLOCATE_PATH[i], &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat DB: %s: %s\n", progna=
me, SLOCATE_PATH[i], strerror(errno));
+
+ if (db_stat.st_gid !=3D SLOC_GID)
+ continue;
+ =09
+ if (i !=3D last_sgid) {
+ tmp_ptr =3D SLOCATE_PATH[last_sgid];
+ SLOCATE_PATH[last_sgid] =3D SLOCATE_PATH[i];
+ SLOCATE_PATH[i] =3D tmp_ptr;
+ }
+ =09
+ last_sgid +=3D 1;
+ =09
+ }
+=09
+ /* for (i =3D 0; SLOCATE_PATH[i]; i++)
+ printf("%s\n", SLOCATE_PATH[i]); */
+
 }
=20
 /* Parse Dash */
@@ -1152,6 +1177,22 @@
  char *cp=3DNULL;
 #endif
  char *bucket_of_holding=3DNULL;
+ gid_t cur_gid;
+ struct stat db_stat;
+
+ cur_gid =3D getegid();
+
+ if (stat(database, &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat '%d': %s\n", progname,=
 strerror(errno));
+=09
+ /* If the database's file group is not apart of the 'slocate' group,
+ * drop privileges. When multiple databases are specified, the ones
+ * apart of the 'slocate' group will be searched first before the
+ * privileges are dropped. */ =20
+ if (cur_gid =3D=3D SLOC_GID && db_stat.st_gid !=3D SLOC_GID) {
+ if (setgid(GID) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not drop privileges.", prognam=
e);
+ }
=20
  if ((fd =3D open(database,O_RDONLY)) =3D=3D -1) {
   report_error(WARNING,QUIET,"%s: decode_db(): %s: %s\n",progname,database=
,strerror(errno));
@@ -1409,6 +145...

Fixed in 2.7-2ubuntu1

Message-Id: <email address hidden>
Date: Tue, 07 Sep 2004 02:32:03 -0400
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Subject: Bug#226103: fixed in slocate 2.7-3

Source: slocate
Source-Version: 2.7-3

We believe that the bug you reported is fixed in the latest version of
slocate, which is due to be installed in the Debian FTP archive:

slocate_2.7-3.dsc
  to pool/main/s/slocate/slocate_2.7-3.dsc
slocate_2.7-3.tar.gz
  to pool/main/s/slocate/slocate_2.7-3.tar.gz
slocate_2.7-3_i386.deb
  to pool/main/s/slocate/slocate_2.7-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Lindsay <email address hidden> (supplier of updated slocate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 7 Sep 2004 03:20:42 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.7-3
Distribution: unstable
Urgency: high
Maintainer: Kevin Lindsay <email address hidden>
Changed-By: Kevin Lindsay <email address hidden>
Description:
 slocate - A secure replacment of findutil's locate
Closes: 226103 234563
Changes:
 slocate (2.7-3) unstable; urgency=high
 .
   * 'slocate' sgid privileges are now dropped when searching databases that
      are not apart of the 'slocate' group. This will prevent malicious user
      supplied databases from elevating user access to the 'slocate' group.
      See CAN-2003-0848, (closes: #226103)
   * Changed diversion /etc/cron.daily.find.notslocate to
     /etc/cron.daily/find.notslocate (closes: #234563)
   * I also made the database creation feature drop privileges so that the
     SGID binary can't chown the group of the database to 'slocate' unless
     the user has explicit access.
   * Added a patch which caused LOCATE_PATH to be ignored when '-d' was used,
     and vice versa. This also fixed an off by 1 overflow bug.
Files:
 2223bfb26ade197154ce17f424e84743 482 utils optional slocate_2.7-3.dsc
 b5b1997b35abbd56db737bca8f54a174 101576 utils optional slocate_2.7-3.tar.gz
 c95e2195a2da8660f935bf4485ebcce6 26896 utils optional slocate_2.7-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBPUSUUZpV8HRsUfQRAp8GAJkByTZwF+XRVrcYtoMC9bp1crRVTACg2ql3
RoAH22JMDBQeYXJqIEx0SD0=
=prVz
-----END PGP SIGNATURE-----