CVE-2004-2541: Buffer overflows in parsing file names from #include statements

Related Vulnerabilities: CVE-2004-2541  

Debian Bug report logs - #340177

Package: cscope; Maintainer for cscope is Tobias Klauser <tklauser@distanz.ch>; Source for cscope is src:cscope.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 21 Nov 2005 16:03:11 UTC

Severity: grave

Tags: fixed, patch, security

Found in version cscope/15.5+cvs20050816-1

Fixed in version cscope/15.5+cvs20050816-2

Done: Michael Ablassmeier <abi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Anthony Fok <foka@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2004-2541: Buffer overflows in parsing file names from #include statements
Date: Mon, 21 Nov 2005 16:59:34 +0100
Package: cscope
Version: 15.5+cvs20050816-1
Severity: grave
Tags: security
Justification: user security hole

Source code with overly long file names in #include statements may trigger a
buffer overflow and permit arbitrary code execution. Please see
http://sourceforge.net/tracker/index.php?func=detail&aid=1064875&group_id=4664&atid=104664
for details.

As cscope is a tool frequently used to study external code from untrusted sources
this seems like a valid attack vector to me, thus the RC severity. If you disagree,
feel free to lower the severity.

This has been assigned CVE-2004-2541, please mention it in the changelog when
fixing this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages cscope depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libncurses5                   5.5-1      Shared libraries for terminal hand

cscope recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, secure-testing-team@lists.alioth.debian.org, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to security@debian.org, secure-testing-team@lists.alioth.debian.org, Anthony Fok <foka@debian.org>.


Message #10 received at 340177@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <340177@bugs.debian.org>
Subject: cscope: fix for CVE-2004-2541: "buffer overflows in parsing file names from #include statements"
Date: Mon, 15 May 2006 14:18:01 +0100
Package: cscope
Version: 15.5+cvs20050816-1
Followup-For: Bug #340177

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Upstream appears to have stalled on this issue because some cscope
target platforms do not have snprintf().  Debian has snprintf(), so
this is not a problem for us.

The attached patch CVE-2004-2541.diff converts sprintf() calls to
snprintf().  It applies and compiles, and when patched cscope no longer
segfaults when examining the attached CVE-2004-2541-test.c.

- -- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages cscope depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  libncurses5                   5.5-2      Shared libraries for terminal hand

cscope recommends no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaH+JAud/2YgchcQRAj5fAKCjaA733NRcu8TO5tqNN3AAdYlcIQCcCwDQ
fPGtu6bPz2Hu2cuHkNhifw4=
=5d2y
-----END PGP SIGNATURE-----
[CVE-2004-2541.diff (text/x-c, attachment)]
[CVE-2004-2541-test.c (text/x-c, attachment)]
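
The sprintf()-to-snprintf() conversion described in the message above, sketched as an added example; this is not cscope's code or the attached patch, and `include_name`, `join_path` and `PATH_BUF` are hypothetical names chosen for illustration:

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64 /* assumed size for the demo, not cscope's real constant */

/* Copy the file name out of an #include line. Returns 0 on success,
 * -1 if the line is not an #include or the name does not fit in out. */
int include_name(const char *line, char *out, size_t outsz)
{
    const char *p = line + strspn(line, " \t");
    if (*p++ != '#')
        return -1;
    p += strspn(p, " \t");
    if (strncmp(p, "include", 7) != 0)
        return -1;
    p += 7 + strspn(p + 7, " \t");
    char term = (*p == '"') ? '"' : (*p == '<') ? '>' : '\0';
    if (term == '\0')
        return -1;
    const char *end = strchr(++p, term);
    if (end == NULL || end == p || (size_t)(end - p) >= outsz)
        return -1; /* reject an over-long name instead of overflowing */
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* Unbounded pattern: sprintf(path, "%s/%s", dir, name);
 * Bounded form: snprintf() never writes more than pathsz bytes, and a
 * return value >= pathsz means the result was truncated. */
int join_path(char *path, size_t pathsz, const char *dir, const char *name)
{
    int n = snprintf(path, pathsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= pathsz) {
        if (pathsz > 0)
            path[0] = '\0'; /* never hand back a silently truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[PATH_BUF], path[PATH_BUF];
    /* constructed sample line */
    if (include_name("#include \"util/list.h\"", name, sizeof name) == 0 &&
        join_path(path, sizeof path, "/usr/include", name) == 0)
        puts(path);
    return 0;
}
```

Checking the snprintf() return value matters as much as the bounded write: a truncated path that is silently accepted can resolve to a different file than the one named in the source.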

Tags added: patch Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Anthony Fok <foka@debian.org>.


Message #17 received at 340177@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Alec Berryman <alec@thened.net>, 340177@bugs.debian.org
Subject: Re: Bug#340177: cscope: fix for CVE-2004-2541: "buffer overflows in parsing file names from #include statements"
Date: Mon, 15 May 2006 17:15:57 +0200
Alec Berryman wrote:
> Package: cscope
> Version: 15.5+cvs20050816-1
> Followup-For: Bug #340177
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Upstream appears to have stalled on this issue because some cscope
> target platforms do not have snprintf().  Debian has snprintf(), so
> this is not a problem for us.

Thanks, this must have slipped through, I'll prepare a DSA.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Fok <foka@debian.org>:
Bug#340177; Package cscope.


Acknowledgement sent to Julien Cristau <julien.cristau@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Anthony Fok <foka@debian.org>.


Message #22 received at 340177@bugs.debian.org:

From: Julien Cristau <julien.cristau@ens-lyon.org>
To: 340177@bugs.debian.org
Subject: diff for 15.5+cvs20050816-1.1 NMU
Date: Sat, 10 Jun 2006 20:21:46 +0200
Hi,

Attached is the diff for my cscope 15.5+cvs20050816-1.1 NMU.
(Actually it's just the patch already attached to this bug + a changelog
entry.)

Cheers,
Julien
[cscope-15.5+cvs20050816-1.1-nmu.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Julien Cristau <julien.cristau@ens-lyon.org> to control@bugs.debian.org.


Reply sent to Michael Ablassmeier <abi@debian.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.


Message #29 received at 340177-close@bugs.debian.org:

From: Michael Ablassmeier <abi@debian.org>
To: 340177-close@bugs.debian.org
Subject: Bug#340177: fixed in cscope 15.5+cvs20050816-2
Date: Tue, 01 Aug 2006 02:17:24 -0700
Source: cscope
Source-Version: 15.5+cvs20050816-2

We believe that the bug you reported is fixed in the latest version of
cscope, which is due to be installed in the Debian FTP archive:

cscope_15.5+cvs20050816-2.diff.gz
  to pool/main/c/cscope/cscope_15.5+cvs20050816-2.diff.gz
cscope_15.5+cvs20050816-2.dsc
  to pool/main/c/cscope/cscope_15.5+cvs20050816-2.dsc
cscope_15.5+cvs20050816-2_amd64.deb
  to pool/main/c/cscope/cscope_15.5+cvs20050816-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340177@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Ablassmeier <abi@debian.org> (supplier of updated cscope package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  1 Aug 2006 11:04:19 +0200
Source: cscope
Binary: cscope
Architecture: source amd64
Version: 15.5+cvs20050816-2
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Michael Ablassmeier <abi@debian.org>
Description: 
 cscope     - Interactively examine a C program source
Closes: 340177
Changes: 
 cscope (15.5+cvs20050816-2) unstable; urgency=low
 .
   * QA Upload (Ack NMU, Closes: #340177)
   * Set Maintainer to QA Group, Orphaned: #378802
   * Conforms to latest Standards Version 3.7.2
Files: 
 55fc2653e93c76b0f8d7c934f5ca5266 656 devel optional cscope_15.5+cvs20050816-2.dsc
 f65f5799c6b2e77d387fa2c87c522b34 79150 devel optional cscope_15.5+cvs20050816-2.diff.gz
 b54dbb8d544a778f698e88167a0b60c3 153866 devel optional cscope_15.5+cvs20050816-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEzxmOEFV7g4B8rCURAjVvAJ9++yJB7LPfDjYoveuDTV+vXL+vCACfU50Y
AEcj4nnc0ZX1uFdfNljUHh8=
=HOGI
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 15:51:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:34:36 2019; Machine Name: beach
