
Debian Bug report logs - #431336
CVE-2007-2835 : Buffer overflow.


Reported by: Steve Kemp <skx@debian.org>

Date: Sun, 1 Jul 2007 19:18:01 UTC

Severity: grave

Tags: patch, security

Found in version unicon/3.0.4-11

Fixed in versions 3.0.4-11etch4, unicon/3.0.4-12

Done: Yu Guanghui <ygh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Yu Guanghui <ygh@debian.org>:
Bug#431336; Package unicon-imc2.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Yu Guanghui <ygh@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-2835 : Buffer overflow.
Date: Sun, 1 Jul 2007 20:17:15 +0100
Package: unicon-imc2
Version: 3.0.4-11
Severity: grave
Usertags: sourcescan


  CVE-2007-2835 : Allows local root compromise via zhcon.

  Anyway, the setuid(0) zhcon application links to this library,
  which contains a buffer overflow which may be used to gain root.
  (Actually any application using this library can be exploited;
  this is the only setuid one I could spot.)

  The source of this problem is ./unicon/ImmModules/cce/CCE_pinyin.c:

static int
IMM_Flush ()
{
  char name[256];
  /* unbounded copy: $HOME comes from the caller's environment and its
     length is never checked against the 256-byte stack buffer */
  sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
  SaveUsrPhrase(name);
  /* same unbounded copy into the same buffer for the second path */
  sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
  SavePhraseFrequency(name);

  return 1;
}

  There are similar problems in the file /unicon/ImmModules/cce/xl_pinyin.c
  too.


Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/
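The pattern described in the report above, as an added example that is not part of this bug log or of the unicon sources: a bounded replacement for the two path constructions in IMM_Flush() that also covers the two cases a bare snprintf() does not, namely getenv("HOME") returning NULL and a path that would not fit in the 256-byte buffer. The function names (build_home_path, flush_paths_checked, home_fits, home_of_length_fits) are hypothetical, and the SaveUsrPhrase()/SavePhraseFrequency() calls are left out because the point is the path construction, not the file I/O.

```c
/* Added example, not code from the bug report or from unicon.
 * Shows a bounded version of the two path constructions in IMM_Flush(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* same size as name[256] in the original IMM_Flush() */

/* Writes "<home>/<suffix>" into out (out_len bytes).  Returns the length of
 * the result on success, or -1 when home is NULL or the path would not fit.
 * On failure out is an empty string so a caller cannot use it by mistake. */
int build_home_path(char *out, size_t out_len, const char *home, const char *suffix)
{
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || suffix == NULL)      /* getenv("HOME") may return NULL */
        return -1;
    int n = snprintf(out, out_len, "%s/%s", home, suffix);
    if (n < 0 || (size_t)n >= out_len) {     /* would truncate: refuse rather than
                                                write the tables to a wrong path */
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Mirrors the shape of IMM_Flush(): both files live under $HOME/.pyinput and
 * share the 256-byte buffer size.  Returns 1 when both paths were built, 0 when
 * either was rejected (the original returned 1 unconditionally). */
int flush_paths_checked(const char *home, char usr[PATH_BUF], char freq[PATH_BUF])
{
    if (build_home_path(usr, PATH_BUF, home, ".pyinput/usrphrase.tab") < 0)
        return 0;
    if (build_home_path(freq, PATH_BUF, home, ".pyinput/sysfrequency.tab") < 0)
        return 0;
    return 1;
}

/* Convenience check: 1 if both paths fit for this HOME value, else 0. */
int home_fits(const char *home)
{
    char usr[PATH_BUF], freq[PATH_BUF];
    return flush_paths_checked(home, usr, freq);
}

/* Does a HOME made of `len` 'A' characters fit?  Lets a reader probe the
 * boundary without setting environment variables. */
int home_of_length_fits(size_t len)
{
    char home[1024];                         /* constructed input */
    if (len >= sizeof(home))
        return 0;
    memset(home, 'A', len);
    home[len] = '\0';
    return home_fits(home);
}

int main(void)
{
    /* constructed inputs: a normal home directory, an oversized one, none */
    printf("/home/alice : %s\n", home_fits("/home/alice") ? "fits" : "rejected");
    printf("229 x 'A'   : %s\n", home_of_length_fits(229) ? "fits" : "rejected");
    printf("230 x 'A'   : %s\n", home_of_length_fits(230) ? "fits" : "rejected");
    printf("unset HOME  : %s\n", home_fits(NULL) ? "fits" : "rejected");
    printf("this process: %s\n", home_fits(getenv("HOME")) ? "fits" : "rejected");
    return 0;
}
```

With a 256-byte buffer the longer of the two suffixes ("/.pyinput/sysfrequency.tab", 26 bytes including the separator) leaves room for a HOME of at most 229 bytes; the example rejects anything longer instead of silently using a truncated path, which is the check the snprintf-only fix still lacks.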




Information forwarded to debian-bugs-dist@lists.debian.org, Yu Guanghui <ygh@debian.org>:
Bug#431336; Package unicon-imc2.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Yu Guanghui <ygh@debian.org>.


Message #10 received at 431336@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 431336@bugs.debian.org
Subject: Patch
Date: Sun, 1 Jul 2007 20:52:01 +0100

  Patch we used for the DSA.

diff -u unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
@@ -159,9 +159,9 @@
 IMM_Flush ()
 {
   char name[256];
-  sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
+  snprintf(name,sizeof(name)-1,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
   SaveUsrPhrase(name);
-  sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
+  snprintf(name,sizeof(name)-1,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
   SavePhraseFrequency(name);
 
   return 1;
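Review bot: the sizeof(name)-1 bound on both new snprintf lines is safe but unnecessary: snprintf writes at most size-1 characters plus the terminating NUL, so sizeof(name) is the correct argument and the -1 only wastes a byte. The larger gap is that neither return value is checked, so a HOME longer than about 230 bytes now produces a silently truncated path that SaveUsrPhrase() and SavePhraseFrequency() will write to, and getenv("HOME") returning NULL still feeds a null pointer to %s. Suggest int n = snprintf(name, sizeof(name), ...); if (n < 0 || n >= (int)sizeof(name)) return 0; together with a NULL check on the getenv result before the first call.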
diff -u unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
@@ -138,21 +138,21 @@
   //Rat: modified for processing user-defined dictionaries
   if ((usrhome = getenv ("HOME")) != NULL)
 	{
-      sprintf (buf, "%s/%s", usrhome, ".pyinput");
+      snprintf (buf,sizeof(buf)-1, "%s/%s", usrhome, ".pyinput");
       retval = stat (buf, &statbuf);
 
       if ((retval == 0))
 	{
 	  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
 	    {
-	      sprintf (buf, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+	      snprintf (buf, sizeof(buf)-1, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
 
 	      if ( (retval = stat(buf, &statbuf)) == 0)
 		{
 		  if ( statbuf.st_size < MIN_USRPHR_SIZE || LoadUsrPhrase (buf) == -1)
 		    {
 		      printf ("Couldn't load %s. Please fix it. size or load error\n", buf);
-				  sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+				  snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
 				  if ((retval = access (buf, R_OK)) == 0)
 				{
 				  if (LoadUsrPhrase (buf) == -1)
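Review bot: the hunk does not show the declaration of buf, so sizeof(buf)-1 is only a correct bound if buf is a fixed-size array local to this function; if it is a pointer or a function parameter, sizeof yields the pointer size (4 or 8) and every path is truncated to a few bytes. Worth confirming the declaration in context before the upload. As in CCE_pinyin.c the three snprintf results are unchecked, so a truncated $HOME/.pyinput/usrphrase.tab is handed to stat() and LoadUsrPhrase() without complaint.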
@@ -164,7 +164,7 @@
 			  else
 			{
 			  creat (buf, 0600);
-			  sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+			  snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
 		  if ((retval = access (buf, R_OK)) == 0)
 		    {
 		      if (LoadUsrPhrase (buf) == -1)
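Review bot: creat (buf, 0600) on the context line just above the change ignores its return value, so the descriptor is leaked when the call succeeds and nothing is reported when it fails; since buf is immediately reused for the szPath fallback, the file created under $HOME is never referred to again in this branch. Not part of the overflow fix, but it sits on the changed lines and int fd = creat(...); if (fd >= 0) close(fd); would cost nothing.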
@@ -181,10 +181,10 @@
       else
 	{
 	  mkdir (buf, 0700);	//Rat: making $HOME/.pyinput
-	  sprintf (buf, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+	  snprintf (buf, sizeof(buf)-1, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
 	  creat (buf, 0600);	//Rat: making $HOME/.pyinput/usrphrase.tab
 
-	  sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+	  snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
 	  if ((retval = access (buf, R_OK)) == 0)
 	    {
 	      if (LoadUsrPhrase (buf) == -1)
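Review bot: mkdir (buf, 0700) and creat (buf, 0600) in this hunk are both unchecked, so if $HOME/.pyinput cannot be created (read-only home, quota, or an existing plain file of that name) execution continues to the szPath fallback without any diagnostic, unlike the missing-$HOME branch below which at least prints one. The snprintf changes themselves are fine, but buf is reused for three different paths here, so truncation on the second or third call goes unnoticed.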
@@ -197,7 +197,7 @@
   else
     {
       printf ("Sorry, I couldn't find your $HOME.\n");
-      sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+      snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
       printf ("Turn to access %s", buf);
 
       if ((retval = access (buf, R_OK)) != 0)
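Review bot: this branch knows $HOME is unset but neither returns nor records that fact, and usrhome stays NULL for the code that follows the if/else. Minor: printf ("Turn to access %s", buf) has no trailing newline, so the message is glued to whatever is printed next.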
@@ -210,7 +210,7 @@
 
     }
 
-  sprintf(buf,"%s/%s/%s",usrhome,".pyinput","sysfrequency.tab");
+  snprintf(buf,sizeof(buf)-1,"%s/%s/%s",usrhome,".pyinput","sysfrequency.tab");
   if(LoadPhraseFrequency(buf) == -1)
   {
 	  creat(buf,0700);
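Review bot: the snprintf on the changed line runs after the if/else on $HOME has completed (the closing brace at four spaces above is the else block's), so when getenv("HOME") returned NULL usrhome is still NULL here and is passed to %s; switching to snprintf does not change that. Guard it with if (usrhome != NULL) the way the usrphrase.tab save in the last hunk does. Separately, creat(buf,0700) creates a data file with execute bits set; 0600, as used for the other files in this function, looks like the intended mode.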
@@ -229,7 +229,7 @@
   AdjustPhraseFreq ();		// lower the freq to [0,50)
   if (usrhome != NULL)
     {
-      sprintf (szFileName, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+      snprintf (szFileName, sizeof(szFileName)-1, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
       SaveUsrPhrase (szFileName);
     }
   else
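Review bot: this is the only hunk that guards usrhome != NULL before formatting, which is the right shape; what remains is that the snprintf result is not compared against sizeof(szFileName), so an over-long $HOME makes SaveUsrPhrase() write the user's phrase table to a truncated, possibly unrelated path. Same remark as in CCE_pinyin.c on the -1: sizeof(szFileName) is already the safe bound.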
diff -u unicon-3.0.4/debian/changelog unicon-3.0.4/debian/changelog
--- unicon-3.0.4/debian/changelog
+++ unicon-3.0.4/debian/changelog
@@ -1,3 +1,11 @@
+unicon (3.0.4-11etch4) stable-security; urgency=high
+
+  * Non-maintainer upload by The Security Team.
+  * Fix the unsafe use of environmental variables.
+    [CVE-2007-2835]
+
+ -- Steve Kemp <skx@debian.org>  Sun,  24 Jul 2007 15:02:42 +0000
+
 unicon (3.0.4-11) unstable; urgency=low
 
   * Changed TLS_PthSocket ::read ::write to Read, Write.
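Review bot: the trailer date "Sun,  24 Jul 2007" is inconsistent: 24 July 2007 was a Tuesday (the report itself is dated Sun, 1 Jul 2007), and the double space after the comma is not the usual trailer format, so tooling that validates the changelog date will object to the weekday. The entry also carries no "Closes: #431336", so the bug has to be marked fixed in 3.0.4-11etch4 by hand, which is what the later control message does.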


Steve
-- 
http://www.steve.org.uk/



Tags added: security Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 01 Jul 2007 21:06:05 GMT)


Tags added: patch Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 01 Jul 2007 21:06:06 GMT)


Bug marked as fixed in version 3.0.4-11etch4. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Fri, 20 Jul 2007 23:09:02 GMT)


Reply sent to Yu Guanghui <ygh@debian.org>:
You have taken responsibility.


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.


Message #21 received at 431336-close@bugs.debian.org:

From: Yu Guanghui <ygh@debian.org>
To: 431336-close@bugs.debian.org
Subject: Bug#431336: fixed in unicon 3.0.4-12
Date: Mon, 06 Aug 2007 06:47:08 +0000
Source: unicon
Source-Version: 3.0.4-12

We believe that the bug you reported is fixed in the latest version of
unicon, which is due to be installed in the Debian FTP archive:

unicon-imc2_3.0.4-12_i386.deb
  to pool/main/u/unicon/unicon-imc2_3.0.4-12_i386.deb
unicon_3.0.4-12.diff.gz
  to pool/main/u/unicon/unicon_3.0.4-12.diff.gz
unicon_3.0.4-12.dsc
  to pool/main/u/unicon/unicon_3.0.4-12.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 431336@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yu Guanghui <ygh@debian.org> (supplier of updated unicon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 06 Aug 2007 13:50:51 +0800
Source: unicon
Binary: unicon-imc2
Architecture: source i386
Version: 3.0.4-12
Distribution: unstable
Urgency: low
Maintainer: Yu Guanghui <ygh@debian.org>
Changed-By: Yu Guanghui <ygh@debian.org>
Description: 
 unicon-imc2 - Chinese Input Method Library
Closes: 431336
Changes: 
 unicon (3.0.4-12) unstable; urgency=low
 .
   * Merged CVE-2007-2835  to unstable. (Closes:Bug#431336)
Files: 
 208ba9b1abe26852dbe8e016ff4f2504 593 utils optional unicon_3.0.4-12.dsc
 5615bce4b7c9544764d2e9bae7b9a6df 15934 utils optional unicon_3.0.4-12.diff.gz
 42c5f502a17a93394a7f0ebffbb3cf0f 4151994 utils optional unicon-imc2_3.0.4-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGtriaKNPoKRflcycRAojoAJ9230xGlLWPFHcvXJoRZE6zaGcR+gCfXZ+C
Kpb9rIyItTqXtuCP+PsljuU=
=VQWt
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:28:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:15:24 2019; Machine Name: buxtehude
