calendar crash on natty : buffer overflow detected

Bug #697213 reported by Lucazade
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
Bsdmainutils | Fix Released | Unknown | |
bsdmainutils (Ubuntu) | Fix Released | Undecided | Allison Randal |

Bug Description

Binary package hint: bsdmainutils

$ calendar
*** buffer overflow detected ***: calendar terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x50)[0x75acc0]
/lib/libc.so.6(+0xe4b9a)[0x759b9a]
/lib/libc.so.6(+0xe71c5)[0x75c1c5]
/lib/libc.so.6(__swprintf_chk+0x34)[0x75c0b4]
calendar[0x804a785]
calendar[0x80496f5]
/lib/libc.so.6(__libc_start_main+0xe6)[0x68bce6]
calendar[0x8049201]
Annullato

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: bsdmainutils 8.0.17
ProcVersionSignature: Ubuntu 2.6.37-11.25-generic 2.6.37-rc7
Uname: Linux 2.6.37-11-generic i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Tue Jan 4 14:09:14 2011
ProcEnviron:
 LANGUAGE=it_IT:it:en_GB:en
 LANG=it_IT.UTF-8
 LC_MESSAGES=it_IT.utf8
 SHELL=/bin/bash
SourcePackage: bsdmainutils

Lucazade (lucazade) wrote :
Hans Joachim Desserud (hjd) wrote :

This happens for me as well on Natty. On Maverick (bsdmainutils 8.0.11ubuntu1) it works fine.

Changed in bsdmainutils (Ubuntu):
status: New → Confirmed
summary: - calendar crash (natty)
+ calendar crash on natty : buffer overflow detected
Serge Hallyn (serge-hallyn) wrote :

cal/ncal (from the same package) does the same thing fwiw.

Allison Randal (allison) wrote :

This is caused by the recent version update of bsdmainutils 8.2.1 (Bug #701597). Working on a fix.

Changed in bsdmainutils (Ubuntu):
assignee: nobody → Allison Randal (allison)
Allison Randal (allison) wrote :

The Debian package patches the calendar source files to support Unicode in the form of wide characters (wchar_t) in place of traditional chars. In a few places, the patches don't completely replace the old char-like behavior, or too aggressively try to use wchar-like behavior on old-style char strings.

The attached patch (to the Debian quilt patches) fixes the buffer overflow, which was caused by using 'sizeof' (which returns a count of bytes) to calculate the maximum size passed to 'swprintf' (which expects the size as a count of wide characters). The patch also fixes some related warnings from the compile, also caused by incorrect handling of wchars:

io.c: In function ‘cal’:
io.c:133:6: warning: format ‘%ls’ expects type ‘wchar_t *’, but argument 3 has type ‘char *’
io.c:216:10: warning: passing argument 1 of ‘swprintf’ from incompatible pointer type
/usr/include/bits/wchar2.h:286:1: note: expected ‘wchar_t * __restrict__’ but argument is of type ‘wchar_t (*)[31]’
io.c:227:12: warning: passing argument 1 of ‘swprintf’ from incompatible pointer type
/usr/include/bits/wchar2.h:286:1: note: expected ‘wchar_t * __restrict__’ but argument is of type ‘wchar_t **’

I'll send these patches upstream to Debian.

Changed in bsdmainutils:
status: Unknown → New
tags: added: patch
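
The sizeof-versus-element-count mistake described in the comment above, shown as an added example that is not part of this bug thread or of the bsdmainutils patch. The 31-element size is taken from the compiler warning; the arena, guard region, function names and sample string are constructed so the wrong limit can be observed without writing outside an object.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define DAY_LEN 31  /* element count of the wchar_t[31] named in the io.c warning */

/* Arena sized so that even the wrong limit stays inside one object: the first
 * DAY_LEN elements stand in for the real buffer, the rest is a guard region. */
#define ARENA_LEN sizeof(wchar_t[DAY_LEN])
static wchar_t arena[ARENA_LEN];

/* Limit as the buggy code computed it: sizeof yields a count of bytes. */
static size_t limit_in_bytes(void) { return sizeof(wchar_t[DAY_LEN]); }

/* Limit swprintf expects: a count of wide characters. */
static size_t limit_in_wchars(void)
{
    return sizeof(wchar_t[DAY_LEN]) / sizeof(wchar_t);
}

/* Format text with the given limit and return how many guard elements
 * (index >= DAY_LEN) swprintf overwrote. In the real program those
 * elements would be whatever memory follows the 31-element buffer. */
static size_t guard_elements_clobbered(size_t limit, const wchar_t *text)
{
    size_t i, hit = 0;
    for (i = 0; i < ARENA_LEN; i++)
        arena[i] = L'#';                    /* sentinel value */
    (void)swprintf(arena, limit, L"%ls", text);
    for (i = DAY_LEN; i < ARENA_LEN; i++)
        if (arena[i] != L'#')
            hit++;
    return hit;
}

/* Constructed input: 40 wide characters, longer than the 31-element buffer. */
static const wchar_t LONG_TEXT[] = L"0123456789012345678901234567890123456789";

int main(void)
{
    printf("byte limit %zu clobbers %zu guard elements\n", limit_in_bytes(),
           guard_elements_clobbered(limit_in_bytes(), LONG_TEXT));
    printf("wchar limit %zu clobbers %zu guard elements\n", limit_in_wchars(),
           guard_elements_clobbered(limit_in_wchars(), LONG_TEXT));
    return 0;
}
```

With the element-count limit, swprintf reports failure instead of writing past element 30, which is the same bound that `__swprintf_chk` enforces in the backtrace above.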
Serge Hallyn (serge-hallyn) wrote :

(package with patch is building in ppa:serge-hallyn/bsdmainutils for testing)

Allison Randal (allison) wrote :

The patches have been applied in Debian and re-released as 8.2.2. Kees says he will sync as soon as the new packages show up in requestsync.

Changed in bsdmainutils:
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bsdmainutils - 8.2.2

---------------
bsdmainutils (8.2.2) unstable; urgency=low

  * Fix some wide character problems (LP: #697213). (Closes: #610760) -
    thanks to Allison Randal <email address hidden>
 -- Artur Rona <email address hidden> Tue, 01 Feb 2011 13:55:43 +0000

Changed in bsdmainutils (Ubuntu):
status: Confirmed → Fix Released