SECURITY: remotely-exploitable buffer overflow in cfingerd's rfc1413 (ident) client

Reported by Malcolm Scott on 2013-01-24
Affects              Status         Importance   Assigned to   Milestone
cfingerd (Debian)    Fix Released   Unknown
cfingerd (Ubuntu)                   Undecided    Unassigned
  Lucid                             Undecided    Unassigned
  Oneiric                           Undecided    Unassigned
  Precise                           Undecided    Unassigned
  Quantal                           Undecided    Unassigned
  Raring                            Undecided    Unassigned

Bug Description

src/rfc1413.c:

   if (read(j, buf, 256) <= 0) {

The size of buf is #defined as 2*INET6_ADDRSTRLEN, i.e. 96 bytes. There is an obvious buffer overflow possibility here.

The standard behaviour of cfingerd is to send an ident query to the source of any non-local finger query. So if cfingerd is sent a finger query from a host which is running an identd which responds with more than 96 bytes of data, stack corruption is possible.

Luckily on my system glibc detects this and raises SIGABRT. If it did not, this would be trivially exploitable. On Ubuntu, cfingerd runs as root.

---

The attached patch fixes the bug, and also sanitises the length of the three buffers (buf, buffer and *bleah) -- there is no reason for the receive buffer to be sized based on the length of an IPv6 address as these never feature in the protocol, and the output buffer should be based on the length of a username and an address, not arbitrarily set to double the length of an address.

Malcolm Scott (malcscott) wrote :
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1049

Malcolm Scott (malcscott) wrote :

Any update on the publication of a fixed package? The embargo on this vulnerability lapsed a week ago.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

information type: Private Security → Public Security
Changed in cfingerd (Ubuntu):
status: New → Incomplete

The attachment "cfingerd.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Malcolm Scott (malcscott) wrote :

Attaching a debdiff.

I'm not convinced upstream is active as the last release was in 1999, but I'll contact them regardless.

Changed in cfingerd (Ubuntu):
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff. Since we have basically the same version of cfingerd in lucid-raring, I'll apply it to all releases with a slight changes file adjustment.

Packages will build now and will be released in the next few days. Thanks!

Marc Deslauriers (mdeslaur) wrote :

Actually, it would appear the version in Lucid isn't affected by this flaw. The vulnerability seems to originate from this debian-specific patch:

cfingerd (1.4.3-3) unstable; urgency=low
   * Applied IPv6 patch from Mats Erik Andersson
     <email address hidden> (closes: Bug#570024)

Changed in cfingerd (Ubuntu Lucid):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cfingerd - 1.4.3-3ubuntu2

---------------
cfingerd (1.4.3-3ubuntu2) raring; urgency=high

  * SECURITY UPDATE: fix buffer overflow in rfc1413 (ident) client
    (LP: #1104425).
    - CVE-2013-1049
 -- Malcolm Scott <email address hidden> Thu, 24 Jan 2013 20:19:56 +0000

Changed in cfingerd (Ubuntu Raring):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cfingerd - 1.4.3-3ubuntu1.12.04.1

---------------
cfingerd (1.4.3-3ubuntu1.12.04.1) precise-security; urgency=high

  * SECURITY UPDATE: fix buffer overflow in rfc1413 (ident) client
    (LP: #1104425).
    - CVE-2013-1049
 -- Malcolm Scott <email address hidden> Thu, 24 Jan 2013 20:19:56 +0000

Changed in cfingerd (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cfingerd - 1.4.3-3ubuntu1.12.10.1

---------------
cfingerd (1.4.3-3ubuntu1.12.10.1) quantal-security; urgency=high

  * SECURITY UPDATE: fix buffer overflow in rfc1413 (ident) client
    (LP: #1104425).
    - CVE-2013-1049
 -- Malcolm Scott <email address hidden> Thu, 24 Jan 2013 20:19:56 +0000

Changed in cfingerd (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cfingerd - 1.4.3-3ubuntu1.11.10.1

---------------
cfingerd (1.4.3-3ubuntu1.11.10.1) oneiric-security; urgency=high

  * SECURITY UPDATE: fix buffer overflow in rfc1413 (ident) client
    (LP: #1104425).
    - CVE-2013-1049
 -- Malcolm Scott <email address hidden> Thu, 24 Jan 2013 20:19:56 +0000

Changed in cfingerd (Ubuntu Oneiric):
status: New → Fix Released
Changed in cfingerd (Debian):
status: Unknown → Fix Committed
Changed in cfingerd (Debian):
status: Fix Committed → Fix Released