SECURITY: remotely-exploitable buffer overflow in cfingerd's rfc1413 (ident) client
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cfingerd (Debian) | Fix Released | Unknown | | |
| cfingerd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Lucid | Invalid | Undecided | Unassigned | |
| Oneiric | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Undecided | Unassigned | |
| Quantal | Fix Released | Undecided | Unassigned | |
| Raring | Fix Released | Undecided | Unassigned | |
Bug Description
src/rfc1413.c:

```c
if (read(j, buf, 256) <= 0) {
```
The size of buf is #defined as 2*INET6_ADDRSTRLEN, i.e. 96 bytes. There is an obvious buffer overflow possibility here.
The standard behaviour of cfingerd is to send an ident query to the source of any non-local finger query. So if cfingerd is sent a finger query from a host which is running an identd which responds with more than 96 bytes of data, stack corruption is possible.
Luckily on my system glibc detects this and raises SIGABRT. If it did not, this would be trivially exploitable. On Ubuntu, cfingerd runs as root.
---
The attached patch fixes the bug, and also sanitises the length of the three buffers (buf, buffer and *bleah) -- there is no reason for the receive buffer to be sized based on the length of an IPv6 address as these never feature in the protocol, and the output buffer should be based on the length of a username and an address, not arbitrarily set to double the length of an address.
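The attached patch is not on this page, so the following is an added example (not cfingerd's code) of the defensive pattern the report asks for: the `read()` length derived from the buffer's actual size instead of a literal, with the result always NUL-terminated. The 96-byte buffer size is taken from the report; the function names, the loop-until-newline handling and the constructed ident replies are assumptions for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define IDENT_BUF 96   /* 2*INET6_ADDRSTRLEN, the size quoted in the report */

/* Collect one ident reply line into buf. Writes at most buflen-1 bytes and
 * always NUL-terminates; stops at the LF ending the reply or when the buffer
 * is full, whichever comes first. Returns the stored length with CRLF
 * removed, or -1 on error / no data. */
ssize_t read_ident_reply(int fd, char *buf, size_t buflen)
{
    size_t used = 0;
    if (buflen == 0) return -1;
    while (used < buflen - 1) {
        /* bounded by the space that is left, never by a literal like 256 */
        ssize_t n = read(fd, buf + used, buflen - 1 - used);
        if (n < 0) return -1;
        if (n == 0) break;                      /* peer closed the connection */
        used += (size_t)n;
        if (memchr(buf, '\n', used)) break;     /* end of the reply line */
    }
    buf[used] = '\0';
    if (used == 0) return -1;
    while (used > 0 && (buf[used - 1] == '\n' || buf[used - 1] == '\r'))
        buf[--used] = '\0';
    return (ssize_t)used;
}

/* Deliver a constructed reply through a pipe and report the stored length. */
static ssize_t feed_reply(const char *reply, size_t len)
{
    int p[2];
    char buf[IDENT_BUF];
    ssize_t stored;
    if (pipe(p) != 0) return -1;
    if (write(p[1], reply, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    stored = read_ident_reply(p[0], buf, sizeof buf);
    close(p[0]);
    return stored;
}

/* A well-formed reply (constructed) fits and loses only its CRLF: 32 bytes. */
ssize_t demo_normal_reply(void)
{
    const char r[] = "6193, 23 : USERID : UNIX : alice\r\n";
    return feed_reply(r, sizeof r - 1);
}

/* A 300-byte hostile reply, the case from the report, is capped at 95 bytes. */
ssize_t demo_oversized_reply(void)
{
    char r[300];
    memset(r, 'A', sizeof r);
    r[298] = '\r'; r[299] = '\n';
    return feed_reply(r, sizeof r);
}
```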
Changed in cfingerd (Debian):
status: Unknown → Fix Committed

Changed in cfingerd (Debian):
status: Fix Committed → Fix Released
This is CVE-2013-1049