*** buffer overflow detected ***: find terminated

Bug #1730696 reported by Jay R. Wren
This bug affects 6 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| findutils (Debian) | Fix Released | Unknown | | |
| findutils (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

When running find with -printf "%T+ %p\n"

The -printf "%T+ %p\n" worked in previous versions. This is a new bug in 17.10.

```
> find . -printf "%A+ %p\n"
*** buffer overflow detected ***: find terminated
Aborted (core dumped)
```

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in coreutils (Ubuntu):
status: New → Confirmed
C de-Avillez (hggdh2) wrote :

Correcting package: /usr/bin/find belongs to the findutils package.

affects: coreutils (Ubuntu) → findutils (Ubuntu)
Henning Meyer (henning.meyer) wrote :

I can confirm the bug:

There is a blatant stack overflow in the Ubuntu 17.10 sources (findutils-4.6.0+git+20170729):
file "find/print.c", function "static char* format_date", line 614 and following

```c
char fmt[6];
/* a few lines later */
strcpy(fmt, "%Y-%m-%d+%T");
```

That string is longer than 5 characters.
That call should be strncpy anyway.

The non-crashing versions (previous Ubuntu, also official GNU sources 4.6.0) instead have

```c
strcpy (fmt, "%F+%T");
```

which does fit exactly into a six-byte buffer.

The obvious fix is to increase the size of fmt to hold the longer string.

There is a comment in the new sources, explaining the motivation:

```c
      /* Avoid %F, some Unix versions lack it. For example:
         HP Tru64 UNIX V5.1B (Rev. 2650); Wed Feb 17 22:59:59 CST 2016
         Also, some older HP-UX versions expand %F as the full month (like %B).
         Reported by Steven M. Schweda <email address hidden> */
```

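The overflow described in the comment above, as an added example that is not findutils' code and not the fix the project shipped: a simplified stand-in for `format_date()` whose `fmt` buffer is sized from the longest format literal (the approach of the upstream fix), plus a bounded copy helper in place of the bare `strcpy()`. The names `checked_copy`, `bytes_needed` and `format_date_fixed` are this example's own; the two format strings are the ones quoted in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not findutils code. It models the bug in find/print.c:
   format_date() copied a strftime() format into a fixed 6-byte stack
   buffer. "%F+%T" is 5 characters plus the terminator and fits; the
   portable replacement "%Y-%m-%d+%T" is 11 plus the terminator, so
   strcpy() wrote 6 bytes past the end of the array. */

#define FMT_ORIGINAL "%F+%T"          /* findutils 4.6.0 release */
#define FMT_PORTABLE "%Y-%m-%d+%T"    /* after the 2017-07 "avoid %F" change */

/* Bytes a C string occupies, terminator included. */
size_t bytes_needed(const char *s)
{
    return strlen(s) + 1;
}

/* Bounded stand-in for the strcpy() call: copy src into dst only if it
   fits together with its terminator. Returns 0 on success, -1 if the copy
   would overflow (dst is left untouched). Unlike strncpy() this can never
   leave dst unterminated, and it reports the problem instead of truncating. */
int checked_copy(char *dst, size_t dstsz, const char *src)
{
    size_t need = bytes_needed(src);
    if (need > dstsz)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Simplified stand-in for format_date() with the buffer sized the way the
   upstream fix does it: from the longest literal it can ever hold. The time
   is rendered as UTC so the output is deterministic. Returns the number of
   bytes strftime() wrote, or 0 on failure. */
size_t format_date_fixed(char *out, size_t outsz, time_t t, bool portable)
{
    char fmt[sizeof(FMT_PORTABLE)];               /* 12 bytes, room for both */
    const struct tm *tm = gmtime(&t);
    if (tm == NULL)
        return 0;
    if (checked_copy(fmt, sizeof(fmt), portable ? FMT_PORTABLE : FMT_ORIGINAL) != 0)
        return 0;                                 /* cannot happen with this sizing */
    return strftime(out, outsz, fmt, tm);
}

int main(void)
{
    char six[6];            /* the buggy build's buffer size */
    char a[32], b[32];

    printf("\"%s\" needs %zu bytes, \"%s\" needs %zu bytes\n",
           FMT_ORIGINAL, bytes_needed(FMT_ORIGINAL),
           FMT_PORTABLE, bytes_needed(FMT_PORTABLE));

    /* With the 6-byte buffer the old literal fits and the new one is
       refused, where the original strcpy() would have smashed the stack. */
    printf("copy \"%s\" into char[6]: %s\n", FMT_ORIGINAL,
           checked_copy(six, sizeof(six), FMT_ORIGINAL) == 0 ? "ok" : "rejected");
    printf("copy \"%s\" into char[6]: %s\n", FMT_PORTABLE,
           checked_copy(six, sizeof(six), FMT_PORTABLE) == 0 ? "ok" : "rejected");

    /* Both formats render identically, which is why the %F -> %Y-%m-%d swap
       was correct apart from the buffer size. */
    format_date_fixed(a, sizeof(a), (time_t)0, false);
    format_date_fixed(b, sizeof(b), (time_t)0, true);
    printf("%s\n%s\n", a, b);
    return 0;
}
```

Why the crash in the report is a clean abort rather than silent corruption: Ubuntu builds packages with glibc's `_FORTIFY_SOURCE=2`, so a `strcpy()` into a destination whose size is known at compile time becomes `__strcpy_chk()`, which prints "*** buffer overflow detected ***" and aborts when the source does not fit. Without fortification the six extra bytes would overwrite whatever sits above `fmt` on the stack. Sizing the array from `sizeof` of the literal, as above, removes the constant entirely; recent GCC versions also flag a `strcpy()` of a known-length literal into a smaller array at compile time (`-Wstringop-overflow`).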
Henning Meyer (henning.meyer) wrote :

I just checked the GNU git sources (https://git.savannah.gnu.org/git/findutils.git).

The bug was fixed upstream:

```
commit febde26dd0e66dda5d4060fa29b85443ddc6a865
Author: Bernhard Voelker <email address hidden>
Date: Mon Aug 28 23:15:12 2017 +0200

    find: avoid buffer-overflow with -printf '%T+'

    * find/print.c (format_date): Increase size of local variable
    FMT to match the longest possible content.

    Fixes https://bugs.debian.org/873032 reported upstream by
    Andreas Metzler in https://savannah.gnu.org/bugs/?51841;
    fix proposed by Kamil Dudka.

    Bug introduced in commit v4.6.0-111-g95816b2, so no released version
    ever saw this; therefore not adding a NEWS entry.

commit 95816b29d46fb6b64754d4a66e7d918b3f134a1f
Author: James Youngman <email address hidden>
Date: Sun Jul 23 22:19:42 2017 +0100

    find: avoid strftime's non-portable %F specifier.

    * find/print.c (format_date): Avoid passing %F to strftime since
    some implementations lack it. Pass the synonymous %Y-%m-%d
    instead. This fixes a bug manifesting on HP Tru64 UNIX V5.1B.
    Reported by Steven M. Schweda <email address hidden>.
```

Changed in findutils (Debian):
status: Unknown → Fix Released