multiple stack overflows

Bug #164150 reported by Kees Cook
Affects           Status        Importance  Assigned to  Milestone
o3read (Ubuntu)   Invalid       Undecided   Unassigned
tracker (Ubuntu)  Fix Released  High        Unassigned

Bug Description

Binary package hint: tracker

At least two stack overflows are present. While not an issue in Ubuntu (due to stack protections), these could cause crashes, and generally need to be fixed:

    src/text-filters/ooo_converter/o3read.c
        line 203: unbounded copy across stack? might destroy q... (but it isn't used for later overwrites)

    src/tracker-thumbnailer/tracker-thumbnailer.c:
        line 145: bug; 1 byte NULL-overwrite (uri_hash is 20 chars long, needs 21)

Changed in tracker:
importance: Undecided → High
Jamie McCracken (jamiemcc-blueyonder) wrote :

Inlined O3read has been removed from tracker - it now uses the system one, which is in the main repo.

I will investigate the tracker-thumbnailer.c one though.

Kees Cook (kees) wrote :

Just for note, I realize "line 203" isn't useful without mentioning version (0.0.4-1 o3read), but the line is:

         while (*q && !isspace(*q)) b[n++] = toupper(*q++);

Strings longer than 1024 (without spaces) will cause this loop to walk past the end of "b". Checking "n" should solve the issue.
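
An added example, not part of the original report or of the o3read or tracker source: a bounded form of the loop quoted above that checks "n" against the buffer size and always leaves one byte for the terminator, which is also what the uri_hash finding (20 characters needing 21 bytes) comes down to. The helper name, its signature and the sample input are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 1024 /* size of "b" as given in the report */

/*
 * Bounded form of: while (*q && !isspace(*q)) b[n++] = toupper(*q++);
 * Stores at most bsize-1 bytes so the terminating NUL always fits.
 * *qp is advanced past the whole token even when the copy is truncated,
 * so the caller's parser stays in sync. Returns 1 if truncated, else 0.
 * Hypothetical helper: name and signature are not from o3read.
 */
static int copy_token_upper(const char **qp, char *b, size_t bsize)
{
    /* unsigned char: isspace/toupper are undefined for negative char values */
    const unsigned char *q = (const unsigned char *)*qp;
    size_t n = 0;
    int truncated = 0;

    if (bsize == 0)
        return 1;               /* no room even for the terminator */
    while (*q && !isspace(*q)) {
        if (n + 1 < bsize)      /* the missing check on n */
            b[n++] = (char)toupper(*q);
        else
            truncated = 1;
        q++;
    }
    b[n] = '\0';
    *qp = (const char *)q;
    return truncated;
}

int main(void)
{
    char input[TOKEN_MAX + 200];            /* constructed sample input */
    char b[TOKEN_MAX];
    const char *q = input;

    memset(input, 'a', sizeof(input) - 1);  /* one token longer than b */
    input[sizeof(input) - 1] = '\0';
    int truncated = copy_token_upper(&q, b, sizeof(b));
    printf("truncated=%d stored=%zu consumed=%zu\n",
           truncated, strlen(b), (size_t)(q - input));
    return 0;
}
```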

Emilio Pozuelo Monfort (pochu) wrote :

Michael was working on this.

Changed in tracker:
assignee: nobody → mbiebl
Emilio Pozuelo Monfort (pochu) wrote :

No, he wasn't. I mixed up this report and the tempfile usage one.

Changed in tracker:
assignee: mbiebl → nobody
Jamie McCracken (jamiemcc-blueyonder) wrote :

Fixed the potential stack overflow in tracker source.

Changed in tracker:
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tracker - 0.6.4-1ubuntu2

---------------
tracker (0.6.4-1ubuntu2) hardy; urgency=low

  * debian/tracker.py:
    - Added an apport hook to ignore tracker-extract crashes, since they
      are caused by setrlimit terminating tracker-extract when it raises
      it's cpu/memory limit.
  * debian/tracker.install:
    - Install tracker.py in /usr/share/apport/package-hooks/
  * debian/patches/07_disable_xmp_metadata_extracting.patch:
    - Disable xmp metadata extraction for now, as it's buggy and is causing
      tracker-extract to get stuck indexing the same file.
      Patch backported from trunk. LP: #194221.
  * debian/patches/08_fix_potential_stack_overflow.patch:
    - Fix a potential stack overflow, backported from trunk. LP: #164150.

 -- Emilio Pozuelo Monfort <email address hidden> Mon, 25 Feb 2008 09:46:41 +0100

Changed in tracker:
status: Fix Committed → Fix Released
Thomas Hotz (thotz-deactivatedaccount) wrote :

Any update on the stack overflow in o3read? Thank you for telling us!

Changed in o3read (Ubuntu):
status: New → Incomplete
Kees Cook (kees)
Changed in o3read (Ubuntu):
status: Incomplete → Confirmed
Phillip Susi (psusi) wrote :

Closing this task since the o3read package no longer exists.

Changed in o3read (Ubuntu):
status: Confirmed → Invalid