buffer overflow in values.c

Bug #485194 reported by Raphael Geissert on 2009-11-19
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ureadahead | Invalid | High | Unassigned | |
| ureadahead (Ubuntu) | | Low | Kees Cook | |

Bug Description

The get_value and set_value functions both set the null character at buf[len], but len can be up to sizeof buf, which results in a buffer overflow.
In practice this seems unlikely, if not impossible, to have any effect as the files these functions operate on only contain one or a couple of bytes. Nevertheless, it is a bug.

Changed in ureadahead:
status: New → Triaged
importance: Undecided → High

Moved to Ubuntu bug tracker

Changed in ureadahead (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in ureadahead:
status: Triaged → Invalid
Kees Cook (kees) on 2011-03-16
Changed in ureadahead (Ubuntu):
assignee: nobody → Kees Cook (kees)
importance: High → Low
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ureadahead - 0.100.0-11

---------------
ureadahead (0.100.0-11) natty; urgency=low

  * src/trace.c: leave room for string termination on reads (LP: #485194).
  * man/ureadahead.8: fix typo and update bug reporting URL (LP: #697770).
  * debian/rules: don't bother with /var/lib/ureadahead mode.
 -- Kees Cook <email address hidden> Wed, 16 Mar 2011 17:19:01 -0700

Changed in ureadahead (Ubuntu):
status: Fix Committed → Fix Released
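
The off-by-one described in the bug description, next to a read that leaves room for the terminator as the changelog entry puts it. This is an added example, not ureadahead's code: the function names, BUF_SIZE, CANARY and the pipe standing in for the small files are all assumptions made for illustration. The backing array carries one spare guard byte so the stray terminator write can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define BUF_SIZE 8    /* logical buffer size, constructed for this demo */
#define CANARY   0x5A /* guard byte placed just past the logical buffer */

/* Pattern from the report: read() may return size, so buf[len] is buf[size]. */
static ssize_t read_value_overflowing(int fd, char *buf, size_t size)
{
    ssize_t len = read(fd, buf, size);
    if (len < 0)
        return -1;
    buf[len] = '\0'; /* one past the end when len == size */
    return len;
}

/* Bounded form: request size - 1 bytes so the terminator always fits. */
static ssize_t read_value_bounded(int fd, char *buf, size_t size)
{
    ssize_t len = size ? read(fd, buf, size - 1) : -1;
    if (len < 0)
        return -1;
    buf[len] = '\0'; /* len <= size - 1, always in bounds */
    return len;
}

/* Returns 1 if the guard byte survived, 0 if overwritten, -1 on I/O error. */
static int canary_intact(int use_bounded, const char *data)
{
    char backing[BUF_SIZE + 1]; /* spare byte keeps the overflow observable */
    int fds[2];
    ssize_t written;
    memset(backing, CANARY, sizeof backing);
    if (pipe(fds) != 0)
        return -1;
    written = write(fds[1], data, strlen(data)); /* constructed sample input */
    close(fds[1]);
    if (written >= 0)
        (use_bounded ? read_value_bounded : read_value_overflowing)(fds[0], backing, BUF_SIZE);
    close(fds[0]);
    return written < 0 ? -1 : backing[BUF_SIZE] == CANARY;
}

int main(void)
{
    printf("overflowing: canary intact = %d\n", canary_intact(0, "0123456789"));
    printf("bounded:     canary intact = %d\n", canary_intact(1, "0123456789"));
    return 0;
}
```

With a one- or two-byte input both readers leave the guard byte alone, which matches the report's remark that the overflow is unlikely to trigger on the files these functions normally read.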