Bugzilla – Bug 421849
VUL-0: CVE-2008-3916: ed: Heap Overflow
Last modified: 2018-10-24 08:01:45 UTC
Your friendly security team received the following report via full-disclosure. Please respond ASAP. The issue is public. Date: Mon, 01 Sep 2008 04:14:09 +0300 From: Pınar Yanardağ <pinar@pardus.org.tr> To: pardus-security@pardus.org.tr Subject: [Full-disclosure] [PLSA 2008-34] GNU ed: Heap Overflow CC: full-disclosure@lists.grok.org.uk ------------------------------------------------------------------------ Pardus Linux Security Advisory 2008-34 security@pardus.org.tr ------------------------------------------------------------------------ Date: 2008-09-01 Severity: 2 Type: Remote ------------------------------------------------------------------------ Summary ======= A vulnerability was reported in GNU ed. A remote user can cause arbitrary code to be executed on the target user's system. Description =========== A remote user can create a specially crafted file that, when processed by the target user, will trigger a heap overflow and potentially execute arbitrary code on the target system. The code will run with the privileges of the target user. The vulnerability resides in strip_escapes() in signal.c. Note: This vulnerability found by Alfredo Ortega from Core Security Technologies. Affected packages: Pardus 2008: ed, all before 1.0-9-2 Pardus 2007: ed, all before 1.0-7-8 Resolution ========== There are update(s) for ed. You can update them via Package Manager or with a single command from console: Pardus 2008: pisi up ed Pardus 2007: pisi up ed References ========== * http://bugs.pardus.org.tr/show_bug.cgi?id=8092 * http://www.securitytracker.com/alerts/2008/Aug/1020734.html * http://lists.gnu.org/archive/html/bug-ed/2008-06/msg00000.html ------------------------------------------------------------------------ -- Pınar Yanardağ Pardus Security Team http://security.pardus.org.tr _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Questionable whether this actually is a security issue Date: Mon, 1 Sep 2008 07:05:54 +0000 From: Tavis Ormandy <taviso@sdf.lonestar.org> To: oss-security@lists.openwall.com Subject: Re: [oss-security] GNU ed heap overflow If you can specify an arbitrary filename, can't you execute commands anyway? $ ed '!ls>&2' bin dev home lost+found misc net proc sbin srv tmp var boot etc lib media mnt opt root selinux sys usr 0 Thanks, Tavis. On Sun, Aug 31, 2008 at 01:13:01PM +0200, Florian Weimer wrote: > Can we get a CVE for this? The overflow is in the command line > processing, and also affects the red command. > > | Alfredo Ortega from Core Security Technologies has found that GNU Ed > | is vulnerable to a heap overflow. > > <http://lists.gnu.org/archive/html/bug-ed/2008-06/msg00000.html> -- ------------------------------------- taviso@sdf.lonestar.org | finger me for my gpg key. -------------------------------------------------------
There is no overflow possible.
Date: Thu, 4 Sep 2008 13:07:08 -0400 (EDT) From: "Steven M. Christey" <coley@linus.mitre.org> To: oss-security@lists.openwall.com Subject: Re: [oss-security] GNU ed heap overflow Use CVE-2008-3916... with caveat. While everything's inter-connected these days and maye ed can be invoked from some URI handler, or behind some application that passes user input to ed, I'm generally uncomfortable assigning a CVE for this type of "local issue" unless there's a reasonable usage scenario under which the application is reachable (WordNet has reasonable usage scenarios as a back end, for example). ====================================================== Name: CVE-2008-3916 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916 Reference: MLIST:[bug-ed] 20080821 Version 1.0 of GNU ed released Reference: URL:http://lists.gnu.org/archive/html/bug-ed/2008-08/msg00000.html Reference: SECTRACK:1020734 Reference: URL:http://www.securitytracker.com/id?1020734 Reference: XF:gnued-stripescapes-bo(44643) Reference: URL:http://xforce.iss.net/xforce/xfdb/44643 Heap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component.
the overflow is also caught by the memory corruption detection mechanisms. $ ed `perl -e "print 'A'x10000;"` *** glibc detected *** ed: free(): invalid next size (normal): 0x0000000000612af0 *** ======= Backtrace: ========= /lib64/libc.so.6[0x7f00b15adaf8] /lib64/libc.so.6(cfree+0x76)[0x7f00b15af6e6] /lib64/libc.so.6[0x7f00b159e6d9] ed[0x403c59] ed[0x408b25] /lib64/libc.so.6(__libc_start_main+0xe6)[0x7f00b1556436] ed[0x4014b9] ======= Memory map: ======== 00400000-0040d000 r-xp 00000000 fd:03 744887 /bin/ed 0060c000-0060d000 r--p 0000c000 fd:03 744887 /bin/ed 0060d000-0060e000 rw-p 0000d000 fd:03 744887 /bin/ed 0060e000-0062f000 rw-p 0060e000 00:00 0 [heap] ...
Created attachment 271791 [details] ed-overflow.patch patch I quickly coded up that seems to fix the crash
*** Bug 474587 has been marked as a duplicate of this bug. ***
CVE-2008-3916: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)