Bugzilla – Bug 485893
VUL-0: CVE-2009-1577: cscope Vulnerability Notification
Last modified: 2021-10-14 08:42:58 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. CRD 7.4.

Date: Mon, 16 Mar 2009 16:57:56 -0700
From: Matthew Murphy <matthew.murphy@apple.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] cscope Vulnerability Notification
CC: broeker@users.sourceforge.net, jcduell@users.sourceforge.net, nhorman@users.sourceforge.net

Apple has identified a vulnerability in cscope, the interactive, screen-oriented tool for browsing C source files. Apple currently plans to release details of this issue on April 7, 2009, and we ask that you do not publicly disclose the issue(s) prior to that date. If there are any concerns about the proposed embargo date, please let me know.

The overflow was discovered by James Peach, an Apple employee. The overflow may be reproduced by running cscope against the attached file 'Makefile.headersinst'. Our investigation concluded that the issue could be potentially exploited for the execution of arbitrary code by a malicious source file.

We plan to describe the issue as follows:

"A stack buffer overflow exists in cscope's handling of long file system paths. Processing a maliciously crafted source file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking."

I have also attached our patch, for your convenience.

The patch modifies several sprintf() usages which may or may not be vulnerabilities themselves; the construct which was identified as causing the issue demonstrated by the attached file is:

    /* search for the file in the #include directory list */
    for (i = 0; i < nincdirs; ++i) {
        /* don't include the file from two directories */
        sprintf(name, "%.*s/%s", PATHLEN - 2 - file_len, incnames[i], file);
        if (infilelist(name) == YES) {
            break;
        }
        /* make sure it exists and is readable */
        sprintf(path, "%.*s/%s", PATHLEN - 2 - file_len, incdirs[i], file);
        if (access(compath(path), READ) == 0) {

Apple has assigned CVE-2009-0148 to this issue.

The people listed as project administrators for cscope on sourceforge.net are Cc'ed on this message, so that they are aware of the issue.

Regards,
Matt Murphy
Apple Product Security
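The sprintf() construct quoted in the report relies on the "%.*s" precision (PATHLEN - 2 - file_len) to clip the directory so that directory, "/", file name and NUL fit in PATHLEN bytes. That arithmetic only works while file_len is at most PATHLEN - 2: once the file name is longer, the computed precision is negative, and C treats a negative precision as if none were given, so the directory is no longer clipped at all and the result can exceed the buffer by an arbitrary amount. The program below is an added example written for this page, not cscope's code or Apple's patch; it measures what the original format string would have written using snprintf(NULL, 0, ...) so that nothing is actually overflowed, and sets it beside a hardened join that checks the snprintf return value. PATHLEN is an assumed value (the real constant is not given here), the "int file_len" type is assumed to match the original, and the inputs are constructed runs of 'a' and 'b' of chosen lengths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for cscope's PATHLEN; the real value is not given on this page,
 * so this size is an assumption used only to make the arithmetic concrete. */
#define PATHLEN 256

/* What the original construct would write, measured without writing:
 *   sprintf(path, "%.*s/%s", PATHLEN - 2 - file_len, incdirs[i], file);
 * snprintf(NULL, 0, ...) returns the length the full output would have had,
 * so a long input cannot smash anything here. C99 7.19.6.1 says a negative
 * precision is treated as if no precision were given, which is the failure
 * mode examined below. Returns the length excluding the NUL. */
size_t original_formatted_len(const char *incdir, const char *file)
{
    int file_len = (int)strlen(file);        /* assumed to be an int, as in the sprintf */
    int precision = PATHLEN - 2 - file_len;  /* negative once file_len > PATHLEN - 2 */
    int n = snprintf(NULL, 0, "%.*s/%s", precision, incdir, file);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened replacement: never clips the directory silently and never
 * overflows. Returns 0 and fills out on success, -1 if dir + "/" + file
 * (with its NUL) does not fit in out_size bytes. */
int safe_join_path(char *out, size_t out_size, const char *dir, const char *file)
{
    int n = snprintf(out, out_size, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a string of len copies of c. */
static char *make_run(char c, size_t len)
{
    char *s = malloc(len + 1);
    if (s) {
        memset(s, c, len);
        s[len] = '\0';
    }
    return s;
}

/* Length the original sprintf would have produced for a directory of
 * dir_len 'a's and a file name of file_len 'b's. */
size_t original_len_for(size_t dir_len, size_t file_len)
{
    char *dir = make_run('a', dir_len), *file = make_run('b', file_len);
    size_t n = (dir && file) ? original_formatted_len(dir, file) : 0;
    free(dir);
    free(file);
    return n;
}

/* 1 if the original sprintf would have written past a PATHLEN-byte buffer. */
int original_overflows_for(size_t dir_len, size_t file_len)
{
    return original_len_for(dir_len, file_len) + 1 > PATHLEN;
}

/* Result of the hardened join into a PATHLEN-byte buffer: 0 fits, -1 rejected. */
int safe_join_result_for(size_t dir_len, size_t file_len)
{
    char out[PATHLEN];
    char *dir = make_run('a', dir_len), *file = make_run('b', file_len);
    int rc = (dir && file) ? safe_join_path(out, sizeof out, dir, file) : -1;
    free(dir);
    free(file);
    return rc;
}

int main(void)
{
    struct { size_t dir_len, file_len; } cases[] = {
        {12, 7},    /* ordinary path: fits either way */
        {300, 3},   /* long directory, short file: precision clips dir, fits */
        {12, 254},  /* precision reaches 0: dir vanishes, path is "/bbb...", no overflow */
        {12, 255},  /* precision -1: no clipping at all, 268 bytes into 256 */
        {300, 300}, /* long both: 601 bytes into 256 */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t d = cases[i].dir_len, f = cases[i].file_len;
        printf("dir=%3zu file=%3zu  original writes %3zu bytes (%s)  hardened: %s\n",
               d, f, original_len_for(d, f),
               original_overflows_for(d, f) ? "OVERFLOW" : "fits",
               safe_join_result_for(d, f) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Two things the table makes visible: the precision trick only protects against a long directory, never against a long file name, and even before it goes negative it degrades quietly (at precision 0 the directory component disappears and cscope would look up "/file" instead of the intended path). The hardened join rejects anything that does not fit rather than silently producing a different path, which is the behaviour a caller that goes on to access() the result should want.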
Upstream disputes the problem and dislikes the fix.
CVE-ID: CVE-2009-1577
URL:
Multiple stack-based buffer overflows in the putstring function in find.c in Cscope before 15.6 allow user-assisted remote attackers to execute arbitrary code via a long (1) function name or (2) symbol in a source-code file.
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=499174
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=189666
Reference: CONFIRM: http://cscope.cvs.sourceforge.net/viewvc/cscope/cscope/src/find.c?r1=1.18&r2=1.19
Reference: MLIST: http://www.openwall.com/lists/oss-security/2009/05/06/9
Reference: MLIST: http://www.openwall.com/lists/oss-security/2009/05/06/10
Reference: MLIST: http://www.openwall.com/lists/oss-security/2009/05/05/1
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/cscope/devel/cscope-15.5-putstring-overflow.patch
Reference: CONFIRM: http://cscope.cvs.sourceforge.net/viewvc/cscope/cscope/src/find.c?view=log#rev1.19
CVE-2009-1577: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)