From: Salvatore Bonaccorso
Newsgroups: gnu.utils.bug
Subject: Re: Vulnerability Report on Sharutils 4.15.2
Date: Sat, 14 Apr 2018 11:30:21 +0200
To: bug-gnu-utils@gnu.org
References: <47a93dc0-b0f9-9dc7-593e-ce7f96f56e19@gmail.com> <20180325175147.GA13587@eldamar.local> <20180326044616.f4aouw6a2k5px4jq@lorien.valinor.li> <20180406042611.GA3637@eldamar.local>
Hi Petr

On Tue, Apr 10, 2018 at 02:54:32PM +0000, Petr Pisar wrote:
> On 2018-04-06, Salvatore Bonaccorso wrote:
> > AFAICT for this issue still no proposed fix is available for the
> > issues raised in
> > https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00003.html,
>
> Well, I cannot reproduce it. Maybe the attachment with the reproducer is
> wrong. The message reads 2.fuzz, but the attachment contains four
> SIGSEGV*.fuzz files. Running unshar on any of them results in:
>
> sh: line 14386: warning: here-document at line 37 delimited by end-of-file (wanted `_EOF_')
> sh: line 14387: syntax error: unexpected end of file
>
> (the line numbers differ) and valgrind does not show any issue in the
> unshar process.

That you were not able to reproduce led me to look again at it. So I can
reproduce it on an up-to-date Debian unstable (amd64) system, with
sharutils updated up to 1:4.15.2-3. Valgrind shows:

$ valgrind unshar SIGSEGV.PC.80018413.STACK.1dab0c403.CODE.1.ADDR.0xbf7fe258.INSTR.push___%ecx.fuzz
==3784== Memcheck, a memory error detector
==3784== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3784== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==3784== Command: unshar SIGSEGV.PC.80018413.STACK.1dab0c403.CODE.1.ADDR.0xbf7fe258.INSTR.push___%ecx.fuzz
==3784==
SIGSEGV.PC.80018413.STACK.1dab0c403.CODE.1.ADDR.0xbf7fe258.INSTR.push___%ecx.fuzz: Segmentation fault
==3784==
==3784== Process terminating with default action of signal 13 (SIGPIPE)
==3784==    at 0x4F21134: write (write.c:27)
==3784==    by 0x4EB24BC: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1203)
==3784==    by 0x4EB17DE: new_do_write (fileops.c:457)
==3784==    by 0x4EB3648: _IO_do_write@@GLIBC_2.2.5 (fileops.c:433)
==3784==    by 0x4EB2B7E: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1266)
==3784==    by 0x4EB13BF: fwrite_unlocked (iofwrite_u.c:43)
==3784==    by 0x10C3E6: unshar_file (unshar.c:396)
==3784==    by 0x10BC4E: validate_fname (unshar-opts.c:604)
==3784==    by 0x10BC4E: main (unshar-opts.c:639)
==3784==
==3784== HEAP SUMMARY:
==3784==     in use at exit: 4,920 bytes in 4 blocks
==3784==   total heap usage: 55 allocs, 51 frees, 167,287 bytes allocated
==3784==
==3784== LEAK SUMMARY:
==3784==    definitely lost: 0 bytes in 0 blocks
==3784==    indirectly lost: 0 bytes in 0 blocks
==3784==      possibly lost: 0 bytes in 0 blocks
==3784==    still reachable: 4,920 bytes in 4 blocks
==3784==         suppressed: 0 bytes in 0 blocks
==3784== Rerun with --leak-check=full to see details of leaked memory
==3784==
==3784== For counts of detected and suppressed errors, rerun with: -v
==3784== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

and actually sh/dash segfaults. Since you were not able to reproduce, I
switched to bash as /bin/sh, and indeed I land where you got:

$ unshar SIGSEGV.PC.80018413.STACK.1dab0c403.CODE.1.ADDR.0xbf7fe258.INSTR.push___%ecx.fuzz
SIGSEGV.PC.80018413.STACK.1dab0c403.CODE.1.ADDR.0xbf7fe258.INSTR.push___%ecx.fuzz:
sh: line 13462: warning: here-document at line 37 delimited by end-of-file (wanted `_EOF_')
sh: line 13463: syntax error: unexpected end of file

Regards,
Salvatore
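Triaging a report like this one comes down to telling a crash in the shell that interprets the generated script (valgrind on unshar shows only the resulting SIGPIPE) apart from a defect in unshar itself, and the outcome depends on which /bin/sh is in use. The following Python harness is added here and is not part of the thread: it runs one script under each installed interpreter and classifies whether that interpreter died by a signal, rejected the script, or ran it. The two sample scripts are constructed stand-ins, since the fuzzed reproducer is not on this page.

```python
import os
import shutil
import signal
import subprocess
import tempfile

# Constructed inputs (assumption: stand-ins for the fuzzed shar script, which
# is not reproduced here).  The first mimics its shape: a here-document and an
# enclosing construct that are both left unterminated.  The second makes the
# interpreter kill itself with SIGSEGV, standing in for a crashing shell.
UNTERMINATED_SCRIPT = "if true; then\ncat << '_EOF_'\nline 1\nline 2\n"
SELF_SEGV_SCRIPT = "kill -SEGV $$\n"


def run_under(shell, script_text, timeout=10):
    """Run script_text with the given interpreter and classify the outcome.

    Returns {'shell', 'kind', 'detail'}: kind is 'signal' when the interpreter
    itself died by a signal (a bug in the shell, not in the tool that fed it
    the script), 'error' when it exited nonzero (e.g. a syntax error), or
    'ok'.  detail is the signal name or the last non-empty stderr line.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as tmp:
        tmp.write(script_text)
        path = tmp.name
    try:
        proc = subprocess.run([shell, path], capture_output=True, text=True,
                              timeout=timeout)
    finally:
        os.unlink(path)
    rc = proc.returncode
    if rc < 0:
        kind, detail = "signal", signal.Signals(-rc).name
    elif rc != 0:
        lines = [l for l in proc.stderr.splitlines() if l.strip()]
        kind, detail = "error", (lines[-1] if lines else "")
    else:
        kind, detail = "ok", ""
    return {"shell": shell, "kind": kind, "detail": detail}


def triage(script_text, shells=("sh", "dash", "bash")):
    """Run the same script under every interpreter from `shells` that is installed."""
    return [run_under(s, script_text) for s in shells if shutil.which(s)]


if __name__ == "__main__":
    for sample in (UNTERMINATED_SCRIPT, SELF_SEGV_SCRIPT):
        for result in triage(sample):
            print(result)
```

A real shar archive can be fed the same way by passing the body that unshar would hand to the shell; a 'signal' verdict points at the interpreter, an 'error' verdict at the script.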