Bug 111365

Summary: CVE-2007-1719 - mcweject buffer overflow
Product: Ports & Packages
Reporter: Jeff Forsythe <tornandfilthy2006>
Component: Individual Port(s)
Assignee: Stefan Walter <stefan>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Jeff Forsythe 2007-04-08 02:20:01 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1719


Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD,
and possibly other versions, allows local users to execute arbitrary
code via a long command line argument, possibly involving the device name.


----

Didn't see any bug reports or responses from FreeBSD, thought I'd check
if this was known, and if a fix is in place.

How-To-Repeat: Exploit: http://milw0rm.com/exploits/3578
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2007-04-08 02:23:56 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ports-bugs

Ports PR
Comment 2 Stefan Walter freebsd_committer freebsd_triage 2007-04-08 20:32:37 UTC
Responsible Changed
From-To: freebsd-ports-bugs->stefan

Take.
Comment 3 dfilter service freebsd_committer freebsd_triage 2007-04-08 20:46:02 UTC
stefan      2007-04-08 19:45:58 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Add entry for exploitable buffer overflow in mcweject.
  
  PR:             111365
  Submitted by:   Jeff Forsythe<tornandfilthy2006@yahoo.com>
  
  Revision  Changes    Path
  1.1307    +31 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Stefan Walter freebsd_committer freebsd_triage 2007-04-08 20:55:47 UTC
[Cc'd Jason Bacon, the author of the software and maintainer of the port.]

Hi Jeff,

thanks for your report; the portaudit database didn't have an entry, yet.
I have added one and marked sysutils/mcweject FORBIDDEN to prevent
installation without knowing about the vulnerability.

I cannot say anything about a fix. - Jason? ;)

Regards,
Stefan
Comment 5 Jason Bacon 2007-04-09 14:01:03 UTC
I'll look into it and submit a patch asap.  Thanks for the tip...

    Jason

Stefan Walter wrote:
> [Cc'd Jason Bacon, the author of the software and maintainer of the port.]
>
> Hi Jeff,
>
> thanks for your report; the portaudit database didn't have an entry, yet.
> I have added one and marked sysutils/mcweject FORBIDDEN to prevent
> installation without knowing about the vulnerability.
>
> I cannot say anything about a fix. - Jason? ;)
>
> Regards,
> Stefan
>
Comment 6 Jason Bacon 2007-04-09 17:39:26 UTC
Well, I must have been half-asleep when I wrote that segment (which is, 
unfortunately, not that uncommon).  The code contained 2 calls to 
sprintf(), a function I've been harping on people not to use since the 
late 80s (and specifically flagged on p470 of my book).  I even wrote my 
own strlcat(), strlcpy(), etc. functions way back when, before they 
became part of the standard dist.  One more anecdote to support the "do 
as I say, not as I do" philosophy...

I've replaced the calls with snprintf() and updated the distfile on 
MASTER_SITES.

Anyone with the v0.9 port in their tree should run the following to 
reinstall the port from the patched source code:

cd /usr/ports/sysutils/mcweject
make distclean makesum deinstall reinstall

I've been testing v1.0 for some time, and have patched that source as 
well.  I'll submit a diff to update the official port to v1.0 shortly.

I've also added

egrep "strcpy|strcat|sprintf|gets| yada yada" *.c *.h

to my pre-commit checklist to help filter out mistakes like this one in 
the future.

Thanks to all the hackers out there searching for bugs like this one.  
Apologies for the inconvenience.

    Jason

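The pattern Jason describes above (an unbounded sprintf() building a string from a command-line argument, fixed by switching to snprintf()) is shown here side by side as an added example. This is not mcweject's code and not the author's patch; the function names, the "/dev/%s" format and the 64-byte DEV_PATH_LEN buffer are assumptions chosen to make the overflow condition easy to see. The hardened version also shows the check that a bare snprintf() swap alone does not give you: detecting truncation and rejecting the argument instead of silently operating on a different device path.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the device path is built in (assumed value,
 * kept small on purpose so the overflow is reachable from argv). */
#define DEV_PATH_LEN 64

/*
 * Vulnerable pattern (constructed illustration, not mcweject's code):
 * sprintf() writes strlen("/dev/") + strlen(name) + 1 bytes no matter how
 * large 'path' is, so a long device-name argument overruns the buffer and
 * overwrites whatever sits after it on the stack.
 */
void build_dev_path_unsafe(char path[DEV_PATH_LEN], const char *name)
{
    sprintf(path, "/dev/%s", name);   /* no bound on strlen(name) */
}

/*
 * Hardened pattern: snprintf() never writes more than pathsz bytes and
 * returns the length the full string would have had (C99), so truncation
 * is detectable. Pre-C99 implementations may return -1 instead, which the
 * n < 0 test also catches. Returns 0 on success, -1 if the name does not
 * fit; the caller should refuse to continue rather than use a truncated
 * path, since a truncated path names a different device.
 */
int build_dev_path_safe(char *path, size_t pathsz, const char *name)
{
    int n = snprintf(path, pathsz, "/dev/%s", name);
    if (n < 0 || (size_t)n >= pathsz) {
        if (pathsz > 0)
            path[0] = '\0';   /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

/* Wrapper that checks a candidate name against the fixed buffer size,
 * so callers (and tests) need not manage storage themselves. */
int dev_name_fits(const char *name)
{
    char path[DEV_PATH_LEN];
    return build_dev_path_safe(path, sizeof path, name);
}

int main(int argc, char **argv)
{
    char path[DEV_PATH_LEN];
    /* "acd0" is a constructed sample device name for the no-argument case */
    const char *name = argc > 1 ? argv[1] : "acd0";

    if (build_dev_path_safe(path, sizeof path, name) != 0) {
        fprintf(stderr, "device name too long (max %zu chars)\n",
                sizeof path - strlen("/dev/") - 1);
        return 1;
    }
    printf("would eject %s\n", path);
    return 0;
}
```

Run it with a long argument (for example a few hundred "A"s) and the safe path prints the error and exits; calling build_dev_path_unsafe() with the same input is the overflow the advisory describes and is left uncalled here for that reason. On FreeBSD, strlcpy()/strlcat() are the other idiomatic replacement for this kind of string building; they likewise return the would-be length so the same "does it fit" test applies.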
Comment 7 Jason Bacon 2007-04-09 18:00:06 UTC
Please see PR 111421 regarding the port update to v1.0.

The v0.9 distfile has also been patched on MASTER_SITES to address the 
buffer overflow.

Packages regenerated from either version should eliminate the 
vulnerability for "pkg_add -r" users.

Regards,

    Jason

Comment 8 Stefan Walter freebsd_committer freebsd_triage 2007-04-10 12:52:14 UTC
State Changed
From-To: open->closed

Vulnerability of old version was registered, new version is in the tree.