From: [email protected]
Subject: sharutils: shar obscure fscanf() buffer overflow
Package: sharutils
Version: 1:4.2.1-11
Severity: normal
Tags: patch
Hello,
I have found an obscure buffer overflow in shar from the sharutils 4.2.1 package.
The shar command executes wc when creating shar archives. In the rather unlikely scenario where there is a malicious wc command installed that
prints lots of output, a buffer overflow will occur in shar, because of a
"%s" format string in an fscanf() call in shar.c.
This is of course no serious security threat. Nevertheless, I think it
is worth fixing, as the Right Thing for a program should be not to assume anything about its input and to handle various problems well.
I have attached a patch against sharutils-4.2.1 upstream and an evil wc
command that exhibits this problem in shar on my machine.
I have already reported this upstream:
http://lists.gnu.org/archive/html/bug-gnu-utils/2004-08/msg00014.html
// Ulf Harnhammar
http://www.advogato.org/person/metaur/
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB
Versions of packages sharutils depends on:
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
-- no debconf information
[SoupGate killed MIME-encoded file sharutils.patch (634 bytes)]
[SoupGate killed MIME-encoded file wc (116 bytes)]
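Added example, not part of the original report and not the sharutils patch (which was stripped from this copy): a bounded replacement for an unbounded `"%s"` read of a helper program's output, rejecting any token that does not fit. The buffer size `COUNT_LEN` and the functions `read_count` and `check_output` are hypothetical names chosen for illustration, and a temporary file stands in for the pipe from wc.

```c
#include <stdio.h>
#include <string.h>

#define COUNT_LEN 20   /* assumed buffer size, not taken from shar.c */

/* Pattern the report describes (shown only as a comment):
 *     fscanf(pipe, "%s", buf);
 * With no field width, the helper's output decides how many bytes
 * are written into buf. */

/* Read the first whitespace-delimited token and accept it only if it
 * fits in the buffer and is a plain decimal count.
 * Returns 0 on success, -1 on missing, oversized or non-numeric input. */
int read_count(FILE *fp, char out[COUNT_LEN])
{
    int c;

    out[0] = '\0';
    /* "%19s" stores at most COUNT_LEN - 1 characters plus the NUL. */
    if (fscanf(fp, "%19s", out) != 1)
        return -1;
    /* A non-blank next character means the token was cut at the width
     * limit, so the helper printed more than a count should need. */
    c = getc(fp);
    if ((c != EOF && c != ' ' && c != '\t' && c != '\n') ||
        out[strspn(out, "0123456789")] != '\0') {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Feed constructed text through a temp file that stands in for the pipe. */
int check_output(const char *text, char out[COUNT_LEN])
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL)
        return -2;
    fputs(text, fp);
    rewind(fp);
    rc = read_count(fp, out);
    fclose(fp);
    return rc;
}

int main(void)
{
    char buf[COUNT_LEN], big[4097];

    memset(big, 'A', sizeof big - 1);   /* constructed oversized output */
    big[sizeof big - 1] = '\0';
    printf("normal: %d [%s]\n", check_output("   1234 file.txt\n", buf), buf);
    printf("oversized: %d\n", check_output(big, buf));
    return 0;
}
```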