[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #20014] buffer overrun in locate while reading old-format database

From: James Youngman
Subject: [bug #20014] buffer overrun in locate while reading old-format database
Date: Wed, 30 May 2007 22:11:43 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20060830 Firefox/ (Debian-1.5.dfsg+

Update of bug #20014 (project findutils):

                Severity:              3 - Normal => 6 - Security           
                  Status:             In Progress => Fixed                  
                 Privacy:                 Private => Public                 
                 Summary:             Placeholder => buffer overrun in locate
while reading old-format database


Follow-up Comment #1:

This problem has been assigned the CVS number CVE-2007-2452.

Findutils supports three different formats of locate database, its native
format "LOCATE02", the slocate variant of LOCATE02, and a traditional ("old")
format that locate uses on other Unix systems.

When locate reads filenames from a LOCATE02 database (the default format),
the buffer into which data is read is automatically extended to accommodate
the length of the filenames.

This automatic buffer extension does not happen for old-format
databases.  Instead a 1026-byte buffer is used.  When a longer
pathname appears in the locate database, the end of this buffer is overrun. 
The buffer is allocated on the heap (not the stack).

If the locate database is in the default LOCATE02 format, the locate program
does perform automatic buffer extension, and the program is not vulnerable to
this problem.  The software used to build the old-format locate database is
not itself vulnerable to the same attack.

Most installations of GNU findutils do not use the old database
format, and so will not be vulnerable.

(file #12905)

Additional Item Attachment:

File name: savannah-bug-20014.patch       Size:3 KB


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]