Vigil@nce: GNU ed, buffer overflow of strip_escapes
September 2008 by Vigil@nce
SYNTHESIS
When a long filename is used, a buffer overflow occurs in GNU ed.
Gravity: 1/4
Consequences: user access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 23/09/2008
IMPACTED PRODUCTS
– Mandriva Corporate
– Mandriva Linux
– Unix - plateform
DESCRIPTION
The GNU ed program is a text editor, which can be called from a
privileged application to convert documents.
The strip_escapes() function of the signal.c file suppresses
special characters contained in a string. It is used on filenames
or on editor commands.
This function handles the string in a array of size PATH_MAX
(obtained via pathconf() or set to 256). However, if the length of
the filename or the command is longer, a buffer overflow occurs.
An attacker can therefore execute code by inviting the victim to
open a malicious file or to handle malicious commands.
CHARACTERISTICS
Identifiers: CVE-2008-3916, MDVSA-2008:200, VIGILANCE-VUL-8126