- edited description
sed(1) - long pathname with 'w' flag may cause PATH_MAX buffer overflow.
sed w flag(not w command) with too long file name over PATH_MAX=1024 causes buffer overflow.
try following with -fstack-protector:
echo foo | sed -e 's/foo/bar/w <too long file name>'
<too long file name>: Memory fault (core dumped)
OpenBSD already fixed: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sed/compile.c#rev1.37
Bounds check the file path used in the 'w' command. Modified version of a diff from Sebastien Marie to prevent a crash found by Sebastien with the afl fuzzer.
Comments (3)
-
reporter -
reporter - edited description
-
reporter - changed status to resolved
BUGFIX: Issue
#132- fix sed(1) - long pathname with 'w' flag may cause PATH_MAX buffer overflow.patch retrived from OpenBSD: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sed/compile.c#rev1.37
Bounds check the file path used in the 'w' command. Modified version of a diff from Sebastien Marie to prevent a crash found by Sebastien with the afl fuzzer.
→ <<cset b30c2a93fa1d>>
- Log in to comment