Received: 23 Jun 2019 22:35:00 -0000 (via the bzip2-devel@sourceware.org list, archived as 2019-q2/txt/msg00002.txt.bz2)
From: Mark Wielaard
To: bzip2-devel@sourceware.org
Cc: Ivana Varekova, Lubomir Kundrak, Jakub Martiško, Mark Wielaard
Subject: [PATCH] bzip2recover: Fix buffer overflow for large argv[0].
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-Id: <1561329293-14814-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1

Hi,

bzip2 lost its domain and got a new home at https://sourceware.org/bzip2/

It also didn't see a release for a very long time, causing various patches used by distros not to have been integrated upstream. We are trying to collect them all and do a new release. The following patch comes from Fedora. Please let us know if we missed some others.

Thanks,

Mark

bzip2recover.c (main) copies argv[0] to a statically sized buffer without checking whether argv[0] might be too big (> 2000 chars).

This patch comes from Fedora and was originally reported at https://bugzilla.redhat.com/show_bug.cgi?id=226979

---
 bzip2recover.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bzip2recover.c b/bzip2recover.c index 06ac1f5..1a70e04 100644 --- a/bzip2recover.c +++ b/bzip2recover.c @@ -309,7 +309,8 @@ Int32 main ( Int32 argc, Char** argv ) UInt32 buffHi, buffLo, blockCRC; Char* p; - strcpy ( progName, argv[0] ); + strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); + progName[BZ_MAX_FILENAME-1]='\0'; inFileName[0] = outFileName[0] = 0; fprintf ( stderr, -- 1.8.3.1
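Review bot: the explicit `progName[BZ_MAX_FILENAME-1]='\0';` after the `strncpy` is required and correct, because `strncpy` leaves the buffer unterminated whenever argv[0] is at least BZ_MAX_FILENAME-1 bytes long; the remaining gap in the hunk is that the copy now truncates silently. If progName is only ever used in the diagnostics written with `fprintf ( stderr, ...` that is acceptable and deserves a one-line comment saying so; otherwise a length check that rejects an over-long argv[0] with a message, matching the 2000-char limit the description cites, would make the behaviour visible instead of quietly producing a shortened program name. Minor style point: the surrounding code spaces its calls and assignments (`strcpy ( progName, argv[0] );`, `inFileName[0] = outFileName[0] = 0;`), so `BZ_MAX_FILENAME-1);` and `progName[BZ_MAX_FILENAME-1]='\0';` should be written `BZ_MAX_FILENAME-1 );` and `progName[BZ_MAX_FILENAME-1] = '\0';` to match.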
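The two properties the hunk relies on, bounding the copy to the buffer and then forcing a terminator, are easy to get half right, so here is an added example in C that is not code from bzip2 or from this patch. The buffer size NAME_MAX_LEN and the helpers copy_prog_name and strncpy_terminated are assumptions made for the illustration, standing in for bzip2recover's BZ_MAX_FILENAME and progName; the program names used as input are constructed. copy_prog_name reports truncation to its caller instead of hiding it, and strncpy_terminated shows why a bare strncpy of the full buffer size is not enough.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the BZ_MAX_FILENAME-sized progName buffer in
   bzip2recover.c; a small size keeps the demonstration readable. */
#define NAME_MAX_LEN 16

/* Bounded copy in the style of the patch: strncpy up to dstsz-1 bytes, then
   force a terminator in the last slot. Returns 1 if src did not fit and was
   truncated, 0 if it was copied whole, -1 if dst cannot hold even a '\0'.
   The caller decides whether silent truncation is acceptable. */
int copy_prog_name(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz ? 1 : 0;
}

/* The trap the explicit terminator avoids: strncpy(dst, src, dstsz) copies
   exactly dstsz bytes and adds NO '\0' when src is dstsz bytes or longer.
   Returns 1 if dst ended up terminated inside its bounds, 0 if it did not. */
int strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

int main(void)
{
    char buf[NAME_MAX_LEN];
    /* constructed inputs: one name that fits, one longer than the buffer */
    const char *short_name = "bzip2recover";
    const char *long_name  = "/a/very/long/path/to/bzip2recover";

    printf("short: truncated=%d -> \"%s\"\n",
           copy_prog_name(buf, sizeof buf, short_name), buf);
    printf("long:  truncated=%d -> \"%s\"\n",
           copy_prog_name(buf, sizeof buf, long_name), buf);
    printf("bare strncpy of long input left a terminator? %d\n",
           strncpy_terminated(buf, sizeof buf, long_name));
    return 0;
}
```

The return value of copy_prog_name is what lets a program choose between the patch's approach (accept the shortened name because it only appears in error messages) and an explicit rejection with a diagnostic; either way the buffer is always terminated.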