J-Security Center

Title: Multiple Vendor ReadDir_R Buffer Overflow Vulnerability

Severity: MODERATE

Description:

The 'readdir_r' function is available on multiple platforms and is similar to the 'readdir' function in that it is used to fetch directory entries from an open directory handle. 'readdir_r' is designed for multithreaded use and stores its results in a memory region passed in by the caller, rather than in a global static buffer.

Certain uses of the 'readdir_r' function may result in a buffer overflow. The issue is a race condition between the allocation of the memory buffer and the use of that buffer in subsequent operations.

Specifically, the 'readdir_r' interface neither specifies nor lets the caller state the size of the memory buffer into which it writes its result. If the caller supplies a buffer that is too small for the result, a buffer overflow may occur.

Attackers may exploit this fact through a race condition between a call to 'pathconf', which returns the maximum path length allowed on a particular file system, the memory allocation for the buffer to be used by 'readdir_r', and the actual call to 'readdir_r'. Replacing a directory symbolic link located on a file system for which 'pathconf' will return a large value with a directory located on a file system for which 'pathconf' will return a small value results in a memory allocation insufficient to hold the paths returned by 'readdir_r', leading to a buffer overflow.

Attackers may exploit this issue to execute arbitrary machine code in the context of affected applications. Failed exploit attempts will likely result in crashes, denying service to legitimate users.

Operating systems with no difference in the maximum path lengths among differing file systems are not affected by this issue.
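The caller-side mitigation for the race described above, as an added example that is not part of this advisory or of any vendor's patch: size the 'readdir_r' buffer from the already-open directory handle with fpathconf(dirfd(...)) rather than from a path, so that the limit query and the read refer to the same directory and a swapped symbolic link cannot change the file system between them. It assumes a POSIX system with glibc-style headers; dirent_buf_size, count_entries and demo_temp_dir are helper names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#pragma GCC diagnostic ignored "-Wdeprecated-declarations" /* glibc marks readdir_r deprecated */
/* Size the result buffer from the OPEN handle: fpathconf() on dirfd(dirp) ties the NAME_MAX
 * answer to the directory actually being read, so a symlink swapped between the size query
 * and the read cannot change which file system the limit came from (the advisory's race). */
size_t dirent_buf_size(DIR *dirp)
{
    long name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);
    if (name_max < 255) name_max = 255;   /* -1 (indeterminate) or implausibly small: POSIX floor */
    size_t need = offsetof(struct dirent, d_name) + (size_t)name_max + 1;
    return need > sizeof(struct dirent) ? need : sizeof(struct dirent);  /* libc may pad d_name */
}

/* Count entries other than "." and ".." with a buffer sized above; -1 on error. */
long count_entries(const char *path)
{
    DIR *dirp = opendir(path);
    if (!dirp) return -1;
    struct dirent *buf = malloc(dirent_buf_size(dirp)), *ent;
    if (!buf) { closedir(dirp); return -1; }
    long n = 0;
    while (readdir_r(dirp, buf, &ent) == 0 && ent)
        if (strcmp(ent->d_name, ".") && strcmp(ent->d_name, ".."))
            n++;
    free(buf);
    closedir(dirp);
    return n;
}

/* Self-check fixture: scratch dir with nfiles empty files, counted then removed; -1 on error. */
long demo_temp_dir(int nfiles)
{
    char dir[] = "/tmp/readdir_r_demoXXXXXX", name[64];
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < nfiles; i++) {
        snprintf(name, sizeof name, "%s/f%d", dir, i);
        close(open(name, O_WRONLY | O_CREAT, 0600));  /* create an empty file */
    }
    long n = count_entries(dir);
    for (int i = 0; i < nfiles; i++) { snprintf(name, sizeof name, "%s/f%d", dir, i); unlink(name); }
    rmdir(dir);
    return n;
}
```

The same sizing rule applies to any wrapper that allocates on behalf of 'readdir_r'; the point is only that the limit is taken from the open descriptor, never from a path that can be re-pointed.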

Affected Products:

  • Bernhard R. Link reprepro 0.0.0
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 IA-32
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • GNU gjc 0.0.0
  • Gentoo Linux
  • HP Secure OS software for Linux 1.0.0
  • Immunix Immunix OS 6.2.0
  • Immunix Immunix OS 7.0.0
  • Immunix Immunix OS 7.0.0 beta
  • KDE KDE 3.3.0
  • KDE KDE 3.3.1
  • KDE KDE 3.3.2
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • Mike Heffner BFBTester 2.0.0
  • Mike Heffner BFBTester 2.0.1
  • NETW netwib 5.1.0.0
  • NETW netwib 5.30.0.0
  • NcFTP Software NcFTP 3.1.8
  • NcFTP Software NcFTP 3.1.9
  • OpenOffice OpenOffice 1.1.3
  • Peter Hofmann xgsmlib 0.0.0
  • Pike Pike 0.4.0 pl8
  • Pike Pike 0.5.0 .x
  • Pike Pike 0.6.0 .x
  • Pike Pike 7.0.0 .x
  • Pike Pike 7.2.0 .x
  • Pike Pike 7.4.0 .x
  • Pike Pike 7.4.327
  • Pike Pike 7.6.0 .x
  • Pike Pike 7.7.0.x
  • RedHat Desktop 3.0.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Enterprise Linux WS 3
  • RedHat Fedora Core3
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • RedHat Linux Advanced Work Station 2.1.0
  • Roxen WebServer 0.0.03.x
  • Roxen WebServer 0.0.04.x
  • Roxen WebServer 1.1.0.X
  • Roxen WebServer 1.2.0.X
  • Roxen WebServer 1.3.0.X
  • Roxen WebServer 1.3.122
  • Roxen WebServer 1.4.0.X
  • Roxen WebServer 2.0.0
  • Roxen WebServer 2.0.0.X
  • Roxen WebServer 2.0.69
  • Roxen WebServer 2.0.92
  • Roxen WebServer 2.1.0
  • Roxen WebServer 2.1.164
  • Roxen WebServer 2.2.0
  • Roxen WebServer 4.0.402
  • SAOImage DS9 SAOImage DS9 0.0.0
  • TCL/TK TCL/TK 8.4.2
  • TCL/TK TCL/TK 8.4.3
  • TCL/TK TCL/TK 8.5.0 a2
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Ubuntu Ubuntu Linux 5.0.0 4 amd64
  • Ubuntu Ubuntu Linux 5.0.0 4 i386
  • Ubuntu Ubuntu Linux 5.0.0 4 powerpc
  • W3C Libwww 0.0.04.x
  • W3C Libwww 3.1.0
  • W3C Libwww 5.3.2
  • XMail XMail 1.0.0
  • XMail XMail 1.21.0
  • firstworks Rudiments Library 0.27.0
  • firstworks Rudiments Library 0.28.2
  • teTeX teTeX 1.0.6
  • teTeX teTeX 1.0.7
  • teTeX teTeX 2.0.0
  • teTeX teTeX 2.0.1
  • teTeX teTeX 2.0.2

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.