This is the mail archive of the cygwin-developers mailing list for the Cygwin project.
Re: cygwin1.dll up to 1.5.22 overflow
On Nov 8 14:17, Daniel Fdez. Bleda wrote:
> Dave,
>
> Here you have the requested info of the advisory:
> ----------------------------------------------------------------------
> III. DESCRIPTION
> --------------------------
> Traditionally, Linux filesystems allow 255-byte-long names; nevertheless,
Really? PATH_MAX is 4096 on my Linux system. Or are you talking about
NAME_MAX, the length of a single path component?
> cygwin allows 239 bytes and there is a check that prevents filenames
> equal to or greater than 240.
Cygwin up to 1.5.x allows filenames up to 259 chars, same as the Ascii
Win32 functions: http://msdn2.microsoft.com/en-us/library/aa365247.aspx
> In spite of the check, there is a 232-byte-long dynamic memory buffer
> where the filename is stored, so it is possible to make an evil filename
> 233-239 bytes long that bypasses the check and overflows the heap by a
> maximum of 7 bytes. So you have to penetrate the machine and put the
> evil file there, and then 7 bytes of the private heap and the ebx and edi
> registers were mine.
> [...]
> I would like to avoid public discussion if you need (as I expect) more
> information.
As Dave mentioned, Cygwin is inherently insecure, and, given the fact
that you don't have the problem in recent versions, I don't see a need
to keep it such a secret. So, here's Dave's question again: Which is
the vulnerable function?
Corinna
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

Please, send mails regarding Cygwin to cygwin AT cygwin DOT com
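The defect the advisory describes is a length check whose bound (reject names of 240 bytes or more) is a different constant from the size of the buffer the name is then copied into (232 bytes), leaving a window of accepted lengths that do not fit. The following C is an added illustration written for this archive page, not code from the thread or from Cygwin (the vulnerable function was never identified in this exchange): it models the mismatch with the figures quoted above and shows the two usual fixes, deriving the check from the destination size or sizing the allocation from the input. Every function and constant name here is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Figures quoted from the advisory (a model, not Cygwin's actual code):
 * names with strlen >= CHECK_LIMIT are rejected, yet the accepted name is
 * copied into a buffer of only BUF_SIZE bytes. */
#define CHECK_LIMIT 240
#define BUF_SIZE    232

/* The accept/reject check as the advisory describes it. */
int check_accepts(size_t len) {
    return len < CHECK_LIMIT;
}

/* Bytes a raw copy of `len` name bytes would write past the end of the
 * BUF_SIZE buffer, counted the way the advisory counts them (without a
 * terminating NUL, which would add one more). 0 means nothing overflows,
 * either because the name fits or because the check rejects it. */
size_t overflow_bytes(size_t len) {
    if (!check_accepts(len)) return 0;
    return len > BUF_SIZE ? len - BUF_SIZE : 0;
}

/* Enumerate the window of lengths the check lets through but the buffer
 * cannot hold. Returns how many such lengths exist and reports the worst
 * overflow through *max_overflow. */
size_t vulnerable_window(size_t *max_overflow) {
    size_t count = 0, worst = 0;
    for (size_t len = 0; len < CHECK_LIMIT; len++) {
        size_t over = overflow_bytes(len);
        if (over) { count++; if (over > worst) worst = over; }
    }
    if (max_overflow) *max_overflow = worst;
    return count;
}

/* Fix 1: the bound is derived from the destination size, so the check and
 * the buffer can never drift apart. Returns 0 on success, -1 if rejected. */
int store_name_bounded(char *dst, size_t dst_size, const char *name) {
    size_t len = strlen(name);
    if (len >= dst_size) return -1;   /* no room for name plus NUL */
    memcpy(dst, name, len + 1);
    return 0;
}

/* Fix 2: size the allocation from the input instead of a fixed buffer; the
 * policy limit still applies, but it can no longer cause an overflow.
 * Caller frees the result; NULL means rejected or out of memory. */
char *store_name_dynamic(const char *name) {
    size_t len = strlen(name);
    if (len >= CHECK_LIMIT) return NULL;
    char *p = malloc(len + 1);
    if (!p) return NULL;
    memcpy(p, name, len + 1);
    return p;
}

int main(void) {
    size_t worst;
    size_t n = vulnerable_window(&worst);
    printf("check limit %d, buffer %d: %zu accepted lengths overflow, worst by %zu bytes\n",
           CHECK_LIMIT, BUF_SIZE, n, worst);

    /* Constructed sample: a 239-byte name, the longest the check accepts. */
    char name[CHECK_LIMIT];
    memset(name, 'A', CHECK_LIMIT - 1);
    name[CHECK_LIMIT - 1] = '\0';

    char buf[BUF_SIZE];
    printf("bounded copy of 239-byte name: %s\n",
           store_name_bounded(buf, sizeof buf, name) == 0 ? "stored" : "rejected");

    char *dyn = store_name_dynamic(name);
    printf("dynamic copy of 239-byte name: %s\n", dyn ? "stored" : "rejected");
    free(dyn);
    return 0;
}
```

The point of `vulnerable_window` is the audit question a reviewer asks of any such pair of constants: for every length the check accepts, does the copy fit? Here it reports 7 lengths (233 through 239) that pass the check, with a worst overflow of 7 bytes, matching the advisory; `store_name_bounded` closes the window by construction, because its only limit is `dst_size`.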