From: Pádraig Brady
Date: Thu, 18 Jan 2024 00:05:18 +0000 (+0000) Subject: doc: split -C: test and document a heap overflow X-Git-Tag: v9.5~74 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c01ee1893448bdf1bbd81fa15a35472d07a356b8;p=thirdparty%2Fcoreutils.git doc: split -C: test and document a heap overflow This was introduced in coreutils 9.2 through commit v9.1-184-g40bf1591b, and was fixed in coreutils 9.5 through commit v9.4-111-gc4c5ed8f4. This issue has been assigned CVE-2024-0684. * NEWS: Mention the bug fix. * tests/split/line-bytes.sh: Add a test case. Reported by Valentin Metz. --- diff --git a/NEWS b/NEWS index d1be308f70..dc5d875ddc 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,10 @@ GNU coreutils NEWS -*- outline -*- character platforms with a 0xA0 (aka  ) grouping character. [bug introduced in coreutils-9.1] + split --line-bytes with a mixture of very long and short lines + no longer overwrites the heap (CVE-2024-0684). + [bug introduced in coreutils-9.2] + tail no longer mishandles input from files in /proc and /sys file systems, on systems with a page size larger than the stdio BUFSIZ. [This bug was present in "the beginning".] diff --git a/tests/split/line-bytes.sh b/tests/split/line-bytes.sh index 6c57ad1a1a..a396cd7972 100755 --- a/tests/split/line-bytes.sh +++ b/tests/split/line-bytes.sh @@ -84,4 +84,16 @@ for b in $(seq 10); do compare no_eol_splits_exp no_eol_splits || fail=1 done +# Test hold buffer management with --lines-bytes. +# The following triggers (with ASAN) a heap overflow issue +# between coreutils 9.2 and 9.4 inclusive. +printf '%131070s\n' '' >expaa || framework_failure_ +printf 'x\n' >expab || framework_failure_ +printf '%131071s\n' '' >expac || framework_failure_ +cat expaa expab expac >bigin || framework_failure_ +split -C 131072 ---io=131072 bigin || fail=1 +compare expaa xaa || fail=1 +compare expab xab || fail=1 +compare expac xac || fail=1 + Exit $fail
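Review bot: In the NEWS hunk, the new entry names only the long option ("split --line-bytes"), while the test added in the same commit invokes it as "split -C". Writing the entry as "split -C (--line-bytes)" or similar would let readers who search for either spelling find the CVE-2024-0684 fix.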
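Review bot: In the tests/split/line-bytes.sh hunk, the line "split -C 131072 ---io=131072 bigin" depends on a three-dash "---io" option and on padding widths of 131070 and 131071 that sit just under that value, but the comment above it does not say why these numbers were chosen. A sentence stating what "---io=131072" pins down and how the three input lines relate to it would keep the regression test maintainable if the buffer handling changes again. The first comment line also spells the option "--lines-bytes", where the NEWS entry uses "--line-bytes". Since the comment says the overflow is triggered "with ASAN", it would help to state whether the three "compare" checks are expected to fail on an affected build without a sanitizer, or whether the test is only meaningful under one.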