Ticket #5835 (closed Bugs: wontfix)

Opened 6 years ago

Last modified 5 years ago

cregex.cpp, fileiter.cpp, posix_api.cpp using unsafe sprintf

Reported by: noloader@… Owned by: asutton
Milestone: To Be Determined Component: graph
Version: Boost 1.47.0 Severity: Problem
Keywords: Cc: noloader@…


Folks performing a security audit on Boost will have to take a look at cregex.cpp, fileiter.cpp and posix.cpp since it is using unsafe function such as sprintf.

The same folks will have to fail Boost because its ignoring return values from sprintf (MAX_PATH is easy to overflow in practice, especially when the attacker controls the input).

cregex.cpp BuildFileList?:

char buf[MAX_PATH];

    (::sprintf_s)(buf, sizeof(buf), "%s%s%s", dstart.path(), directory_iterator::separator(), ptr);
    (std::sprintf)(buf, "%s%s%s", dstart.path(), directory_iterator::separator(), ptr);

Ditto for fileiter.cpp _fi_attributes:

unsigned _fi_attributes(const char* root, const char* name)
  char buf[MAX_PATH];
  if( ( (root[0] == *_fi_sep) || (root[0] == *_fi_sep_alt) ) && (root[1] == '\0') )
    (std::sprintf)(buf, "%s%s", root, name);
    (std::sprintf)(buf, "%s%s%s", root, _fi_sep, name);
    DIR* d = opendir(buf);
      return _fi_dir;
  return 0;

In general, I would expect an ostringstream to be a more appropriate choice for a c++ library (rather than sprintf and snprintf). At minimum, the original authors and/or Boost QA team should place comments in the code for assurance purposes.

I can't really comment on iohb.c since I'm not familiar with the Harwell-Boeing File format. However, I expect that an attacker *will* manipulate the header, and I don't trust NIST's use of unchecked sprintf, sscanf, and friends under adverse conditions and a hostile environment. For example, in readHB_header, the authors continue to parse even if sscanf encounters an error:

    if ( sscanf(line,"%i",&Totcrd) != 1) Totcrd = 0;
    if ( sscanf(line,"%*i%i",Ptrcrd) != 1) *Ptrcrd = 0;
    if ( sscanf(line,"%*i%*i%i",Indcrd) != 1) *Indcrd = 0;
    if ( sscanf(line,"%*i%*i%*i%i",Valcrd) != 1) *Valcrd = 0;
    if ( sscanf(line,"%*i%*i%*i%*i%i",Rhscrd) != 1) *Rhscrd = 0;

For iohb.c, I would reject the submission until the authors port it to c++ (there are too many little problems lurking in the C code). At minimum, don't distribute iohb.c until its known to be safe (place the honus on the authors who claim its ready for production).


Change History

comment:1 Changed 6 years ago by Jeffrey Walton <noloader@…>

  • Cc noloader@… added
  • Owner set to johnmaddock
  • Component changed from None to regex

comment:2 Changed 6 years ago by johnmaddock

(In [74897]) Improve sprintf usage. Stop passing UDT's through (...) even in meta programs. Fixes #5958. Refs #5835.

comment:3 Changed 6 years ago by johnmaddock

  • Owner changed from johnmaddock to asutton
  • Component changed from regex to graph

Fixed in Boost.Regex, reassigning to the Graph lib.

comment:4 Changed 5 years ago by jewillco

  • Status changed from new to closed
  • Resolution set to wontfix

This code (iohb.[ch]) is in an example that is not even compiled by default, and the example (minimum_degree_ordering.cpp) never calls the functions in iohb.c that use sprintf. Thus, I see no reason to change anything unless there are problems in the Harwell-Boeing reader code.

comment:5 Changed 5 years ago by noloader@…

set to wontfix

+1 for the freetards

Provide broken code, waste a persons time who has to audit the broken code, and then claim its not even used. WTF?


Add a comment

Modify Ticket

Change Properties
<Author field>
as closed
The resolution will be deleted. Next status will be 'reopened'

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.