Page MenuHomeFreeBSD
Differential D2475

Document CVE-2015-1774
ClosedPublic
Actions

Authored by truckman on May 7 2015, 9:48 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Mar 31, 10:31 PM
Unknown Object (File)
Mar 5 2025, 11:10 AM
Unknown Object (File)
Mar 5 2025, 10:43 AM
Unknown Object (File)
Mar 5 2025, 10:21 AM
Unknown Object (File)
Mar 5 2025, 2:41 AM
Unknown Object (File)
Feb 18 2025, 1:41 AM
Unknown Object (File)
Feb 14 2025, 6:42 PM
Unknown Object (File)
Feb 3 2025, 10:01 AM
View All 61 Files
Subscribers
None

Details

Reviewers
pfg
mat
Commits
rP385716: Document HWP filter vulnerability in editors/libreoffice < 4.3.7 and
Summary

CVE-2015-1774 affects libreoffice and apache-openoffice-*

Test Plan

Test with "make validate" and "pkg audit"

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

truckman updated this revision to Diff 5264.May 7 2015, 9:48 PM
truckman retitled this revision from to Document CVE-2015-1774.
truckman updated this object.
truckman edited the test plan for this revision. (Show Details)
truckman added reviewers: mat, pfg.
mat accepted this revision.May 7 2015, 9:52 PM
mat edited edge metadata.

I'm going to say yes, and assuming you got it right, I added a vuxml entry once, got shot down because it was not correctly indented, or something similarly silly, and never touched it again :-)

This revision is now accepted and ready to land.May 7 2015, 9:52 PM
Closed by commit rP385716: Document HWP filter vulnerability in editors/libreoffice < 4.3.7 and (authored by truckman). · Explain WhyMay 7 2015, 11:56 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
security/
vuxml/
37 lines

Diff 5264

View Options

security/vuxml/vuln.xml

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
static char sccsid[] = "@(#)xargs.c 8.1 (Berkeley) 6/6/93"; static char sccsid[] = "@(#)xargs.c 8.1 (Berkeley) 6/6/93";
#endif /* not lint */ #endif /* not lint */
#endif #endif
#include <sys/cdefs.h> #include <sys/cdefs.h>
__FBSDID("$FreeBSD$"); __FBSDID("$FreeBSD$");
#include <sys/param.h> #include <sys/param.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/types.h>
jbeichUnsubmitted
Done
Inline Actions

style(9) doesn't allow both <sys/types.h> and <sys/param.h> included at the same time.

jbeich: style(9) doesn't allow both `<sys/types.h>` and `<sys/param.h>` included at the same time.
mjgUnsubmitted
Not Done
Inline Actions

sys/types.h must be included prior to sys/wait.h.

mjg: sys/types.h must be included prior to sys/wait.h.
#include <sys/sysctl.h>
#include <err.h> #include <err.h>
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include <langinfo.h> #include <langinfo.h>
#include <locale.h> #include <locale.h>
#include <paths.h> #include <paths.h>
#include <regex.h> #include <regex.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#include "pathnames.h" #include "pathnames.h"
#define BASE_DECIMAL 10
jbeichUnsubmitted
Not Done
Inline Actions

Why? Other uses of strtou*() in the file or across the base don't use macros for integer bases.

usr.bin/xargs/xargs.c:                  Rflag = strtol(optarg, &endptr, 10);
usr.bin/xargs/xargs.c:                  Sflag = strtoul(optarg, &endptr, 10);

http://bxr.su/search?refs=strtou*&project=FreeBSD

jbeich: Why? Other uses of `strtou*()` in the file or across the base don't use macros for integer…
allanjudeAuthorUnsubmitted
Not Done
Inline Actions

This was recommended by davide@
I can change all of the references, or remove the macro.

allanjude: This was recommended by davide@ I can change all of the references, or remove the macro.
jbeichUnsubmitted
Not Done
Inline Actions

@davide has phabricator account. Let's ask him for the the rationale. I don't see his feedback here, in the bug or on freebsd-current maillist.

jbeich: @davide has phabricator account. Let's ask him for the the rationale. I don't see his feedback…
allanjudeAuthorUnsubmitted
Not Done
Inline Actions

Yeah, it was on IRC:
<davide> AllanJude: you don't do upper bound validation on the number of processes
<davide> AllanJude: '10' is hardcoded and makes hard to understand what that's actually about
<AllanJude> the 10 is the 'base'
<AllanJude> it is a standard argument to strtol
<davide> AllanJude: I can read the manpage
<davide> AllanJude: it should be a macro
<AllanJude> there is a macro for decimal?
<davide> #define BLAH 10 ?
<AllanJude> so, I should make one?
<davide> otherwise, lgtm

allanjude: Yeah, it was on IRC: <davide> AllanJude: you don't do upper bound validation on the number of…
mjgUnsubmitted
Not Done
Inline Actions

I also don't see what's the point of of this deifne.

mjg: I also don't see what's the point of of this deifne.
static void parse_input(int, char *[]); static void parse_input(int, char *[]);
static void prerun(int, char *[]); static void prerun(int, char *[]);
static int prompt(void); static int prompt(void);
static void run(char **); static void run(char **);
static void usage(void); static void usage(void);
void strnsubst(char **, const char *, const char *, size_t); void strnsubst(char **, const char *, const char *, size_t);
static pid_t xwait(int block, int *status); static pid_t xwait(int block, int *status);
static void xexit(const char *, const int); static void xexit(const char *, const int);
Show All 21 Lines
extern char **environ; extern char **environ;
int int
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
long arg_max; long arg_max;
int ch, Jflag, nargs, nflag, nline; int ch, Jflag, nargs, nflag, nline;
size_t linelen; size_t linelen;
size_t proclen;
mjgUnsubmitted
Not Done
Inline Actions

I would rename this to rl or rlimit, as a nit.

mjg: I would rename this to rl or rlimit, as a nit.
int proclim;
char *endptr; char *endptr;
inpline = replstr = NULL; inpline = replstr = NULL;
ep = environ; ep = environ;
eofstr = ""; eofstr = "";
Jflag = nflag = 0; Jflag = nflag = 0;
mjgUnsubmitted
Not Done
Inline Actions

Why is this set here?

mjg: Why is this set here?
(void)setlocale(LC_ALL, ""); (void)setlocale(LC_ALL, "");
/* /*
* POSIX.2 limits the exec line length to ARG_MAX - 2K. Running that * POSIX.2 limits the exec line length to ARG_MAX - 2K. Running that
* caused some E2BIG errors, so it was changed to ARG_MAX - 4K. Given * caused some E2BIG errors, so it was changed to ARG_MAX - 4K. Given
* that the smallest argument is 2 bytes in length, this means that * that the smallest argument is 2 bytes in length, this means that
* the number of arguments is limited to: * the number of arguments is limited to:
* *
Show All 36 Lines case 'n':
nflag = 1; nflag = 1;
if ((nargs = atoi(optarg)) <= 0) if ((nargs = atoi(optarg)) <= 0)
errx(1, "illegal argument count"); errx(1, "illegal argument count");
break; break;
case 'o': case 'o':
oflag = 1; oflag = 1;
break; break;
case 'P': case 'P':
if ((maxprocs = atoi(optarg)) <= 0) proclen = sizeof(proclim);
errx(1, "max. processes must be >0"); sysctlbyname("kern.maxproc", &proclim, &proclen, NULL, 0);
jbeichUnsubmitted
Done
Inline Actions

Why allow value larger than RLIMIT_NPROC or _SC_CHILD_MAX? Soft limit would cap number of processes sooner. And kern.maxproc can be larger than "infinity" hard limit.

$ limits -Su 50 sh -c "yes | xargs -n1 -P0 yes foo" >/dev/null &
$ pgrep -f foo | wc -l
       6

$ limits -Su
Resource limits (current):
  maxprocesses-cur          100
$ limits -Hu
Resource limits (current):
  maxprocesses-max         1458
$ sysctl kern.max{proc,users}
kern.maxproc: 1620 # (20 + 16 * maxusers)
kern.maxusers: 100
jbeich: Why allow value larger than `RLIMIT_NPROC` or `_SC_CHILD_MAX`? Soft limit would cap number of…
maxprocs = strtol(optarg, &endptr, BASE_DECIMAL);
if (*endptr != '\0')
errx(1, "max processes must be a number");
allanjudeAuthorUnsubmitted
Not Done
Inline Actions

We should probably use the same sysctl instead of nargs for the upper bounds as well

allanjude: We should probably use the same sysctl instead of nargs for the upper bounds as well
if (maxprocs >= proclim)
errx(1, "max processes must be less than kern.maxproc: %d", proclim);
bjkUnsubmitted
Done
Inline Actions

I do not see how nargs is the correct value to use here; it has a different meaning to the program, and can be overridden by other command-line arguments, giving a bizzare behavior change if -n 1 -P 0 are passed in different orders.

bjk: I do not see how nargs is the correct value to use here; it has a different meaning to the…
lifanov_mail.lifanov.comUnsubmitted
Done
Inline Actions

Good point. I didn't trip this up by pure coincidence.
Let me think of a different value to use.

lifanov_mail.lifanov.com: Good point. I didn't trip this up by pure coincidence. Let me think of a different value to use.
lifanov_mail.lifanov.comUnsubmitted
Not Done
Inline Actions

RLIMIT_NPROC won't mean anything to the end user.
How about changing the line to just:
errx(1, "max processes must be less than %d", proclim);?

lifanov_mail.lifanov.com: RLIMIT_NPROC won't mean anything to the end user. How about changing the line to just: errx(1…
if (maxprocs < 1)
maxprocs = proclim;
break; break;
mjgUnsubmitted
Not Done
Inline Actions

The code form user perspective should behave just like gnu xargs, unless there is a good reason to deviate, which I don't see.

In this particular case, they have "unlimited" for an argument == 0, specified limit for > 0 and error out for non-numbers and negative values. Here negative values are accepted for some reason.

One big not-user-visible difference is the fact that gnu xargs dynamically resizes the process table, while our xargs allocates it upfront. This means we have to have a reasonable limit which can pose as "unlimited" for practical purposes.

getrlimit seen here is fine enough.

However, the code must not complain about passed limit being bigger. It should internally cap it to getrlimit so that user-visible behaviour is identical with gnu in this respect.

As a result the code should explicitly coompare maxprocs to 0 (as opposed to < 1), proclim variable has no use. Fetch rlimit /after/ maxprocs is validated. If (maxprocs == 0 || maxprocs > reslimit.rlim_cur) maxprocs = reslimit.rlim_cur;

getrlimit realistically should never fail, so a failure with err(1, "getrlimit"); should be fine enough for surprising cases.

mjg: The code form user perspective should behave just like gnu xargs, unless there is a good reason…
case 'p': case 'p':
pflag = 1; pflag = 1;
break; break;
case 'R': case 'R':
Rflag = strtol(optarg, &endptr, 10); Rflag = strtol(optarg, &endptr, 10);
if (*endptr != '\0') if (*endptr != '\0')
errx(1, "replacements must be a number"); errx(1, "replacements must be a number");
break; break;
▲ Show 20 LinesShow All 600 LinesShow Last 20 Lines