alpine 3.6
buffer weakness #171

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

nedit/src/nedit-5.6.orig/source/file.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

       
    backupFileName(window, name, sizeof(name));
    remove(name);
}

/*
** Generate the name of the backup file for this window from the filename
** and path in the window data structure & write into name
*/
static void backupFileName(WindowInfo *window, char *name, size_t len)
{
    char bckname[MAXPATHLEN];
#ifdef VMS
    if (window->filenameSet)
    	sprintf(name, "%s_%s", window->path, window->filename);
    else
    	sprintf(name, "%s_%s", "SYS$LOGIN:", window->filename);
#else
    if (window->filenameSet)
    {
        sprintf(name, "%s~%s", window->path, window->filename);
    } else
    {
        strcpy(bckname, "~");
        strncat(bckname, window->filename, MAXPATHLEN - 1);
        PrependHome(bckname, name, len);
    }
#endif /*VMS*/
}

/*
** If saveOldVersion is on, copies the existing version of the file to
** <filename>.bck in anticipation of a new version being saved.  Returns
** True if backup fails and user requests that the new file not be written.
*/
static int writeBckVersion(WindowInfo *window)
{
#ifndef VMS
    char fullname[MAXPATHLEN], bckname[MAXPATHLEN];
    struct stat statbuf;
    int in_fd, out_fd;
    char *io_buffer;
#define IO_BUFFER_SIZE ((size_t)(1024*1024))

    /* Do only if version backups are turned on */
    if (!window->saveOldVersion) {
    	return False;
    }
    
    /* Get the full name of the file */ 
