Subject: bin/21035: Locate segfaults on bad binary input.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <pancake@phreaker.net>
List: netbsd-bugs
Date: 04/06/2003 00:59:13
>Number:         21035
>Category:       bin
>Synopsis:       locate segfaults on bad database binary input
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 05 14:53:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     pancake
>Release:        NetBSD current
>Organization:
	
>Environment:
	
	
>Description:
	locate reads the database file without making any kind of check.
	This will cause it to try to write code to an invalid pointer in memory.
	I just check if this pointer is correct and then alert and exit to the
	prompt. This is a pseudo-patch... it is still possible to segfault with
	other input, but it cleans up the major possibilities.

	I think that it is important to put good permissions on
	/var/db/locate.database, because a !root user could change it and write
	a malicious database that executes code itself and gains root privileges
	if root executes locate.

	It is difficult to overflow it, but it's possible. Code revision
	is important. My patch only repairs most of the cases, but it is
	still an ugly solution.

>How-To-Repeat:
	$ locate -d /bin/ls pop
	Segmentation Fault

	Nice :)

>Fix:
	Just try this patch =)

--- locate.c	Sat Apr  5 05:36:54 2003
+++ locate_bofpatch.c	Sun Apr  6 00:12:09 2003
@@ -217,8 +217,14 @@
 			if (p < path || p >= path + sizeof(path))
 				return(-1);	/* invalid database file */
 			if (c < PARITY)
+			{
+				if (count<0)
+				{
+					warnx("Invalid database file.\n");
+					exit(1);
+				} 
 				*p++ = c;
-			else {		/* bigrams are parity-marked */
+			} else {		/* bigrams are parity-marked */
 				c &= PARITY - 1;
 				/* sanity check */
 				if (c < 0 || c >= sizeof(bigram1)) 
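Review bot: the new `count<0` check uses a different error path from the surrounding code: the existing invalid-database check two lines above returns `-1` to the caller, while the added block calls `warnx()` and `exit(1)` from inside the decoding loop. For consistency, replace the `warnx`/`exit` pair with `return(-1);	/* invalid database file */` and let the caller report the error. Also note that `warnx()` already appends a newline, so the `\n` in `"Invalid database file.\n"` produces a blank line, and the `} ` line carries trailing whitespace. Separately, the check only guards the `c < PARITY` branch and is re-evaluated on every byte; if `count` needs validating, it is cheaper and safer to test it once where it is computed, before `p` is derived from it, rather than after `p` has already been bounds-checked.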
>Release-Note:
>Audit-Trail:
>Unformatted: