View Issue Details

ID: 0001210
Project: bareos-core
Category: [All Projects] director
View Status: public
Last Update: 2020-07-09 22:45
Reporter: phasip
Assigned To: arogge
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: CentOS
OS Version: 7
Product Version: 18.2.7
Fixed in Version:
Summary: 0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon.

Description:
Line 1119 in https://github.com/bareos/bareos/blob/master/core/src/dird/fd_cmds.cc allows a malicious file daemon to overflow the director's heap by sending a Digest longer than 512 bytes.

This is likely usable to gain remote control over the director from a client.

In other places such issues have been avoided by resizing buffers to be at least fd->message_length long.

Steps To Reproduce:
Run a Verify job with level InitCatalog against a malicious file daemon that sends arbitrary-length Digests. The crash will occur in the daemon when the connection is closed.

Additional Information:
This issue likely affects Bacula too, so be sure to coordinate disclosure. Will update this issue with information about the Bacula report.
Tags: No tags attached.

bareos-master: impact:
bareos-master: action:
bareos-19.2: impact: yes
bareos-19.2: action: fixed
bareos-18.2: impact: yes
bareos-18.2: action: fixed
bareos-17.2: impact: yes
bareos-17.2: action: fixed
bareos-16.2: impact: yes
bareos-16.2: action: none
bareos-15.2: impact:
bareos-15.2: action:
bareos-14.2: impact:
bareos-14.2: action:
bareos-13.2: impact:
bareos-13.2: action:
bareos-12.4: impact:
bareos-12.4: action:

Relationships

related to 0001230 (closed, arogge): Release Bareos 19.2.8
related to 0001225 (closed, arogge): Release Bareos 17.2.10
related to 0001226 (closed, arogge): Release Bareos 18.2.9

Activities

arogge (developer), 2020-03-20 11:32, ~0003897

You're right. This is an obvious heap-overflow.
arogge (developer), 2020-04-29 12:30, ~0003973

Do you have any news on the Bacula bug report?

I have a fix prepared, so we could release and then disclose the issue. Right now everything is on hold as I'm awaiting a date for coordinated disclosure.
We're also happy to give credits, so please tell me what name (and maybe contact information) we should use.
phasip (reporter), 2020-04-29 12:46, ~0003974

Last edited: 2020-04-29 12:48

Unfortunately I have not been able to reach the Bacula team at all. I am not sure if the project is completely dead. Maybe you guys have some contact with them?

Please use my name, Pasi Saarinen, and my company email, pasi.saarinen@f-secure.com. Please make sure to get a CVE number for this.

arogge (developer), 2020-04-29 13:59, ~0003975

There were major disagreements in the past, so we don't have any contact with the Bacula team anymore.
What methods of contacting did you already try? If I can think of any other way, I would give it a shot.
phasip (reporter), 2020-04-29 15:19, ~0003976

The relation between bacula.org and baculasystems.com seems unclear to me, however I have now managed to report this to baculasystems.com through their accounting department.
phasip (reporter), 2020-04-29 15:47, ~0003977

Update: Response from Eric Bollengier

Hello Pasi,

Thanks for your notice, we will publish a patch in the git repository for this issue and send a notice to Kern.

Best Regards,
Eric
arogge (developer), 2020-05-05 14:32, ~0003982

I've seen the fixes in the bacula git, so I guess we're good to go then...
arogge (developer), 2020-06-09 16:00, ~0004004

We have a CVE number assigned now: CVE-2020-11061
arogge (developer), 2020-06-09 16:01, ~0004005

Is https://github.com/Phasip your github and are you OK if I credit you in the CVE?
phasip (reporter), 2020-06-10 11:53, ~0004006

Great! Yes, I am OK with getting credit and that is my github!
arogge (developer), 2020-07-09 10:22, ~0004025

Fix committed to bareos bareos-19.2 branch with changesetid 13530.
arogge (developer), 2020-07-09 13:22, ~0004026

Fix committed to bareos bareos-17.2 branch with changesetid 13531.

Related Changesets

bareos: master 86c6fa47
2020-04-29 12:20:06, arogge, Ported: N/A

dir: avoid heap-overflow during verify job

Fixes 0001210: Security vulnerability results in heap overflow in director
when doing a Verify job against a file daemon.

Previously the code did not check that the target buffer that scanf()
wrote into was big enough to fit the data.
This patch now resizes the buffer to the size of the message buffer that
is being parsed, ensuring that there is no heap overflow anymore.

Affected Issues: 0001210
mod - core/src/dird/fd_cmds.cc

bareos: bareos-17.2 d41779a0
2020-04-29 12:20:06, arogge, Ported: N/A

dir: avoid heap-overflow during verify job

Fixes 0001210: Security vulnerability results in heap overflow in director
when doing a Verify job against a file daemon.

Previously the code did not check that the target buffer that scanf()
wrote into was big enough to fit the data.
This patch now resizes the buffer to the size of the message buffer that
is being parsed, ensuring that there is no heap overflow anymore.

(backport of 86c6fa479a21a1464366babb74e6cf33770ed7ae)

Affected Issues: 0001210
mod - src/dird/fd_cmds.c

bareos: bareos-18.2 66c3f31f
2020-04-29 12:20:06, arogge, Ported: N/A

dir: avoid heap-overflow during verify job

Fixes 0001210: Security vulnerability results in heap overflow in director
when doing a Verify job against a file daemon.

Previously the code did not check that the target buffer that scanf()
wrote into was big enough to fit the data.
This patch now resizes the buffer to the size of the message buffer that
is being parsed, ensuring that there is no heap overflow anymore.

(backport of 86c6fa479a21a1464366babb74e6cf33770ed7ae)

Affected Issues: 0001210
mod - core/src/dird/fd_cmds.cc

bareos: bareos-19.2 1faaffa4
2020-04-29 12:20:06, arogge, Ported: N/A

dir: avoid heap-overflow during verify job

Fixes 0001210: Security vulnerability results in heap overflow in director
when doing a Verify job against a file daemon.

Previously the code did not check that the target buffer that scanf()
wrote into was big enough to fit the data.
This patch now resizes the buffer to the size of the message buffer that
is being parsed, ensuring that there is no heap overflow anymore.

(cherry picked from commit 86c6fa479a21a1464366babb74e6cf33770ed7ae)

Affected Issues: 0001210
mod - core/src/dird/fd_cmds.cc

bareos: bareos-17.2 916b63c7
2020-04-29 12:20:06, arogge, Ported: N/A

dir: avoid heap-overflow during verify job

Fixes 0001210: Security vulnerability results in heap overflow in director
when doing a Verify job against a file daemon.

Previously the code did not check that the target buffer that scanf()
wrote into was big enough to fit the data.
This patch now resizes the buffer to the size of the message buffer that
is being parsed, ensuring that there is no heap overflow anymore.

(backport of 86c6fa479a21a1464366babb74e6cf33770ed7ae)

Affected Issues: 0001210
mod - src/dird/fd_cmds.c
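The parsing pattern behind this report (a scanf-style "%s" conversion into a fixed 512-byte buffer) and the fix described in the changesets above (size the target from the message length before parsing), as an added example that is not Bareos code: the unsafe condition is measured without performing the overrun, and the hardened parser sits beside it. Function names and the one-token message layout are assumptions, not the director's real format.

```c
/* Added example, not Bareos code (names and the one-token message layout are
 * hypothetical): sscanf("%s") writes as many bytes as the token holds, so a
 * fixed 512-byte target is overrun by a longer digest. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIXED_DIGEST_LEN 512   /* size of the original fixed buffer */

/* 1 if the original fixed buffer would be overrun: the token sscanf("%s")
 * would copy (measured without writing anywhere) plus its NUL exceeds 512. */
int fixed_buffer_overflows(const char *msg)
{
    const char *start = msg + strspn(msg, " \t\n");
    return strcspn(start, " \t\n") + 1 > FIXED_DIGEST_LEN;
}

/* Hardened form: grow the target to message_length + 1 before sscanf(), so the
 * longest token msg can hold always fits. Caller frees; NULL means no token.
 * Precondition: msg is NUL-terminated and strlen(msg) <= message_length. */
char *parse_digest_safe(const char *msg, size_t message_length)
{
    char *digest = malloc(message_length + 1);
    if (digest == NULL) return NULL;
    if (sscanf(msg, "%s", digest) != 1) { free(digest); return NULL; }
    return digest;
}

/* Constructed input: a message carrying an n-byte digest (caller frees). */
static char *make_digest_msg(size_t n)
{
    char *msg = malloc(n + 1);
    if (msg) { memset(msg, 'a', n); msg[n] = '\0'; }
    return msg;
}

/* 1 if an n-byte digest would have overrun the original fixed buffer. */
int fixed_overflows_for(size_t n)
{
    char *msg = make_digest_msg(n);
    int r = msg ? fixed_buffer_overflows(msg) : -1;
    free(msg); return r;
}

/* Bytes the hardened path parses from an n-byte digest (0 on failure). */
size_t safe_parse_len_for(size_t n)
{
    char *msg = make_digest_msg(n);
    char *d = msg ? parse_digest_safe(msg, n) : NULL;
    size_t got = d ? strlen(d) : 0;
    free(d); free(msg); return got;
}
```

A 511-byte digest is the largest the fixed buffer can hold with its terminator; from 512 bytes on the old layout overruns, while the hardened path accepts any length the message itself can carry.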

Issue History

Date Modified Username Field Change
2020-03-13 07:58 phasip New Issue
2020-03-20 11:32 arogge Status new => confirmed
2020-03-20 11:32 arogge Note Added: 0003897
2020-04-28 11:36 arogge Assigned To => arogge
2020-04-28 11:36 arogge Status confirmed => assigned
2020-04-29 12:30 arogge Status assigned => feedback
2020-04-29 12:30 arogge Note Added: 0003973
2020-04-29 12:46 phasip Note Added: 0003974
2020-04-29 12:46 phasip Status feedback => assigned
2020-04-29 12:48 phasip Note Edited: 0003974
2020-04-29 13:59 arogge Note Added: 0003975
2020-04-29 15:19 phasip Note Added: 0003976
2020-04-29 15:47 phasip Note Added: 0003977
2020-05-05 14:32 arogge Note Added: 0003982
2020-06-09 16:00 arogge Note Added: 0004004
2020-06-09 16:01 arogge Note Added: 0004005
2020-06-10 11:53 phasip Note Added: 0004006
2020-07-08 11:21 arogge Relationship added related to 0001230
2020-07-08 11:22 arogge Relationship added related to 0001225
2020-07-08 11:22 arogge Relationship added related to 0001226
2020-07-09 10:22 arogge Changeset attached => bareos master 86c6fa47
2020-07-09 10:22 arogge Changeset attached => bareos bareos-17.2 d41779a0
2020-07-09 10:22 arogge Changeset attached => bareos bareos-18.2 66c3f31f
2020-07-09 10:22 arogge Changeset attached => bareos bareos-19.2 1faaffa4
2020-07-09 10:22 arogge Note Added: 0004025
2020-07-09 10:22 arogge Status assigned => resolved
2020-07-09 10:22 arogge Resolution open => fixed
2020-07-09 13:22 arogge Changeset attached => bareos bareos-17.2 916b63c7
2020-07-09 13:22 arogge Note Added: 0004026
2020-07-09 22:44 arogge Status resolved => new
2020-07-09 22:44 arogge Resolution fixed => reopened
2020-07-09 22:45 arogge Status new => closed
2020-07-09 22:45 arogge Resolution reopened => fixed
2020-07-09 22:45 arogge View Status private => public
2020-07-09 22:45 arogge bareos-19.2: impact => yes
2020-07-09 22:45 arogge bareos-19.2: action => fixed
2020-07-09 22:45 arogge bareos-18.2: impact => yes
2020-07-09 22:45 arogge bareos-18.2: action => fixed
2020-07-09 22:45 arogge bareos-17.2: impact => yes
2020-07-09 22:45 arogge bareos-17.2: action => fixed
2020-07-09 22:45 arogge bareos-16.2: impact => yes
2020-07-09 22:45 arogge bareos-16.2: action => none