MinGW - Minimalist GNU for Windows / Issues / #2269 msys-1.0.dll buffer overflow issue

Cesar Strauss - 2015-08-18

If you find the information to be sensitive, you can send the details in private to me at cestrauss@gmail.com.
Thanks,
Cesar

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Anonymous - 2015-08-18
  
  Hi Cesar,
  
  Its pretty straight forward, the vulnerable app is Git SVN for Windows, I
  have already reported the vulnerability to them (Git), but since the
  debugger points to MYSYS DLL as fault module, I wanted to reach out to MSYS
  and whoever handles it.
  
  Gits ssh-agent.exe if called using a malicious start-ssh-agent.cmd file
  under cmds/ directory will cause segfault / crash, also we can control EIP
  register. So, Gits SVN ssh-agent.exe is vulnerable to buffer overflow as
  well as another application. Fault module is always pointing at
  MYSYS-1.0.dll
  
  If you want to reproduce download.
  
  1) http://git-scm.com/docs/git-svn
  
  2) change file extension to ".cmd"
  
  3) put the malicious .cmd file under cmd directory and then run it. use GDB
  or OllyDbg to check registers etc.
  
  Hope this helps, and please let me know your thoughts. please advise.
  
  Regards,
  John
  
  On Mon, Aug 17, 2015 at 8:36 PM, Cesar Strauss cstrauss@users.sf.net
  wrote:
  
  If you find the information to be sensitive, you can send the details in
  private to me at cestrauss@gmail.com.
  Thanks,
  Cesar
  
  [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
  buffer overflow issue*
  
  Status: unread
  Group: MSYS
  Labels: buffer overflow vulnerability
  Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
  Last Updated: Tue Aug 11, 2015 03:51 AM UTC
  Owner: nobody
  
  I found buffer overflow vulnerability in a third party project the fault
  module in register dump from GDB showed it to be strcpy within
  msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
  person.
  
  Hyp3rlinx
  
  Sent from sourceforge.net because you indicated interest in
  https://sourceforge.net/p/mingw/bugs/2269/
  
  To unsubscribe from further messages, please visit
  https://sourceforge.net/auth/subscriptions/
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
  - Cesar Strauss - 2015-09-04
    
    Dear John,
    
    I downloaded and installed Git-1.9.5-preview20150319.exe from https://github.com/msysgit/msysgit/releases. It has a ssh-agent.exe under the bin directory and a start-ssh-agent.cmd under the cmd directory. Is this the software you have in mind?
    
    Regards,
    Cesar
    
    If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
    - Anonymous - 2015-09-04
      
      Hi Cesar,
      
      The Git version I am using is 1.9.5.msysgit.1 MD5 is
      "7ec8aa8295051b1bd04ce5d3bc5c63a3"
      
      https://www.virustotal.com/en/file/d6795fec582538cdb558ecb18821c0fddd5b0b378c41aecb47d488333d26cad5/analysis/1441372577/
      you can check against your version. I believe I downloaded it from
      http://git-scm.com/download/win
      
      Let me know if this was helpful.
      Thanks,
      John
      
      On Thu, Sep 3, 2015 at 8:52 PM, Cesar Strauss cstrauss@users.sf.net wrote:
      
      Dear John,
      
      I downloaded and installed Git-1.9.5-preview20150319.exe from
      https://github.com/msysgit/msysgit/releases. It has a ssh-agent.exe under
      the bin directory and a start-ssh-agent.cmd under the cmd directory. Is
      this the software you have in mind?
      
      Regards,
      Cesar
      
      [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
      buffer overflow issue*
      
      Status: unread
      Group: MSYS
      Labels: buffer overflow vulnerability
      Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
      Last Updated: Tue Sep 01, 2015 03:28 AM UTC
      Owner: nobody
      
      I found buffer overflow vulnerability in a third party project the fault
      module in register dump from GDB showed it to be strcpy within
      msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
      person.
      
      Hyp3rlinx
      
      Sent from sourceforge.net because you indicated interest in
      https://sourceforge.net/p/mingw/bugs/2269/
      
      To unsubscribe from further messages, please visit
      https://sourceforge.net/auth/subscriptions/
      
      If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
      - Anonymous - 2015-09-11
        
        Hello Cesar,
        
        How did you make out with this?
        
        Best,
        John
        
        On Fri, Sep 4, 2015 at 9:19 AM, hyp3rlinx hyp3rlinx@users.sf.net wrote:
        
        Hi Cesar,
        
        The Git version I am using is 1.9.5.msysgit.1 MD5 is
        "7ec8aa8295051b1bd04ce5d3bc5c63a3"
        
        https://www.virustotal.com/en/file/d6795fec582538cdb558ecb18821c0fddd5b0b378c41aecb47d488333d26cad5/analysis/1441372577/
        you can check against your version. I believe I downloaded it from
        http://git-scm.com/download/win
        
        Let me know if this was helpful.
        Thanks,
        John
        
        On Thu, Sep 3, 2015 at 8:52 PM, Cesar Strauss cstrauss@users.sf.net wrote:
        
        Dear John,
        
        I downloaded and installed Git-1.9.5-preview20150319.exe from
        https://github.com/msysgit/msysgit/releases. It has a ssh-agent.exe under
        the bin directory and a start-ssh-agent.cmd under the cmd directory. Is
        this the software you have in mind?
        
        Regards,
        Cesar
        
        [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/
        http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
        buffer overflow issue*
        
        Status: unread
        Group: MSYS
        Labels: buffer overflow vulnerability
        Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
        Last Updated: Tue Sep 01, 2015 03:28 AM UTC
        Owner: nobody
        
        I found buffer overflow vulnerability in a third party project the fault
        module in register dump from GDB showed it to be strcpy within
        msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
        person.
        Hyp3rlinx
        
        Sent from sourceforge.net because you indicated interest in
        https://sourceforge.net/p/mingw/bugs/2269/
        
        To unsubscribe from further messages, please visit
        https://sourceforge.net/auth/subscriptions/
        
        [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
        buffer overflow issue*
        
        Status: unread
        Group: MSYS
        Labels: buffer overflow vulnerability
        Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
        Last Updated: Tue Sep 01, 2015 03:28 AM UTC
        Owner: nobody
        
        I found buffer overflow vulnerability in a third party project the fault
        module in register dump from GDB showed it to be strcpy within
        msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
        person.
        
        Hyp3rlinx
        
        Sent from sourceforge.net because you indicated interest in
        https://sourceforge.net/p/mingw/bugs/2269/
        
        To unsubscribe from further messages, please visit
        https://sourceforge.net/auth/subscriptions/
        
        If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
      - Cesar Strauss - 2015-10-18
        
        The Git version I am using is 1.9.5.msysgit.1 MD5 is
        "7ec8aa8295051b1bd04ce5d3bc5c63a3"
        
        you can check against your version. I believe I downloaded it from
        http://git-scm.com/download/win
        
        The above link now only points to version 2.6.1. But I found a previous version of that page:
        https://web.archive.org/web/20150810081211/http://git-scm.com/download/win
        
        It pointed to:
        https://github.com/msysgit/msysgit/releases/download/Git-1.9.5-preview20150319/Git-1.9.5-preview20150319.exe
        
        The MD5 of Git-1.9.5-preview20150319.exe is f589e95b61dc76e8702d4c9f8dcb10c4
        After installing the above, the git version is 1.9.5.msysgit.1
        The MD5 of git.exe is 523ad4d0b9eadc5e8d62572df2733d39
        The MD5 of ssh-agent.exe is cd0272821ac64c2e2b3e991e7a3f93d2
        None of these matched the MD5 you gave.
        
        Anyway, I followed your instructions:
        1) Downloaded http://git-scm.com/docs/git-svn
        2) Changed file extension to ".cmd"
        3) Put the git-svn.cmd file under cmd directory and then ran it.
        
        Results (run from git bash):
        
        $ git --version git version 1.9.5.msysgit.1 $ eval `ssh-agent` Agent pid 6356 $ ssh-add Enter passphrase for /c/Users/Cesar/.ssh/id_rsa: Identity added: /c/Users/Cesar/.ssh/id_rsa (/c/Users/Cesar/.ssh/id_rsa) $ git svn init svn+ssh://test@192.168.1.108/home/test/repo Initialized empty Git repository in c:/rascunho/git/.git/ $ git svn fetch A hello.txt r1 = 126d91b0c9012b0e26f761f0bbf9709af523f45a (refs/remotes/git-svn) Checked out HEAD: svn+ssh://test@192.168.1.108/home/test/repo r1
        
        I did not find any crashes. Did I follow your instructions correctly?
        
        Regards,
        Cesar
        
        If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
        
        Cesar Strauss - 2015-10-18
        
        I also tried start-ssh-agent.cmd and git-svn.cmd.
        
        C:\Users\Cesar>PATH=c:\programas\git\cmd;%PATH% C:\Users\Cesar>start-ssh-agent Found ssh-agent at 5072 Found ssh-agent socket at /tmp/ssh-nZj1ueJo3lpb/agent.3844 Starting ssh-agent: done Enter passphrase for /c/Users/Cesar/.ssh/id_rsa: C:\Users\Cesar>git-svn A sintaxe do comando está incorreta. (The command syntax is incorrect) C:\Users\Cesar><!DOCTYPE html> C:\Users\Cesar>
        
        If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
        
        Anonymous - 2015-10-18
        
        No.... try python script below and you can copy the output file that it
        creates to debug in GDB or Immunity etc.
        
        import struct,os,shutil #Git ssh-agent.exe #EIP overwrite at about 972 bytes #====================================================== file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell" payload="CALL ssh-agent.exe " x=open(file,"w") eip="A"*4 payload+="B"*968+eip x.write(payload) x.close() src="C:\\Program Files (x86)\\Git\\bin\\" shutil.move(file,file+".cmd") print "ssh_agent_hell.cmd file created...\n" print "====================================\n"
        
        On Sun, Oct 18, 2015 at 4:55 PM, Cesar Strauss cstrauss@users.sf.net
        wrote:
        
        The Git version I am using is 1.9.5.msysgit.1 MD5 is
        "7ec8aa8295051b1bd04ce5d3bc5c63a3"
        
        you can check against your version. I believe I downloaded it from
        http://git-scm.com/download/win
        
        The above link now only points to version 2.6.1. But I found a previous
        version of that page:
        https://web.archive.org/web/20150810081211/http://git-scm.com/download/win
        
        It pointed to:
        
        https://github.com/msysgit/msysgit/releases/download/Git-1.9.5-preview20150319/Git-1.9.5-preview20150319.exe
        
        The MD5 of Git-1.9.5-preview20150319.exe is
        f589e95b61dc76e8702d4c9f8dcb10c4
        After installing the above, the git version is 1.9.5.msysgit.1
        The MD5 of git.exe is 523ad4d0b9eadc5e8d62572df2733d39
        The MD5 of ssh-agent.exe is cd0272821ac64c2e2b3e991e7a3f93d2
        None of these matched the MD5 you gave.
        
        Anyway, I followed your instructions:
        1) Downloaded http://git-scm.com/docs/git-svn
        2) Changed file extension to ".cmd"
        3) Put the git-svn.cmd file under cmd directory and then ran it.
        
        Results (run from git bash):
        
        $ git --versiongit version 1.9.5.msysgit.1
        $ eval ssh-agentAgent pid 6356
        $ ssh-addEnter passphrase for /c/Users/Cesar/.ssh/id_rsa:Identity added: /c/Users/Cesar/.ssh/id_rsa (/c/Users/Cesar/.ssh/id_rsa)
        $ git svn init svn+ssh://test@192.168.1.108/home/test/repoInitialized empty Git repository in c:/rascunho/git/.git/
        $ git svn fetch
        A hello.txtr1 = 126d91b0c9012b0e26f761f0bbf9709af523f45a (refs/remotes/git-svn)Checked out HEAD:
        svn+ssh://test@192.168.1.108/home/test/repo r1
        
        I did not find any crashes. Did I follow your instructions correctly?
        
        Regards,
        Cesar
        
        [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
        buffer overflow issue*
        
        Status: unread
        Group: MSYS
        Labels: buffer overflow vulnerability
        Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
        Last Updated: Tue Sep 01, 2015 03:28 AM UTC
        Owner: nobody
        
        I found buffer overflow vulnerability in a third party project the fault
        module in register dump from GDB showed it to be strcpy within
        msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
        person.
        
        Hyp3rlinx
        
        Sent from sourceforge.net because you indicated interest in
        https://sourceforge.net/p/mingw/bugs/2269/
        
        To unsubscribe from further messages, please visit
        https://sourceforge.net/auth/subscriptions/
        
        Last edit: Cesar Strauss 2015-10-20
        
        If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
        
        Cesar Strauss - 2015-10-24
        
        No.... try python script below and you can copy the output file that it
        creates to debug in GDB or Immunity etc.
        
        Thanks for the script. I can now produce a crash.
        I will proceed to investigate.
        
        Thanks,
        Cesar
        
        If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
        
        Cesar Strauss - 2015-10-30
        
        I traced the issue to be an unsafe use of strcat within the implementation of execvp in msys-1.0.dll. See:
        https://sourceforge.net/p/mingw/msys-runtime/ci/e3e33a75fabdd401439dc332d492057f7f86a455/tree/newlib/libc/posix/execvp.c#l80
        It tries to append its command name argument to an element of PATH, but does not check that the buffer is big enough.
        Thank you John for the report. I'll provide a fix.
        Regards,
        Cesar
        
        If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Anonymous - 2015-08-18
  
  Hi Cesar,
  
  Its pretty straight forward, the vulnerable app is Git SVN for Windows, I
  have already reported the vulnerability to them (Git), but since the
  debugger points to MYSYS DLL as fault module, I wanted to reach out to MSYS
  and whoever handles it.
  
  Gits ssh-agent.exe if called using a malicious start-ssh-agent.cmd file
  under cmds/ directory will cause segfault / crash, also we can control EIP
  register. So, Gits SVN ssh-agent.exe is vulnerable to buffer overflow as
  well as another application. Fault module is always pointing at
  MYSYS-1.0.dll
  
  If you want to reproduce download.
  
  1) http://git-scm.com/docs/git-svn
  
  2) change file extension to ".cmd"
  
  3) put the malicious .cmd file under cmd directory and then run it. use GDB
  or OllyDbg to check registers etc.
  
  Hope this helps, and please let me know your thoughts. please advise.
  
  Regards,
  John
  
  Hope this helps,
  I
  
  On Mon, Aug 17, 2015 at 8:36 PM, Cesar Strauss cstrauss@users.sf.net
  wrote:
  
  If you find the information to be sensitive, you can send the details in
  private to me at cestrauss@gmail.com.
  Thanks,
  Cesar
  
  [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
  buffer overflow issue*
  
  Status: unread
  Group: MSYS
  Labels: buffer overflow vulnerability
  Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
  Last Updated: Tue Aug 11, 2015 03:51 AM UTC
  Owner: nobody
  
  I found buffer overflow vulnerability in a third party project the fault
  module in register dump from GDB showed it to be strcpy within
  msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
  person.
  
  Hyp3rlinx
  
  Sent from sourceforge.net because you indicated interest in
  https://sourceforge.net/p/mingw/bugs/2269/
  
  To unsubscribe from further messages, please visit
  https://sourceforge.net/auth/subscriptions/
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
  - Anonymous - 2015-08-22
    
    Hello Cesar,
    
    Was just following up on this report....
    
    Best,
    John
    
    On Mon, Aug 17, 2015 at 10:32 PM, hyp3rlinx hyp3rlinx@users.sf.net wrote:
    
    Hi Cesar,
    
    Its pretty straight forward, the vulnerable app is Git SVN for Windows, I
    have already reported the vulnerability to them (Git), but since the
    debugger points to MYSYS DLL as fault module, I wanted to reach out to MSYS
    and whoever handles it.
    
    Gits ssh-agent.exe if called using a malicious start-ssh-agent.cmd file
    under cmds/ directory will cause segfault / crash, also we can control EIP
    register. So, Gits SVN ssh-agent.exe is vulnerable to buffer overflow as
    well as another application. Fault module is always pointing at
    MYSYS-1.0.dll
    
    If you want to reproduce download.
    
    1) http://git-scm.com/docs/git-svn
    
    2) change file extension to ".cmd"
    
    3) put the malicious .cmd file under cmd directory and then run it. use GDB
    or OllyDbg to check registers etc.
    
    Hope this helps, and please let me know your thoughts. please advise.
    
    Regards,
    John
    
    Hope this helps,
    I
    
    On Mon, Aug 17, 2015 at 8:36 PM, Cesar Strauss cstrauss@users.sf.net
    wrote:
    
    If you find the information to be sensitive, you can send the details in
    private to me at cestrauss@gmail.com.
    Thanks,
    Cesar
    
    [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/
    http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
    buffer overflow issue*
    
    Status: unread
    Group: MSYS
    Labels: buffer overflow vulnerability
    Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
    Last Updated: Tue Aug 11, 2015 03:51 AM UTC
    Owner: nobody
    
    I found buffer overflow vulnerability in a third party project the fault
    module in register dump from GDB showed it to be strcpy within
    msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
    person.
    Hyp3rlinx
    
    Sent from sourceforge.net because you indicated interest in
    https://sourceforge.net/p/mingw/bugs/2269/
    
    To unsubscribe from further messages, please visit
    https://sourceforge.net/auth/subscriptions/
    
    [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
    buffer overflow issue*
    
    Status: unread
    Group: MSYS
    Labels: buffer overflow vulnerability
    Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
    Last Updated: Tue Aug 18, 2015 12:36 AM UTC
    Owner: nobody
    
    I found buffer overflow vulnerability in a third party project the fault
    module in register dump from GDB showed it to be strcpy within
    msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
    person.
    
    Hyp3rlinx
    
    Sent from sourceforge.net because you indicated interest in
    https://sourceforge.net/p/mingw/bugs/2269/
    
    To unsubscribe from further messages, please visit
    https://sourceforge.net/auth/subscriptions/
    
    If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2015-09-01

Hello Cesar,

Any findings on this issue? ...

Best,
John

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Keith Marshall - 2015-10-18

I'm confused. Why do you think strcpy() in msys-1.0.dll is responsible for a potential buffer overrun? Sure, a buffer overrun may result in a segfault within the scope of the strcpy() call, but that's inevitable. The vulnerability is within the application which calls strcpy(), without ensuring that sufficient buffer is available. There is nothing which can be done, within the strcpy() implementation itself, to mitigate this; it is always the responsibility of any application which calls strcpy(), to take appropriate steps to protect against buffer overflow, before calling strcpy().

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Anonymous - 2015-10-19
  
  I understand.... thanks
  
  On Sun, Oct 18, 2015 at 5:34 PM, Keith Marshall keithmarshall@users.sf.net
  wrote:
  
  I'm confused. Why do you think strcpy() in msys-1.0.dll is responsible
  for a potential buffer overrun? Sure, a buffer overrun may result in a
  segfault within the scope of the strcpy() call, but that's inevitable.
  The vulnerability is within the application which calls strcpy(), without
  ensuring that sufficient buffer is available. There is nothing which can be
  done, within the strcpy() implementation itself, to mitigate this; it is
  always the responsibility of any application which calls strcpy(), to
  take appropriate steps to protect against buffer overflow, before
  calling strcpy().
  
  [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
  buffer overflow issue*
  
  Status: unread
  Group: MSYS
  Labels: buffer overflow vulnerability
  Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
  Last Updated: Tue Sep 01, 2015 03:28 AM UTC
  Owner: nobody
  
  I found buffer overflow vulnerability in a third party project the fault
  module in register dump from GDB showed it to be strcpy within
  msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
  person.
  
  Hyp3rlinx
  
  Sent from sourceforge.net because you indicated interest in
  https://sourceforge.net/p/mingw/bugs/2269/
  
  To unsubscribe from further messages, please visit
  https://sourceforge.net/auth/subscriptions/
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Anonymous - 2015-10-19
  
  Keith, point was MSYS making avail insecure function strcpy()...and why not
  something like strncpy() etc... should have been better worded
  anyways thanks.
  
  On Sun, Oct 18, 2015 at 5:34 PM, Keith Marshall keithmarshall@users.sf.net
  wrote:
  
  I'm confused. Why do you think strcpy() in msys-1.0.dll is responsible
  for a potential buffer overrun? Sure, a buffer overrun may result in a
  segfault within the scope of the strcpy() call, but that's inevitable.
  The vulnerability is within the application which calls strcpy(), without
  ensuring that sufficient buffer is available. There is nothing which can be
  done, within the strcpy() implementation itself, to mitigate this; it is
  always the responsibility of any application which calls strcpy(), to
  take appropriate steps to protect against buffer overflow, before
  calling strcpy().
  
  [bugs:#2269] http://sourceforge.net/p/mingw/bugs/2269/ msys-1.0.dll
  buffer overflow issue*
  
  Status: unread
  Group: MSYS
  Labels: buffer overflow vulnerability
  Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
  Last Updated: Tue Sep 01, 2015 03:28 AM UTC
  Owner: nobody
  
  I found buffer overflow vulnerability in a third party project the fault
  module in register dump from GDB showed it to be strcpy within
  msys-1.0.dll. Therefore I create this ticket in hopes it gets to correct
  person.
  
  Hyp3rlinx
  
  Sent from sourceforge.net because you indicated interest in
  https://sourceforge.net/p/mingw/bugs/2269/
  
  To unsubscribe from further messages, please visit
  https://sourceforge.net/auth/subscriptions/
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
  - Keith Marshall - 2015-10-19
    
    Why would MSYS not provide strcpy()? It is a standard function, required by the ISO-C Standard since its inception, so it could be considered to be a bug if it were not provided. It is there, and should stay; AFAICT, it works correctly, so there is no MSYS bug directly attributable to it.
    
    The pitfalls of using strcpy(), without verifying that the buffer is sufficient beforehand, are well understood. Certainly, strncpy() offers a more robust API, but it is the ultimate responsibility of individual application developers to make an informed choice, before using either.
    
    This buffer overrun vulnerability would appear to lie within whatever ssh implementation is in use here. It isn't clear, from this report, whether that originates from MinGW.org, or from the MSYS-Git project. There is an MSYS ssh package set, and there may certainly be a case for updating that, to capture updates to OpenSSH in recent months -- there have certainly been vulnerabilities identified there. Ultimately, that will require developer effort -- likely from Cesar -- and the timetable for addressing it will depend on his availability. Please don't keep pinging him for progress reports; dealing with those only serves to increase his workload, and hence delay progress. OTOH, if you can offer constructive assistance to track down, and resolve, the true site(s) of the issue, I'm sure he would appreciate that.
    
    If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
    - Anonymous - 2015-10-19
      
      I really no time, an intent is not want to bother cesar etc. So it is
      clear an yes I are devs responisble for checking buffer lengths etc.
      So should close this ticket then as nothing left to do. Anyway, thanks
      
      On 10/19/15, Keith Marshall keithmarshall@users.sf.net wrote:
      
      Why would MSYS not provide strcpy()? It is a standard function,
      required by the ISO-C Standard since its inception, so it could be
      considered to be a bug if it were not provided. It is there, and should
      stay; AFAICT, it works correctly, so there is no MSYS bug directly
      attributable to it.
      
      The pitfalls of using strcpy(), without verifying that the buffer is
      sufficient beforehand, are well understood. Certainly, strncpy() offers a
      more robust API, but it is the ultimate responsibility of individual
      application developers to make an informed choice, before using either.
      
      This buffer overrun vulnerability would appear to lie within whatever ssh
      implementation is in use here. It isn't clear, from this report, whether
      that originates from MinGW.org, or from the MSYS-Git project. There is an
      MSYS ssh package set, and there may certainly be a case for updating that,
      to capture updates to OpenSSH in recent months -- there have certainly been
      vulnerabilities identified there. Ultimately, that will require developer
      effort -- likely from Cesar -- and the timetable for addressing it will
      depend on his availability. Please don't keep pinging him for progress
      reports; dealing with those only serves to increase his workload, and hence
      delay progress. OTOH, if you can offer constructive assistance to track
      down, and resolve, the true site(s) of the issue, I'm sure he would
      appreciate that.
      
      ** [bugs:#2269] msys-1.0.dll buffer overflow issue**
      
      Status: unread
      Group: MSYS
      Labels: buffer overflow vulnerability
      Created: Tue Aug 11, 2015 03:51 AM UTC by hyp3rlinx
      Last Updated: Sun Oct 18, 2015 09:34 PM UTC
      Owner: nobody
      
      I found buffer overflow vulnerability in a third party project the fault
      module in register dump from GDB showed it to be strcpy within msys-1.0.dll.
      Therefore I create this ticket in hopes it gets to correct person.
      
      Hyp3rlinx
      
      Sent from sourceforge.net because you indicated interest in
      https://sourceforge.net/p/mingw/bugs/2269/
      
      To unsubscribe from further messages, please visit
      https://sourceforge.net/auth/subscriptions/
      
      If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Cesar Strauss - 2015-10-20
  
  I'm confused. Why do you think strcpy() in msys-1.0.dll is responsible for a potential buffer overrun? Sure, a buffer overrun may result in a segfault within the scope of the strcpy() call, but that's inevitable. The vulnerability is within the application which calls strcpy(), without ensuring that sufficient buffer is available. There is nothing which can be done, within the strcpy() implementation itself, to mitigate this; it is always the responsibility of any application which calls strcpy(), to take appropriate steps to protect against buffer overflow, before calling strcpy().
  
  Indeed, this was my first thought when reading the bug description. However, it occurred to me that ssh-agent could be calling an unrelated, supposedly safe, system call within msys-1.0.dll and that call was internally using strcpy in an unsafe way. I'd have to look at the stack trace to be sure.
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cesar Strauss - 2016-07-15

So, the culprit was the execvp system call, which appended the input file name string to the path element without checking buffer size. I added length checks and fixed-length memory copying operations to solve this.

MSYS 1.0.19 was just released with the fix, can you try it?

Thanks,
Cesar

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cesar Strauss - 2016-07-15

status: unread --> pending
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cesar Strauss - 2016-07-15

labels: buffer overflow vulnerability --> buffer overflow vulnerability, new-in-msys-1.0.19

assigned_to: Cesar Strauss

Category: Unknown --> Waiting_User_Response
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cesar Strauss - 2018-07-15

status: pending --> closed

private: Yes --> No

Resolution: none --> fixed

Category: Waiting_User_Response --> Unknown
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cesar Strauss - 2018-07-15

The fix was released with MSYS 1.0.19. Thanks.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

msys-1.0.dll buffer overflow issue

A native Windows port of the GNU Compiler Collection (GCC)

Group

Searches

Help

#2269 msys-1.0.dll buffer overflow issue

Discussion

Hyp3rlinx

Hyp3rlinx

Hyp3rlinx

Hyp3rlinx

Hyp3rlinx

Hyp3rlinx

Hyp3rlinx

Hyp3rlinx