
c01ee1893448bdf1bbd81fa15a35472d07a356b8 — Pádraig Brady 7 months ago aa50ea5
doc: split -C: test and document a heap overflow

This was introduced in coreutils 9.2 through commit v9.1-184-g40bf1591b,
and was fixed in coreutils 9.5 through commit v9.4-111-gc4c5ed8f4.
This issue has been assigned CVE-2024-0684.

* NEWS: Mention the bug fix.
* tests/split/line-bytes.sh: Add a test case.
Reported by Valentin Metz.
2 files changed, 16 insertions(+), 0 deletions(-)

M NEWS
M tests/split/line-bytes.sh
M NEWS => NEWS +4 -0
@@ 21,6 21,10 @@ GNU coreutils NEWS                                    -*- outline -*-
  character platforms with a 0xA0 (aka &nbsp) grouping character.
  [bug introduced in coreutils-9.1]

  split --line-bytes with a mixture of very long and short lines
  no longer overwrites the heap (CVE-2024-0684).
  [bug introduced in coreutils-9.2]

  tail no longer mishandles input from files in /proc and /sys file systems,
  on systems with a page size larger than the stdio BUFSIZ.
  [This bug was present in "the beginning".]

M tests/split/line-bytes.sh => tests/split/line-bytes.sh +12 -0
@@ 84,4 84,16 @@ for b in $(seq 10); do
  compare no_eol_splits_exp no_eol_splits || fail=1
done

# Test hold buffer management with --lines-bytes.
# The following triggers (with ASAN) a heap overflow issue
# between coreutils 9.2 and 9.4 inclusive.
printf '%131070s\n' '' >expaa || framework_failure_
printf 'x\n' >expab || framework_failure_
printf '%131071s\n' '' >expac || framework_failure_
cat expaa expab expac >bigin || framework_failure_
split -C 131072 ---io=131072 bigin || fail=1
compare expaa xaa || fail=1
compare expab xab || fail=1
compare expac xac || fail=1

Exit $fail
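Review bot: The comment on the first added line names the option `--lines-bytes`, but the option that `split -C` exercises is `--line-bytes` (as the NEWS entry in this same commit spells it), so the line should read `# Test hold buffer management with --line-bytes.`. The `---io=131072` argument looks like a getopt_long prefix abbreviation of the test-only `---io-blksize` option; if that is the case, writing it out in full would keep the test from turning ambiguous should another option starting with `---io` ever be added. The three `compare` lines rely on `xaa`/`xab`/`xac` being freshly produced by this `split` call, and the loop that precedes the hunk (its start is outside the hunk) may or may not write files under the default `x` prefix; if it does, removing any leftover `x??` files before the `split` line would make the new check self-contained rather than dependent on earlier test state.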