iDefense has sent us the attached draft advisory. A first look at the code seems to confirm the problem. Patch should not be too hard. Looking at it. Again, probably not a blocker for the 7.3 release.
Created attachment 11444: iDefense draft
Created attachment 11451: proposed patch

Someone with more knowledge of the FS protocol should check the values I used in the consistency tests. I'm not sure they are OK and haven't tried to validate them at run time...
Created attachment 11454: updated version of patch

I did some experiments myself. With proper expression grouping the code now looks correct to me.
Both issues (#12298 and this one) share CVE-2007-4568
CCing Guillem Jover, the xfstt maintainer.
(In reply to comment #3)
> Created an attachment (id=11454)
> updated version of patch
>
> I did some experiments myself.
> With proper expression grouping the code now looks correct to me.

The patch seems fine; that's mostly what is being done in xfstt. You could use sz_fsQueryXExtents8Req and sz_fsQueryXBitmaps8Req instead of the SIZEOF, but I've not checked if those are used in the rest of the code base.
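For readers who want to see the shape of the consistency test the last few comments are about, here is an added example written for this page; it is not the attached patch, nor xfs or xfstt code. The request length being counted in 4-byte words, the 12-byte fixed header for the QueryXExtents8/QueryXBitmaps8 requests, and the 2-byte and 4-byte per-range sizes are assumptions about the FS protocol layout, and all function and macro names are hypothetical. It puts the wrap-prone form of the check next to one that cannot wrap, and the comment on the naive version records the operator-precedence trap behind "proper expression grouping".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed FS protocol layout (assumptions for this example, not taken
 * from the bug or the patch):
 *  - the request header's length field counts 4-byte words;
 *  - the fixed part of a QueryXExtents8/QueryXBitmaps8 request is 12 bytes;
 *  - each 8-bit range entry is 2 bytes, each 16-bit range entry 4 bytes.
 * In real code these would be sz_fsQueryXExtents8Req and friends.
 */
#define HDR_QUERYX8_BYTES 12u
#define RANGE8_BYTES       2u
#define RANGE16_BYTES      4u

/*
 * The check as it is easy to get wrong: num_ranges * range_bytes wraps in
 * 32 bits for a large attacker-chosen num_ranges, and the subtraction wraps
 * when the request is shorter than its own header. Note also that
 * "req_len_words << 2 - hdr_bytes" without parentheses parses as
 * req_len_words << (2 - hdr_bytes), because "-" binds tighter than "<<".
 */
static bool naive_ranges_fit(uint32_t req_len_words, uint32_t hdr_bytes,
                             uint32_t num_ranges, uint32_t range_bytes)
{
    uint32_t payload = (req_len_words << 2) - hdr_bytes;
    return num_ranges * range_bytes <= payload;
}

/*
 * Overflow-safe version: widen before shifting, reject a request shorter
 * than its header, and compare with a division instead of a product so no
 * value of num_ranges can wrap the arithmetic.
 */
static bool ranges_fit(uint32_t req_len_words, uint32_t hdr_bytes,
                       uint32_t num_ranges, uint32_t range_bytes)
{
    uint64_t req_bytes = (uint64_t)req_len_words << 2;
    if (range_bytes == 0 || req_bytes < hdr_bytes)
        return false;
    uint64_t payload = req_bytes - hdr_bytes;
    return (uint64_t)num_ranges <= payload / range_bytes;
}

/* Convenience wrappers for the two request flavours (hypothetical names). */
static bool queryx8_ranges_fit(uint32_t req_len_words, uint32_t num_ranges)
{
    return ranges_fit(req_len_words, HDR_QUERYX8_BYTES, num_ranges, RANGE8_BYTES);
}

static bool queryx16_ranges_fit(uint32_t req_len_words, uint32_t num_ranges)
{
    return ranges_fit(req_len_words, HDR_QUERYX8_BYTES, num_ranges, RANGE16_BYTES);
}

int main(void)
{
    /* Constructed inputs; the wire length field is a CARD16, so 65535 words max. */
    struct { uint32_t len, n, rb; } cases[] = {
        { 5, 4, RANGE8_BYTES },                 /* 20 bytes: 12 header + 4 ranges * 2 */
        { 5, 5, RANGE8_BYTES },                 /* one range too many */
        { 2, 0, RANGE8_BYTES },                 /* shorter than the header */
        { 65535, 0x40000001u, RANGE16_BYTES },  /* product wraps to 4 in 32 bits */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("len=%u num_ranges=%u: naive=%d safe=%d\n",
               cases[i].len, cases[i].n,
               naive_ranges_fit(cases[i].len, HDR_QUERYX8_BYTES, cases[i].n, cases[i].rb),
               ranges_fit(cases[i].len, HDR_QUERYX8_BYTES, cases[i].n, cases[i].rb));
    return 0;
}
```

The last two constructed cases are the ones that matter: the naive check accepts a request that is shorter than its header (the subtraction wraps to a huge payload) and accepts num_ranges = 0x40000001 with 4-byte ranges (the product wraps to 4), while the division-based check rejects both.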
Created attachment 11503: reproducer

Simple program to reproduce the problem in QueryExtents16:

tfs2 localhost:7100 hello
(In reply to comment #4)
> Both issues (#12298 and this one) share CVE-2007-4568

iDefense has allocated a new ID for this one: CVE-2007-4990
Fixed in commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32. Public now.