HomeAbout Us A-Z IndexSearch * Contact Us Register LoginPress Shop

The Open Brand -- Problem Reporting and Interpretations System

Problem Report 0995 Details

Help Show help | Quick Search | Submit a Test Suite Support Request | Click here to view your privileges

This page provides all information on Problem Report 0995.

Report 0995 Actions

    Problem Report Number 0995
    Submitter's Classification Test Suite problem
    State Resolved
    Resolution Test Suite Deficiency (TSD)
    Problem Resolution ID TSD.X.0510
    Raised 1999-06-28 08:00
    Updated 2003-03-13 08:00
    Published 1999-06-07 08:00
    Product Standard Commands and Utilities V2 (UNIX 95)
    Certification Program The Open Brand certification program
    Test Suite VSC version 5.0.2
    Test Identification POSIX.cmd/mailx 025
    Problem Summary TSD4C.00228 With long path for HOME, default dead.letter path is too long
    Problem Text
    This documents the problem we are experiencing with mailx's test #25.
    In the past year there has been various methods used by companies to
    fix a buffer problem found in the old Berkeley mailx. The bug is an
    exploitable buffer overflow(using the HOME environment variable) that
    allows any local user to acquire the privileges under which the program
    runs, usually group "mail".

    In general the way the mailx 25 test suite is coded it doesn't check
    to make sure the assumed environment variables paths do no exceed the
    system's maximum defined path length for the OS. If a path is
    assumed to be longer than the maximum path the OS supports we should
    have a problem.

    In general the problems is as follows:
    In mailx 25 the home path size is set to 1015 characters in length.
    When mailx starts, mailx assumes that the path to dead.letter is the
    HOME path + '/dead.letter'(Section 4.40.5.3 and Section 4.40.7), which in
    this case is 1027 characters long since the environment variable DEAD
    is not defined prior to the invocation of mailx.

    The assumption by mailx creates a filename that exceeds the
    FILENAME_MAX valude defined in /usr/include/stdio.h. The value for
    FILENAME_MAX is defined on our system as PATH_MAX+1, which translates
    to 1024 characters in length. POSIX 4.40.5.3 Environment variables
    states '.... The default shall be dead.letter in the directory named
    by the HOME variable.' which in this case is three characters too long.

    In the comments for tp25, it apears you were aware of this situation,
    but did not take into account the dead.letter assumption. Here is
    the comment from the mailx_01.sh:

    Note 2: Currently skipping the GA67 tests, because mailx seems
    to correctly prepend $HOME to the long pathnames, creating
    too-long pathnames. The tests will be modified to deal with
    absolute pathnaes of the exact size.

    The following code fragment shows what is happening in the tp25 case and
    where we forsee a problem in the current coding of the test case:

    . $TS_SHLIB/Ext2PathMax.SH
    longpath=`ExtendPathToPathMax -s $file .mailrc`
    if [ $? -ne 0 ]; then
    SetResult $TET_UNRESOLVED "Command failed: 'longpath=\`ExtendPathToPathMax -s $file .mailrc\`'"
    return
    fi

    HOME=`dirname $longpath` # Trim off last component
    echo exit | mailx -n -f mailx_in > $CT_STDOUT 2> $CT_STDERR
    CT_EXIT_VALUE=$?

    If you add a line to set DEAD to some length less than 1024 AFTER the
    setting of HOME and BEFORE calling mailx it the test would be correct.

    Test Output

    Here is the output from the journal:
    400|199 25 1 14:54:00|IC Start
    200|199 1 14:54:00|TP Start
    520|199 1 85435 1 1|Assertion #25 (C): GA12: pathname resolution
    520|199 1 85435 1 11|Expected exit code = 0; Received 1
    520|199 1 85435 1 12|Standard error isn't empty
    520|199 1 85435 1 13|Contents of out.stderr:
    520|199 1 85435 1 14|cmd-4416 mailx: mailx: Panic -- Internal buffer overflow 0
    520|199 1 85435 1 15| <LC> 07; please contact the vendor.
    220|199 1 1 14:58:34|FAIL
    410|199 25 1 14:58:34|IC End

    or after being parsed:
    -------- mailx 17:29:46 --------

    Assertion #25 (C): GA12: pathname resolution

    Expected exit code = 0; Received 1

    Standard error isn't empty

    Contents of out.stderr:

    cmd-4416 mailx: mailx: Panic -- Internal buffer overflow 0

    07; please contact the vendor.

    Assertion Result: FAIL

    Review Information

    Review Type TSMA Review
    Start Date null
    Completed null
    Status Complete
    Review Recommendation No Resolution Given
    Review Response
    This is accepted as a test suite deficiency.

    Review Type SA Review
    Start Date null
    Completed null
    Status Complete
    Review Resolution Test Suite Deficiency (TSD)
    Review Conclusion
    This is an agreed Test Suite Deficiency.

    Problem Reporting System Options:

     

    Back   

Contact the Certification Authority