cygwin1.dll up to 1.5.22 overflow

Corinna Vinschen
Thu Nov 8 16:04:00 GMT 2007

On Nov  8 14:17, Daniel Fdez. Bleda wrote:
> Dave,
> Here you have the requested info of the advisory:
> ----------------------------------------------------------------------------------------------------
> Traditionally, Linux filesystems allow 255-byte-long names; nevertheless

Really?  PATH_MAX is 4096 on my Linux system.  Or are you talking about
NAME_MAX, the length of a single path component?

> Cygwin allows 239 bytes, and there is a check that prevents filenames
> equal to or greater than 240.

Cygwin up to 1.5.x allows filenames up to 259 chars, same as the Ascii
Win32 functions:

> In spite of the check, there is a 232-byte-long dynamic memory buffer
> where the filename is stored, so it is possible to make an evil filename
> 233-239 bytes long that bypasses the check and overflows the heap by a
> maximum of 7 bytes. So you have to penetrate the machine and put the
> evil file there, and then 7 bytes of the private heap and the ebx and edi
> registers were mine.
> [...]
> I would like to avoid public discussion if you need (as I expect) more
> information.

As Dave mentioned, Cygwin is inherently insecure, and, given the fact
that you don't have the problem in recent versions, I don't see a need
to keep it such a secret.  So, here's Dave's question again:  Which is
the vulnerable function?


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
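The bug class the report describes is a length check that does not match the buffer it guards: names of 240 bytes or more are rejected, but the name is then copied into a 232-byte heap buffer. The thread never identifies the Cygwin function involved, so the C example below is an added illustration, not Cygwin's code and not the reporter's: it takes only the numbers from the report (240-byte threshold, 232-byte buffer) and invents the function names, a guard region standing in for whatever sits after the buffer on the heap, and a store routine. It counts the terminating NUL as part of the copy, which is why a 232-byte name already spills one byte and a 239-byte name spills eight, one more than the report's count of seven characters. The hardened variant bounds the copy by the buffer size it is actually given.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed numbers, taken from the report: a 240-byte rejection threshold
   guarding a 232-byte heap buffer. GUARD_SIZE and all names are illustrative. */
enum { NAME_LIMIT = 240, BUF_SIZE = 232, GUARD_SIZE = 8 };

/* Stand-in for the heap: the name buffer followed by GUARD_SIZE bytes that
   play the role of whatever neighbours the buffer (allocator metadata or the
   next object). Everything lives in one malloc'd block so the overrun stays
   inside memory this program owns and can be inspected afterwards. */
struct heap_model {
    unsigned char *block;   /* BUF_SIZE + GUARD_SIZE bytes */
};

static int model_init(struct heap_model *m) {
    m->block = malloc(BUF_SIZE + GUARD_SIZE);
    if (!m->block)
        return -1;
    memset(m->block, 0, BUF_SIZE);
    memset(m->block + BUF_SIZE, 0xAA, GUARD_SIZE);   /* known guard pattern */
    return 0;
}

static void model_free(struct heap_model *m) {
    free(m->block);
    m->block = NULL;
}

/* Number of guard bytes that no longer hold the pattern, i.e. the overrun. */
static int model_clobbered(const struct heap_model *m) {
    int n = 0;
    for (int i = 0; i < GUARD_SIZE; i++)
        if (m->block[BUF_SIZE + i] != 0xAA)
            n++;
    return n;
}

/* Vulnerable pattern: the check (240) and the buffer (232) disagree, so a
   name of 232..239 characters passes the check and writes past the buffer. */
static int store_name_vulnerable(char *buf, const char *name) {
    size_t len = strlen(name);
    if (len >= NAME_LIMIT)
        return -1;                    /* "too long" */
    memcpy(buf, name, len + 1);       /* up to 240 bytes into 232 */
    return 0;
}

/* Hardened: the bound is the destination buffer itself, terminator included. */
static int store_name_fixed(char *buf, size_t bufsize, const char *name) {
    size_t len = strlen(name);
    if (len >= bufsize)               /* need len + 1 bytes for the NUL */
        return -1;
    memcpy(buf, name, len + 1);
    return 0;
}

/* Build a name of `len` 'A's, store it with one of the two routines and
   return how many guard bytes were overwritten; -1 if the store rejected the
   name, -2 on allocation failure. */
static int overrun_after_store(size_t len, int use_fixed) {
    struct heap_model m;
    char *name = malloc(len + 1);
    int rc, clobbered;

    if (!name || model_init(&m) != 0) {
        free(name);
        return -2;
    }
    memset(name, 'A', len);
    name[len] = '\0';

    rc = use_fixed ? store_name_fixed((char *)m.block, BUF_SIZE, name)
                   : store_name_vulnerable((char *)m.block, name);
    clobbered = (rc == 0) ? model_clobbered(&m) : -1;

    model_free(&m);
    free(name);
    return clobbered;
}

int main(void) {
    size_t lens[] = { 231, 232, 233, 239, 240 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %3zu: vulnerable overrun %2d, fixed overrun %2d\n",
               lens[i], overrun_after_store(lens[i], 0),
               overrun_after_store(lens[i], 1));
    return 0;
}
```

Run as is, the vulnerable store reports 0 clobbered guard bytes for a 231-character name, 2 for 233 and 8 for 239, and rejects 240; the fixed store accepts 231 with no overrun and rejects everything from 232 up. The general lesson is the one the report turns on: a size check must be derived from the size of the buffer the data is written into, not from a constant kept somewhere else that can drift away from it.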

More information about the Cygwin-developers mailing list