Buffer overflow in dump, as reported from Bugtraq

[dump.git] / CHANGES

$Id: CHANGES,v 1.45 2000/03/01 10:16:05 stelian Exp $

Changes between versions 0.4b14 and 0.4b15 (released ?????????????????)
=======================================================================

1.	Added a prompt command in interactive restore mode. Thanks
	to Andreas Dilger <adilger@home.com> for the patch.

2.	Fixed a buffer overflow problem in dump (caused by 
	not checking the size of the filesystem parameter). 
	Thanks to Kim Yong-jun <loveyou@hackerslab.org> for
	reporting this on Bugtraq (and to several dump users
	who forwarded me his mail).

Changes between versions 0.4b13 and 0.4b14 (released February 10, 2000)
=======================================================================

1.	Fixed a bug in dump which may have caused invalid deleted 
	directories to be dumped out if they were deleted after the
	mapping pass. This could occure on active filesystem and lead
	to heap corruption (causing dump malfunction in many possible ways).
	Thanks to Jan Sanislo <oystr@cs.washington.edu> for finding this
	bug and submitting the patch.

2.	Fixed the handling of the filesystem parameter in dump. A
	'/mnt/disk' parameter caused the disk contents to be dumped,
	but a '/mnt/disk/' parameter caused the mountpoint directory
	to be dumped (generally an empty directory).

3.	Improved the output of dump in order to tell which directory
	it is currently dumping (when dumping a subtree).

4.	Added the '-e' exclude inode option to dump. Thanks to
	Isaac Chuang <ike@isl.stanford.edu> for contributing with the patch.

5.	Added a REPORTING-BUGS file in order to provide a guide
	on how to correctly report a bug in dump/restore.

6.	Fixed a restore problem when restoring a hard link to an inode
	having the immutable or append-only attribute set. Thanks to
	Ambrose Li <acli@mingpaoxpress.com> for submitting the patch.

7.	Fixed a compatibility problem between dumps made on little
	endian machines (the format was correct) and big endian 
	machines (the format was incorrect). This fix break the
	compatibility with the older dumps made on big endian 
	machines (sparc, m86k, ppc etc). For the first time in
	linux dump's history (I believe), the dumps made by *BSD, 
	Linux/alpha, Linux/sparc and Linux/x86 are compatible, 
	so interchangeable. Thanks to Rob Cermak
	<cermak@ahab.rutgers.edu> for submitting the bug and
	helping me test the fix.

8.	Fixed the way dump reports the remaining percent/time, if
	the number of blocks actually dumped exceeds the estimated
	number of blocks. Thanks to Jean-Paul van der Jagt 
	<jeanpaul@dutepp0.et.tudelft.nl> for reporting the bug.

Changes between versions 0.4b12 and 0.4b13 (released January 21, 2000)
======================================================================

1.	Small Y2K fix in the man pages :). Thanks to Bernhard Sadlowski
	<sadlowsk@Mathematik.Uni-Bielefeld.DE> for reporting the bug.

2.	Removed the requirement to build the RPM as root from the
	spec file. Thanks to Christian Weisgerber 
	<naddy@mips.rhein-neckar.de> for submitting this.

3.	Fixed a bug in dump related to the 'filetype' feature of ext2fs,
	causing dump to block when dumping really huge filesystems.
	Many thanks to Patrik Schindler <poc@pocnet.net> for 
	helping me find this bug.

4.	Fixed the treatment for an interrupt signal when dump access
	the remote tape through RSH. Thanks to Christian Weisgerber
	<naddy@mips.rhein-neckar.de> for providing the patch.

5.	Fixed a bug which was causing dump/restore to display
	garbage characters instead of the remote host name.

Changes between versions 0.4b11 and 0.4b12 (released January 8, 2000)
=====================================================================

1.	Small fix in the dump man page. Thanks to Thorsten Kukuk 
	<kukuk@suse.de> for submitting the patch.

2.	Fix for the exit code when using the size estimate option of
	dump. Thanks to Matti Taskinen <mkt@rni.helsinki.fi> for
	submitting the patch.

3.	Handle EINTR in atomical reads/writes in dump, which was causing
	dump to fail on some systems. Thanks to Eric Jergensen
	<eric@dvns.com> for reporting the bug and submitting the patch.

4.	Handle more than 16 characters for the device names in dumpdates.
	(up to 255 now). Thanks to Rainer Clasen <bj@ncc.cicely.de> for
	tracking down the problem and proposing the solution.

5.	Fixed a bug in dump which prevented the creation of the
	dumpdates file when doing a 0-level dump without already
	having a dumpdates file. Thanks to Patrik Schindler 
	<poc@pocnet.net> for reporting the bug.

6.	Changed the way dump 'S' flag reports the size estimate
	from number of blocks into bytes (making it compatible
	with the Solaris version, and simplifying things for
	amanda users). Thanks to Jason L Tibbitts III 
	<tibbs@math.uh.edu> for reporting the bug.

7.	Fixed a compatibility problem in linux/alpha dump tape format.
	Now the linux/alpha dump are (again) compatible with the
	other dump formats. But this breaks compatibility with
	older dumps made on alpha. Thanks to Mike Tibor 
	<tibor@lib.uaa.alaska.edu> for helping me in finding this bug.  

Changes between versions 0.4b10 and 0.4b11 (released December 5, 1999)
======================================================================

1.	Added a '--enable-kerberos' to configure.

2.	Added a 'S' option to dump which determines the amount of space
	that is needed to perform the dump without actually doing it, similar
	to the Sun's ufsdump 'S' option. Patch contributed by Rob Cermak
	<cermak@ahab.rutgers.edu>.

3.	Added a 'M' multi-volume option to dump and restore which enables
	dumping to multiple files (useful when dumping to an ext2
	partition to make several dump files in order to bypass the 2GB
	file size limitation). The 'f' argument is treated as a prefix and
	the output files will be named <prefix>001, <prefix>002 etc. With
	the 'M' flag, restore automatically selects the right file without
	asking to enter a new tape each time.

4.	Fixed a memory leak which was causing dump to grow very big
	(270MB when dumping a 10GB filesystem...). Thanks to Jason 
	Fearon <jasonf@netrider.org.au> for reporting the bug.

Changes between versions 0.4b9 and 0.4b10 (released November 21, 1999)
======================================================================

1.	Make configure test if the system glob routines support 
	extended syntax (ALTDIRFUNC). If not, use the internal glob
	routines instead of system ones. Thanks to Bernhard Sadlowski 
	<sadlowsk@Mathematik.Uni-Bielefeld.DE> for reporting the bug
	and helping me resolve this and other minor libc5 compiling
	glitches.

2.	Fix a problem when dumping a ext2fs with the 'filetype'
	feature enabled. Thanks to Patrick J. LoPresti 
	<patl@cag.lcs.mit.edu> for reporting the bug and to
	Theodore Y. Ts'o <tytso@mit.edu> for providing the patch.

3.	Made the nodump flag work on directories. A directory which
	has the nodump flag gets never dumped, regardless of its
	contents.

4.	Integrate a patch from Jeremy Fitzhardinge <jeremy@goop.org>
	which allows dump on an active ext3 filesystem. However, this
	is a "quick and dirty" patch which enables backup of an ext3
	filesystem through the ext2 compatibility (by ignoring the
	NEEDS_RECOVERY bit). The journal file is not recognized and
	it is dumped (it should not). 

5.	Test the superblock compatibility flags when dumping, in order
	to be sure that we know how to deal with specific features.

Changes between versions 0.4b8 and 0.4b9 (released November 5, 1999)
====================================================================

1.	Use lchown instead of chown, fixing a possible security problem 
	when restoring symlinks (a malicious user could use this
	to deliberately corrupt the ownership of important system files).
	Thanks to Chris Siebenmann <cks@utcc.utoronto.ca> for detecting
	this and providing the patch.

Changes between versions 0.4b7 and 0.4b8 (released November 3, 1999)
====================================================================

1.	Put dump sources under CVS, added Id tags in all files so
	one can use 'ident' on binary files.

2.	Added the dump/restore version in the usage text so one can
	easily verify the version he is using.

3.	Small patch from Nuno Oliveira <nuno@eq.uc.pt> which fixes
	a va_start/va_end problem on linux-ppc (always call va_start
	va_end in pairs each time we use a vararg function).

4.	Added again the DT_* constants because old libc does not
	contain them :(. Thanks to Eric Maisonobe <virnet@nat.fr>
	for submitting the bug report.

5.	Use ext2fs_llseek instead of llseek. With recent e2fsprogs
	this should enable dumping big (huge) filesystems.

6.	Added the RSH environment variable in order to be able to
	use a rsh replacement like ssh when doing remote backups (and
	bypass the security limitations of rcmd). Now you can do remote
	backups without being root (or making dump setuid root).

7.	Modified again the way dumpdates works. For incremental dumps,
	we need to read dumpdates even if we are not using 'u' option.
	Thanks to Bdale Garbee <bdale@gag.com> for his ideas on how
	this should work.

Changes between versions 0.4b6 and 0.4b7 (released October 8, 1999)
===================================================================

1.	Removed the 'k' flag from the restore 'about' text if kerberos
	was not compiled in.

2.	Prototyped (f)setflags from e2fsprogs and corrected the calls
	to them (fsetflags takes a char*, setflags an open fd!).

3.	(f)setflags is called only if the flags aren't empty. If the
	file is a special file, a warning is printed, because changing
	flags implies opening the device. Normally, a special file
	should not have any flag... (Debian bug #29775, patch provided
	by Abhijit Dasgupta <abhijit@ans.net>).

4.	Made possible to dump a file system not mentioned in /etc/fstab.
	(Debian bug #11904, patch provided by Eirik Fuller <eirik@netcom.com>).

5.	Changed the default behaviour to not create dumpdates
	unless 'u' option is specified. Removed the old "debian-patch"
	which provided the same thing. (Debian bug #38136, #33818).

6.	Removed all those dump*announce, since they were getting old...

7.	Added warning messages if dumpdates does not exist and
	when an inferior level dump does not exist (except for a level 0
	dump).

8.	Debugged the glob calls in interactive mode: restore used a 
	dirent struct which was different from the /usr/include/dirent.h
	one (this used to work, is it a glibc2 change?), so none of the 
	compat glob (which used /usr/include/dirent.h) or the system glob 
	worked. Restore use now the system dirent (and the system 
	DT_* constants), which are compatible with BSD ones.

9.	Added a configure flag (--with-dumpdatespath) to specify
	the location of dumpdates file. By default, it is 
	/etc/dumpdates.

10.	Added the "AUTHOR" and "AVAILABILITY" sections and 
	included the current date/version in man pages.

11.	Corrected the estimation of remaining time when
	the operator doesn't change the tapes quickly enough. This
	was an old bug, I thought I corrected it, and discovered
	that in fact it was corrected in two different places, so
	the results canceled each other...

Changes between versions 0.4b5 and 0.4b6 (released October 1, 1999)
===================================================================

1.	Integrated multiple patches from RedHat, Debian and SuSE:

	- tweak dump/itime.c to not try to read dumpdates if the 'u' option 
	  isn't specified.
	- several fixes in the man pages.
	- update the default tape device to /dev/st0.
	- many updates for Linux Alpha (byte ordering, size_t etc).
	- buffer overruns.
	- use environment variable for TMPDIR (instead of /tmp).
	- use sigjmp_buf instead of jmp_buf (RedHat bug #3260).
	- workaround egcs bug (RedHat bugs #4281 and #2989).
	- wire $(OPT) throughout Makefile's.

2.	Upgrade the dump revision to 1, making possible to dump filesystems
	made with e2fsprogs-1.15 or newer. Nothing seems to break...

3.	Fix some compile warnings, prototype all functions.

4.	Use glibc err/glob instead of internal compatibility
	routines (only if available).

5.	Fix a compile error on Linux 2.2.7 / libc5 (5.4.44) (patch provided
	by Bernhard Sadlowski <sadlowsk@mathematik.uni-bielefeld.de>).

Changes between versions 0.4b4 and 0.4b5 (released September 22, 1999)
======================================================================

1.	Integrated the changes from FreeBSD-3.1-RELEASE
	(mostly bug fixes, buffer overruns, dump has now an "automatic
	tape length calculation" flag, dump/restore can use kerberos now
	(this is NOT tested), use environment variables for TAPE and
	RMT etc.).

2.	Integrated three RedHat patches ("glibc", "kernel" and "bread" patches)

3.	Corrected a bug in restore when using 'C' option with multi-volumes
	tapes (files splited accros two tapes give "size changed" errors
	when comparing).

4.	Corrected the long standing bug when dumping multiple tapes.
	This works for me, needs further testing.

Changes between versions 0.4b3 and 0.4b4 (released January 17, 1997)
====================================================================

1.	Dump now runs correctly on kernels 2.1.x
	Fix made by Gerald Peters <gapeters@worldnet.att.net>

Changes between versions 0.4b2 and 0.4b3
========================================

1.	Use realpath() if available

2.	Report statistics

Changes between versions 0.4b1 and 0.4b2
========================================

1.	Fixed the bug fix from Greg Lutz (I had made a mistake when integrating
	the patch)

2.	Fixed restore to make it able to read FreeBSD 2.x dumps again

3.	Fixed configure.in to correctly handle --enable-rmt

Changes between versions 0.3 and 0.4b1
======================================

1.	Integrated the changes from 4.4BSD-Lite2

2.	Integrated the patches from Debian and Red Hat

3.	Portability changes: use the __u32, __u16, __s32, and __s16 types

4.	Changed dump to use the Ext2fs library to get block addresses.  This
	should solve the endianness problem on SparcLinux.

5.	Created a configure.in file (shamelessly stolen from the e2fsprogs
	distribution's one) to use autoconf

6.	Fixed a few minor bugs

Changes between versions 0.2e and 0.2f
======================================

1.	Added the creation of named pipes (fifos) in restore.

2.	Added the -N flag in the restore manual page.

3.	Added the file kernel.patch which contains the llseek() optimization
	patch for 1.2.x kernels.

4.	Fixed a bug in the restoration of symbolic links: owner and group were
	not restored.

5.	Integrated some changes from FreeBSD 2.2.

6.	Added a call to ftruncate() after restoring each file to restore
	correctly files ending by a hole.

Changes between versions 0.2d and 0.2e
======================================

1.	Fixed a bug in the "set owner/mode" process.  Every file was restored
	with owner = root (0) and group = root/wheel/whatever (0).

Changes between versions 0.2c and 0.2d
======================================

1.	Dump is now able to backup 2GB+ filesystems.

2.	Dump and restore can now be linked as static binaries.

Changes between versions 0.2b and 0.2c
======================================

1.	Fixed a bug when dumping ``slow'' (i.e. normal) symbolic links.

Changes between versions 0.2a and 0.2b
======================================

1.	Really fixed the bug that I should have corrected in 0.2a.

2.	Enabled optimization again.

Changes between versions 0.2 and 0.2a
=====================================

1.	Disabled the optimization during compilation.

Changes between versions 0.1 and 0.2
====================================

1.	Fixed a bug in fstab.c which caused a null pointer to be stored in
	the fs_type field (actually, I modified the file fstab.c to make it
	use the mntent functions).

2.	Dump and restore now use a 4.3 BSD compatible dump format.  Backups
	made by dump should be readable by the BSD restore and backups made
	by the BSD dump should be readable by restore.  Unfortunately, this
	means that the dump format has changed between version 0.1 and version
	0.2 :-(

3.	Dump is now able to backup a subtree, it is no longer limited to whole
	filesystems like the BSD version.

4.	Dump now uses ext2_llseek() so it is able to backup filesystems bigger
	than 2 GB.

Changes between versions 0.0 and 0.1
====================================

1.	Now create links rdump and rrestore during the `make install' step.

2.	Linux port specific bugs added to the manual pages

3.	Incorrect estimation of the number of tapes blocks fixed when doing
	incremental backups.

4.	Better ls-like format in restore in interactive mode.