Buffer overflow in dump, as reported from Bugtraq

[dump.git] / CHANGES

$Id: CHANGES,v 1.45 2000/03/01 10:16:05 stelian Exp $

Changes between versions 0.4b14 and 0.4b15 (released ?????????????????)
=======================================================================

1.      Added a prompt command in interactive restore mode. Thanks
        to Andreas Dilger <adilger@home.com> for the patch.

2.      Fixed a buffer overflow problem in dump (caused by 
        not checking the size of the filesystem parameter). 
        Thanks to Kim Yong-jun <loveyou@hackerslab.org> for
        reporting this on Bugtraq (and to several dump users
        who forwarded me his mail).

Changes between versions 0.4b13 and 0.4b14 (released February 10, 2000)
=======================================================================

1.      Fixed a bug in dump which may have caused invalid deleted 
        directories to be dumped out if they were deleted after the
        mapping pass. This could occure on active filesystem and lead
        to heap corruption (causing dump malfunction in many possible ways).
        Thanks to Jan Sanislo <oystr@cs.washington.edu> for finding this
        bug and submitting the patch.

2.      Fixed the handling of the filesystem parameter in dump. A
        '/mnt/disk' parameter caused the disk contents to be dumped,
        but a '/mnt/disk/' parameter caused the mountpoint directory
        to be dumped (generally an empty directory).

3.      Improved the output of dump in order to tell which directory
        it is currently dumping (when dumping a subtree).

4.      Added the '-e' exclude inode option to dump. Thanks to
        Isaac Chuang <ike@isl.stanford.edu> for contributing with the patch.

5.      Added a REPORTING-BUGS file in order to provide a guide
        on how to correctly report a bug in dump/restore.

6.      Fixed a restore problem when restoring a hard link to an inode
        having the immutable or append-only attribute set. Thanks to
        Ambrose Li <acli@mingpaoxpress.com> for submitting the patch.

7.      Fixed a compatibility problem between dumps made on little
        endian machines (the format was correct) and big endian 
        machines (the format was incorrect). This fix break the
        compatibility with the older dumps made on big endian 
        machines (sparc, m86k, ppc etc). For the first time in
        linux dump's history (I believe), the dumps made by *BSD, 
        Linux/alpha, Linux/sparc and Linux/x86 are compatible, 
        so interchangeable. Thanks to Rob Cermak
        <cermak@ahab.rutgers.edu> for submitting the bug and
        helping me test the fix.

8.      Fixed the way dump reports the remaining percent/time, if
        the number of blocks actually dumped exceeds the estimated
        number of blocks. Thanks to Jean-Paul van der Jagt 
        <jeanpaul@dutepp0.et.tudelft.nl> for reporting the bug.

Changes between versions 0.4b12 and 0.4b13 (released January 21, 2000)
======================================================================

1.      Small Y2K fix in the man pages :). Thanks to Bernhard Sadlowski
        <sadlowsk@Mathematik.Uni-Bielefeld.DE> for reporting the bug.

2.      Removed the requirement to build the RPM as root from the
        spec file. Thanks to Christian Weisgerber 
        <naddy@mips.rhein-neckar.de> for submitting this.

3.      Fixed a bug in dump related to the 'filetype' feature of ext2fs,
        causing dump to block when dumping really huge filesystems.
        Many thanks to Patrik Schindler <poc@pocnet.net> for 
        helping me find this bug.

4.      Fixed the treatment for an interrupt signal when dump access
        the remote tape through RSH. Thanks to Christian Weisgerber
        <naddy@mips.rhein-neckar.de> for providing the patch.

5.      Fixed a bug which was causing dump/restore to display
        garbage characters instead of the remote host name.

Changes between versions 0.4b11 and 0.4b12 (released January 8, 2000)
=====================================================================

1.      Small fix in the dump man page. Thanks to Thorsten Kukuk 
        <kukuk@suse.de> for submitting the patch.

2.      Fix for the exit code when using the size estimate option of
        dump. Thanks to Matti Taskinen <mkt@rni.helsinki.fi> for
        submitting the patch.

3.      Handle EINTR in atomical reads/writes in dump, which was causing
        dump to fail on some systems. Thanks to Eric Jergensen
        <eric@dvns.com> for reporting the bug and submitting the patch.

4.      Handle more than 16 characters for the device names in dumpdates.
        (up to 255 now). Thanks to Rainer Clasen <bj@ncc.cicely.de> for
        tracking down the problem and proposing the solution.

5.      Fixed a bug in dump which prevented the creation of the
        dumpdates file when doing a 0-level dump without already
        having a dumpdates file. Thanks to Patrik Schindler 
        <poc@pocnet.net> for reporting the bug.

6.      Changed the way dump 'S' flag reports the size estimate
        from number of blocks into bytes (making it compatible
        with the Solaris version, and simplifying things for
        amanda users). Thanks to Jason L Tibbitts III 
        <tibbs@math.uh.edu> for reporting the bug.

7.      Fixed a compatibility problem in linux/alpha dump tape format.
        Now the linux/alpha dump are (again) compatible with the
        other dump formats. But this breaks compatibility with
        older dumps made on alpha. Thanks to Mike Tibor 
        <tibor@lib.uaa.alaska.edu> for helping me in finding this bug.  

Changes between versions 0.4b10 and 0.4b11 (released December 5, 1999)
======================================================================

1.      Added a '--enable-kerberos' to configure.

2.      Added a 'S' option to dump which determines the amount of space
        that is needed to perform the dump without actually doing it, similar
        to the Sun's ufsdump 'S' option. Patch contributed by Rob Cermak
        <cermak@ahab.rutgers.edu>.

3.      Added a 'M' multi-volume option to dump and restore which enables
        dumping to multiple files (useful when dumping to an ext2
        partition to make several dump files in order to bypass the 2GB
        file size limitation). The 'f' argument is treated as a prefix and
        the output files will be named <prefix>001, <prefix>002 etc. With
        the 'M' flag, restore automatically selects the right file without
        asking to enter a new tape each time.

4.      Fixed a memory leak which was causing dump to grow very big
        (270MB when dumping a 10GB filesystem...). Thanks to Jason 
        Fearon <jasonf@netrider.org.au> for reporting the bug.

Changes between versions 0.4b9 and 0.4b10 (released November 21, 1999)
======================================================================

1.      Make configure test if the system glob routines support 
        extended syntax (ALTDIRFUNC). If not, use the internal glob
        routines instead of system ones. Thanks to Bernhard Sadlowski 
        <sadlowsk@Mathematik.Uni-Bielefeld.DE> for reporting the bug
        and helping me resolve this and other minor libc5 compiling
        glitches.

2.      Fix a problem when dumping a ext2fs with the 'filetype'
        feature enabled. Thanks to Patrick J. LoPresti 
        <patl@cag.lcs.mit.edu> for reporting the bug and to
        Theodore Y. Ts'o <tytso@mit.edu> for providing the patch.

3.      Made the nodump flag work on directories. A directory which
        has the nodump flag gets never dumped, regardless of its
        contents.

4.      Integrate a patch from Jeremy Fitzhardinge <jeremy@goop.org>
        which allows dump on an active ext3 filesystem. However, this
        is a "quick and dirty" patch which enables backup of an ext3
        filesystem through the ext2 compatibility (by ignoring the
        NEEDS_RECOVERY bit). The journal file is not recognized and
        it is dumped (it should not). 

5.      Test the superblock compatibility flags when dumping, in order
        to be sure that we know how to deal with specific features.

Changes between versions 0.4b8 and 0.4b9 (released November 5, 1999)
====================================================================

1.      Use lchown instead of chown, fixing a possible security problem 
        when restoring symlinks (a malicious user could use this
        to deliberately corrupt the ownership of important system files).
        Thanks to Chris Siebenmann <cks@utcc.utoronto.ca> for detecting
        this and providing the patch.

Changes between versions 0.4b7 and 0.4b8 (released November 3, 1999)
====================================================================

1.      Put dump sources under CVS, added Id tags in all files so
        one can use 'ident' on binary files.

2.      Added the dump/restore version in the usage text so one can
        easily verify the version he is using.

3.      Small patch from Nuno Oliveira <nuno@eq.uc.pt> which fixes
        a va_start/va_end problem on linux-ppc (always call va_start
        va_end in pairs each time we use a vararg function).

4.      Added again the DT_* constants because old libc does not
        contain them :(. Thanks to Eric Maisonobe <virnet@nat.fr>
        for submitting the bug report.

5.      Use ext2fs_llseek instead of llseek. With recent e2fsprogs
        this should enable dumping big (huge) filesystems.

6.      Added the RSH environment variable in order to be able to
        use a rsh replacement like ssh when doing remote backups (and
        bypass the security limitations of rcmd). Now you can do remote
        backups without being root (or making dump setuid root).

7.      Modified again the way dumpdates works. For incremental dumps,
        we need to read dumpdates even if we are not using 'u' option.
        Thanks to Bdale Garbee <bdale@gag.com> for his ideas on how
        this should work.

Changes between versions 0.4b6 and 0.4b7 (released October 8, 1999)
===================================================================

1.      Removed the 'k' flag from the restore 'about' text if kerberos
        was not compiled in.

2.      Prototyped (f)setflags from e2fsprogs and corrected the calls
        to them (fsetflags takes a char*, setflags an open fd!).

3.      (f)setflags is called only if the flags aren't empty. If the
        file is a special file, a warning is printed, because changing
        flags implies opening the device. Normally, a special file
        should not have any flag... (Debian bug #29775, patch provided
        by Abhijit Dasgupta <abhijit@ans.net>).

4.      Made possible to dump a file system not mentioned in /etc/fstab.
        (Debian bug #11904, patch provided by Eirik Fuller <eirik@netcom.com>).

5.      Changed the default behaviour to not create dumpdates
        unless 'u' option is specified. Removed the old "debian-patch"
        which provided the same thing. (Debian bug #38136, #33818).

6.      Removed all those dump*announce, since they were getting old...

7.      Added warning messages if dumpdates does not exist and
        when an inferior level dump does not exist (except for a level 0
        dump).

8.      Debugged the glob calls in interactive mode: restore used a 
        dirent struct which was different from the /usr/include/dirent.h
        one (this used to work, is it a glibc2 change?), so none of the 
        compat glob (which used /usr/include/dirent.h) or the system glob 
        worked. Restore use now the system dirent (and the system 
        DT_* constants), which are compatible with BSD ones.

9.      Added a configure flag (--with-dumpdatespath) to specify
        the location of dumpdates file. By default, it is 
        /etc/dumpdates.

10.     Added the "AUTHOR" and "AVAILABILITY" sections and 
        included the current date/version in man pages.

11.     Corrected the estimation of remaining time when
        the operator doesn't change the tapes quickly enough. This
        was an old bug, I thought I corrected it, and discovered
        that in fact it was corrected in two different places, so
        the results canceled each other...

Changes between versions 0.4b5 and 0.4b6 (released October 1, 1999)
===================================================================

1.      Integrated multiple patches from RedHat, Debian and SuSE:

        - tweak dump/itime.c to not try to read dumpdates if the 'u' option 
          isn't specified.
        - several fixes in the man pages.
        - update the default tape device to /dev/st0.
        - many updates for Linux Alpha (byte ordering, size_t etc).
        - buffer overruns.
        - use environment variable for TMPDIR (instead of /tmp).
        - use sigjmp_buf instead of jmp_buf (RedHat bug #3260).
        - workaround egcs bug (RedHat bugs #4281 and #2989).
        - wire $(OPT) throughout Makefile's.

2.      Upgrade the dump revision to 1, making possible to dump filesystems
        made with e2fsprogs-1.15 or newer. Nothing seems to break...

3.      Fix some compile warnings, prototype all functions.

4.      Use glibc err/glob instead of internal compatibility
        routines (only if available).

5.      Fix a compile error on Linux 2.2.7 / libc5 (5.4.44) (patch provided
        by Bernhard Sadlowski <sadlowsk@mathematik.uni-bielefeld.de>).

Changes between versions 0.4b4 and 0.4b5 (released September 22, 1999)
======================================================================

1.      Integrated the changes from FreeBSD-3.1-RELEASE
        (mostly bug fixes, buffer overruns, dump has now an "automatic
        tape length calculation" flag, dump/restore can use kerberos now
        (this is NOT tested), use environment variables for TAPE and
        RMT etc.).

2.      Integrated three RedHat patches ("glibc", "kernel" and "bread" patches)

3.      Corrected a bug in restore when using 'C' option with multi-volumes
        tapes (files splited accros two tapes give "size changed" errors
        when comparing).

4.      Corrected the long standing bug when dumping multiple tapes.
        This works for me, needs further testing.

Changes between versions 0.4b3 and 0.4b4 (released January 17, 1997)
====================================================================

1.      Dump now runs correctly on kernels 2.1.x
        Fix made by Gerald Peters <gapeters@worldnet.att.net>

Changes between versions 0.4b2 and 0.4b3
========================================

1.      Use realpath() if available

2.      Report statistics

Changes between versions 0.4b1 and 0.4b2
========================================

1.      Fixed the bug fix from Greg Lutz (I had made a mistake when integrating
        the patch)

2.      Fixed restore to make it able to read FreeBSD 2.x dumps again

3.      Fixed configure.in to correctly handle --enable-rmt

Changes between versions 0.3 and 0.4b1
======================================

1.      Integrated the changes from 4.4BSD-Lite2

2.      Integrated the patches from Debian and Red Hat

3.      Portability changes: use the __u32, __u16, __s32, and __s16 types

4.      Changed dump to use the Ext2fs library to get block addresses.  This
        should solve the endianness problem on SparcLinux.

5.      Created a configure.in file (shamelessly stolen from the e2fsprogs
        distribution's one) to use autoconf

6.      Fixed a few minor bugs

Changes between versions 0.2e and 0.2f
======================================

1.      Added the creation of named pipes (fifos) in restore.

2.      Added the -N flag in the restore manual page.

3.      Added the file kernel.patch which contains the llseek() optimization
        patch for 1.2.x kernels.

4.      Fixed a bug in the restoration of symbolic links: owner and group were
        not restored.

5.      Integrated some changes from FreeBSD 2.2.

6.      Added a call to ftruncate() after restoring each file to restore
        correctly files ending by a hole.

Changes between versions 0.2d and 0.2e
======================================

1.      Fixed a bug in the "set owner/mode" process.  Every file was restored
        with owner = root (0) and group = root/wheel/whatever (0).

Changes between versions 0.2c and 0.2d
======================================

1.      Dump is now able to backup 2GB+ filesystems.

2.      Dump and restore can now be linked as static binaries.

Changes between versions 0.2b and 0.2c
======================================

1.      Fixed a bug when dumping ``slow'' (i.e. normal) symbolic links.

Changes between versions 0.2a and 0.2b
======================================

1.      Really fixed the bug that I should have corrected in 0.2a.

2.      Enabled optimization again.

Changes between versions 0.2 and 0.2a
=====================================

1.      Disabled the optimization during compilation.

Changes between versions 0.1 and 0.2
====================================

1.      Fixed a bug in fstab.c which caused a null pointer to be stored in
        the fs_type field (actually, I modified the file fstab.c to make it
        use the mntent functions).

2.      Dump and restore now use a 4.3 BSD compatible dump format.  Backups
        made by dump should be readable by the BSD restore and backups made
        by the BSD dump should be readable by restore.  Unfortunately, this
        means that the dump format has changed between version 0.1 and version
        0.2 :-(

3.      Dump is now able to backup a subtree, it is no longer limited to whole
        filesystems like the BSD version.

4.      Dump now uses ext2_llseek() so it is able to backup filesystems bigger
        than 2 GB.

Changes between versions 0.0 and 0.1
====================================

1.      Now create links rdump and rrestore during the `make install' step.

2.      Linux port specific bugs added to the manual pages

3.      Incorrect estimation of the number of tapes blocks fixed when doing
        incremental backups.

4.      Better ls-like format in restore in interactive mode.