CVE-2019-1010044
Description
borg-reducer c6d5240 is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Output parameter within the executable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
borg-reducer c6d5240 has a buffer overflow in write_report's output parameter, risking code execution or denial of service.
Vulnerability
The borg-reducer executable (version c6d5240) contains a buffer overflow in the write_report function. The vulnerable code path is in borg-reducer.h at line 58, where the output variable is set without bounds checking. This variable originates from borg-reducer.c line 80, where dir and filepath are concatenated into a buffer of fixed size 150. If the combined length exceeds 300, the overflow triggers a crash or potential code execution [1].
Exploitation
An attacker needs no special authentication or network position, only the ability to supply a long dir or filepath string to the program. The sequence is: the program reads user input, constructs the output buffer without length validation, then calls write_report, which writes beyond the allocated space, causing a buffer overflow [1].
Impact
The overflow can cause a crash (denial of service) or, if carefully crafted, arbitrary code execution. The attacker gains the ability to corrupt memory and potentially execute commands at the privilege level of the running process [1].
Mitigation
No fix is disclosed in the available references. Users should avoid using long input strings, or consider replacing borg-reducer with a safer alternative. The issue remains open as of the publication date [1].
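Since no fix is referenced, the following added example shows the length check that the dir/filepath concatenation described above lacks. It is not borg-reducer's code: the helper name build_output_path, the OUTPUT_SIZE constant and the default arguments are assumptions, and only the 150-byte buffer size comes from this entry.

```c
#include <stdio.h>
#include <string.h>

#define OUTPUT_SIZE 150  /* fixed buffer size quoted in this entry */

/* Hypothetical helper (not borg-reducer code): join dir and filepath into
 * out[outsz]. Returns 0 on success, -1 if an argument is invalid or the
 * result would not fit; on failure out holds an empty string. */
int build_output_path(char *out, size_t outsz,
                      const char *dir, const char *filepath)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (dir == NULL || filepath == NULL)
        return -1;

    /* An unchecked concatenation (for example strcpy followed by strcat;
     * the project's exact calls are not shown on the page) writes past
     * out[] as soon as strlen(dir) + strlen(filepath) >= outsz. */
    int n = snprintf(out, outsz, "%s%s", dir, filepath);
    if (n < 0 || (size_t)n >= outsz) {   /* output error or truncation */
        out[0] = '\0';                   /* never pass on a partial path */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char output[OUTPUT_SIZE];
    /* Constructed defaults so the program runs without arguments. */
    const char *dir = argc > 1 ? argv[1] : "reports/";
    const char *filepath = argc > 2 ? argv[2] : "summary.txt";

    if (build_output_path(output, sizeof output, dir, filepath) != 0) {
        fprintf(stderr, "refusing: dir + filepath exceeds %d bytes\n",
                OUTPUT_SIZE - 1);
        return 1;
    }
    printf("output path: %s\n", output);
    return 0;
}
```

Rejecting an over-long path, rather than silently truncating it, keeps the report from being written to a different file than the one requested.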
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = c6d5240
- borg-reducer/borg-reducer v5 Range: c6d5240
Patches
No patches discovered yet.
References
[1] github.com/archivesunleashed/borg-reducer/issues/4 (mitre, x_refsource_MISC)