[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)

Frank Lichtenheld wrote:
Hmm, the patch from the DSA is included in the package... Or do you
mean that the patch is flawed?

Do you mean DSA-405-1 (http://lwn.net/Articles/64725/)? That DSA
is refering to CAN-2003-0949, which indeed seems to be fixed, but
CAN-2004-0074 (which this bug is about) is nowhere mentioned anywhere,
and it's indeed unfixed.

How to verify this bug:

The bugtraq posting (http://www.securityfocus.com/bid/9341, referenced
from the CAN site) says:
"xsok is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds check of data supplied through the LANG
environment variable. This could be exploited to execute arbitrary code
with elevated privileges. The program is typically installed setgid

So we grep for LANG in the code:
greuff@i:/usr/src/secure-sarge$ apt-get source xsok
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 121kB of source archives.
Get:1 http://ftp.at.debian.org sarge/main xsok 1.02-12 (dsc) [596B]
Get:2 http://ftp.at.debian.org sarge/main xsok 1.02-12 (tar) [114kB]
Get:3 http://ftp.at.debian.org sarge/main xsok 1.02-12 (diff) [6170B]
Fetched 121kB in 0s (547kB/s)
dpkg-source: extracting xsok in xsok-1.02

greuff@i:/usr/src/secure-sarge$ grep LANG xsok-1.02/src/*
xsok-1.02/src/loadsave.c:    if ((s = getenv("LANG"))) {
xsok-1.02/src/messages.c: fprintf(stderr, "Hint: Perhaps unsetting LANG or making a symbolic"
xsok-1.02/src/xsok.man:.SH NATIONAL LANGUAGE SUPPORT
xsok-1.02/src/xsok.man:environment variable \fBLANG\fP to the desired value. Currently, no translated

And we have a look in xsok-1.02/src/loadsave.c:
void setlangdir(void) {
    const char *s;
    char p[100];
    if ((s = getenv("LANG"))) {
        sprintf(p, "%s/%s", xsokdir, s);
        if (!access(p, F_OK)) {         /* langdir does exist */
            langdir = s;
    langdir = "";

This is indeed a buffer overflow.


Reply to: