[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)

On Fri, Oct 29, 2004 at 10:12:33PM +0200, Frank Lichtenheld wrote:

> Perhaps someone with a little more experience in identifying security
> problems should take a look, too. I CC'ed debian-security.

  Here's a quick summery :

  To be clear there are three flaws being discussed in xsok:

   CAN-2004-0074 - overflow with LANG environmental variable.
                 - overflow due to long '-xsokdir' parameter.

   CAN-2003-0949 - Failure to drop privileges when unzipping.

  The second one was discovered by me and closed in DSA-405-1

  The first one is in two parts, the environmental variable
 overflow is patched already by the package maintainer.  The
 second appears to be not an issue given this code:

    if (strlen(savedir) > MAXSAVEFILELEN-16 ||
        strlen(xsokdir) > MAXXSOKDIRLEN ||         [2]
        strlen(p->xpmdir) > MAXXSOKDIRLEN) {
        fprintf(stderr, "directory too long\n");
        exit(1);
    }


  The second line [2] seems to test its bounds - unless I missed
 an earlier usage.  I've got it installed here, but sadly I have
 no X available so I cant test it.

  Run the following command to test if it's vulnerable:

 xsok -xsokdir `perl -e 'print "X"x3000'`

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Reply to: