
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)



Steve Kemp wrote:
> On Fri, Oct 29, 2004 at 10:12:33PM +0200, Frank Lichtenheld wrote:
> 
> > Perhaps someone with a little more experience in identifying security
> > problems should take a look, too. I CC'ed debian-security.
> 
>   Here's a quick summary :
> 
>   To be clear there are three flaws being discussed in xsok:
> 
>    CAN-2004-0074 - overflow with LANG environmental variable.
>                  - overflow due to long '-xsokdir' parameter.
> 
>    CAN-2003-0949 - Failure to drop privileges when unzipping.
> 
>   The second one was discovered by me and closed in DSA-405-1
> 
>   The first one is in two parts, the environmental variable
>  overflow is patched already by the package maintainer.  The
>  second appears to be not an issue given this code:
> 
>     if (strlen(savedir) > MAXSAVEFILELEN-16 ||
>         strlen(xsokdir) > MAXXSOKDIRLEN ||         [2]
>         strlen(p->xpmdir) > MAXXSOKDIRLEN) {
>         fprintf(stderr, "directory too long\n");
>         exit(1);
>     }
> 
> 
>   The second line [2] seems to test its bounds - unless I missed
>  an earlier usage.  I've got it installed here, but sadly I have
>  no X available so I can't test it.
> 
>   Run the following command to test if it's vulnerable:
> 
>  xsok -xsokdir `perl -e 'print "X"x3000'`

Thanks a lot!  I'll add it to the non-vuln list.

Regards,

	Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.
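
The check-before-use pattern discussed in the quoted message, as an added example that is not part of the thread or of the xsok source. The limit values, the helper names `dirs_fit` and `resolve_path`, and the paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration; the real xsok values are not on the page. */
#define MAXXSOKDIRLEN  64
#define MAXSAVEFILELEN 96

/* Same three comparisons as the quoted check, returning -1 instead of exit(1). */
int dirs_fit(const char *savedir, const char *xsokdir, const char *xpmdir)
{
    if (strlen(savedir) > MAXSAVEFILELEN - 16 ||
        strlen(xsokdir) > MAXXSOKDIRLEN ||
        strlen(xpmdir) > MAXXSOKDIRLEN)
        return -1;
    return 0;
}

/* Hypothetical consumer: validate first, then build "<xsokdir>/<name>".
 * snprintf's return value catches truncation, so an oversized result is
 * rejected even if a caller forgets the length check above. */
int resolve_path(const char *savedir, const char *xsokdir, const char *xpmdir,
                 const char *name, char *out, size_t outlen)
{
    int n;

    if (dirs_fit(savedir, xsokdir, xpmdir) != 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", xsokdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char big[3001], out[MAXXSOKDIRLEN + 1 + 32];

    /* Constructed input: 3000 'X' characters, as in the test command above. */
    memset(big, 'X', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (resolve_path("/tmp", big, "/tmp", "level.def", out, sizeof out) != 0)
        fprintf(stderr, "directory too long\n");
    if (resolve_path("/tmp", "/opt/example", "/tmp", "level.def", out, sizeof out) == 0)
        printf("%s\n", out);
    return 0;
}
```

Because the comparison is `>`, a directory of exactly `MAXXSOKDIRLEN` characters passes, so any buffer that later receives it needs room for `MAXXSOKDIRLEN + 1` bytes.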


