--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: xpp: segfault due to buffer overflow
- From: Attila Kinali <attila@kinali.ch>
- Date: Wed, 14 Feb 2018 22:48:04 +0100
- Message-id: <151864488430.17457.3467563210258260044.reportbug@shumira.kinali.ch>
Package: xpp
Version: 1.5-cvs20081009-3
Severity: important
Tags: patch
xpp allocates 128-byte buffers for the printer selection menu and writes
to the allocated space using unchecked sprintf. It is easy to see
that this may lead to a buffer overflow and subsequent heap corruption.
The following patch fixes a crash due to the above mentioned heap corruption
by replacing malloc+sprintf by asprintf:
--- xpp-1.5-cvs20081009.orig/xpp.cxx
+++ xpp-1.5-cvs20081009/xpp.cxx
@@ -311,7 +311,7 @@ printFiles::printFiles(int argc, /* I -
// Set up text for menu entry
- menu_strs[i]=(char *)calloc(sizeof(char),128);
+ //menu_strs[i]=(char *)calloc(sizeof(char),128);
// Get printer information to show in the menu entry
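Review bot: the calloc line is commented out rather than deleted; remove the dead line outright so the allocation strategy is not ambiguous to the next reader. Since this hunk also drops the only initialisation of menu_strs[i], the slot now holds whatever the array contained before the asprintf calls run; any path that reaches the menu-building code without one of those calls succeeding (asprintf returns -1 on allocation failure and glibc leaves the pointer undefined in that case) hands an uninitialised pointer to the menu. Suggest replacing the commented line with `menu_strs[i] = NULL;`. Note also that asprintf is a GNU/BSD extension, so the translation unit needs _GNU_SOURCE in effect on glibc (g++ defines it by default, but it is worth stating in the build for portability).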
@@ -366,25 +366,25 @@ printFiles::printFiles(int argc, /* I -
int prtype = CupsHelper::printerType(dests[i].name);
if ( prtype < 0 ) {
if ( dests[i].instance != NULL )
- sprintf(menu_strs[i], "%s on %s: Destination not available",
+ asprintf(&menu_strs[i], "%s on %s: Destination not available",
dests[i].instance, dests[i].name);
else
- sprintf(menu_strs[i], "%s: Destination not available",
+ asprintf(&menu_strs[i], "%s: Destination not available",
dests[i].name);
} else if ((prtype & CUPS_PRINTER_CLASS) ||
(prtype & CUPS_PRINTER_IMPLICIT)) {
if ( dests[i].instance != NULL )
- sprintf(menu_strs[i], "%s on %s: %s (printer class)",
+ asprintf(&menu_strs[i], "%s on %s: %s (printer class)",
dests[i].instance, dests[i].name, comment);
else
- sprintf(menu_strs[i], "%s: %s (printer class)",
+ asprintf(&menu_strs[i], "%s: %s (printer class)",
dests[i].name, comment);
} else {
if ( dests[i].instance != NULL )
- sprintf(menu_strs[i], "%s on %s: %s (single printer)",
+ asprintf(&menu_strs[i], "%s on %s: %s (single printer)",
dests[i].instance, dests[i].name, comment);
else
- sprintf(menu_strs[i], "%s: %s (single printer)",
+ asprintf(&menu_strs[i], "%s: %s (single printer)",
dests[i].name, comment);
}
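Review bot: none of the six asprintf calls in this hunk checks its return value. asprintf returns -1 when it cannot allocate, and glibc leaves *strp undefined on that path, so a failed call leaves menu_strs[i] pointing at garbage that is later used as a menu label. Suggest a small helper or a check at each site, e.g. `if (asprintf(&menu_strs[i], "%s: %s (single printer)", dests[i].name, comment) < 0) menu_strs[i] = NULL;`, with the caller treating a NULL entry as an error. The hunk guards dests[i].instance against NULL before passing it to %s but shows no such guard for comment; worth confirming the caller guarantees it is non-NULL, since passing NULL to %s is undefined behaviour.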
There are more places where sprintf is used, so I would guess there are
also more places where buffer overflows can occur, but I have not checked them.
I am not sure whether this has any security implications, but I would
not be surprised if it did.
Attila Kinali
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages xpp depends on:
ii libc6 2.26-4
ii libcups2 2.2.6-4
ii libfltk1.1 1.1.10-23
ii libgcc1 1:7.2.0-19
ii libstdc++6 7.2.0-19
xpp recommends no packages.
xpp suggests no packages.
-- no debconf information
--- End Message ---
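The report above describes the defect in general terms: a fixed 128-byte heap buffer per menu entry filled by sprintf, whose output length depends on printer name, instance and comment. The following added C example is not part of the bug report or of xpp; it shows how to measure the length an entry would need without writing anything (snprintf with a NULL buffer and size 0), how to flag entries that would have overrun the original 128-byte allocation, and how to build the entry with asprintf while checking its return value, which the submitted patch does not do. `struct dest` is a hypothetical stand-in for the cups_dest_t fields the xpp menu code uses, and the sample destinations and long comment are constructed.

```c
#define _GNU_SOURCE             /* asprintf is a GNU/BSD extension on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fallback prototype in case the feature macro was not seen before <stdio.h>;
 * it is compatible with glibc's own declaration. */
int asprintf(char **strp, const char *fmt, ...);

/* Size of the fixed per-entry buffer the original xpp code allocated. */
#define MENU_BUF_SIZE 128

/* Hypothetical stand-in for the cups_dest_t fields used by the menu code. */
struct dest {
    const char *name;
    const char *instance;   /* may be NULL */
};

/* Length (excluding the NUL) that a "single printer" menu entry needs.
 * snprintf with a NULL buffer and size 0 writes nothing and only reports
 * the length, so this measurement can never overflow anything. */
size_t menu_entry_len(const struct dest *d, const char *comment)
{
    int n;
    if (d->instance != NULL)
        n = snprintf(NULL, 0, "%s on %s: %s (single printer)",
                     d->instance, d->name, comment);
    else
        n = snprintf(NULL, 0, "%s: %s (single printer)", d->name, comment);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if writing this entry with sprintf into a MENU_BUF_SIZE buffer would
 * have overrun it (NUL terminator included), 0 otherwise. */
int would_overflow_fixed_buf(const struct dest *d, const char *comment)
{
    return menu_entry_len(d, comment) + 1 > MENU_BUF_SIZE;
}

/* Build the entry the way the patch does (asprintf sizes the buffer itself),
 * but check the return value: on failure glibc leaves *strp undefined, so
 * return NULL instead of an unusable pointer. The caller frees the result. */
char *make_menu_entry(const struct dest *d, const char *comment)
{
    char *s = NULL;
    int rc;
    if (d->instance != NULL)
        rc = asprintf(&s, "%s on %s: %s (single printer)",
                      d->instance, d->name, comment);
    else
        rc = asprintf(&s, "%s: %s (single printer)", d->name, comment);
    return rc < 0 ? NULL : s;
}

int main(void)
{
    /* Constructed sample data: a short entry and one whose comment alone
     * exceeds the old fixed buffer, as a verbose printer description would. */
    char long_comment[200];
    memset(long_comment, 'x', sizeof long_comment - 1);
    long_comment[sizeof long_comment - 1] = '\0';

    struct dest short_d = { "lp", NULL };
    struct dest long_d  = { "office-printer", "duplex" };

    printf("short entry: needs %zu bytes, overflow=%d\n",
           menu_entry_len(&short_d, "HP LaserJet") + 1,
           would_overflow_fixed_buf(&short_d, "HP LaserJet"));
    printf("long entry:  needs %zu bytes, overflow=%d\n",
           menu_entry_len(&long_d, long_comment) + 1,
           would_overflow_fixed_buf(&long_d, long_comment));

    char *entry = make_menu_entry(&long_d, long_comment);
    if (entry == NULL) {
        fputs("asprintf failed\n", stderr);
        return 1;
    }
    printf("built entry of %zu chars\n", strlen(entry));
    free(entry);
    return 0;
}
```

The length check is the useful detection tool here: running it over a site's real destination list tells you which printers would have triggered the overflow in the unpatched code, without reproducing the corruption. The return-value check is the caveat the patch lacks: asprintf fixes the sizing problem but still needs its -1 handled.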