Re: Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
On Fri, Oct 29, 2004 at 10:12:33PM +0200, Frank Lichtenheld wrote:
> Perhaps someone with a little more experience in identifying security
> problems should take a look, too. I CC'ed debian-security.
Here's a quick summery :
To be clear there are three flaws being discussed in xsok:
CAN-2004-0074 - overflow with LANG environmental variable.
- overflow due to long '-xsokdir' parameter.
CAN-2003-0949 - Failure to drop privileges when unzipping.
The second one was discovered by me and closed in DSA-405-1
The first one is in two parts, the environmental variable
overflow is patched already by the package maintainer. The
second appears to be not an issue given this code:
if (strlen(savedir) > MAXSAVEFILELEN-16 ||
strlen(xsokdir) > MAXXSOKDIRLEN || [2]
strlen(p->xpmdir) > MAXXSOKDIRLEN) {
fprintf(stderr, "directory too long\n");
exit(1);
}
The second line [2] seems to test its bounds - unless I missed
an earlier usage. I've got it installed here, but sadly I have
no X available so I cant test it.
Run the following command to test if it's vulnerable:
xsok -xsokdir `perl -e 'print "X"x3000'`
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Reply to: