Bug#183312: xbase-clients: Buffer overflow in "xman"
Package: xbase-clients
Version: 4.2.1-5
Severity: grave
-- System Information
Debian Release: testing/unstable
Kernel Version: Linux Fenrir.Thor 2.4.18 #9 Sun Sep 22 21:35:23 EDT 2002 i686 unknown unknown GNU/Linux
Versions of the packages xbase-clients depends on:
ii cpp 3.2.2-0 The GNU C preprocessor.
ii libc6 2.3.1-13 GNU C Library: Shared libraries and Timezone
ii libdps1 4.2.1-5 Display PostScript (DPS) client library
ii libfreetype6 2.1.3-10 FreeType 2 font engine, shared library files
ii libncurses5 5.3.20021109-2 Shared libraries for terminal handling
ii libxaw7 4.2.1-5 X Athena widget set library
ii xlibmesa3-gl 4.2.1-5 Mesa 3D graphics library [XFree86]
ii xlibmesa3-glu 4.2.1-5 Mesa OpenGL utility library [XFree86]
ii xlibs 4.2.1-5 X Window System client libraries
ii xlibmesa3-gl 4.2.1-5 Mesa 3D graphics library [XFree86]
^^^ (Provides virtual package libgl1)
--- Begin /etc/X11/xinit/xserverrc (modified conffile)
#!/bin/sh
exec /usr/bin/X11/X -depth 24 -dpi 85 -nolisten tcp
--- End /etc/X11/xinit/xserverrc
I was just trying to demonstrate something that used to be an old security
hole, the "MANPATH" overflow on "xman" - and it segfaulted out on me. A
little testing shows the boundary:
ben@Fenrir:~$ perl -we'$a = "a" x 8192; `MANPATH=$a xman`'
Xman Error: No manual pages found.
ben@Fenrir:~$ perl -we'$a = "a" x 8193; `MANPATH=$a xman`'
Segmentation fault
I guess it somehow got "unfixed"...
Ben Okopnik
-=-=-=-=-=-
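An added example, not part of the original report and not xman's source: a bounded copy of an environment-supplied search path into a fixed buffer, which rejects an oversized value instead of truncating it. The 8192-byte buffer size, the fallback path, and the names `copy_manpath` and `try_length` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 8192                 /* assumed buffer size, for illustration */
#define FALLBACK "/usr/share/man"     /* assumed default search path */

/* Copy value (or fallback when value is unset/empty) into dst.
 * Returns 0 on success, -1 if it does not fit; dst is then left empty.
 * An oversized search path is rejected, not truncated: a cut-off path
 * list could silently point at a different directory. */
int copy_manpath(char *dst, size_t dstsize, const char *value, const char *fallback)
{
    const char *src = (value != NULL && value[0] != '\0') ? value : fallback;
    size_t len;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Measure at most dstsize bytes, so the scan itself is bounded. */
    for (len = 0; len < dstsize && src[len] != '\0'; len++)
        ;
    if (len == dstsize)               /* no room left for the terminator */
        return -1;
    memcpy(dst, src, len + 1);        /* len + 1 <= dstsize, includes '\0' */
    return 0;
}

/* Constructed input: n 'a' characters, like the lengths probed in the report.
 * A value of exactly PATH_BUF characters needs PATH_BUF + 1 bytes. */
int try_length(size_t n)
{
    char dst[PATH_BUF];
    char *val = malloc(n + 1);
    int rc;

    if (val == NULL)
        return -2;
    memset(val, 'a', n);
    val[n] = '\0';
    rc = copy_manpath(dst, sizeof dst, val, FALLBACK);
    free(val);
    return rc;
}

int main(void)
{
    char manpath[PATH_BUF];

    if (copy_manpath(manpath, sizeof manpath, getenv("MANPATH"), FALLBACK) != 0) {
        fprintf(stderr, "MANPATH longer than %d bytes, refusing to use it\n", PATH_BUF - 1);
        return 1;
    }
    printf("using manpath: %s\n", manpath);
    return 0;
}
```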