
Bug#183312: xbase-clients: Buffer overflow in "xman"



On Mon, Mar 03, 2003 at 10:38:21PM -0500, Benjamin A. Okopnik wrote:
> On Mon, Mar 03, 2003 at 07:45:03PM -0500, Branden Robinson wrote:
[...]
> > FYI, I cannot reproduce this problem on PowerPC:
[...]
> I'm not in the least surprised; on a different architecture, the call
> stack/data stack are going to be in different places, so my location
> would be in a different place from yours. FTM, it may not even happen at
> all on yours, but you might want to try this:
> 
> perl -we'$a = "a" x 100000; `MANPATH=$a xman`'
> 
> If it segfaults, it's an even broader bug report. :)

No, it just silently exited with status 0.

> Just as an additional hint, here's the last line of "strace -f"
> output:
> 
> --------------------------------------------------------------
> 20632 open("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> 
> <about 8000 "a"s elided>
> 
> aaaaaaaa", O_RDONLY) = -1 ENAMETOOLONG (File name too long)
> 20632 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> 20632 +++ killed by SIGSEGV +++
> --------------------------------------------------------------
> 
> Looks like it tries to open the contents of MANPATH without doing a
> bounds check... tisk, tisk. *Bad* "xman"... or maybe "libc". :)

Okay.  Not saying it isn't a bug; just getting a handle on the scope.

-- 
G. Branden Robinson                |    Men use thought only to justify
Debian GNU/Linux                   |    their wrong doings, and speech only
branden@debian.org                 |    to conceal their thoughts.
http://people.debian.org/~branden/ |    -- Voltaire
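The failure mode Benjamin describes above, a path string handed onward without any length check, is the textbook reason to bound input before it reaches a fixed-size buffer. The following is an added example written for this page; it is not xman or xbase-clients code, and the names `struct manpath`, `parse_manpath`, `make_repeated` and `MAX_MANPATH_DIRS` are my own. It parses a MANPATH-style colon-separated list and rejects any component at or over PATH_MAX before copying it, so the 100000-byte value from the perl one-liner is counted and dropped rather than copied, and the empty-component and too-many-components cases are handled as well.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Upper bound on the number of directories kept from the list (assumption). */
#define MAX_MANPATH_DIRS 16

/* Result of parsing a MANPATH-style colon-separated directory list. */
struct manpath {
    char dirs[MAX_MANPATH_DIRS][PATH_MAX]; /* accepted components, NUL-terminated */
    size_t count;                          /* number of accepted components */
    size_t rejected;                       /* components dropped (empty, too long, or no room) */
};

/*
 * Split `value` on ':' into `out`. A component is copied into its
 * PATH_MAX slot only after its length has been checked, so an oversized
 * component (which open(2) would refuse with ENAMETOOLONG anyway) is
 * counted in `rejected` and skipped instead of overrunning the buffer.
 * Returns 0 on success, -1 if `value` is NULL.
 */
int parse_manpath(const char *value, struct manpath *out)
{
    memset(out, 0, sizeof *out);
    if (value == NULL)
        return -1;

    const char *p = value;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len == 0 || len >= PATH_MAX) {
            out->rejected++;               /* empty or would not fit with its NUL */
        } else if (out->count < MAX_MANPATH_DIRS) {
            memcpy(out->dirs[out->count], p, len);
            out->dirs[out->count][len] = '\0';
            out->count++;
        } else {
            out->rejected++;               /* table full: drop rather than overflow */
        }

        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return 0;
}

/* Build a heap string of `n` copies of `c`, mirroring the perl one-liner's input. */
char *make_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    static struct manpath mp;

    /* Constructed input modelled on the report: a single 100000-byte component. */
    char *hostile = make_repeated('a', 100000);
    if (hostile == NULL)
        return 1;
    parse_manpath(hostile, &mp);
    printf("hostile: accepted=%zu rejected=%zu\n", mp.count, mp.rejected);
    free(hostile);

    /* Ordinary input: both directories are kept. */
    parse_manpath("/usr/share/man:/usr/local/man", &mp);
    printf("normal:  accepted=%zu rejected=%zu\n", mp.count, mp.rejected);
    return 0;
}
```

The point of the check is where it sits: the length is compared against the destination size before `memcpy` runs, so the decision to reject an oversized component never depends on what the kernel later says about the name.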
