
Bug#779397: xterm: buffer overflow with -S option



On 2015-02-28 19:02 +0100, Thomas Dickey wrote:

> ----- Original Message -----
> | From: "Sven Joachim" <svenjoac@gmx.de>
> | To: "Thomas Dickey" <dickey@his.com>
> | Cc: 779397-done@bugs.debian.org, "Vincent Lefevre" <vincent@vinc17.net>
> | Sent: Saturday, February 28, 2015 12:51:13 PM
> | Subject: Re: Bug#779397: xterm: buffer overflow with -S option
> | 
> | Package: xterm
> | Version: 314-1
> | 
> | On 2015-02-28 13:37 +0100, Thomas Dickey wrote:
> | 
> | > On Sat, Feb 28, 2015 at 03:37:53AM +0100, Vincent Lefevre wrote:
> | >> Package: xterm
> | >> Version: 312-1
> | >> Severity: important
> | >> Tags: security
> | >> 
> | >> $ xterm -S/dev/pts/20
> | >> *** buffer overflow detected ***: /usr/bin/xterm terminated
> | >
> | > This was fixed in #314, two months ago.
> | 
> | Thanks.  For the package in jessie/sid, I suppose I would have to
> | apply the passedPty related changes in main.c, right?
> | 
>
> yes - that is all that I changed for that fix:
>
> REV:1.763               main.c              2014/12/15 09:51:34       tom
> tags:            xterm-313d
>
>    change passedPty[] to an allocated string to ensure it is long enough for
>    the -S option value.
>
> --- main.c      2014/07/24 22:47:09     1.762 
> +++ main.c      2014/12/15 09:51:34     1.763 
> @@ -1,4 +1,4 @@ 
> -/* $XTermId: main.c,v 1.761 2014/07/22 22:29:17 tom Exp $ */ 
> +/* $XTermId: main.c,v 1.762 2014/07/24 22:47:09 tom Exp $ */ 
>
>  /*
>   * Copyright 2002-2013,2014 by Thomas E. Dickey
> @@ -779,7 +779,8 @@ 
>  static char bin_login[] = LOGIN_FILENAME;
>  #endif
>
> -static char passedPty[PTYCHARLEN + 1]; /* name if pty if slave */ 
> +static char noPassedPty[2]; 
> +static char *passedPty = noPassedPty;  /* name if pty if slave */ 
>
>  #if defined(TIOCCONS) || defined(SRIOCSREDIR)
>  static int Console;
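
Review bot: the comment on the new `passedPty` declaration still reads "name if pty if slave" (presumably "name of pty if slave"), and `noPassedPty[2]` carries no comment explaining why the placeholder is two bytes. Because `passedPty` now points either at this static buffer or at heap memory from `x_strdup`, a short comment saying which one is expected at which point, and that the pointer must not be freed while it still refers to `noPassedPty`, would make the declaration safer to maintain.
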
> @@ -1760,6 +1761,7 @@ 
>      char *leaf = x_basename(option);
>      Bool code = False;
>
> +    passedPty = x_strdup(option); 
>      if (leaf != option) {
>         if (leaf - option > 0
>             && isdigit(CharOf(*leaf))
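
Review bot: the result of `x_strdup(option)` is stored in `passedPty` with no NULL check in the lines shown, yet the code that follows writes through it (`passedPty[len] = 0` and the `sscanf` stores). Unless `x_strdup` is guaranteed never to return NULL, check the result here and either report the failure or leave `passedPty` pointing at `noPassedPty`. If this parser can be reached more than once, the earlier allocation is also overwritten without being released.
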
> @@ -1771,13 +1773,13 @@ 
>              * the /dev/pts/XXX value, but since we do not need to reopen it,
>              * it is useful mainly for display in a "ps -ef". 
>              */
> -           strncpy(passedPty, option, len); 
>             passedPty[len] = 0;
>             code = True;
>         }
>      } else {
>         code = (sscanf(option, "%c%c%d",
>                        passedPty, passedPty + 1, &am_slave) == 3);
> +       passedPty[2] = '\0'; 
>      }
>      TRACE(("ParseSccn(%s) = '%s' %d (%s)\n", option,
>            passedPty, am_slave, code ? "OK" : "ERR"));
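
Review bot: in the else branch, `passedPty[2] = '\0';` runs whether or not the `sscanf` matched, and `passedPty` is now a copy sized to `option`. When `option` is shorter than two characters the duplicated buffer holds fewer than three bytes, so this store lands past its end. Make the write conditional on `code`: a successful three-field match implies `option` has at least three characters, so index 2 is then inside the allocation. The two `%c` stores also rewrite bytes that the `x_strdup` already copied, so they could target local variables instead.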

Thanks, I will prepare an upload tomorrow.

Cheers,
       Sven
