Bug#779397: xterm: buffer overflow with -S option
On 2015-02-28 19:02 +0100, Thomas Dickey wrote:
> ----- Original Message -----
> | From: "Sven Joachim" <svenjoac@gmx.de>
> | To: "Thomas Dickey" <dickey@his.com>
> | Cc: 779397-done@bugs.debian.org, "Vincent Lefevre" <vincent@vinc17.net>
> | Sent: Saturday, February 28, 2015 12:51:13 PM
> | Subject: Re: Bug#779397: xterm: buffer overflow with -S option
> |
> | Package: xterm
> | Version: 314-1
> |
> | On 2015-02-28 13:37 +0100, Thomas Dickey wrote:
> |
> | > On Sat, Feb 28, 2015 at 03:37:53AM +0100, Vincent Lefevre wrote:
> | >> Package: xterm
> | >> Version: 312-1
> | >> Severity: important
> | >> Tags: security
> | >>
> | >> $ xterm -S/dev/pts/20
> | >> *** buffer overflow detected ***: /usr/bin/xterm terminated
> | >
> | > This was fixed in #314, two months ago.
> |
> | Thanks. For the package in jessie/sid, I suppose I would have to
> | apply
> | the passedPty related changes in main.c, right?
> |
>
> yes - that is all that I changed for that fix:
>
> REV:1.763 main.c 2014/12/15 09:51:34 tom
> tags: xterm-313d
>
> change passedPty[] to an allocated string to ensure it is long enough for
> the -S option value.
>
> --- main.c 2014/07/24 22:47:09 1.762
> +++ main.c 2014/12/15 09:51:34 1.763
> @@ -1,4 +1,4 @@
> -/* $XTermId: main.c,v 1.761 2014/07/22 22:29:17 tom Exp $ */
> +/* $XTermId: main.c,v 1.762 2014/07/24 22:47:09 tom Exp $ */
>
> /*
> * Copyright 2002-2013,2014 by Thomas E. Dickey
> @@ -779,7 +779,8 @@
> static char bin_login[] = LOGIN_FILENAME;
> #endif
>
> -static char passedPty[PTYCHARLEN + 1]; /* name if pty if slave */
> +static char noPassedPty[2];
> +static char *passedPty = noPassedPty; /* name if pty if slave */
>
> #if defined(TIOCCONS) || defined(SRIOCSREDIR)
> static int Console;
> @@ -1760,6 +1761,7 @@
> char *leaf = x_basename(option);
> Bool code = False;
>
> + passedPty = x_strdup(option);
> if (leaf != option) {
> if (leaf - option > 0
> && isdigit(CharOf(*leaf))
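Review bot: The added `passedPty = x_strdup(option);` uses the result without checking it. x_strdup is not defined on this page, so this needs confirming, but if it returns NULL when allocation fails, the `passedPty[len] = 0;` store and the sscanf destinations in the following hunk write through a null pointer. A guard right after the call, e.g. `if (passedPty == NULL) { passedPty = noPassedPty; return False; }` (assuming the function returns `code`), would fall back to the static placeholder instead. The function body starts and ends outside this hunk.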
> @@ -1771,13 +1773,13 @@
> * the /dev/pts/XXX value, but since we do not need to reopen it,
> * it is useful mainly for display in a "ps -ef".
> */
> - strncpy(passedPty, option, len);
> passedPty[len] = 0;
> code = True;
> }
> } else {
> code = (sscanf(option, "%c%c%d",
> passedPty, passedPty + 1, &am_slave) == 3);
> + passedPty[2] = '\0';
> }
> TRACE(("ParseSccn(%s) = '%s' %d (%s)\n", option,
> passedPty, am_slave, code ? "OK" : "ERR"));
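Review bot: The added `passedPty[2] = '\0';` in the else branch can write past the end of the buffer, because passedPty is now a copy of `option` sized to that string by the x_strdup call in the previous hunk. When the -S value contains no slash and is shorter than two characters, the copy is only one or two bytes long, so index 2 is out of bounds even though sscanf matched nothing. Terminating only on a full match avoids this, since three successful conversions imply at least three input characters: `if (code) passedPty[2] = '\0';`. On a failed parse the copy is already NUL-terminated, so nothing is lost for the TRACE output. The enclosing function starts and ends outside the hunk.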
Thanks, I will prepare an upload tomorrow.
Cheers,
Sven