[Pkg-xfce-devel] xfce4-mpc-plugin buffer overflows

Subject: [Pkg-xfce-devel] xfce4-mpc-plugin buffer overflows
From: landry at fr.homeunix.org (Landry Breuil)
Date: Tue, 9 Dec 2008 10:34:29 +0100
Message-id: <[🔎] 20081209093429.GS10308@dawn.rhaalovely.net>
In-reply-to: <[🔎] 20081208233337.GU8289@paranoidfreak.co.uk>
References: <[🔎] 20081208233337.GU8289@paranoidfreak.co.uk>

On Mon, Dec 08, 2008 at 11:33:37PM +0000, Simon Huggins wrote:
> Hi,
> 
> We had a user in Debian who was having problems with the
> xfce4-mpc-plugin and a long password.  It turned out that passwords
> longer than about 30 characters were causing buffer overflows.
> 
> I looked into it and found a few problems.  There are lots of sprintfs
> into buffers with strings which contain untrusted input.
> 
> I've fixed some in the attached patch against 0.3.3 although I want it
> to be reviewed at some point.
> 
> I also couldn't see a nice way to return an error message back to the
> user and I'm not really a GTK coder in anyway :)
> 
> You may well choose to fix these issues in a different way in which case
> we'd love to see the patch to get it into Debian.
> 
> Anyway, if you have some time to review the patch it'd be great.

Patch is great, i always wanted to get back on it and fix this ugly
code. There are probably others in simple-libmpd.c... Atm, i have
no internet connection, and my svn trees are in boxes, so i cant
commit it/integrate it now... hopefully in some weeks. I just have to
remember i have to do it.

Thanks a lot.

Landry

Reply to:

References:
- [Pkg-xfce-devel] xfce4-mpc-plugin buffer overflows
  - From: huggie at earth.li (Simon Huggins)

Prev by Date: [Pkg-xfce-devel] xfce4-mpc-plugin buffer overflows
Next by Date: [Pkg-xfce-devel] Bug#508119: Fixed or not?
Previous by thread: [Pkg-xfce-devel] xfce4-mpc-plugin buffer overflows
Next by thread: [Pkg-xfce-devel] Bug#508119: Fixed or not?
Index(es):
- Date
- Thread