[Secure-testing-team] Bug#476603: acon: multiple buffer overflows

brian m. carlson sandals at crustytoothpaste.ath.cx
Thu Apr 17 20:53:14 UTC 2008


Package: acon
Version: 1.0.5-7
Severity: critical
Tags: security

In addition to the security bug mentioned in #475733, there are four 
buffer overflows that I have found.

acon.c:53 (already reported) and child.c:104
   A very large value of $HOME can create a buffer overflow with sprintf.  
   Use snprintf instead.
  
menu.c:100, menu.c:221, menu.c:243
   On terminals with greater than 211 columns (like some framebuffers), 
   the buffer line will be overflowed, since it only has 400 bytes of 
   space.  ((getmaxx()-10)*2)-2 > 400

These are critical due to the local root exploit contained in #475733.  
Once the setuid bug is fixed, these will become grave.

There may be more.  I have gone through the code as thoroughly as I 
could, but the code is barely legible and uses lots of fixed-sized 
buffers.  For these reasons, it is my recommendation that acon not be 
included in a stable release.

-- System Information:
Debian Release: lenny/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-rc8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
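The two overflow patterns the report describes, shown side by side with the fix it recommends, as an added example; this is not acon's code and not the reporter's. Assumptions, since the page does not give them: the $HOME-derived buffer is 256 bytes and the format string is "%s/.acon/config" (only the 400-byte menu.c line buffer is stated), and the `columns` parameter stands in for getmaxx() so the check runs without curses. The sprintf variant is kept only for contrast and is never called with an oversized input; the snprintf variant checks its return value, because truncation without a check silently produces a wrong path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes: the report gives 400 for menu.c's line buffer; 256 for
 * the $HOME buffer in acon.c/child.c is a made-up figure for this example. */
#define HOME_BUF_SIZE 256
#define LINE_BUF_SIZE 400

/* Hypothetical format; acon's real format string is not on the page. */
#define CONF_FMT "%s/.acon/config"

/* Vulnerable pattern from the report: sprintf of attacker-controlled $HOME
 * into a fixed buffer.  Only reached after would_overflow() says it is safe. */
static void build_conf_path_sprintf(char *dst, const char *home)
{
    sprintf(dst, CONF_FMT, home);
}

/* Bytes sprintf would emit for this $HOME, excluding the terminating NUL. */
static size_t conf_path_len(const char *home)
{
    int n = snprintf(NULL, 0, CONF_FMT, home);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the sprintf pattern would write past a HOME_BUF_SIZE buffer. */
static int would_overflow(const char *home)
{
    return conf_path_len(home) + 1 > HOME_BUF_SIZE;
}

/* Hardened replacement: snprintf with its result checked.
 * Returns 0 on success, -1 if the output did not fit (dst is then emptied). */
static int build_conf_path_safe(char *dst, size_t dst_size, const char *home)
{
    int n = snprintf(dst, dst_size, CONF_FMT, home);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed $HOME of `len` 'A' bytes, as an attacker would export it. */
static char *make_home(size_t len)
{
    char *home = malloc(len + 1);
    if (!home)
        return NULL;
    memset(home, 'A', len);
    home[len] = '\0';
    return home;
}

/* Would the sprintf pattern overflow for a $HOME of this length? */
static int overflows_with_home_of_len(size_t len)
{
    char *home = make_home(len);
    int r = home ? would_overflow(home) : -1;
    free(home);
    return r;
}

/* Return code of the hardened builder for a $HOME of this length. */
static int snprintf_rc_for_home_len(size_t len)
{
    char dst[HOME_BUF_SIZE];
    char *home = make_home(len);
    int rc = home ? build_conf_path_safe(dst, sizeof dst, home) : -1;
    free(home);
    return rc;
}

/* menu.c pattern: bytes needed in the line buffer for a terminal width,
 * per the report's expression ((getmaxx()-10)*2)-2. */
static int menu_line_bytes_needed(int columns)
{
    return ((columns - 10) * 2) - 2;
}

static int menu_line_fits(int columns)
{
    return menu_line_bytes_needed(columns) <= LINE_BUF_SIZE;
}

/* Widest terminal the 400-byte buffer tolerates: ((c-10)*2)-2 <= 400 -> c <= 211. */
static int menu_max_safe_columns(void)
{
    return (LINE_BUF_SIZE + 2) / 2 + 10;
}

int main(void)
{
    char buf[HOME_BUF_SIZE];

    printf("/home/user overflows: %d\n", would_overflow("/home/user"));
    printf("600-byte HOME overflows: %d\n", overflows_with_home_of_len(600));
    printf("snprintf rc for 600-byte HOME: %d\n", snprintf_rc_for_home_len(600));
    if (!would_overflow("/home/user")) {
        build_conf_path_sprintf(buf, "/home/user");
        printf("path: %s\n", buf);
    }
    printf("211 cols fits: %d, 212 cols fits: %d, max safe: %d\n",
           menu_line_fits(211), menu_line_fits(212), menu_max_safe_columns());
    return 0;
}
```

The width check makes the report's threshold concrete: 211 columns needs exactly 400 bytes, 212 needs 402, so any framebuffer console wider than 211 columns takes the menu.c code past the end of `line`. The same return-value check applied to snprintf is what turns the acon.c/child.c sites from a crash or code-execution primitive into a clean error.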