Re: GNU/Linux 'info Buffer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: GNU/Linux 'info Buffer Overflow
From: Roman Werpachowski <roman@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 7 Aug 2004 01:09:04 +0200
In-reply-to: <20040806004621.25110.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040806004621.25110.qmail@xxxxxxxxxxxxxxxxxxxxx>
User-agent: KMail/1.6.2

Dnia piątek, 6 sierpnia 2004 02:46, Josh Martin napisał:
> Package: info
> Version: 4.7-2.1
> Severity: grave
> Tags: security
> Justification: user security hole

'Severe' is to severe a word, but for anybody who's interested, here goes a 
patch:

diff -urN texinfo-4.7/info/echo-area.c texinfo-4.7.patch/info/echo-area.c
--- texinfo-4.7/info/echo-area.c        2004-03-14 01:57:29.000000000 +0100
+++ texinfo-4.7.patch/info/echo-area.c  2004-08-07 01:06:49.000000000 +0200
@@ -1510,8 +1510,8 @@
   text[i] = 0;

   echo_area_initialize_node ();
-  sprintf (&input_line[input_line_end], "%s[%s]\n",
-           echo_area_is_active ? " ": "", text);
+  snprintf (&input_line[input_line_end], EA_MAX_INPUT + 1 - input_line_end,
+                 "%s[%s]\n", echo_area_is_active ? " ": "", text);
   free (text);
   the_echo_area->point = input_line_point;
   display_update_one_window (the_echo_area);



-- 
/* Roman Werpachowski */

Ten e-mail został sprawdzony i
zaakceptowany przez fretkę Tintin.

References:
- GNU/Linux 'info Buffer Overflow
  - From: Josh Martin

Prev by Date: Airpwn & libpng holes
Next by Date: Re: CVS woes: .cvspass
Previous by thread: Re: GNU/Linux 'info Buffer Overflow
Next by thread: Remote Command Execution
Index(es):
- Date
- Thread