Bugtraq mailing list archives
Re: Possible bufferoverflow condition in lpr, xterm and xload
From: casper () holland Sun COM (Casper Dik)
Date: Tue, 13 Aug 1996 12:13:40 +0200
Digital Dreamer <dreamer () garrison inetcan net>:
On Tue, 13 Aug 1996, bloodmask wrote:
xterm, xload, both segmented when supplied with -display commandline argument / environment variable above its buffer size. Probably exploitable, although I haven't gotten around to verifying this myself, I'd like to hear comments concerning this suspicion of mine.
The fact that it's in the -display variable, which isn't handled by the program but rather the X toolkit it was compiled with, implies that this could be a problem with all X programs using this particular toolkit. I'm pretty sure Xterm is compiled with the Athena set, which is (I believe) the most common library, followed by Mosaic.
Looks like a problem in X11R6: XOpenDisplay() (OpenDis.c) calls a function in lib/X11/ConnDis.c which does a sprintf(address,....). address is a static buffer of size 128. In X11R5 (and before??), there's also a sprintf but in a buffer allocated with the proper size.
Casper
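The contrast drawn in the reply above, between a fixed 128-byte buffer and a buffer allocated to the proper size, as an added C example that is not part of the original post and is not the X11 source. The function names, the `"%s:%d"` format and the use of `snprintf` to bound and measure the write are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The post's pattern, for contrast: sprintf(address, ...) into a static
 * 128-byte buffer. The "%s:%d" format below is an assumption. */
#define ADDR_BUF 128

/* Fixed buffer: bounded write; truncation is reported as -1. */
int format_addr_fixed(char *out, size_t outlen, const char *host, int dpy)
{
    int n = snprintf(out, outlen, "%s:%d", host, dpy);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Sized allocation: measure first, then allocate. Caller frees. */
char *format_addr_alloc(const char *host, int dpy)
{
    int n = snprintf(NULL, 0, "%s:%d", host, dpy);
    char *buf = (n < 0) ? NULL : malloc((size_t)n + 1);
    if (buf != NULL)
        snprintf(buf, (size_t)n + 1, "%s:%d", host, dpy);
    return buf;
}

/* Constructed input: host of hostlen 'A's, display 0. Returns the fixed-buffer
 * result, or the allocated string's length when use_alloc is nonzero. */
int try_len(size_t hostlen, int use_alloc)
{
    char out[ADDR_BUF], *dyn, *host = calloc(hostlen + 1, 1);
    int r = -2;
    if (host == NULL)
        return r;
    memset(host, 'A', hostlen);
    if (use_alloc && (dyn = format_addr_alloc(host, 0)) != NULL) {
        r = (int)strlen(dyn);
        free(dyn);
    } else if (!use_alloc) {
        r = format_addr_fixed(out, sizeof out, host, 0);
    }
    free(host);
    return r;
}

int main(void)
{
    printf("%d %d %d\n", try_len(125, 0), try_len(126, 0), try_len(300, 1));
    return 0;
}
```

A 125-character host plus `:0` is the longest input that still fits in 128 bytes with its terminator; one character more is rejected by the fixed-buffer variant and handled by the allocating one.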