Subject: xshisen: buffer overflow when handling GECOS field
Package: xshisen
Version: 1.51-1-1
Severity: important
Tags: security patch
Hello,

I have found a buffer overflow in xshisen. It copies data from a user's GECOS field in /etc/passwd to a char array. In the rather unlikely event where that GECOS field is about 160 bytes long, the char array is overflowed, which can be used to get a shell with gid games. I have attached a patch that fixes this problem.

Here is a line from my /etc/passwd file (after wrapping it) that causes this bug:

metaur:x:1000:1000:UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUU,,,:/home/metaur:/bin/bash

I have Cc'ed the upstream developer and Naddy, who's involved with FreeBSD's Ports Collection. They might also want to check out some earlier buffer overflows in xshisen that Steve Kemp found in 2003:

http://bugs.debian.org/213957

// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages xshisen depends on:
ii  libc6        2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libgcc1      1:3.4.3-6        GCC support library
ii  libstdc++5   1:3.3.5-5        The GNU Standard C++ Library v3
ii  libxaw7      4.3.0.dfsg.1-10  X Athena widget set library
ii  xlibs        4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu

-- no debconf information
Attachment: xshisen.bufoflow.patch
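The bounded copy that fixes the class of bug reported above, as an added example that is neither the attached patch nor xshisen's own code. The 64-byte destination, the split of GECOS at the first comma (the conventional "full name" component) and the 160-byte sample entry are assumptions constructed here to mirror the report:

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#define NAME_MAX_LEN 64   /* fixed-size destination, as in the vulnerable pattern */

/* Vulnerable pattern (do not use): strcpy(name, pw->pw_gecos) into a fixed
 * char name[NAME_MAX_LEN] has no bound, so a longer GECOS field overruns it. */

/* Hardened copy: keep only the "full name" component of GECOS (up to the
 * first comma), write at most dstlen bytes and always NUL-terminate.
 * Returns 1 if the value was truncated, 0 if not, -1 on unusable arguments. */
int copy_gecos_name(char *dst, size_t dstlen, const char *gecos)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    if (gecos == NULL)
        gecos = "";
    size_t len = strcspn(gecos, ",");   /* full-name component only */
    int truncated = len >= dstlen;      /* must leave room for the terminator */
    if (truncated)
        len = dstlen - 1;
    memcpy(dst, gecos, len);
    dst[len] = '\0';
    return truncated;
}

/* Copies into a NAME_MAX_LEN buffer and returns the resulting string length. */
size_t copied_name_len(const char *gecos)
{
    char name[NAME_MAX_LEN];
    copy_gecos_name(name, sizeof name, gecos);
    return strlen(name);
}

int main(void)
{
    /* constructed sample: 160 'U's followed by ",,,", like the report's entry */
    char overlong[200];
    memset(overlong, 'U', 160);
    memcpy(overlong + 160, ",,,", 4);
    printf("overlong field -> %zu bytes kept\n", copied_name_len(overlong));

    struct passwd *pw = getpwuid(getuid());   /* same lookup, now bounded */
    char name[NAME_MAX_LEN];
    if (pw != NULL && copy_gecos_name(name, sizeof name, pw->pw_gecos) >= 0)
        printf("current user: %s\n", name);
    return 0;
}
```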