Package: tvtime
Version: 1.0.2-10
Severity: normal
User: trinitona...@gmail.com

Analysis of code in file station.c

at:

line 365    strncpy( mgr->stationrc, getenv( "HOME" ), 235 );
line 366    strncat( mgr->stationrc, "/.tvtime/stationlist.xml", 255 );

and:

line 1033   strncpy( filename, getenv( "HOME" ), 235 );
line 1034   strncat( filename, "/.tvtime/stationlist.xml", 255 );

The call to strncpy() does not use sizeof(filename) for the size, but rather an 
arbitrarily small number. It isn't the end of the world, but there's no 
guarantee that the last 20 bytes of the variable are zero bytes (or even that 
any of them is a zero byte), in general. Under some circumstances (filename is 
a global variable, previously unused) the zeros might be guaranteed.

The strncat() call tries to append 24 characters to the end of the string in 
filename that might already be 232-234 bytes long, or that might be arbitrarily 
longer than 235 bytes. Either way, that is a guaranteed buffer overflow. The 
usage of strncat() also falls directly into the trap about its size. You've 
said that it is OK to add up to 255 characters beyond the end of what's already 
in filename, which is blatantly wrong (unless the string from getenv("HOME") 
happens to be empty).

Regards,

Triniton

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages tvtime depends on:
ii  debconf [debconf-2.0]              1.5.50
ii  fonts-freefont-ttf [ttf-freefont]  20120503-1
ii  libc6                              2.17-6
ii  libfreetype6                       2.4.9-1.1
ii  libgcc1                            1:4.8.1-4
ii  libice6                            2:1.0.8-2
ii  libpng12-0                         1.2.49-4
ii  libsm6                             2:1.2.1-2
ii  libstdc++6                         4.8.1-4
ii  libx11-6                           2:1.6.0-1
ii  libxext6                           2:1.3.1-2+deb7u1
ii  libxinerama1                       2:1.1.2-1+deb7u1
ii  libxml2                            2.9.1+dfsg1-2
ii  libxtst6                           2:1.2.1-1+deb7u1
ii  libxv1                             2:1.0.7-1+deb7u1
ii  libxxf86vm1                        1:1.1.2-1+deb7u1
ii  perl-modules                       5.14.2-21
ii  ttf-freefont                       20120503-1
ii  ucf                                3.0027
ii  zlib1g                             1:1.2.8.dfsg-1

Versions of packages tvtime recommends:
ii  xmltv-util  0.5.63-2

Versions of packages tvtime suggests:
pn  lirc-x      <none>
pn  oss-compat  <none>

-- no debconf information

