Package: bugsx
Version: 1.08-7
Severity: normal
Tags: patch

  This package contains the following code in xbutil.c:


XrmDatabase commandlineDB;
{
    char    name[255];
    char    msg[255];
    int tsi;
    double  tsd;

    strcpy (msg, "");
    /* *** Load the local app-defaults file. *** */
    if (getenv ("XAPPLRESDIR"))
        {
        strcpy(name, getenv ("XAPPLRESDIR"));
  ...
}

  Here we copy the contents of an environmental variable into a static
 buffer without checking for size.  If this program were setuid/setgid
 this would be exploitable.  As it is this is a minor bug which should
 be fixed.

  The following solution would fix things up:


    /* *** Load the local app-defaults file. *** */
    if (getenv ("XAPPLRESDIR"))
        {
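        /* Bounded copy: a long XAPPLRESDIR is truncated, not overflowed. */
        snprintf (name, sizeof(name)-1, "%s/%s",
                  getenv ("XAPPLRESDIR"),
                  CLASS_NAME);
        resourceDB = XrmGetFileDatabase(name);
        if (resourceDB)
            /* msg is also 255 bytes; name plus the fixed text can exceed it. */
            snprintf (msg, sizeof(msg),
                      "Read Resource definitions in %s ...", name);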
        }


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
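
Added example, not part of the original report or of the bugsx source: the same bounded copy, with the snprintf return value checked so that an over-long XAPPLRESDIR is rejected instead of silently truncated into a different path. The helper name build_resource_path and the CLASS_NAME value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder value; the real CLASS_NAME is defined in the package. */
#define CLASS_NAME "ExampleClass"

/* Hypothetical helper: writes "<dir>/<CLASS_NAME>" into out.
 * Returns 0 on success, -1 if dir is unset/empty or the result
 * (including the terminating NUL) does not fit in outlen bytes. */
static int build_resource_path(const char *dir, char *out, size_t outlen)
{
    int n;

    if (dir == NULL || *dir == '\0' || outlen == 0)
        return -1;

    /* snprintf returns the length it wanted to write, so a value
     * >= outlen means the path was truncated. */
    n = snprintf(out, outlen, "%s/%s", dir, CLASS_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* never leave a half-built path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[255];
    char msg[255];

    msg[0] = '\0';
    if (build_resource_path(getenv("XAPPLRESDIR"), name, sizeof(name)) == 0) {
        /* msg is bounded as well: name plus the fixed text can exceed it. */
        snprintf(msg, sizeof(msg), "Read Resource definitions in %s ...", name);
        puts(msg);
    } else {
        fputs("XAPPLRESDIR unset or too long, skipping app-defaults\n", stderr);
    }
    return 0;
}
```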


