brian m. carlson wrote:
> Package: acon
> Version: 1.0.5-7
> Severity: critical
> Tags: security
>
> In addition to the security bug mentioned in #475733, there are four
> buffer overflows that I have found.
>
> acon.c:53 (already reported) and child.c:104
> A very large value of $HOME can create a buffer overflow with sprintf.
> Use snprintf instead.
> menu.c:100, menu.c:221, menu.c:243
> On terminals with greater than 211 columns (like some framebuffers),
> the buffer line will be overflowed, since it only has 400 bytes of
> space. ((getmaxx()-10)*2)-2 > 400
>
> These are critical due to the local root exploit contained in #475733.
> Once the setuid bug is fixed, these will become grave.
>
> There may be more. I have gone through the code as thoroughly as I
> could, but the code is barely legible and uses lots of fixed-sized
> buffers. For these reasons, it is my recommendation that acon not be
> included in a stable release.

Ack, this package should only be included in Lenny after a complete review
by a member of the Debian audit team and communication with upstream to
make sure such errors won't be re-introduced in later development.

Cheers,
Moritz
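
The two fixes the report asks for, sketched as an added example (this is not acon's code, and not from either poster): a `$HOME` path built with `snprintf` and a truncation check, and a width check using the report's expression against the 400-byte line buffer. The function names, the 64-byte path buffer and the file name `.example.conf` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF 400  /* size of the menu line buffer, as given in the report */

/* Bytes a menu line needs, using the expression quoted in the report. */
static long menu_line_bytes(int cols) {
    return ((long)(cols - 10) * 2) - 2;
}

/* 1 if the line fits in bufsize bytes, 0 if it would overflow.
 * A negative result (terminal narrower than the layout) is rejected too. */
static int menu_line_fits(int cols, size_t bufsize) {
    long need = menu_line_bytes(cols);
    return need >= 0 && (size_t)need <= bufsize;
}

/* Build "<home>/<name>" into dst. Returns 0 on success, -1 if home is unset
 * or the result does not fit; dst is left empty on failure so a truncated
 * path is never used by accident. */
static int build_home_path(char *dst, size_t dstsize,
                           const char *home, const char *name) {
    if (dst == NULL || dstsize == 0) return -1;
    dst[0] = '\0';
    if (home == NULL || name == NULL) return -1;
    int n = snprintf(dst, dstsize, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= dstsize) {  /* snprintf reports the untruncated length */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char path[64];                         /* hypothetical fixed-size buffer */
    int widths[] = { 80, 211, 212, 320 };  /* constructed sample terminal widths */

    if (build_home_path(path, sizeof path, getenv("HOME"), ".example.conf") != 0)
        fprintf(stderr, "HOME unset or too long for %zu-byte buffer\n", sizeof path);
    else
        printf("config path: %s\n", path);

    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++)
        printf("%d columns: need %ld bytes, %s\n", widths[i],
               menu_line_bytes(widths[i]),
               menu_line_fits(widths[i], LINE_BUF) ? "fits" : "would overflow");
    return 0;
}
```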