What you're describing could quite likely be the scenario of why it's
crashing. If you are happy that what you're describing is the problem, then
implement a patch, verify the crash is gone and close the bug.

I found the crash automatically while fuzzing the Debian package repository
using an open-source tool called sharefuzz, which intercepts getenv() and
returns a long buffer in an attempt to trigger overflows. I did not do any
source code analysis or any more investigation once the crash was triggered.
Because sharefuzz replaces the environment variable, it fits into the
scenario you are describing and may not necessarily be related to the
variable's length.

On Thu, Jan 6, 2011 at 9:49 AM, Bill Allombert <
bill.allomb...@math.u-bordeaux1.fr> wrote:

> On Wed, Jan 05, 2011 at 03:49:20PM +1100, Silvio Cesare wrote:
> > Package: toppler
> > Version: 1.1.3-1
> > Severity: important
> > Tags: security
> >
> > Toppler crashes when a long HOME environment variable is used. Probably
> > indicative of a buffer overflow. Toppler is SGID games, so this crash
> > might potentially lead to privilege escalation.
>
> Hello Silvio,
> Could you provide more information about the 'long HOME environment
> variable' ?
>
> So far what I found is that if HOME is set to something different from the
> user home (e.g. HOME=a), then SDL_SetVideoMode() fails, which causes toppler
> to do exit(1).
> Unfortunately, one of the destructors (~configuration) then does
> fseek(NULL, 0, SEEK_SET); which causes a segfault.
>
> Thanks for your report,
> --
> Bill. <ballo...@debian.org>
>
> Imagine a large red swirl here.
>
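The two failure modes discussed in this thread (an rc-file handle that is never opened and then touched in a destructor, and a HOME value copied into a fixed-size buffer) can be illustrated in a few lines. The following is an added example written for this page, not toppler's code: the `configuration` class, `build_config_path` and `run_with_home` are hypothetical stand-ins, and the file name `.toppler.rc` is an assumed example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Build "$HOME/<name>" into a fixed-size buffer without overflowing it.
// Returns false (and leaves out empty) when the result would not fit;
// this is exactly the check a strcpy/strcat of HOME into a fixed buffer lacks,
// and it is why a long HOME from a getenv()-intercepting fuzzer is worth testing.
static bool build_config_path(const char* home, const char* name,
                              char* out, size_t outlen) {
    if (!home || !name || !out || outlen == 0) return false;
    int n = std::snprintf(out, outlen, "%s/%s", home, name);
    if (n < 0 || static_cast<size_t>(n) >= outlen) {
        out[0] = '\0';
        return false;   // would have been truncated (or overflowed with strcpy)
    }
    return true;
}

// Hypothetical stand-in for a configuration object whose constructor opens
// an rc file under HOME and whose destructor runs on exit().
class configuration {
public:
    explicit configuration(const char* home) : f_(nullptr) {
        char path[256];
        if (build_config_path(home, ".toppler.rc", path, sizeof path))
            f_ = std::fopen(path, "r");   // stays NULL if the file cannot be opened
    }
    ~configuration() {
        // Guarded form: the unguarded fseek(NULL, 0, SEEK_SET) described in the
        // bug is undefined behaviour and segfaults in practice when fopen failed
        // (e.g. HOME=a) and the program then calls exit(1).
        if (f_) {
            std::fseek(f_, 0, SEEK_SET);
            std::fclose(f_);
        }
    }
    bool opened() const { return f_ != nullptr; }
private:
    FILE* f_;
};

// Construct and destroy a configuration for the given HOME value and report
// whether the rc file was opened. With the unguarded destructor, a HOME that
// does not resolve to a readable file would crash on the way out of this function.
static bool run_with_home(const char* home) {
    configuration cfg(home);
    return cfg.opened();
}

int main() {
    const char* home = std::getenv("HOME");   // may be NULL; handled above
    std::printf("rc file opened: %s\n", run_with_home(home) ? "yes" : "no");
    return 0;
}
```

Running it with `HOME=a` or with a several-kilobyte HOME exercises both paths: the path builder refuses the oversized value instead of overflowing, and the destructor tolerates a NULL stream instead of segfaulting, which is the minimal fix for the crash Bill traced.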