Package: acon
Version: 1.0.5-7
Severity: grave
Justification: local root

Hi,

as discussed on planet.debian.org and #476603, acon contains insecure code:
> [Brian M. Carlson]
> > I am subscribed to debian-audit, and we were requested to provide an
> > audit, which I did.  My recommendation stands.  It's very difficult
> > to audit the code, which is why I can't be sure I haven't missed
> > something.

[...]
> Sounds like it indeed shouldn't be included in Lenny, then.

I tend to agree. People not believing the insecurity of the code are
invited to run acon, bring up the menu (it was at Ctrl-Alt-G for my
keyboard and disappeared; the latter goes away when one disables the
console switching test as in the attached diff), select add console and
type more than 200 letters into the 200 char tmp array of menu.c/options.
I have marked a code position overflowing this buffer in the attached diff.

Please note that this is NOT about this specific overflow. I have found
it by grepping(!) through the code for string functions for 5 minutes.
acon needs to be completely redone before being remotely safe,
preferably in a way that is less likely to create all sorts of
vulnerabilities.
Note that this hole was unnoticed during an audit during which the
auditor came to the conclusion to not ship the code as it is likely that
there are more vulnerabilities than those he found. He was right.

I'd note that during testing acon seemed to exhibit multiple unrelated
crashes, too.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/
diff -urN acon-1.0.5~/menu.c acon-1.0.5/menu.c
--- acon-1.0.5~/menu.c	2003-07-18 21:09:34.000000000 +0200
+++ acon-1.0.5/menu.c	2008-10-07 17:27:41.000000000 +0200
@@ -129,8 +129,8 @@
 		/*if the active console is changed*/
 			if(	currentconsole!=getactive())
 			{
-				consoleswitched=1;
-				return -1;
+				//consoleswitched=1;
+				//return -1;
 			}
 
 		}while(ch==256);
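Review bot: commenting out `consoleswitched=1;` and `return -1;` leaves the `if(currentconsole!=getactive())` body empty and removes the only place in this hunk where `consoleswitched` is set, so this is the test-only change the report describes and must not be applied as a fix. If it is kept around for debugging, the `//` comments should be `/* */` to match the file's existing `/*if the active console is changed*/` style.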
@@ -259,6 +259,8 @@
 						str[strlen(str)-1]=0;
 					break;
 				default:
+					if (strlen(str)>=200)
+						printf("Overflow if str has only size 200.\n");
 					str[strlen(str)+1]=0;
 					str[strlen(str)]=ch;
 			}
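Review bot: the marker condition `if (strlen(str)>=200)` fires one character too late. With a 200-byte buffer the append below writes `str[strlen(str)+1]=0;`, so the first out-of-bounds write already happens when `strlen(str)` is 199, and the message only prints once the terminator has been overwritten (at which point `strlen(str)` itself reads past the buffer). A check meant to stop the overflow would be `if (strlen(str)+1 >= 200) break;` placed before the two writes, preferably testing against the buffer's real size rather than a literal, instead of a `printf` that lets the writes proceed.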

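As an added defensive example, not part of the bug report and not acon's own code: the append in menu.c does `str[strlen(str)+1]=0; str[strlen(str)]=ch;` with no bound, and the backspace case does `str[strlen(str)-1]=0;` with no check for an empty string. The C below shows bounded replacements that take the buffer size explicitly and refuse the keystroke instead of writing past the array, plus a constructed scenario that feeds 250 keystrokes into a 200-byte buffer. Only the 200-byte size comes from the report; the function names, the 250-character input and the scenario helpers are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the tmp array in menu.c according to the report. */
#define STR_SIZE 200

/* Length of the string in str, or cap if no terminator lies within cap bytes. */
static size_t bounded_len(const char *str, size_t cap)
{
    const char *nul = memchr(str, '\0', cap);
    return nul ? (size_t)(nul - str) : cap;
}

/* Bounded replacement (assumed, not acon's code) for the unbounded
   "str[strlen(str)+1]=0; str[strlen(str)]=ch;" in menu.c.
   Returns 1 if ch was appended, 0 if refused because there is no room for
   ch plus the terminator, or because the buffer is not terminated at all. */
int append_char_bounded(char *str, size_t cap, int ch)
{
    size_t len = bounded_len(str, cap);
    if (len + 1 >= cap)        /* str[len+1] must exist: len < cap-1 */
        return 0;
    str[len] = (char)ch;       /* write the character first ... */
    str[len + 1] = '\0';       /* ... then the terminator, both in bounds */
    return 1;
}

/* Bounded replacement for the backspace case "str[strlen(str)-1]=0;":
   refuses on an empty or unterminated string instead of touching str[-1]. */
int erase_last_bounded(char *str, size_t cap)
{
    size_t len = bounded_len(str, cap);
    if (len == 0 || len == cap)
        return 0;
    str[len - 1] = '\0';
    return 1;
}

/* Feed every byte of input as one keystroke; returns how many were
   accepted before the buffer filled up. */
size_t feed_input(char *str, size_t cap, const char *input)
{
    size_t accepted = 0;
    for (; *input != '\0'; input++) {
        if (!append_char_bounded(str, cap, (unsigned char)*input))
            break;
        accepted++;
    }
    return accepted;
}

/* Constructed scenario from the report: more than 200 letters typed into
   the 200-byte buffer. Returns how many keystrokes were accepted. */
size_t scenario_accepted(void)
{
    char buf[STR_SIZE];
    char input[251];           /* constructed sample input: 250 'A's */
    buf[0] = '\0';
    memset(input, 'A', 250);
    input[250] = '\0';
    return feed_input(buf, sizeof buf, input);
}

/* Same scenario, returning the resulting string length; equals STR_SIZE
   only if the terminator were lost, which the bounded append prevents. */
size_t scenario_final_len(void)
{
    char buf[STR_SIZE];
    char input[251];
    buf[0] = '\0';
    memset(input, 'A', 250);
    input[250] = '\0';
    feed_input(buf, sizeof buf, input);
    return bounded_len(buf, sizeof buf);
}

/* Backspace on an empty buffer must be refused rather than write str[-1]. */
int scenario_erase_empty(void)
{
    char buf[STR_SIZE];
    buf[0] = '\0';
    return erase_last_bounded(buf, sizeof buf);
}

int main(void)
{
    printf("accepted %zu of 250 keystrokes, final length %zu, erase-on-empty %d\n",
           scenario_accepted(), scenario_final_len(), scenario_erase_empty());
    return 0;
}
```

The two writes are deliberately reordered relative to menu.c (character first, then terminator) so that the single bound check `len + 1 >= cap` covers both; passing the size as a parameter rather than relying on a literal 200 is what keeps the check honest if the array is ever resized.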