Public bug reported:

Binary package hint: dialog
This issue affects dialog version 1.0-20060101-1, the current version in Dapper at the time of filing. I suspect it was fixed in the 2006/1/19 and 2006/1/26 releases, based on the following comments from the author's changelog (found at http://dickey.his.com/dialog/CHANGES):

From 2006/1/19: "correct logic that passes the callback for menubox to do inputmenu operations from 2005/12/7 changes (report by Reznic Valery)."

From 2006/1/26: "amend correction to menubox, fixes normal menus (Debian #349969)."

Steps to reproduce:

1. Run the following command:

   $ dialog --extra-button --menu "title" 10 40 1 Tag Item 2> foo.txt

2. In the resulting menu, select the middle button, labelled "Extra". Note that the highlighting on the text "Item" changes, and the text itself changes to "IItem" with a cursor under the second I.

3. Enter some text. Note that, although this is not an inputmenu, it seems to accept keyboard input as if you were modifying the item text (though the initial "I" in "IItem" cannot be edited).

There are at least 3 possible results from here, depending on the number of characters entered (including the initial 4 characters from the existing text "Item"):

* Enter 18 characters and the program will crash with a segfault.

* Enter 15 to 17 characters, followed by Enter, and the program will crash reporting "*** glibc detected *** free(): invalid next size (fast): 0x081163a8 ***".

* Enter fewer than 15 characters, followed by Enter, and the program will terminate normally. However, the text in the file foo.txt will be, for example, "RENAMED Tag NewText".

The expected behavior is that when the "Extra" button is selected, the program terminates and foo.txt contains the text "Tag" to indicate the selection. No editing of menu items should occur.

The glibc error in free() makes me suspect that this allows a heap overflow. I don't know whether it is exploitable.
** Affects: dialog (Ubuntu)
   Importance: Undecided
       Status: Unconfirmed

-- 
Menu box with --extra-button allows segfault
https://launchpad.net/bugs/80808

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
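As an added example (not part of the bug report or the dialog project), a small POSIX shell check that tells an administrator whether an installed dialog build predates the 2006/1/26 release the reporter suspects carries the fix. It assumes `dialog --version` prints a version string of the form "Version: 1.0-20060101" (major.minor-YYYYMMDD); the fix date itself is the reporter's suspicion, not a confirmed fixed version.

```shell
#!/bin/sh
# Added example, not from the bug report: flag a dialog build older than the
# release the reporter suspects fixed the --extra-button menubox bug.

# Suspected fix date, taken from the CHANGES entries quoted in the report.
SUSPECTED_FIX_DATE=20060126

# Print the YYYYMMDD build date embedded in a version string such as
# "Version: 1.0-20060101" or "1.0-20060101-1"; print nothing if absent.
dialog_build_date() {
    printf '%s\n' "$1" | sed -n 's/.*-\([0-9]\{8\}\).*/\1/p'
}

# Succeed (exit 0) when the version string carries a build date that is
# strictly older than SUSPECTED_FIX_DATE; fail otherwise, including when
# no build date can be parsed at all.
dialog_predates_fix() {
    d=$(dialog_build_date "$1")
    [ -n "$d" ] && [ "$d" -lt "$SUSPECTED_FIX_DATE" ]
}

# Run against the installed binary when one is present (2>&1 covers builds
# that print the version on stderr); skipped silently if dialog is absent.
if command -v dialog >/dev/null 2>&1; then
    v=$(dialog --version 2>&1 | head -n 1)
    if dialog_predates_fix "$v"; then
        echo "dialog '$v' predates $SUSPECTED_FIX_DATE: --extra-button menubox bug (LP #80808) may be present"
    else
        echo "dialog '$v' is at or after $SUSPECTED_FIX_DATE"
    fi
fi
```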