*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: avra

There is a buffer overflow bug in avra1.2.3a which might lead to memory
corruption, at the very most. Privilege escalation nor any kind of local
exploitation is expected as it runs with the privileges of the current
user.

Tracing the control flow during static analysis gives the following:-

load_arg_defines has an `strcpy(buff, define->data)` where buff is
declared as `char buff[256];`. In order to inspect the values of data,
we look at `struct prog_info *pi`; or rather the `args` argument of
`pi`.

Memory is allocated for `args` in `alloc_args`(args.c) and values are
set for it in `read_args`. Please note the lines:-

if(args->arg[j].type != ARGTYPE_STRING_MULTISINGLE)
    args->arg[j].data = argv[++i];

Evidently, at some point, the value depends on command line input and
this input can be used to overflow the `buff` array.
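To make the defensive fix concrete, here is an added example written for this page; it is not the reporter's code and not avra's source. It reconstructs the unchecked `strcpy` into a 256-byte buffer that the report describes, next to a bounded variant that rejects any define that does not fit. The function names, the `NAME=VALUE` splitting and the default value of "1" for a bare name are assumptions, not avra's documented behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFINE_BUFF 256   /* same size as the `char buff[256]` named in the report */

/* Vulnerable shape described in the report (hypothetical reconstruction, not
 * avra's code): the define string is copied into a fixed buffer with no check,
 * so a define longer than 255 bytes writes past the end of `buff`. */
void load_define_unchecked(const char *data)
{
    char buff[DEFINE_BUFF];
    strcpy(buff, data);            /* no bound: this is the defect */
    (void)buff;
}

/* Hardened form: bound the copy and reject (not truncate) over-long input,
 * since a silently shortened define could change the program's meaning.
 * Parses "NAME=VALUE" or "NAME"; a bare NAME gets value "1" (assumption,
 * mirroring the C preprocessor's -D, not necessarily avra's behaviour).
 * Returns 0 on success, -1 for a define that does not fit or has no name. */
int load_define_checked(const char *data, char *name_out, size_t name_len,
                        char *value_out, size_t value_len)
{
    char buff[DEFINE_BUFF];
    size_t n = strlen(data);
    if (n >= sizeof buff)          /* needs n bytes plus the terminator */
        return -1;
    memcpy(buff, data, n + 1);

    const char *value = "1";
    char *eq = strchr(buff, '=');
    if (eq) {
        *eq = '\0';
        value = eq + 1;
    }
    if (buff[0] == '\0')
        return -1;                 /* "" or "=x": no name */
    /* the output buffers are bounded too; check before copying */
    if (strlen(buff) >= name_len || strlen(value) >= value_len)
        return -1;
    snprintf(name_out, name_len, "%s", buff);
    snprintf(value_out, value_len, "%s", value);
    return 0;
}

/* Boundary helper: a constructed define of `len` 'A's followed by "=1".
 * Returns load_define_checked's result (0 = fits, -1 = rejected). */
int try_define_of_length(size_t len)
{
    char *data = malloc(len + 3);
    if (!data)
        return -2;
    memset(data, 'A', len);
    memcpy(data + len, "=1", 3);
    char name[DEFINE_BUFF], value[DEFINE_BUFF];
    int rc = load_define_checked(data, name, sizeof name, value, sizeof value);
    free(data);
    return rc;
}

/* Returns 1 if the constructed sample "F_CPU=8000000" splits as expected. */
int demo_parse_ok(void)
{
    char name[DEFINE_BUFF], value[DEFINE_BUFF];
    if (load_define_checked("F_CPU=8000000", name, sizeof name,
                            value, sizeof value) != 0)
        return 0;
    return strcmp(name, "F_CPU") == 0 && strcmp(value, "8000000") == 0;
}

/* Returns 1 if a bare NAME receives the assumed default value "1". */
int demo_bare_name(void)
{
    char name[DEFINE_BUFF], value[DEFINE_BUFF];
    if (load_define_checked("DEBUG", name, sizeof name,
                            value, sizeof value) != 0)
        return 0;
    return strcmp(name, "DEBUG") == 0 && strcmp(value, "1") == 0;
}

int main(void)
{
    load_define_unchecked("SHORT=1");   /* a short literal stays within buff */
    printf("parse ok: %d, bare name ok: %d\n", demo_parse_ok(), demo_bare_name());
    printf("255-byte define: %d, 256-byte define: %d\n",
           try_define_of_length(253), try_define_of_length(254));
    return 0;
}
```

The boundary helper shows where the checked version draws the line: a 255-byte define (253 name bytes plus "=1") still fits with its terminator, while a 256-byte one is refused instead of being written past the end of the buffer.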

** Affects: avra (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: buffer-overflow memory-corruption security

** Visibility changed to: Public

** Description changed:

  Binary package hint: avra
  
  There is a buffer overflow bug in avra1.2.3a which might lead to memory
- corruption, at the very most. Privilege escalation not any kind of local
+ corruption, at the very most. Privilege escalation nor any kind of local
  exploitation is expected as it runs with the privileges of the current
  user.
  
  Tracing the control flow during static analysis gives the following:-
  
  load_arg_defines has an `strcpy(buff, define->data)` where buff is
  declared as `char buff[256];`. In order to inspect the values of data,
  we look at `struct prog_info *pi`; or rather the `args` argument of
  `pi`.
  
  Memory is allocated for `args` in `alloc_args`(args.c) and values are
  set for it in `read_args`. Please note the lines:-
  
  if(args->arg[j].type != ARGTYPE_STRING_MULTISINGLE)
-     args->arg[j].data = argv[++i];
+     args->arg[j].data = argv[++i];
  
  Evidently, at some point, the value depends on command line input and
  this input can be used to overflow the `buff` array.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/745129

Title:
  buffer overflow in avra1.2.3a

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs