Your message dated Thu, 18 Jan 2007 18:38:00 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#407369: [xine-devel] [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: xine-ui
Severity: normal


Good day,

My understanding is that this CVE Candidate is buggy, but in case I have
missed something I prefer to let you know; just close the bug if you
agree with me.

From CVE-2007-0254:

| Name: CVE-2007-0254
| Status: Candidate
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254
| Phase: Assigned (20070116)
| Category:
| Reference: BUGTRAQ:20070111 Xine-ui format string Vulnerabilties.
| Reference: URL:http://www.securityfocus.com/archive/1/archive/1/456590/100/0/threaded
| Reference: BID:22002
| Reference: URL:http://www.securityfocus.com/bid/22002
|
| Format string vulnerability in the errors_create_window function in
| errors.c in xine-ui allows attackers to execute arbitrary code via
| unknown vectors.


I took a look at the errors_create_window function in errors.c; the
vulnerable code seems to be on line 67:

|  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
|                                                   _("Done"), _("More..."),
|                                                 NULL, _errors_display_log,
|                                                   NULL, 400, ALIGN_CENTER,
|                                                   "%s", message);

xitk_window_dialog_two_buttons_with_width() is a macro defined on
line 2323 in src/xitk/xine-toolkit/xitk.h; this macro calls
xitk_window_dialog_checkbox_two_buttons_with_width(), which is a function
defined on line 1108 in src/xitk/xine-toolkit/window.c. In this
function we have:
(message is the format, and args is the message from the previous
function)

     va_list   args;
     char     *buf;
     int       n, size = 100;

     if((buf = xitk_xmalloc(size)) == NULL)
       return NULL;

     while(1) {

       va_start(args, message);
       n = vsnprintf(buf, size, message, args);
       va_end(args);

       if(n > -1 && n < size)
         break;

       if(n > -1)
         size = n + 1;
       else
         size *= 2;

       if((buf = realloc(buf, size)) == NULL)
         return NULL;
     }


I fail to see where the format string vulnerability is; my
understanding is that vsnprintf will never overrun buf, but maybe I have
missed something...

Thanks for your time.

Regards.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)


--- End Message ---
--- Begin Message ---
Matthias Hopf <[EMAIL PROTECTED]> writes:

>> I took a look at the errors_create_window function in errors.c; the
>> vulnerable code seems to be on line 67:
>> 
>> |  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
>> |                                                   _("Done"), _("More..."),
>> |                                              NULL, _errors_display_log,
>> |                                                   NULL, 400, ALIGN_CENTER,
>> |                                                   "%s", message);
>
> This used to be   .... NULL, 400, ALIGN_CENTER, message);
> ("%s", missing), which was indeed vulnerable.

With this rationale, I'm closing this bug (at least for now). I checked
the source of the current xine-ui package, which is in both
testing+unstable, and it contains the source like shown above. If you
find further vulnerabilities, feel free to file or reopen this report.

I'm planning to upload an updated xine-ui snapshot to experimental later
today.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

--- End Message ---
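The two messages above turn on a distinction worth seeing in running code: the growing vsnprintf loop quoted from window.c does keep buf from ever being overrun, but it says nothing about who controls the format string. If the caller passes the message itself as the format (the pre-fix call shape Matthias Hopf describes), every '%' in that message is interpreted by vsnprintf; passing "%s", message makes the format a constant. The example below is added here and is not xine-ui code or either poster's code. The names format_message, dialog_vulnerable, dialog_fixed, formats_differ and fixed_length are hypothetical, and the sample message is constructed. It uses "%%" to show interpretation, because that is the one directive whose behaviour is defined without a matching argument; the %x reads and %n writes an attacker would actually use are undefined behaviour and are not executed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Growing-buffer formatter modelled on the loop quoted from window.c.
 * It can never overrun buf: vsnprintf is bounded by size, and the loop
 * reallocates until the whole result fits. Unlike the quoted loop it
 * frees buf when realloc fails instead of leaking it.
 * Returns a malloc'd string (caller frees) or NULL.
 */
static char *format_message(const char *fmt, ...)
{
    va_list args;
    int n, size = 100;
    char *buf = malloc(size);

    if (buf == NULL)
        return NULL;

    for (;;) {
        va_start(args, fmt);
        n = vsnprintf(buf, size, fmt, args);
        va_end(args);

        if (n > -1 && n < size)
            return buf;

        size = (n > -1) ? n + 1 : size * 2;

        char *tmp = realloc(buf, size);
        if (tmp == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
    }
}

/* Pre-fix call shape (hypothetical name): the message IS the format
 * string, so any '%' in it is interpreted by vsnprintf. */
char *dialog_vulnerable(const char *message)
{
    return format_message(message);
}

/* Fixed call shape (hypothetical name): constant format, message as data. */
char *dialog_fixed(const char *message)
{
    return format_message("%s", message);
}

/* 1 if the two call shapes yield different text for message, 0 if equal,
 * -1 on allocation failure. */
int formats_differ(const char *message)
{
    char *v = dialog_vulnerable(message);
    char *f = dialog_fixed(message);
    int differ = (v == NULL || f == NULL) ? -1 : (strcmp(v, f) != 0);
    free(v);
    free(f);
    return differ;
}

/* Length of dialog_fixed(message); a message longer than the initial 100
 * bytes exercises the realloc path without any overrun. */
size_t fixed_length(const char *message)
{
    char *f = dialog_fixed(message);
    size_t len = f ? strlen(f) : 0;
    free(f);
    return len;
}

int main(void)
{
    /* Constructed sample message, not taken from the bug report. */
    const char *msg = "Loading 50%% done";
    char *v = dialog_vulnerable(msg);
    char *f = dialog_fixed(msg);
    printf("vulnerable: %s\n", v);   /* Loading 50% done  */
    printf("fixed:      %s\n", f);   /* Loading 50%% done */
    free(v);
    free(f);
    return 0;
}
```

The takeaway for review is that bounding the write with vsnprintf answers the buffer-overflow question only; the format-string question is answered by whether the format argument is a literal, which is why the one-token change from `message` to `"%s", message` was the whole fix.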
