Hi,

The argument will most likely not come from untrusted sources, I guess? So it's no severe risk. The only issue I could think of is that it could be used to escalate an attacker's permissions to swath's user's context. Then again, the system already has to be infiltrated to do that...
Regards
Dominik Maier

On 15.01.2013 09:26, "Theppitak Karoonboonyanan" <[email protected]> wrote:
> On Tue, Jan 15, 2013 at 6:44 AM, Dominik Maier <[email protected]> wrote:
>
> > Buffer overflow because of strcpy with possibility to inject shellcode:
> >
> > swath mule -b [More than 20 to overflow and possibly inject shellcode.] < emptyfile
> >
> > problematic lines are:
> >
> > char stopstr[20];
> > if (muleMode)
> >     strcpy(stopstr,wbr);
> >
> > Instead, you should change the size of stopstr according to wbr.
> > Even better would be simply to change the address of stopstr like
> >
> > char stopstr[20];
> > if (muleMode)
> >     stopstr = wbr;
>
> Thanks for the report. I've applied the fix upstream:
>
> http://linux.thai.net/websvn/wsvn/software.swath?op=comp&compare[]=%2Ftrunk@237&compare[]=%2Ftrunk@238
>
> I'm estimating the risk to decide what to do in Debian.
> The use of Mule mode is quite rare, IMO.
>
> Regards,
> --
> Theppitak Karoonboonyanan
> http://linux.thai.net/~thep/
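The pattern discussed in the thread, as an added example that is not swath's code and not part of the original messages: the reported strcpy into a 20-byte stop-string buffer next to a bounded replacement, plus a helper that computes how far a given `-b` argument would overrun. The buffer size comes from the report; every function name and the sample arguments are constructed for illustration.

```c
/*
 * Added illustration of the "swath mule -b" report. This is not swath's
 * source: only the buffer size (20) comes from the thread; every function
 * name and the sample inputs are invented for the example.
 */
#include <stdio.h>
#include <string.h>

#define STOPSTR_CAP 20   /* matches the reported "char stopstr[20]" */

/* Vulnerable form, as reported: strcpy writes strlen(wbr)+1 bytes no matter
 * how large the destination is. A 20-byte argument already puts the NUL
 * terminator past the end of stopstr; longer input overwrites whatever
 * follows on the stack. Only called below with input known to fit. */
static void set_stopstr_unsafe(char stopstr[STOPSTR_CAP], const char *wbr)
{
    strcpy(stopstr, wbr);
}

/* Number of bytes strcpy would write beyond the buffer for a given argument
 * (0 means the copy stays in bounds). */
static size_t overflow_bytes(const char *wbr)
{
    size_t needed = strlen(wbr) + 1;          /* characters plus the NUL */
    return needed > STOPSTR_CAP ? needed - STOPSTR_CAP : 0;
}

/* Hardened form: bound the copy by the destination size and refuse input
 * that does not fit, rather than truncating it silently (a truncated word
 * break delimiter would change the output with no error at all).
 * Returns 0 on success, -1 when wbr is too long. */
static int set_stopstr_safe(char stopstr[STOPSTR_CAP], const char *wbr)
{
    size_t len = strlen(wbr);
    if (len >= STOPSTR_CAP)          /* leaves no room for the terminator */
        return -1;
    memcpy(stopstr, wbr, len + 1);   /* includes the NUL */
    return 0;
}

/* Convenience wrapper: run the safe setter into a local buffer and report
 * whether the argument was accepted and stored exactly (1) or rejected (0). */
static int safe_setter_accepts(const char *wbr)
{
    char stopstr[STOPSTR_CAP];
    if (set_stopstr_safe(stopstr, wbr) != 0)
        return 0;
    return strcmp(stopstr, wbr) == 0;
}

int main(void)
{
    /* Constructed inputs: a typical one-character delimiter and an
     * oversized argument of the kind the report passes to "swath mule -b". */
    const char *short_arg = "|";
    const char *long_arg  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 30 bytes */
    char stopstr[STOPSTR_CAP];

    set_stopstr_unsafe(stopstr, short_arg);   /* in bounds: 2 bytes written */
    printf("unsafe copy of \"%s\" -> \"%s\"\n", short_arg, stopstr);

    printf("strcpy of the 30-byte argument would overrun by %zu bytes\n",
           overflow_bytes(long_arg));

    printf("safe setter accepts \"%s\": %d\n", short_arg,
           safe_setter_accepts(short_arg));
    printf("safe setter accepts 30-byte argument: %d\n",
           safe_setter_accepts(long_arg));
    return 0;
}
```

The example keeps the fixed-size buffer and bounds the copy, which is the smallest change that removes the overflow; a C array cannot be reassigned, so pointing the stop string at `wbr` instead would require a `const char *` variable rather than the `char stopstr[20]` array. Rejecting over-long input (instead of truncating with strncpy or strlcpy) is a deliberate choice: a silently shortened delimiter would still run, but produce wrong segmentation.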

