Package: xpp
Version: 1.5-cvs20081009-3
Severity: important
Tags: patch

xpp allocates 128-byte buffers for the printer selection menu and writes to the allocated space using unchecked sprintf. It is easy to see that this may lead to a buffer overflow and subsequent heap corruption.
The following patch fixes a crash due to the above mentioned heap corruption by replacing malloc+sprintf by asprintf: --- xpp-1.5-cvs20081009.orig/xpp.cxx +++ xpp-1.5-cvs20081009/xpp.cxx @@ -311,7 +311,7 @@ printFiles::printFiles(int argc, /* I - // Set up text for menu entry - menu_strs[i]=(char *)calloc(sizeof(char),128); + //menu_strs[i]=(char *)calloc(sizeof(char),128); // Get printer information to show in the menu entry 
@@ -366,25 +366,25 @@ printFiles::printFiles(int argc, /* I - int prtype = CupsHelper::printerType(dests[i].name); if ( prtype < 0 ) { if ( dests[i].instance != NULL ) - sprintf(menu_strs[i], "%s on %s: Destination not available", + asprintf(&menu_strs[i], "%s on %s: Destination not available", dests[i].instance, dests[i].name); else - sprintf(menu_strs[i], "%s: Destination not available", + asprintf(&menu_strs[i], "%s: Destination not available", dests[i].name); } else if ((prtype & CUPS_PRINTER_CLASS) || (prtype & CUPS_PRINTER_IMPLICIT)) { if ( dests[i].instance != NULL ) - sprintf(menu_strs[i], "%s on %s: %s (printer class)", + asprintf(&menu_strs[i], "%s on %s: %s (printer class)", dests[i].instance, dests[i].name, comment); else - sprintf(menu_strs[i], "%s: %s (printer class)", + asprintf(&menu_strs[i], "%s: %s (printer class)", dests[i].name, comment); } else { if ( dests[i].instance != NULL ) - sprintf(menu_strs[i], "%s on %s: %s (single printer)", + asprintf(&menu_strs[i], "%s on %s: %s (single printer)", dests[i].instance, dests[i].name, comment); else - sprintf(menu_strs[i], "%s: %s (single printer)", + asprintf(&menu_strs[i], "%s: %s (single printer)", dests[i].name, comment); } There are more places where sprintf is used, so I would guess there are also more places where buffer overflows can occur, but I have not checked them. I am not sure whether this has any security implications, but I would not be surprised if. 
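Review bot: in the first hunk (@@ -311), the calloc line is commented out rather than deleted, which leaves dead code in the constructor; remove the line outright. With the allocation gone, menu_strs[i] holds no valid pointer until the asprintf call in the second hunk assigns it, so confirm that nothing between the menu set-up and the formatting code at line 366 still reads or writes menu_strs[i] on the assumption that it points to a zeroed 128-byte buffer.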
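Review bot: none of the asprintf() return values in the second hunk (@@ -366) are checked. glibc documents that on allocation failure asprintf returns -1 and leaves the contents of the pointer argument undefined, so a later free(menu_strs[i]) or use of the menu text would operate on an indeterminate pointer; capture the return value in every branch and handle -1 (for example set menu_strs[i] = NULL and skip or abort). asprintf is also a GNU/BSD extension rather than ISO C: on glibc it requires _GNU_SOURCE to be defined before the first include, otherwise a portable two-pass snprintf replacement (size with snprintf(NULL, 0, ...), then malloc and format) is needed.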
Attila Kinali

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages xpp depends on:
ii  libc6        2.26-4
ii  libcups2     2.2.6-4
ii  libfltk1.1   1.1.10-23
ii  libgcc1      1:7.2.0-19
ii  libstdc++6   7.2.0-19

xpp recommends no packages.

xpp suggests no packages.

-- no debconf information
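The fixed-size calloc + sprintf pattern described in the report, replaced by a portable, error-checked equivalent of asprintf. This is an added illustration written for this page, not code from the report or from the xpp source; the helper names xasprintf and menu_entry are hypothetical, and the menu text format strings mirror the ones in the patch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for asprintf(): measure with vsnprintf, then allocate
 * exactly enough. Returns NULL on formatting or allocation failure, so the
 * caller never works with an undefined pointer (unlike unchecked asprintf). */
static char *xasprintf(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) { va_end(ap2); return NULL; }
    char *buf = malloc((size_t)needed + 1);
    if (buf == NULL) { va_end(ap2); return NULL; }
    vsnprintf(buf, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Hypothetical wrapper building the "single printer" menu entry from the
 * patch, with or without a destination instance. Caller frees the result. */
char *menu_entry(const char *instance, const char *name, const char *comment)
{
    if (instance != NULL)
        return xasprintf("%s on %s: %s (single printer)", instance, name, comment);
    return xasprintf("%s: %s (single printer)", name, comment);
}

/* Constructed input: a destination name long enough to overrun the original
 * 128-byte buffer is handled without truncation or heap corruption. */
int main(void)
{
    char longname[200];
    memset(longname, 'p', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    char *entry = menu_entry("duplex", longname, "Laser in room 4");
    if (entry == NULL) return 1;
    printf("%zu bytes: %s\n", strlen(entry), entry);
    free(entry);
    return 0;
}
```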