Package: xine-ui
Severity: normal

Good day,

My understanding is that this CVE candidate is buggy, but in case I have
missed something I prefer to let you know; just close the bug if you
agree with me.

From CVE-2007-0254:

| Name: CVE-2007-0254
| Status: Candidate
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254
| Phase: Assigned (20070116)
| Category:
| Reference: BUGTRAQ:20070111 Xine-ui format string Vulnerabilties.
| Reference: URL:http://www.securityfocus.com/archive/1/archive/1/456590/100/0/threaded
| Reference: BID:22002
| Reference: URL:http://www.securityfocus.com/bid/22002
|
| Format string vulnerability in the errors_create_window function in
| errors.c in xine-ui allows attackers to execute arbitrary code via
| unknown vectors.


I took a look at the errors_create_window function in errors.c; the
vulnerable code seems to be on line 67:

|  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
|                                                   _("Done"), _("More..."),
|                                                 NULL, _errors_display_log,
|                                                   NULL, 400, ALIGN_CENTER,
|                                                   "%s", message);

xitk_window_dialog_two_buttons_with_width() is a macro defined on
line 2323 in src/xitk/xine-toolkit/xitk.h; this macro calls
xitk_window_dialog_checkbox_two_buttons_with_width(), which is a function
defined on line 1108 in src/xitk/xine-toolkit/window.c. In this
function we have (message is the format, and args is the message from
the previous function):

    va_list   args;
    char     *buf;
    int       n, size = 100;      /* initial guess; grown below if too small */

    if((buf = xitk_xmalloc(size)) == NULL)
      return NULL;

    while(1) {

      /* vsnprintf is bounded by size, so buf is never written past its end */
      va_start(args, message);
      n = vsnprintf(buf, size, message, args);
      va_end(args);

      /* output fitted: done */
      if(n > -1 && n < size)
        break;

      /* C99 vsnprintf returns the length that was needed; older
         implementations return -1 on truncation, so just double */
      if(n > -1)
        size = n + 1;
      else
        size *= 2;

      if((buf = realloc(buf, size)) == NULL)
        return NULL;
    }


I fail to see where the format string vulnerability is; my
understanding is that vsnprintf will never overrun buf, but maybe I have
missed something...

Thanks for your time.

Regards.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
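The following is an added example, not code from xine-ui or from the reporter. It re-implements the vsnprintf growth loop quoted from window.c under the assumed name format_message(), and uses it to show the two things the report turns on: a bounded vsnprintf cannot overrun its buffer however long the message is, and the only thing that makes such a call a format string bug is passing caller-controlled text as the format argument rather than as data behind a literal "%s". The helper names safe_render(), unsafe_render() and long_message_len() and the sample message are assumptions made for the demonstration; "%%" is used as the embedded directive because it is the one whose interpretation with no extra arguments is well defined, so the demo itself does not trigger undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growth loop following the logic of the window.c fragment quoted in the
 * report (hypothetical name). vsnprintf is bounded by `size`, so `buf` is
 * never overrun; on truncation the buffer is grown and formatting retried. */
static char *format_message(const char *message, ...)
{
    va_list  args;
    char    *buf, *tmp;
    int      n, size = 100;

    if ((buf = malloc(size)) == NULL)
        return NULL;

    while (1) {
        va_start(args, message);
        n = vsnprintf(buf, size, message, args);
        va_end(args);

        if (n > -1 && n < size)          /* output fitted */
            break;
        if (n > -1)                      /* C99: n is the length needed */
            size = n + 1;
        else                             /* pre-C99: -1, so just double */
            size *= 2;

        /* Use a temporary so the original block is not leaked if realloc
         * fails (the quoted loop assigns straight back into buf). */
        if ((tmp = realloc(buf, size)) == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
    }
    return buf;
}

/* Constructed sample input: text that looks like a format directive. */
const char *sample_message = "disk 100%% full";

/* The pattern errors_create_window uses: literal format, message as data.
 * Every byte of `message`, including '%', is copied through untouched. */
char *safe_render(const char *message)
{
    return format_message("%s", message);
}

/* The pattern a format string bug needs: the caller-controlled text IS the
 * format. Here "%%" merely collapses to "%"; a real attacker message with
 * %x or %n would read or write through arguments that were never passed. */
char *unsafe_render(const char *message)
{
    return format_message(message);
}

/* A 300-byte message exercises the realloc path: the first vsnprintf
 * truncates and returns 300, the buffer grows to 301, the retry fits. */
size_t long_message_len(void)
{
    char   big[301];
    char  *out;
    size_t len;

    memset(big, 'A', 300);
    big[300] = '\0';
    out = format_message("%s", big);
    len = out ? strlen(out) : 0;
    free(out);
    return len;
}

/* Compare and release a rendered string (helper for checks). */
int rendered_equals(char *got, const char *want)
{
    int same = got != NULL && strcmp(got, want) == 0;
    free(got);
    return same;
}

int main(void)
{
    char *s = safe_render(sample_message);
    char *u = unsafe_render(sample_message);

    printf("safe   : %s\n", s);   /* disk 100%% full  (bytes preserved) */
    printf("unsafe : %s\n", u);   /* disk 100% full   (directive consumed) */
    printf("300-byte message rendered to %zu bytes\n", long_message_len());
    free(s);
    free(u);
    return 0;
}
```

The point of the contrast is that the growth loop itself is sound: the buffer is sized by the return value of a bounded vsnprintf, so neither a long message nor an odd one can write past it. What would make a call through this helper exploitable is a caller that hands an externally controlled string in the `message` position; the errors.c call shown in the report passes a literal "%s" there, so the interesting question is whether any other caller does not.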

