Package: came
Version: 1.9-3.1
Severity: normal
Usertags: sourcescan
The code contains a buffer overflow in handling a long HOME
environment variable, although it looks like somebody has
attempted to patch this at some time in the past.
The code reads:
    /* read config */
    if (config_file) {
        cfg_parse_file(config_file);
    } else {
        sprintf(filename, "%s/%s", getenv("HOME"), ".camErc");
        memset(filename, '\0', sizeof(filename));
        snprintf(filename, sizeof(filename)-1, "%s/%s", getenv("HOME"), ".camErc");
        cfg_parse_file(filename);
    }
The first sprintf merrily stomps all over the end of the filename buffer,
which is then emptied and filled in a bounded way.
Whilst this isn't a security issue, it is an annoyance which should be
fixed: simply remove the sprintf line, letting the snprintf line do
the right thing.
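For comparison, here is a bounded version of that path construction that also covers the two cases the quoted code ignores: getenv("HOME") returning NULL and the result not fitting the buffer. This is added example code, not part of camE or of the report; the function names and the 256-byte buffer size are assumptions, only the ".camErc" file name comes from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_NAME ".camErc"   /* file name taken from the report */

/* Build "<home>/.camErc" into buf without ever writing past bufsz.
 * Returns 0 on success, -1 if home is NULL/empty or buf unusable,
 * -2 if the path would be truncated (buf is left empty in that case). */
int build_rc_path(char *buf, size_t bufsz, const char *home)
{
    if (buf == NULL || bufsz == 0)
        return -1;
    buf[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;                     /* getenv() may return NULL */

    int n = snprintf(buf, bufsz, "%s/%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';                 /* never use a truncated path */
        return -2;
    }
    return 0;
}

/* Wrapper mirroring the original call site, which reads HOME itself. */
int build_rc_path_from_env(char *buf, size_t bufsz)
{
    return build_rc_path(buf, bufsz, getenv("HOME"));
}

int main(void)
{
    char filename[256];
    char longhome[1024];               /* constructed oversize HOME */
    memset(longhome, 'X', sizeof(longhome) - 1);
    longhome[sizeof(longhome) - 1] = '\0';

    int rc = build_rc_path(filename, sizeof filename, "/home/steve");
    printf("normal HOME: rc=%d path=%s\n", rc, filename);
    rc = build_rc_path(filename, sizeof filename, longhome);
    printf("oversize HOME: rc=%d (truncation refused)\n", rc);
    rc = build_rc_path(filename, sizeof filename, NULL);
    printf("unset HOME: rc=%d\n", rc);
    return 0;
}
```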
Demo:
[EMAIL PROTECTED]:/tmp/came-1.9$ ulimit -c 9999
[EMAIL PROTECTED]:/tmp/came-1.9$ HOME=`perl -e 'print "X"x33433'` camE -d -s
Segmentation fault
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages came depends on:
ii giblib1 1.2.4-4 wrapper library for imlib2, and ot
ii libc6 2.5-11 GNU C Library: Shared libraries
ii libcurl4-openssl 7.16.2-4 Multi-protocol file transfer libra
ii libimlib2 1.3.0.0debian1-4 powerful image loading and renderi
Versions of packages came recommends:
pn ttf-freefont <none> (no description available)
-- no debconf information
Steve