Package: util-linux
Version: 2.12r-19
Severity: normal
File: /usr/bin/setterm

Hi,

the setterm source in util-linux-2.12r/misc-utils/setterm.c,
function parse_snapfile, around line 513, contains the following
bit of code:

        if (argc == 1)
                strcpy((char *)opt_all, argv[0]);

Since 'opt_all' points to a fixed-size (200-byte) buffer and argv[0] is
taken directly from the command line, this leads to a buffer overflow.
Probably the following crash is a symptom of the problem:

    [EMAIL PROTECTED] [/mnt/source] setterm -file $(python -c "print 'x'*1000")
    Segmentation fault

While the issue does not look particularly exploitable to me (getting
control over somebody else's setterm command line arguments does not
seem easy), I think it would be good to fix this anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages util-linux depends on:
ii  libc6                   2.5-11           GNU C Library: Shared libraries
ii  libncurses5             5.6-3            Shared libraries for terminal hand
ii  libslang2               2.0.7-2          The S-Lang programming library - r
ii  libuuid1                1.40-1           universally unique id library
ii  lsb-base                3.1-23.1         Linux Standard Base 3.1 init scrip
ii  tzdata                  2007f-9          time zone and daylight-saving time
ii  zlib1g                  1:1.2.3.3.dfsg-3 compression library - runtime

util-linux recommends no packages.

-- no debconf information
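
A bounded replacement for the strcpy quoted in the report, as an added example that is not part of the original message or of the util-linux source. The helper names and OPT_ALL_SIZE are hypothetical (the 200 comes from the report), and the copy rejects an overlong argument rather than truncating it:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPT_ALL_SIZE 200 /* buffer size stated in the report */

/* Hypothetical helper: copy src into dst only if it fits, NUL included.
 * Returns 0, or -1 with errno set; nothing is written on failure. */
static int copy_arg_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src); /* argv strings are NUL-terminated */
    if (len >= dstsize) {
        errno = ENAMETOOLONG; /* refuse instead of silently truncating */
        return -1;
    }
    memcpy(dst, src, len + 1); /* len + 1 <= dstsize */
    return 0;
}

/* Stand-in for the argc == 1 branch quoted in the report. */
static int parse_snapfile_checked(int argc, char *argv[], char *opt_all)
{
    if (argc != 1)
        return -1;
    return copy_arg_bounded(opt_all, OPT_ALL_SIZE, argv[0]);
}

/* Constructed input: one argument of n 'x' characters. */
static int try_arg_of_length(size_t n)
{
    char opt_all[OPT_ALL_SIZE];
    char *argv[1];
    int rc;
    argv[0] = malloc(n + 1);
    if (argv[0] == NULL)
        return -2;
    memset(argv[0], 'x', n);
    argv[0][n] = '\0';
    rc = parse_snapfile_checked(1, argv, opt_all);
    free(argv[0]);
    return rc;
}

int main(void)
{
    printf("199: %d, 200: %d, 1000: %d\n", try_arg_of_length(199),
           try_arg_of_length(200), try_arg_of_length(1000));
    return 0;
}
```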

