Package: xpp
Version: 1.5-cvs20081009-3
Severity: important
Tags: patch

xpp allocates a 128 byte buffers for the printer selection menu and writes
to the allocated space using unchecked sprintf. It is easy to see
that this may lead to a buffer overflow and subsequent heap corruption.

The following patch fixes a crash due to the above mentioned heap corruption
by replacing malloc+sprintf by asprintf:

--- xpp-1.5-cvs20081009.orig/xpp.cxx
+++ xpp-1.5-cvs20081009/xpp.cxx
@@ -311,7 +311,7 @@ printFiles::printFiles(int  argc, /* I -
     // Set up text for menu entry
-    menu_strs[i]=(char *)calloc(sizeof(char),128);
+    //menu_strs[i]=(char *)calloc(sizeof(char),128);
     // Get printer information to show in the menu entry
@@ -366,25 +366,25 @@ printFiles::printFiles(int  argc, /* I -
     int prtype = CupsHelper::printerType(dests[i].name);
     if ( prtype < 0 ) {
       if ( dests[i].instance != NULL )
-        sprintf(menu_strs[i], "%s on %s: Destination not available",
+        asprintf(&menu_strs[i], "%s on %s: Destination not available",
                 dests[i].instance, dests[i].name);
-        sprintf(menu_strs[i], "%s: Destination not available",
+        asprintf(&menu_strs[i], "%s: Destination not available",
     } else if ((prtype & CUPS_PRINTER_CLASS) || 
                (prtype & CUPS_PRINTER_IMPLICIT)) {
       if ( dests[i].instance != NULL )
-        sprintf(menu_strs[i], "%s on %s: %s (printer class)",
+        asprintf(&menu_strs[i], "%s on %s: %s (printer class)",
                 dests[i].instance, dests[i].name, comment);
-        sprintf(menu_strs[i], "%s: %s (printer class)",
+        asprintf(&menu_strs[i], "%s: %s (printer class)",
                dests[i].name, comment);
     } else {
       if ( dests[i].instance != NULL )
-        sprintf(menu_strs[i], "%s on %s: %s (single printer)",
+        asprintf(&menu_strs[i], "%s on %s: %s (single printer)",
                 dests[i].instance, dests[i].name, comment);
-        sprintf(menu_strs[i], "%s: %s (single printer)",
+        asprintf(&menu_strs[i], "%s: %s (single printer)",
                 dests[i].name, comment);

There are more places where sprintf is used, so I would guess there are
also more places where buffer overflows can occur, but I have not checked them.

I am not sure whether this has any security implications, but I would
not be surprised if.

                        Attila Kinali

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages xpp depends on:
ii  libc6       2.26-4
ii  libcups2    2.2.6-4
ii  libfltk1.1  1.1.10-23
ii  libgcc1     1:7.2.0-19
ii  libstdc++6  7.2.0-19

xpp recommends no packages.

xpp suggests no packages.

-- no debconf information

Reply via email to