> I don't see where the buf parameter can be exploited. All pmsg calls are
> either with an "internal" buffer or
> with one that was sprintf-ed in. So even passing a display of "%s" hoping
> for a core dump doesn't do.
An invalid display argument is a string that looks like a valid display,
but has a screen number that's out of range. What happens then is a buffer
in x-gw's main() function gets built with an error message using sprintf
using the parsed display argument:
    if( (pid=atoi(dpy+len+1)) < 0 || pid>(toport-BASE_PORT) ) {
        /* dpy+len+1 is the user-supplied screen part, copied into buf unchanged */
        sprintf(buf,"Invalid display=%s. Must be 0-100\n",dpy+len+1);
        pmsg(buf,0);    /* pmsg() then hands buf to fprintf() as the format */
        goto out;
    }
'len' points to the ":" in the display string in this case.
If you use "-disp xxx:9999%s", it ends up in the string passed to pmsg(),
which displays an error message using fprintf(stderr, buf). That causes a
core dump for me.
I note with some amusement that the original advisory said there'd be an
exploit posted on the geekgang website <http://www.geekgang.co.uk>; as far
as I can tell, there's nothing there (literally).
-Rick
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
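Added example, not Rick's code and not taken from x-gw: a stand-alone C program that replicates the display-argument check quoted above and puts the format-string sink beside a hardened pmsg(). The names parse_display(), pmsg_vulnerable(), pmsg_safe(), count_format_directives(), the MSGSIZE buffer size and the max_screen parameter (standing in for toport-BASE_PORT) are all assumptions made for the example; x-gw's real pmsg() signature is not reproduced. The sample display strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSGSIZE 256   /* assumed buffer size; the message gives none for x-gw's buf */

/* Stand-in for x-gw's pmsg(): the bug is that the caller's buffer becomes the
 * printf format. Written as a va_list wrapper so it compiles cleanly; it is
 * never called below, because "%s" in buf would dereference garbage pointers. */
static void pmsg_vulnerable(const char *buf, ...)
{
    va_list ap;
    va_start(ap, buf);
    vfprintf(stderr, buf, ap);   /* attacker-controlled format string */
    va_end(ap);
}

/* Hardened form: buf is data, the format is a constant. Returns bytes written. */
static int pmsg_safe(const char *buf)
{
    return fprintf(stderr, "%s", buf);
}

/* Count conversion directives printf would act on; "%%" is a literal percent. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Mirrors the check quoted from x-gw's main(): "host:screen" yields the screen
 * number, anything else yields -1 with the error text built in msg.
 * max_screen stands in for (toport-BASE_PORT). */
static int parse_display(const char *dpy, int max_screen, char *msg, size_t msgsize)
{
    const char *colon = strchr(dpy, ':');
    int pid;

    msg[0] = '\0';
    if (colon == NULL) {
        snprintf(msg, msgsize, "Invalid display=%s. No screen number\n", dpy);
        return -1;
    }
    /* atoi("9999%s") == 9999: the trailing "%s" is not rejected, only ignored */
    pid = atoi(colon + 1);
    if (pid < 0 || pid > max_screen) {
        /* snprintf in place of the original sprintf, so a long display cannot overrun msg */
        snprintf(msg, msgsize, "Invalid display=%s. Must be 0-%d\n", colon + 1, max_screen);
        return -1;
    }
    return pid;
}

int main(int argc, char **argv)
{
    /* constructed sample; "-disp xxx:9999%s" from the message above is the interesting one */
    const char *dpy = argc > 1 ? argv[1] : "xxx:9999%s";
    char msg[MSGSIZE];

    if (parse_display(dpy, 100, msg, sizeof msg) < 0) {
        printf("directives an unsafe pmsg() would interpret: %d\n",
               count_format_directives(msg));
        pmsg_safe(msg);          /* prints the "%s" literally */
        (void)pmsg_vulnerable;   /* deliberately unused: see the comment above it */
    }
    return 0;
}
```

The point the test pins down is that the screen-number check passes the attacker's trailing "%s" straight through into the error buffer, so whether that buffer is later treated as a format (pmsg_vulnerable) or as data (pmsg_safe) is the whole difference between a crash and a harmless message.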