Bug#698189: swath: Buffer Overflow with console args is possible.
On Tue, Jan 15, 2013 at 10:45 PM, Dominik Maier domen...@gmail.com wrote:

> Only issue I could think of is that it could be used to escalate permissions of an attacker to swath's user's context. Then again, the system already has to be infiltrated to do that...

So, it's still possible to exploit by explicitly invoking swath mule mode in some scripts or so. I think I'll fix this.

Regards,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/
Bug#698189: swath: Buffer Overflow with console args is possible.
You have already fixed it, haven't you? ;)

On Wed, Jan 16, 2013 at 3:53 PM, Theppitak Karoonboonyanan t...@linux.thai.net wrote:

> So, it's still possible to exploit by explicitly invoking swath mule mode in some scripts or so. I think I'll fix this.
Bug#698189: swath: Buffer Overflow with console args is possible.
On Wed, Jan 16, 2013 at 10:55 PM, Dominik Maier domen...@gmail.com wrote:

> You have already fixed it, haven't you? ;)

I mean, with Debian upload.

Regards,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/
Bug#698189: swath: Buffer Overflow with console args is possible.
Yes, you should get the latest version to the repository.

On Wed, Jan 16, 2013 at 4:57 PM, Theppitak Karoonboonyanan t...@linux.thai.net wrote:

> On Wed, Jan 16, 2013 at 10:55 PM, Dominik Maier domen...@gmail.com wrote:
>
>> You have already fixed it, haven't you? ;)
>
> I mean, with Debian upload.
>
> Regards,
> --
> Theppitak Karoonboonyanan
> http://linux.thai.net/~thep/
Bug#698189: swath: Buffer Overflow with console args is possible.
On Wed, Jan 16, 2013 at 11:00 PM, Dominik Maier domen...@gmail.com wrote:

> Yes, you should get the latest version to the repository.

No, Wheezy is now frozen. I had better backport the patch.

Regards,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/
Bug#698189: swath: Buffer Overflow with console args is possible.
On Tue, Jan 15, 2013 at 6:44 AM, Dominik Maier domen...@gmail.com wrote:

> Buffer overflow because of strcpy with possibility to inject shellcode:
>
> swath mule -b [More than 20 to overflow and possibly inject shellcode.] emptyfile
>
> problematic lines are:
>
>     char stopstr[20];
>     if (muleMode) strcpy(stopstr,wbr);
>
> Instead, you should change the size of stopstr according to wbr.
> Even better would be simply to change the address of stopstr like
>
>     char stopstr[20];
>     if (muleMode) stopstr = wbr;

Thanks for the report. I've applied the fix upstream:

http://linux.thai.net/websvn/wsvn/software.swath?op=compcompare[]=%2Ftrunk@237compare[]=%2Ftrunk@238

I'm estimating the risk to decide what to do in Debian. The use of Mule mode is quite rare, IMO.

Regards,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/
Bug#698189: swath: Buffer Overflow with console args is possible.
Hi,

The argument will most likely not come from untrusted sources, I guess? So it's no severe risk.

Only issue I could think of is that it could be used to escalate permissions of an attacker to swath's user's context. Then again, the system already has to be infiltrated to do that...

Regards
Dominik Maier

On 15.01.2013 at 09:26, Theppitak Karoonboonyanan t...@linux.thai.net wrote:

> On Tue, Jan 15, 2013 at 6:44 AM, Dominik Maier domen...@gmail.com wrote:
>
>> Buffer overflow because of strcpy with possibility to inject shellcode:
>>
>> swath mule -b [More than 20 to overflow and possibly inject shellcode.] emptyfile
>>
>> problematic lines are:
>>
>>     char stopstr[20];
>>     if (muleMode) strcpy(stopstr,wbr);
>>
>> Instead, you should change the size of stopstr according to wbr.
>> Even better would be simply to change the address of stopstr like
>>
>>     char stopstr[20];
>>     if (muleMode) stopstr = wbr;
>
> Thanks for the report. I've applied the fix upstream:
>
> http://linux.thai.net/websvn/wsvn/software.swath?op=compcompare[]=%2Ftrunk@237compare[]=%2Ftrunk@238
>
> I'm estimating the risk to decide what to do in Debian. The use of Mule mode is quite rare, IMO.
>
> Regards,
> --
> Theppitak Karoonboonyanan
> http://linux.thai.net/~thep/
Bug#698189: swath: Buffer Overflow with console args is possible.
Package: swath
Version: 0.4.0-4

Buffer overflow because of strcpy with possibility to inject shellcode:

swath mule -b [More than 20 to overflow and possibly inject shellcode.] emptyfile

problematic lines are:

    char stopstr[20];
    if (muleMode) strcpy(stopstr,wbr);

Instead, you should change the size of stopstr according to wbr.
Even better would be simply to change the address of stopstr like

    char stopstr[20];
    if (muleMode) stopstr = wbr;

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages swath depends on:
ii  libc6       2.11.3-4    Embedded GNU C Library: Shared lib
ii  libdatrie1  0.2.4-1     Double-array trie library
ii  libgcc1     1:4.4.5-8   GCC support library
ii  libstdc++6  4.4.5-8     The GNU Standard C++ Library v3

swath recommends no packages.

swath suggests no packages.

-- no debconf information
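
The two remedies named in the report above (size the copy to the buffer, or point at wbr instead of copying), as an added example that is not taken from the report or from swath's source. STOPSTR_SIZE, copy_stopstr, select_stopstr and the fallback separator are names assumed here; the aliasing variant uses a const char pointer because a C array cannot be assigned to.

```c
#include <stdio.h>
#include <string.h>

#define STOPSTR_SIZE 20   /* size of stopstr[] in the report */

/* The reported pattern, for reference (not executed here):
 *     char stopstr[20];
 *     if (muleMode) strcpy(stopstr, wbr);
 * strcpy writes strlen(wbr) + 1 bytes, so a wbr of 20 or more
 * characters is written past the end of the stack buffer. */

/* Bounded copy: returns 0 on success, -1 if wbr plus its NUL does not
 * fit. On failure dst is left as an empty string instead of being
 * silently truncated, so the caller can refuse the argument. */
int copy_stopstr(char *dst, size_t dstsize, const char *wbr)
{
    size_t len;
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (wbr == NULL)
        return -1;
    len = strlen(wbr);
    if (len >= dstsize)
        return -1;
    memcpy(dst, wbr, len + 1);   /* len + 1 <= dstsize is guaranteed */
    return 0;
}

/* Alias instead of copy: no fixed-size buffer is involved at all.
 * "fallback" is a hypothetical separator for the non-mule case. */
const char *select_stopstr(int muleMode, const char *wbr, const char *fallback)
{
    return (muleMode && wbr != NULL) ? wbr : fallback;
}

int main(void)
{
    char stopstr[STOPSTR_SIZE];
    const char *ok = "|";                             /* constructed input */
    const char *too_long = "xxxxxxxxxxxxxxxxxxxxxxxx"; /* constructed, > 19 chars */
    printf("short: %d\n", copy_stopstr(stopstr, sizeof stopstr, ok));
    printf("long:  %d\n", copy_stopstr(stopstr, sizeof stopstr, too_long));
    printf("alias: %zu chars\n", strlen(select_stopstr(1, too_long, "")));
    return 0;
}
```

The aliasing variant is only safe while the pointed-to argument outlives every use of the pointer, which holds for argv strings for the life of the process.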