Bug#714617: Lingot: several vulnerabilities

2017-08-28 Thread trebmuh

Dear all,

Building Lingot from Debian Stretch on a Stretch with this patch gives 
me a segfault when launching Lingot.


Hope that helps.



Bug#714617: Lingot: several vulnerabilities

2016-10-23 Thread Petter Reinholdtsen
Control: tags -1 + patch

Hi.  I am not the maintainer, just a random Debian developer passing by this
bug, but wanted to provide a suggestion.

[Hamid Zamani 2013-07-03]
> The patch is almost ready. Please review it and tell me about that.

As the Debian maintainer seems to be busy, perhaps you instead can try to send
the patch to the lingot developers, see <http://www.nongnu.org/lingot/>
for contact details?

-- 
Happy hacking
Petter Reinholdtsen



Bug#714617: Lingot: several vulnerabilities

2013-07-03 Thread Hamid Zamani
Hi,

The patch is almost ready. Please review it and tell me about that.

Thanks,
Hamid Zamani
  

lingot-0.9.1.patch
Description: Binary data


Bug#714617: Lingot: several vulnerabilities

2013-07-01 Thread Hamid Zamani



Package: Lingot
version: 0.9.1-2
Severity: critical

Dear Maintainer,

Several vulnerabilities were found in the latest version of lingot, as explained
further below:

[1] :: [File] = lingot-config.c , [Lines] 192 ~ 197 :

if ((fp = fopen(filename, "w")) == NULL) {
    char buff[100]; // = if I select a filename larger than [100 - 26] and
                    // lead the program to here, program will crash.
    sprintf(buff, "error saving config file %s ", filename);
    perror(buff);
    return;
}

##

[2] :: [File] = lingot.c , [Lines] 41 , 85 ~ 86 , 108 ~ 109 , 127 ~ 131 :

41 : char CONFIG_FILE_NAME[100];

85 ~ 86 :
sprintf(CONFIG_FILE_NAME, "%s/" CONFIG_DIR_NAME DEFAULT_CONFIG_FILE_NAME,
        getenv("HOME"));

108 ~ 109 :
sprintf(CONFIG_FILE_NAME, "%s/%s%s.conf", getenv("HOME"),
        CONFIG_DIR_NAME, optarg);

127 ~ 131 :
char config_dir[100];
sprintf(config_dir, "%s/.lingot/", getenv("HOME"));
printf("creating directory %s ...\n", config_dir);
mkdir(config_dir, 0777); // create the directory.
printf("creating file %s ...\n", CONFIG_FILE_NAME);

If I change $HOME to a larger one, Lingot will crash here.


##


[3] :: [File] = lingot-config.h , [Lines] 41 ~ :

41 :
struct _LingotConfig {

audio_system_t audio_system;

char audio_dev[3][80]; // = !!!

...

At this section, if I manually set
AUDIO_DEV_ALSA = plguhw:0 =  AUDIO_DEV_ALSA = plguhw...AA:0
the program crashes here.

##

[4] :: [File] = lingot-config.h , [Lines] ?? :

251 : void lingot_config_load(LingotConfig* config, char* filename) {

273 ~ 283 :
#   define MAX_LINE_SIZE 100

char char_buffer[MAX_LINE_SIZE];

if ((fp = fopen(filename, "r")) == NULL) {
    sprintf(char_buffer,
            "error opening config file %s, assuming default values ",
            filename); // = !!!
    perror(char_buffer);
    return;
}

And because of MAX_LINE_SIZE, if I select a larger filename, the program crashes
here.

also is in 192 ~ 197 !

##

If I can help in the fixing process, please let me know.

Thank you,
Hamid Zamani
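
A bounded version of the three patterns listed in the report above (path building, the 80-byte audio_dev field, the error message), as an added example that is not part of this thread, of the attached patch, or of Lingot's code. The function names, PATH_BUF, AUDIO_DEV_LEN, the value of CONFIG_DIR_NAME and the sample strings are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CONFIG_DIR_NAME ".lingot/" /* assumed, from the report's "%s/.lingot/" */
#define PATH_BUF 100               /* same size as CONFIG_FILE_NAME[100] */
#define AUDIO_DEV_LEN 80           /* same size as audio_dev[3][80] */

/* Build "<home>/.lingot/<name>.conf"; -1 if home is NULL or it does not fit. */
int build_config_path(char *out, size_t outsz, const char *home, const char *name)
{
    if (home == NULL || name == NULL || outsz == 0) /* getenv() may return NULL */
        return -1;
    int n = snprintf(out, outsz, "%s/%s%s.conf", home, CONFIG_DIR_NAME, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0'; /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Copy a device string from the config file into an 80-byte field; -1 if too long. */
int set_audio_dev(char dst[AUDIO_DEV_LEN], const char *value)
{
    size_t len = strlen(value);
    if (len >= AUDIO_DEV_LEN) {
        dst[0] = '\0'; /* reject instead of overflowing or truncating */
        return -1;
    }
    memcpy(dst, value, len + 1);
    return 0;
}

/* Report an fopen() failure without formatting into a fixed-size buffer. */
void report_open_error(const char *what, const char *filename)
{
    fprintf(stderr, "%s %s: %s\n", what, filename, strerror(errno));
}

int main(void)
{
    char path[PATH_BUF], dev[AUDIO_DEV_LEN], long_home[300]; /* constructed input */
    memset(long_home, 'A', sizeof long_home - 1);
    long_home[sizeof long_home - 1] = '\0';
    printf("%d %d\n", build_config_path(path, sizeof path, "/home/user", "lingot"),
           build_config_path(path, sizeof path, long_home, "lingot"));
    printf("%d %d\n", set_audio_dev(dev, "plughw:0"), set_audio_dev(dev, long_home));
    return 0;
}
```
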


  

Bug#714617: Lingot: several vulnerabilities

2013-07-01 Thread Niv Sardi
severity 714617 normal
thanks

thank you for your report.
the problems you identify are bugs, but I think 'critical' is far too high,
there is no security risk as lingot runs unprivileged, and most of the
problems are only triggered by active action.

I'm currently quite overwhelmed with real life so I won't have time to look
at this before a while,
if you want to submit a patch, I'll be happy to review it and apply.

thanks.


On 1 July 2013 08:05, Hamid Zamani m...@hamidx9.ir wrote:

> Package: Lingot
> version: 0.9.1-2
> Severity: critical
>
> Dear Maintainer,
>
> Several vulnerabilities were found in the latest version of lingot, as
> explained further below:
>
> [1] :: [File] = lingot-config.c , [Lines] 192 ~ 197 :
>
> if ((fp = fopen(filename, "w")) == NULL) {
>     char buff[100]; // = if I select a filename larger than [100 -
>                     // 26] and lead the program to here, program will crash.
>     sprintf(buff, "error saving config file %s ", filename);
>     perror(buff);
>     return;
> }
>
> ##
>
> [2] :: [File] = lingot.c , [Lines] 41 , 85 ~ 86 , 108 ~ 109 , 127 ~ 131 :
>
> 41 : char CONFIG_FILE_NAME[100];
>
> 85 ~ 86 :
> sprintf(CONFIG_FILE_NAME, "%s/" CONFIG_DIR_NAME
>         DEFAULT_CONFIG_FILE_NAME,
>         getenv("HOME"));
>
> 108 ~ 109 :
> sprintf(CONFIG_FILE_NAME, "%s/%s%s.conf", getenv("HOME"),
>         CONFIG_DIR_NAME, optarg);
>
> 127 ~ 131 :
> char config_dir[100];
> sprintf(config_dir, "%s/.lingot/", getenv("HOME"));
> printf("creating directory %s ...\n", config_dir);
> mkdir(config_dir, 0777); // create the directory.
> printf("creating file %s ...\n", CONFIG_FILE_NAME);
>
> If I change $HOME to a larger one, Lingot will crash here.
>
> ##
>
> [3] :: [File] = lingot-config.h , [Lines] 41 ~ :
>
> 41 :
> struct _LingotConfig {
>
> audio_system_t audio_system;
>
> char audio_dev[3][80]; // = !!!
>
> ...
>
> At this section, if I manually set
> AUDIO_DEV_ALSA = plguhw:0 =  AUDIO_DEV_ALSA = plguhw...AA:0
> the program crashes here.
>
> ##
>
> [4] :: [File] = lingot-config.h , [Lines] ?? :
>
> 251 : void lingot_config_load(LingotConfig* config, char* filename) {
>
> 273 ~ 283 :
> #   define MAX_LINE_SIZE 100
>
> char char_buffer[MAX_LINE_SIZE];
>
> if ((fp = fopen(filename, "r")) == NULL) {
>     sprintf(char_buffer,
>             "error opening config file %s, assuming default values ",
>             filename); // = !!!
>     perror(char_buffer);
>     return;
> }
>
> And because of MAX_LINE_SIZE, if I select a larger filename, the program
> crashes here.
>
> also is in 192 ~ 197 !
>
> ##
>
> If I can help in the fixing process, please let me know.
>
> Thank you,
> Hamid Zamani




-- 
Niv Sardi


Bug#714617: Lingot: several vulnerabilities

2013-07-01 Thread Hamid Zamani

Yes, you are right, writing mistake.

Ok, I'll submit patch soon.

thanks

Date: Mon, 1 Jul 2013 09:27:28 -0300
Subject: Re: Bug#714617: Lingot: several vulnerabilities
From: xa...@evilgiggle.com
To: m...@hamidx9.ir; 714...@bugs.debian.org; cont...@bugs.debian.org
CC: sub...@bugs.debian.org

severity 714617 normal
thanks

thank you for your report.
the problems you identify are bugs, but I think 'critical' is far too high,
there is no security risk as lingot runs unprivileged, and most of the
problems are only triggered by active action.

I'm currently quite overwhelmed with real life so I won't have time to look at
this before a while,
if you want to submit a patch, I'll be happy to review it and apply.

thanks.