made public because, while I'm certain this is a potential security vulnerability, I can't think of any way to exploit it. The program has segfaulted before a cracker could do any damage.
** Description changed:

  when performing strcasestr to look for a string in another string of
- length 4000 bytes (I have not tested it with files of vastly different
+ length 4000 bytes (I have not tested it with strings of vastly different
  sizes), the returned pointer to character overflows the buffer.
  This is hard to track down because the code does not segfault on that
  call, and it is not until the pointer to the character is used that the
  program will segfault.

  Attached is a piece of code which will reproduce the bug. launchpad
  won't let me attach another file, so an example input file (created by
  copying 4k bytes from /dev/urandom and then replacing 5 bytes with
  "hello") to go with it is at
  http://mafianode.com/~you/ubuntu/strcasestrbug_exampleinput.txt

  I'm running natty.
  $ lsb_release -rd
  Description: Ubuntu 11.04
  Release: 11.04

  I believe this is libc6, but I'm not certain. but, here's the version of
  libc6 I'm running:
  $ apt-cache policy libc6
  libc6:
-   Installed: 2.13-0ubuntu13
-   Candidate: 2.13-0ubuntu13
-   Version table:
-  *** 2.13-0ubuntu13 0
-         500 http://us.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
-     100 /var/lib/dpkg/status
+   Installed: 2.13-0ubuntu13
+   Candidate: 2.13-0ubuntu13
+   Version table:
+  *** 2.13-0ubuntu13 0
+         500 http://us.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
+     100 /var/lib/dpkg/status

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/807154

Title:
  libc has buffer overflow with strcasestr

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/807154/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

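The reporter's reproducer is attached to the Launchpad bug and is not on this page. The following is an added example, written for this edit and not the reporter's or glibc's code, of how a caller can search a fixed-length, possibly binary 4000-byte buffer with strcasestr without depending on the library's return value being sane: the buffer is copied and explicitly NUL-terminated (strcasestr only knows about NUL-terminated strings, so a haystack with no terminator inside the buffer lets the scan run off its end), runs separated by embedded NULs are searched one by one, and the returned pointer is checked to lie entirely inside the buffer before it is used. The function names (find_ci_bounded, make_sample, demo_search), the LCG-generated sample data and the offset 2500 are constructed for this example; the 4000-byte size and the "hello" needle come from the report.

```c
#define _GNU_SOURCE          /* strcasestr() is a GNU extension declared in <string.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype repeated here so the block compiles even if a harness included
 * a system header before the feature macro above took effect. */
extern char *strcasestr(const char *haystack, const char *needle);

#define BUF_LEN 4000         /* same buffer size as in the bug report */

/* Case-insensitive search of a fixed-length, possibly binary buffer.
 * Returns the offset of the first match, or -1 if there is none or if the
 * library handed back a pointer that does not fit inside the buffer. */
long find_ci_bounded(const char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len)
        return -1;

    /* Work on a copy with an explicit terminator: strcasestr() has no length
     * argument, so the NUL is the only thing that stops it reading. */
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, buf, len);
    copy[len] = '\0';

    /* Bytes after an embedded NUL are invisible to strcasestr(); search each
     * NUL-separated run so binary input (as from /dev/urandom) is fully covered. */
    long result = -1;
    size_t start = 0;
    while (start < len) {
        const char *hit = strcasestr(copy + start, needle);
        if (hit != NULL) {
            size_t off = (size_t)(hit - copy);
            /* Validate before dereferencing: the whole match must be inside
             * the buffer, otherwise treat it as "not found". */
            if (off + nlen <= len)
                result = (long)off;
            break;
        }
        start += strlen(copy + start) + 1;  /* step past the NUL that ended this run */
    }
    free(copy);
    return result;
}

/* Constructed sample in the spirit of the reporter's input file: deterministic
 * pseudo-random bytes (so the example runs offline), zero bytes included as
 * they would be in urandom output, with "hello" written at hello_at. */
void make_sample(char *buf, size_t len, size_t hello_at)
{
    unsigned int x = 12345u;
    for (size_t i = 0; i < len; i++) {
        x = x * 1103515245u + 12345u;       /* simple LCG, sample data only */
        buf[i] = (char)(x >> 16);
    }
    memcpy(buf + hello_at, "hello", 5);     /* caller keeps hello_at <= len - 5 */
}

/* Builds the 4000-byte sample and searches it; returns the match offset or -1. */
long demo_search(size_t hello_at, const char *needle)
{
    char buf[BUF_LEN];
    make_sample(buf, sizeof buf, hello_at);
    return find_ci_bounded(buf, sizeof buf, needle);
}

int main(void)
{
    long off = demo_search(2500, "HELLO");
    printf("case-insensitive match at offset %ld\n", off);
    return off == 2500 ? 0 : 1;
}
```

Whatever the root cause of the reported behaviour turns out to be, a caller that keeps the terminator inside its own allocation and refuses any result outside `[buf, buf + len)` turns a wild pointer into a clean "not found" instead of a later segfault or an out-of-bounds read.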