Package: Lingot
version: 0.9.1-2
Severity: critical

Dear Maintainer,

Several vulnerabilities were found in the latest version of lingot, as explained
further below:

[1] :: [File] => lingot-config.c , [Lines] 192 ~ 197 :

    if ((fp = fopen(filename, "w")) == NULL) {
        char buff[100]; // <= if I select a filename longer than [100 - 26] characters
                        // and lead the program here, sprintf() overflows buff and the
                        // program will crash.
        sprintf(buff, "error saving config file %s ", filename);
        perror(buff);
        return;
    }

##################

[2] :: [File] => lingot.c , [Lines] 41 , 85 ~ 86 , 108 ~ 109 , 127 ~ 131 :

41 : char CONFIG_FILE_NAME[100];

85 ~ 86 : 
    sprintf(CONFIG_FILE_NAME, "%s/" CONFIG_DIR_NAME DEFAULT_CONFIG_FILE_NAME,
            getenv("HOME"));

108 ~ 109 :
     sprintf(CONFIG_FILE_NAME, "%s/%s%s.conf", getenv("HOME"),
            CONFIG_DIR_NAME, optarg);

127 ~ 131 : 
    char config_dir[100];
        sprintf(config_dir, "%s/.lingot/", getenv("HOME"));
        printf("creating directory %s ...\n", config_dir);
        mkdir(config_dir, 0777); // creo el directorio.
        printf("creating file %s ...\n", CONFIG_FILE_NAME);

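If I set $HOME to a longer value, Lingot will crash here: each sprintf() above copies the HOME string into a fixed 100-byte buffer (CONFIG_FILE_NAME or config_dir) without any length check.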


##################


[3] :: [File] => lingot-config.h , [Lines] 41 ~ :

41 :
struct _LingotConfig {

    audio_system_t audio_system;

    char audio_dev[3][80]; // <= !!!

...

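In this section, if I manually change the setting
AUDIO_DEV_ALSA = plguhw:0 to AUDIO_DEV_ALSA = 
plguhwAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAA:0
the program crashes here, presumably because the value is copied into an 80-byte audio_dev entry without a length check.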

##################

[4] :: [File] => lingot-config.h , [Lines] ?? :

251 : void lingot_config_load(LingotConfig* config, char* filename) {

273 ~ 283 : 
#   define MAX_LINE_SIZE 100

    char char_buffer[MAX_LINE_SIZE];

    if ((fp = fopen(filename, "r")) == NULL) {
        sprintf(char_buffer,
                "error opening config file %s, assuming default values ",
                filename); // <= !!! 
        perror(char_buffer);
        return;
    }

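Because char_buffer holds only MAX_LINE_SIZE (100) bytes, if I select a longer filename,
sprintf() writes past the end of the buffer and the program crashes here. A bounded call such as snprintf(char_buffer, sizeof char_buffer, ...) would avoid the overflow.

The same problem is at lines 192 ~ 197 (item [1] above).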

##################

If I can help with the fixing process, please let me know.

Thank you,
Hamid Zamani


                                          
