tags 430866 - security
tags 430866 forwarded patch
severity important
thanks
On Wed, Jun 27, 2007 at 04:10:08PM -0400, Patricio Rojo wrote:
> I reported this bug as a security hole just because I found what it
> seems to be a dangling pointer... I have no idea if it could be
> maliciously exploited... so feel free to downgrade its severity if you
> can certify otherwise.

Thanks for your report. I've had a look at the code in question. It treats a "struct string *" as a "char *" when it actually should use the s_str member of "struct string" (config.c:532 and config.c:545). But it's used only in printf-style output and the function called (math_error()) protects against buffer overflow, so I think the worst thing that could happen is garbage output or under rare circumstances a segfault due to nonexistent memory being read. I don't see any way to exploit this, so I'm downgrading the severity.

Depending on how long upstream needs to release a fixed version, I'll either wait for that or upload a new Debian version with the patch below.

Martin

--- apcalc-2.12.1.13/config.c.orig 2007-07-05 09:34:03.000000000 +0200 +++ apcalc-2.12.1.13/config.c 2007-07-05 09:49:47.000000000 +0200 @@ -529,7 +529,7 @@ } temp = lookup_long(modes, vp->v_str->s_str); if (temp < 0) { - math_error("Unknown mode \"%s\"", vp->v_str); + math_error("Unknown mode \"%s\"", vp->v_str->s_str); /*NOTREACHED*/ } math_setmode((int) temp); @@ -542,7 +542,7 @@ } temp = lookup_long(modes, vp->v_str->s_str); if (temp < 0) { - math_error("Unknown mode \"%s\"", vp->v_str); + math_error("Unknown mode \"%s\"", vp->v_str->s_str); /*NOTREACHED*/ } math_setmode2((int) temp);
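Review bot: In the first hunk (@@ -529,7 +529,7 @@) the fix is correct and consistent: the lookup_long() call two lines above already reads vp->v_str->s_str, and the math_error() argument now passes that same char pointer instead of the struct pointer. To have the compiler catch this class of mismatch in future, declare math_error() with __attribute__((format(printf, N, N+1))) (N being the index of its format parameter) if it is not already annotated; gcc's -Wformat, enabled by -Wall, then reports a "struct string *" passed where %s expects a "char *".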
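Review bot: The second hunk (@@ -542,7 +542,7 @@) is a verbatim copy of the first, differing only in math_setmode2() versus math_setmode(): the same lookup_long() on vp->v_str->s_str, the same "Unknown mode" message, the same /*NOTREACHED*/ comment. That duplication is why the identical mistake had to be fixed at both config.c:532 and config.c:545; consider factoring the mode lookup and its error report into one helper so the next fix in this area is applied once.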
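As an added illustration, not code from apcalc or from the patch above, the following constructed C program models what the reply describes: a printf-style error reporter that formats into a bounded buffer (the role math_error() plays), a "struct string" whose text lives behind an s_str member, and the corrected call. The struct layout, report_error(), unknown_mode_message() and the format attribute are assumptions for this example; the attribute is what lets gcc -Wall flag the original mistake at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a "struct string": callers must pass s_str to %s. */
struct string {
    char *s_str;
    size_t s_len;
};

/* Bounded printf-style reporter, modelled on the protection the reply
 * attributes to math_error(): vsnprintf never writes past outsz, so a wrong
 * argument can produce garbage or a crash while reading, but not a buffer
 * overflow.  The format attribute (GCC/Clang) is the detection: with it,
 * passing a "struct string *" for %s is reported by -Wformat (part of -Wall).
 * Returns the length the full message would have had (vsnprintf semantics). */
__attribute__((format(printf, 3, 4)))
static int report_error(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Correct use, mirroring the patched line: pass the char member, not the struct. */
int unknown_mode_message(const struct string *mode, char *out, size_t outsz)
{
    return report_error(out, outsz, "Unknown mode \"%s\"", mode->s_str);
}

/* The original defect, kept as a comment because with the attribute above it
 * no longer compiles cleanly under -Wall -Werror:
 *     report_error(out, outsz, "Unknown mode \"%s\"", mode);
 * %s would then read the raw bytes of the struct (a pointer, then a length)
 * until a NUL byte: the "garbage output or rare segfault" the reply describes. */

int main(void)
{
    struct string mode = { "decimal", 7 };   /* constructed sample input */
    char buf[64];
    unknown_mode_message(&mode, buf, sizeof buf);
    puts(buf);                               /* Unknown mode "decimal" */
    return 0;
}
```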