tags 430866 - security
tags 430866 forwarded patch
severity important
thanks
On Wed, Jun 27, 2007 at 04:10:08PM -0400, Patricio Rojo wrote:
> I reported this bug as a security hole just because I found what it
> seems to be a dangling pointer... I have no idea if it could be
> maliciously exploited... so feel free to downgrade its severity if you
> can certify otherwise.
Thanks for your report. I've had a look at the code in question. It treats
a "struct string *" as a "char *" when it actually should use the s_str
member of "struct string" (config.c:532 and config.c:545). But it's used
only in printf-style output and the function called (math_error()) protects
against buffer overflow, so I think the worst thing that could happen is
garbage output or under rare circumstances a segfault due to nonexistent
memory being read. I don't see any way to exploit this, so I'm downgrading
the severity.
Depending on how long upstream needs to release a fixed version, I'll
either wait for that or upload a new Debian version with the patch below.
Martin
--- apcalc-2.12.1.13/config.c.orig 2007-07-05 09:34:03.000000000 +0200
+++ apcalc-2.12.1.13/config.c 2007-07-05 09:49:47.000000000 +0200
@@ -529,7 +529,7 @@
}
temp = lookup_long(modes, vp->v_str->s_str);
if (temp < 0) {
- math_error("Unknown mode \"%s\"", vp->v_str);
+ math_error("Unknown mode \"%s\"", vp->v_str->s_str);
/*NOTREACHED*/
}
math_setmode((int) temp);
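Review bot: consider declaring math_error() with `__attribute__((format(printf, 1, 2)))` alongside this fix. The corrected line now passes vp->v_str->s_str, the same argument lookup_long() receives two lines above, but the original mismatch (a `struct string *` handed to `%s`) is exactly what gcc's and clang's -Wformat detects at compile time, and the attribute would have flagged both call sites before the report.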
@@ -542,7 +542,7 @@
}
temp = lookup_long(modes, vp->v_str->s_str);
if (temp < 0) {
- math_error("Unknown mode \"%s\"", vp->v_str);
+ math_error("Unknown mode \"%s\"", vp->v_str->s_str);
/*NOTREACHED*/
}
math_setmode2((int) temp);
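Review bot: this block is a copy of the one fixed in the previous hunk (lookup_long() followed by the identical "Unknown mode" error), differing only in the math_setmode2() call, and the duplication is why the same bug existed twice. Suggest folding the lookup and the error into one helper that takes the mode name and calls math_error() itself, so the next change lands in one place.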
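As an added illustration of the defect class Martin describes, written for this review and not taken from calc or from this thread: a stand-in for the corrected path in config.c. The `struct string` / `struct value` pair, the mode table, the bounded `math_error()` stand-in (the real one longjmps; this one records the message) and the helper names are all assumptions. The `format` attribute on the error reporter is the cheap compile-time check for the original mistake, and the bounded `vsnprintf` shows why the worst outcome was garbage output rather than a buffer overflow.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for calc's "struct string": only the member the
 * patch relies on (s_str) plus a length. Not the real definition. */
struct string {
    size_t s_len;
    char *s_str;
};

/* Stand-in for the VALUE the hunk dereferences as vp->v_str. */
struct value {
    struct string *v_str;
};

/* Hypothetical mode table, playing the role of "modes" in config.c. */
static const char *const modes[] = { "dec", "hex", "oct", "bin", NULL };

/* Last formatted error message, kept so callers can inspect it. */
static char last_error[64];

/* The format attribute makes gcc/clang emit a -Wformat warning when a
 * "struct string *" is passed for a "%s" conversion, turning the bug in
 * the report into a compile-time diagnostic. */
static void math_error(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void math_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf never writes past the buffer: an overlong name is truncated,
     * which matches the "garbage output, no overflow" analysis above. */
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Stand-in for lookup_long(): index of name in the table, or -1. */
static long lookup_long(const char *const *table, const char *name)
{
    for (long i = 0; table[i] != NULL; i++)
        if (strcmp(table[i], name) == 0)
            return i;
    return -1;
}

/* Corrected shape of the code in the hunk: lookup and error message both
 * use vp->v_str->s_str. Returns the mode index, or -1 after reporting. */
long set_mode(const struct value *vp)
{
    long temp = lookup_long(modes, vp->v_str->s_str);
    if (temp < 0) {
        /* The reported line was: math_error("Unknown mode \"%s\"", vp->v_str);
         * With the attribute above, that call no longer compiles cleanly. */
        math_error("Unknown mode \"%s\"", vp->v_str->s_str);
        return -1;
    }
    return temp;
}

const char *last_error_message(void)
{
    return last_error;
}

/* Convenience wrapper: build the struct pair around a C string. */
long mode_from_name(const char *name)
{
    struct string s = { strlen(name), (char *)name }; /* s_str is not modified */
    struct value v = { &s };
    return set_mode(&v);
}

/* Returns 1 when a 199-character mode name is rejected and the error
 * message stays inside last_error (truncated, NUL-terminated). */
int long_name_is_bounded(void)
{
    char big[200];
    memset(big, 'x', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (mode_from_name(big) != -1)
        return 0;
    return strlen(last_error) == sizeof last_error - 1;
}

int main(void)
{
    printf("hex   -> %ld\n", mode_from_name("hex"));
    printf("bogus -> %ld (%s)\n", mode_from_name("bogus"), last_error_message());
    printf("long name bounded: %d\n", long_name_is_bounded());
    return 0;
}
```

Compile with `-Wall -Wformat` to see the effect of the attribute: restoring the reported call (passing `vp->v_str`) produces a format warning, whereas the corrected call is silent.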