severity 714617 normal
thanks

Thank you for your report. The problems you identify are bugs, but I think 'critical' is far too high; there is no security risk as lingot runs unprivileged, and most of the problems are only triggered by active action.

I'm currently quite overwhelmed with real life so I won't have time to look at this for a while. If you want to submit a patch, I'll be happy to review it and apply. Thanks.

On 1 July 2013 08:05, Hamid Zamani <m...@hamidx9.ir> wrote:
> Package: Lingot
> version: 0.9.1-2
> Severity: critical
>
> Dear Maintainer,
>
> Several vulnerabilities were found in the latest version of lingot as
> explained further below :
>
> [1] :: [File] => lingot-config.c , [Lines] 192 ~ 197 :
>
>     if ((fp = fopen(filename, "w")) == NULL) {
>         char buff[100]; // <= if I select a filename larger than [100 - 26]
>                         //    and lead the program to here, program will crash.
>         sprintf(buff, "error saving config file %s ", filename);
>         perror(buff);
>         return;
>     }
>
> ##################
>
> [2] :: [File] => lingot.c , [Lines] 41 , 85 ~ 86 , 108 ~ 109 , 127 ~ 131 :
>
> 41 : char CONFIG_FILE_NAME[100];
>
> 85 ~ 86 :
>     sprintf(CONFIG_FILE_NAME, "%s/" CONFIG_DIR_NAME
>             DEFAULT_CONFIG_FILE_NAME,
>             getenv("HOME"));
>
> 108 ~ 109 :
>     sprintf(CONFIG_FILE_NAME, "%s/%s%s.conf", getenv("HOME"),
>             CONFIG_DIR_NAME, optarg);
>
> 127 ~ 131 :
>     char config_dir[100];
>     sprintf(config_dir, "%s/.lingot/", getenv("HOME"));
>     printf("creating directory %s ...\n", config_dir);
>     mkdir(config_dir, 0777); // create the directory.
>     printf("creating file %s ...\n", CONFIG_FILE_NAME);
>
> If I change $HOME to a larger one, Lingot will crash here.
>
> ##################
>
> [3] :: [File] => lingot-config.h , [Lines] 41 ~ :
>
> 41 :
>     struct _LingotConfig {
>
>         audio_system_t audio_system;
>
>         char audio_dev[3][80]; // <= !!!
>
>         ...
>
> At this section, if I manually set
> AUDIO_DEV_ALSA = plguhw:0 = > AUDIO_DEV_ALSA =
> plguhwAAAAAAAAAAAAAAAAAAAA...AAAAAAAAAAAAAAAAAA:0
> program crashes here.
>
> ##################
>
> [4] :: [File] => lingot-config.h , [Lines] ?? :
>
> 251 : void lingot_config_load(LingotConfig* config, char* filename) {
>
> 273 ~ 283 :
>     # define MAX_LINE_SIZE 100
>
>     char char_buffer[MAX_LINE_SIZE];
>
>     if ((fp = fopen(filename, "r")) == NULL) {
>         sprintf(char_buffer,
>                 "error opening config file %s, assuming default values ",
>                 filename); // <= !!!
>         perror(char_buffer);
>         return;
>     }
>
> And because of MAX_LINE_SIZE, if I select a larger filename, program
> crashes here.
>
> Also is in 192 ~ 197 !
>
> ##################
>
> If I can help in the fixing process please let me know.
>
> Thank you,
> Hamid Zamani
>

--
Niv Sardi
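
An added example, not Lingot's code and not a patch from this thread: one way to bound the three patterns the report points at (path building from $HOME, copying a config value into an 80-byte slot, and formatting an fopen() error). The function names, buffer macros and sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 100   /* same size as CONFIG_FILE_NAME in the report */
#define DEV_BUF  80    /* same size as one audio_dev[] slot */

/* Build "<home>/<dir><name>.conf" (format string from lingot.c 108 ~ 109).
 * Returns 0 on success, -1 if home is unset or the result would not fit. */
int build_config_path(char *out, size_t outsz, const char *home,
                      const char *dir, const char *name)
{
    if (home == NULL || outsz == 0)
        return -1;                      /* getenv("HOME") may return NULL */
    int n = snprintf(out, outsz, "%s/%s%s.conf", home, dir, name);
    if (n < 0 || (size_t)n >= outsz) {  /* n is the untruncated length */
        out[0] = '\0';                  /* never hand back a partial path */
        return -1;
    }
    return 0;
}

/* Copy a config value into a fixed slot, rejecting oversized input. */
int set_audio_dev(char slot[DEV_BUF], const char *value)
{
    size_t len = strlen(value);
    if (len >= DEV_BUF)
        return -1;
    memcpy(slot, value, len + 1);       /* +1 copies the terminator */
    return 0;
}

/* Report an fopen() failure without a scratch buffer: the file name goes
 * straight to fprintf, so its length no longer matters. */
void report_open_error(const char *what, const char *filename)
{
    fprintf(stderr, "%s %s: %s\n", what, filename, strerror(errno));
}

int main(void)
{
    char path[PATH_BUF], dev[DEV_BUF], long_home[300];
    memset(long_home, 'A', sizeof long_home - 1);   /* constructed input */
    long_home[sizeof long_home - 1] = '\0';
    printf("%d\n", build_config_path(path, sizeof path, "/home/u", ".lingot/", "lingot"));
    printf("%d\n", build_config_path(path, sizeof path, long_home, ".lingot/", "lingot"));
    printf("%d\n", set_audio_dev(dev, long_home));
    return 0;
}
```

Rejecting the over-long path outright, rather than using the truncated result, avoids silently reading or writing a different file than the one requested.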