Anon Sricharoenchai wrote:
> Package: mimms
> Version: 0.0.9-1
> Severity: grave
> Justification: user security hole
> Tags: security patch
>
> According to the patch attached in this report, it has many possible buffer
> overflows.
> For example,
> - memcpy(buf, data, length) without bounding the limit of "length",
>   while "length" depends on the input data incoming from the internet.
> - read(s, data, BUF_SIZE) in main(), where BUF_SIZE is much greater than
>   sizeof(data) which is only 1024 chars allocated in main(), while
>   BUF_SIZE is defined as 1024*128.
Whoa! Good work Anon! I'm impressed.

I've assigned CVE-2006-2200 to these issues.

One question remains, though:

> + // buf_size = min(count, buf_size);
> + if (buf_size > count) buf_size = count;

Is there any reason not to write min() here?

Regards,
Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.
Please always Cc to me when replying to me on the lists.
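Review bot: the clamp `if (buf_size > count) buf_size = count;` silently copies fewer bytes than the peer claimed, so the code that follows should be told the length was reduced (for example through the return value) and treat a stream that claims more than fits as malformed rather than partially consume it; on the style point in the comment above it, C has no standard `min()`, so either define a macro or keep the explicit comparison.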
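As an added C example, not code from mimms or from the attached patch, here are the two fixes the report asks for: a copy that clamps a network-supplied length to the space left in the destination (the same comparison the patch uses) and a read() whose count is the destination's size rather than a larger global. The names DATA_SIZE, bounded_append and read_bounded are assumptions of this example, and the inputs are constructed inline.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define DATA_SIZE 1024   /* hypothetical: the 1024-byte buffer from the report's main() */

/* Append up to `length` bytes of `data` to `buf`, never past buf_size.
 * Returns min(length, buf_size - *used), the clamp the patch spells out as
 * "if (buf_size > count) buf_size = count;". A short return is the caller's
 * signal that the peer claimed more than fits. */
size_t bounded_append(char *buf, size_t buf_size, size_t *used,
                      const char *data, size_t length)
{
    size_t space = *used < buf_size ? buf_size - *used : 0;  /* 0 on bad state */
    size_t n = length < space ? length : space;
    memcpy(buf + *used, data, n);
    *used += n;
    return n;
}

/* The read() count is the destination's size, not a larger global such as
 * BUF_SIZE (1024*128 in the report). */
ssize_t read_bounded(int fd, char *dst, size_t dst_size)
{
    return read(fd, dst, dst_size);
}

/* Constructed input: the stream claims 4096 bytes for a 1024-byte buffer. */
size_t demo_clamp(void)
{
    char buf[DATA_SIZE], src[4096];
    size_t used = 0, claimed = 4096;      /* "length" as parsed from the wire */
    memset(src, 'A', sizeof src);
    return bounded_append(buf, sizeof buf, &used, src, claimed);   /* 1024, not 4096 */
}

/* Constructed input: 3000 bytes are available on a pipe, dst holds 1024. */
ssize_t demo_read(void)
{
    int fds[2];
    char big[3000], data[DATA_SIZE];
    if (pipe(fds) != 0) return -1;
    memset(big, 'B', sizeof big);
    if (write(fds[1], big, sizeof big) != (ssize_t)sizeof big) return -1;
    close(fds[1]);
    ssize_t n = read_bounded(fds[0], data, sizeof data);   /* at most 1024 */
    close(fds[0]);
    return n;
}
```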