Re: Possible bufferoverflow condition in lpr, xterm and xload
daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Aug 13 12:57:55 1996
Date: Tue, 13 Aug 1996 12:13:40 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Casper Dik <casper@holland.Sun.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Your message of "Tue, 13 Aug 1996 00:49:16 MDT."
<Pine.LNX.3.91.960813004759.24815B-100000@garrison.inetcan.net>
Digital Dreamer <dreamer@garrison.inetcan.net>:
>On Tue, 13 Aug 1996, bloodmask wrote:
>> xterm, xload, both segmented when supplied with -display commandline
>> argument / environment variable above its buffer size. Probably
>> exploitable, although I haven't gotten around to verifying this myself,
>> I'd like to hear comments concerning this suspicion of mine.
>
>The fact that it's in the -display variable, which isn't handled by
>the program but rather the X toolkit it was compiled with, implies
>that this could be a problem with all X programs using this particular
>toolkit. I'm pretty sure Xterm is compiled with the Athena set, which
>is (I believe) the most common library, followed by Mosaic.
Looks like a problem in X11R6: XOpenDisplay() (OpenDis.c) calls
a function in lib/X11/ConnDis.c which does a sprintf(address,....).
address is a static buffer of size 128.
In X11R5 (and before??), there's also a sprintf but in a buffer
allocated with the proper size.
Casper
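Added example, not code from Casper's message or from the X11 sources: the fixed-buffer sprintf pattern he describes, placed beside a bounded variant that refuses an oversized display string instead of writing past the buffer. The 128-byte buffer size comes from the message; the "host:display" format string, the function names and the ADDRESS_LEN macro are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size as stated in the message. The format string and the function
 * names in this file are assumptions for illustration, not X11 code. */
#define ADDRESS_LEN 128

/* The pattern the message describes: sprintf into a fixed static buffer.
 * A display string longer than the buffer is written past its end.
 * Kept only for comparison; never call this with untrusted input. */
static char address[ADDRESS_LEN];
const char *format_address_unbounded(const char *host, int dpy)
{
    sprintf(address, "%s:%d", host, dpy);   /* no length check at all */
    return address;
}

/* Hardened form: snprintf with the destination size plus an explicit
 * truncation check. Returns 0 on success, -1 if the result would not fit,
 * so the caller can reject the display string instead of proceeding. */
int format_address_bounded(char *out, size_t outlen, const char *host, int dpy)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s:%d", host, dpy);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                      /* leave a valid empty string */
        return -1;
    }
    return 0;
}

/* Self-check: a normal display name fits, an overlong constructed one is
 * rejected and the buffer is left as an empty string. Returns 1 if both hold. */
int address_selfcheck(void)
{
    char buf[ADDRESS_LEN];
    char longhost[ADDRESS_LEN * 2];         /* constructed oversized input */

    if (format_address_bounded(buf, sizeof buf, "localhost", 0) != 0)
        return 0;
    if (strcmp(buf, "localhost:0") != 0)
        return 0;

    memset(longhost, 'A', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';
    if (format_address_bounded(buf, sizeof buf, longhost, 0) != -1)
        return 0;
    return buf[0] == '\0';
}

int main(void)
{
    int ok = address_selfcheck();
    printf("bounded address formatting self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the bounded version is that the length decision is made by the callee before any byte past the buffer can be touched, which is exactly what the X11R6 sprintf call lacks; the R5 behaviour Casper mentions (allocating the buffer at the proper size) is the other correct fix.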