[4108] in bugtraq

Re: libX11

daemon@ATHENA.MIT.EDU (David Sacerdote)
Fri Feb 28 15:31:50 1997

Date: 	Fri, 28 Feb 1997 12:35:07 -0700
Reply-To: David Sacerdote <davids@secnet.com>
From: David Sacerdote <davids@secnet.com>
To: BUGTRAQ@netspace.org

Paul Szabo <szabo_p@MATHS.SU.OZ.AU> wrote:
> So instead I wrote the following wrapper, and used it to wrap xload, xterm
> and xconsole. My wrapper, and the SNI advisory, included below.

The wrapper is a good idea.  As written, it provides reasonable protection
against buffer overflows in large buffers, including the $HOME buffer
overflow described in the advisory.

Many of the buffers involved in environment variable related
overflows in X11R6.1 and earlier are 2048 bytes in size, because
this is what the BUFSIZ constant is defined to be.  However,
not all buffers are large enough to hold a thousand characters.
256 byte buffers are common, and there have been several instances of
sloppy string manipulation on buffers as small as 100 bytes.  I will
grant that the overflows I am aware of in libX11 for X11R6.1 all involve
2048 byte buffers, but it is best to err on the side of caution.  For this
reason, I urge those using wrappers to limit buffer and argument lengths
to a fairly low value, such as 256 bytes or perhaps even something as low
as 100 bytes.

David Sacerdote
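
The length limit recommended in the message above, as an added example in C; it is not Paul Szabo's wrapper and not part of the original post. REAL_PROG is a hypothetical path to the wrapped binary, and refusing over-long arguments while dropping over-long environment entries is an assumed policy.

```c
#include <stdio.h>
#include <unistd.h>

#define MAX_LEN 256                            /* limit suggested in the message */
#define REAL_PROG "/usr/X11R6/bin/xterm.real"  /* hypothetical path, adjust per site */
extern char **environ;

/* Return 1 unless s plus its terminator fits in `limit` bytes; never reads past the limit. */
static int too_long(const char *s, size_t limit)
{
    for (size_t i = 0; i < limit; i++)
        if (s[i] == '\0')
            return 0;
    return 1;
}

/* Drop over-long "NAME=value" entries (whole entry measured), compacting in place; returns count dropped. */
static size_t scrub_env(char **env, size_t limit)
{
    size_t i, kept = 0;
    for (i = 0; env[i] != NULL; i++)
        if (!too_long(env[i], limit))
            env[kept++] = env[i];
    env[kept] = NULL;
    return i - kept;
}

/* Return the index of the first over-long argument, or -1 if all are acceptable. */
static int first_bad_arg(char **argv, size_t limit)
{
    for (int i = 0; argv[i] != NULL; i++)
        if (too_long(argv[i], limit))
            return i;
    return -1;
}

int main(int argc, char **argv)
{
    int bad = first_bad_arg(argv, MAX_LEN);
    if (bad >= 0) {
        fprintf(stderr, "wrapper: argument %d exceeds %d bytes, refusing\n", bad, MAX_LEN);
        return 1;
    }
    scrub_env(environ, MAX_LEN);   /* execv passes the scrubbed environ on */
    execv(REAL_PROG, argv);
    perror("wrapper: execv");
    return 127;
}
```

Lowering MAX_LEN to 100 gives the stricter setting mentioned in the message.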