[6662] in bugtraq


Re: TOG and xterm problem

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Mon May 4 11:42:09 1998

Date: 	Mon, 4 May 1998 11:06:05 +0200
Reply-To: peak@kerberos.troja.mff.cuni.cz
From: Pavel Kankovsky <peak@KERBEROS.TROJA.MFF.CUNI.CZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.OSF.3.96.980501010657.16005A-100000@fly.HiWAAY.net>

On Fri, 1 May 1998, Jeff Gehlbach wrote:

> Open Group, when *will* the rest of us see at least some clues about where
> the bug lies and how it can be fixed?  You say you won't release patches
> to X11R<6.4, but can you at least be nice enough to tell those of us using
> the still-perfectly-serviceable 6.3 just a tidbit about the problem?

Believe it or not, it took me 10 minutes to grep the appropriate parts of
X11R6.3 sources, following the clues mentioned in the CERT advisory, and
find the bugs--at least some of them.

xc/programs/xterm/charproc.c:
* HandleKeymapChange():

    (void) sprintf( mapName, "%sKeymap", params[0] );
    (void) strcpy( mapClass, mapName );

(actually, the second command is mostly harmless because the size of
mapName and mapClass is the same)

xc/programs/xterm/charproc.c:
* VTInitI18N():

        strcpy(tmp, term->misc.input_method);
...
            strcpy(buf, "@im=");
            strcat(buf, s);
...
    strcpy(tmp, term->misc.preedit_type);

xc/lib/Xaw/XawIm.c:
* OpenIM():

            strcpy(modifiers, "@im=");
            strcat(modifiers, ve->im.im_list[i]);

* ParseIMNameList():

    char        *s, *save_s, *ss, *list[32], **lp, *end;
...
        list[i] = s;

(This one is quite interesting.
Exercise for the reader: write an exploit.)

<ironic>
Security hint of the day:
        find . -name '*.[ch]' | \
        xargs egrep -l 'sprintf|strcat|strcpy' | \
        xargs rm
</ironic>


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]


P.S. A copy of this message is being submitted to XFree86.
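The three patterns quoted above (an unbounded sprintf into a fixed buffer, strcpy/strcat of a resource string into a fixed buffer, and a fixed-size pointer array filled without a count check) all share one fix: bound every write by the destination size and treat "does not fit" as an error rather than as a silent overrun. The following is an added example written for this archive page, not code from xterm, Xaw, or the X Consortium sources; the function names, buffer sizes (NAME_MAX, LIST_MAX) and the comma-separated list format are constructed for illustration and do not claim to reproduce the real HandleKeymapChange, VTInitI18N, OpenIM or ParseIMNameList behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sizes for the example; the real xterm/Xaw buffers differ. */
#define NAME_MAX 40
#define LIST_MAX 32

/* Bounded counterpart of
 *     (void) sprintf( mapName, "%sKeymap", params[0] );
 * snprintf reports the length the full string would have had, so a
 * return value >= dstsz means the result was truncated. On truncation
 * the buffer is cleared so a half-built name is never used. */
int build_keymap_name(char *dst, size_t dstsz, const char *base)
{
    int n = snprintf(dst, dstsz, "%sKeymap", base);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz) dst[0] = '\0';
        return 0;            /* caller must reject the resource */
    }
    return 1;
}

/* Bounded counterpart of
 *     strcpy(buf, "@im=");
 *     strcat(buf, s);
 * One snprintf replaces the copy+append pair and checks the total. */
int build_im_modifier(char *dst, size_t dstsz, const char *im)
{
    int n = snprintf(dst, dstsz, "@im=%s", im);
    return !(n < 0 || (size_t)n >= dstsz);
}

/* Bounded counterpart of filling a fixed array such as
 *     char *list[32]; ... list[i] = s;
 * Splits a comma-separated string in place (the input is modified),
 * stores at most listsz pointers, and reports whether input was dropped
 * instead of writing past the end of list[]. Returns the stored count. */
size_t parse_name_list(char *src, char *list[], size_t listsz, int *overflowed)
{
    size_t count = 0;
    *overflowed = 0;
    while (src) {
        char *comma = strchr(src, ',');
        if (comma)
            *comma = '\0';
        if (count == listsz) {  /* array full: stop, do not overrun */
            *overflowed = 1;
            break;
        }
        list[count++] = src;
        src = comma ? comma + 1 : NULL;
    }
    return count;
}

/* Small driver so the example runs stand-alone. */
int main(void)
{
    char name[NAME_MAX], mod[16], *list[LIST_MAX];
    char ims[] = "kinput2,xwnmo,skkinput";   /* constructed sample input */
    int ov;

    printf("keymap: %s\n", build_keymap_name(name, sizeof name, "vt100") ? name : "(too long)");
    printf("modifier: %s\n", build_im_modifier(mod, sizeof mod, "kinput2") ? mod : "(too long)");
    size_t n = parse_name_list(ims, list, LIST_MAX, &ov);
    printf("%zu input methods, overflow=%d, first=%s\n", n, ov, n ? list[0] : "");
    return 0;
}
```

The point of returning a status from each builder is that the caller can fall back to a default resource value when an over-long string arrives, which is the behaviour the original unbounded sprintf/strcpy calls lacked.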
