hi, the following is from sec. mailinglist: --- Package Name: LCDproc Vendor URL: http://lcdproc.omnipotent.net Date: 2004-02-22 ID: PSR-#2004-001 Affected Version: All Versions Risk: HIGH -- A remote exploitable buffer overflow that allows remote users to execute an arbitrary code was found on LCDd server. The problem appears on function parse_all_client_messages() of parse.c file, a loop does not check if MAXARGUMENTS were reached, causing the program to crash when lots of arguments are passed to the function. Testing: See proof of concept code on http://www.priv8security.com/releases/priv8lcd44.pl one should upgrade to 0.4.4 and apply the following patch coded by Rodrigo Rubira Branco: diff -urN lcdproc-0.4.4/server/parse.c lcdproc-0.4.4-cor/server/parse.c --- lcdproc-0.4.4/server/parse.c 2004-03-16 17:06:12.000000000 -0300 +++ lcdproc-0.4.4-cor/server/parse.c 2004-03-31 13:49:23.000000000 -0300 @@ -158,7 +158,7 @@ argc++; - } while (*p); + } while (*p && i < MAX_ARGUMENTS); /*debug(RPT_DEBUG, "exiting string scan...");*/ --eof--- hope, this bug is not a dup and GLSA is ok as address... ;-) didn't find that bug already in database, so i posted... so long, rootshell Reproducible: Always Steps to Reproduce: 1. 2. 3.
Version bumped and patch added, could somebody please mark these as stable on X86 and AMD64? Thanks!
rootshell : In fact you should use Product = Gentoo Linux and Component = Security for all vulnerabilities entries. We set it to GLSA when the fix is ready :) Setting it back to Gentoo Linux/Security and accept it as ASSIGNED Severity > critical as this is a C1.
Stable on AMD64.
@Koon: didn't know that - sorry... ;-) so long rootshell
Bump: Still waiting for stable on x86 on app-misc/lcdproc-0.4.4-r1.ebuild. -K
Stable on x86
app-misc/lcdproc-0.4.4-r1 stable on all platforms Ready for a GLSA
It would be nice if "security advisories" were checked before patches are committed. The issues reported are valid. However, the patch provided fails to fix one issues and doesn't even try to fix another one mentioned. I've fixed the issues upstream and released 0.4.5. It doesn't contain any other changes and should be safe to commit. FWIW the exploit is not remotely exploitable with the default configuration as shipped with the ebuild. See a corrected advisory here: http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html
Rene: Thanks for the heads-up. We rely on community bug submission for vulnerability feed and we didn't see any upstream version patching these issues, that's why we committed the (partial) fix. Obviously we should be more careful on upstream status. Tim: Could you remove the patch and bump the ebuild to 0.4.5 ? -K
GLSA 200404-19.
