| Field | Value |
|---|---|
| Summary | x11-libs/openmotif buffer overflows (CVE-2005-3964) |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | bartron, sgtphou, tcdrundridge |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0047.html |
| Whiteboard | B2 [] |
| Package list | |
| Runtime testing required | --- |
| Attachments | 74595 (patch for bugs), 74616 (working patch), 75850 (UIL patch) |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-12-02 01:11:26 UTC
CCing lanius so that he knows about it, we still need to design a patch. Also we must determine if lesstif is also affected.

Created attachment 74595 [details, diff]
patch for bugs

patch ready and working, ebuild is on a way :)

> patch ready and working, ebuild is on a way :)

THERE IS SOMETHING WRONG IN THIS PATCH, DO NOT USE IT.
repairing in progress...

Created attachment 74616 [details, diff]
working patch

new patch, this one is working for sure.
Sorry for any problems
Thx for the patch. Lanius, please check and apply.

lanius: *bump*

sorry, i currently have no possibility to upload anything to cvs, can you please do it for me

the patches attached seem identical, if the first one is broken the second one must be as well?

aqu, what is wrong with the first one?

the first one misses two commas, the second one has them

ahh, so it does :)

yeah, it was my stupid error, sorry about that :)

openmotif-2.2.3-r8 committed, as requested. Arches, please test and mark stable. thx

This will require to ship lesstif-0.94.4 since the new openmotif uses motif-config, is that correct? (otherwise it blocks).

if you bump it this way you also have to mark motif-config, openmotif-2.1.30-r13, lesstif-0.94.4 and lesstif-0.93.94-r3 stable. i think that is no problem since they all have been around a long time and the only change is to use motif-config. alternatively you could bump openmotif-2.2.3-r3 instead of openmotif-2.2.3-7.

these packages are stable on ppc64 now:
x11-libs/motif-config-0.9
x11-libs/openmotif-2.2.3-r8
x11-libs/openmotif-2.1.30-r13
x11-libs/lesstif-0.94.4
x11-libs/lesstif-0.93.94-r3

sparc stable.

amd64 done and btw... please fix those QA issues. There's a problem with the digest in that package....

Stable on ppc, hppa.

Karol: I cannot reproduce that problem, are you still seeing it?

as a little remark, when writing the GLSA, we might want to write it together with emul-linux-x86-xlibs (bug 116481).

what about the x86 team?

i currently have no possibility to commit anything.

oh, thx for the heads-up. sorry, my fault - forgot to add x86 :(

x86 done

Alpha done.
Cheers, Ferdy

seems ready for glsa

GLSA 200512-16

arm ia64 and mips should mark stable to benefit from GLSA

Is the quoted text in Comment #0 the full report? It only seems to mention the first usage of a fixed size buffer directly following its declaration, and is missing all cases when it's declared anywhere else but the current function; or when declaration and usage are too far apart.

Just for example, in `clients/uil/UilSrcSrc.c/open_source_file()'...

629: char buffer[256];
634: strcpy(buffer, c_file_name);

...these two are listed in the problem URL, but...

680: strcpy (buffer, c_file_name);

...(executed when opening an include file specified by absolute path name... exact same problem) is not.

As a minor nitpick, the patch in comment #4 replaces `strcpy()' with `strncpy()'... If the source pointer points to a string longer than the max length argument, `strncpy()' will not '\0'-terminate the result (in other words this needs to be done manually), meaning it will run into whatever comes next in memory until a '\0' character is reached. (Personally I'd advise against `strncpy()' in this place though, because there is a slim chance the truncated path may refer to an existing (but wrong) file which may lead to very confusing error messages).

Created attachment 75850 [details, diff]
UIL patch
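Added example, not taken from the OpenMotif source tree, from the patches attached to this bug, or from any commenter: it reproduces the two points raised in the comment above in runnable C. `copy_unchecked()` is the shape of the original `strcpy()` into a 256-byte stack buffer; `strncpy_leaves_unterminated()` shows that `strncpy()` as a drop-in replacement leaves no terminator once the source is as long as the size argument; `copy_path_checked()` and `copy_path_snprintf()` are bounded copies that reject an over-long name instead of truncating it, which avoids the wrong-file confusion the comment warns about. `PATH_BUF`, all function names and the constructed sample names are assumptions made for this example; only the buffer size and the `c_file_name` parameter mirror the cited lines.

```c
/* Added example; not from OpenMotif or the patches on this bug.
 * PATH_BUF, function names and sample input are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_BUF 256   /* same size as `char buffer[256]' cited above */

/* The original pattern: writes strlen(c_file_name)+1 bytes regardless of
 * the buffer size. Only ever called with a short name in this example. */
static void copy_unchecked(char buffer[PATH_BUF], const char *c_file_name)
{
    strcpy(buffer, c_file_name);
}

/* Returns 1 if strncpy(dst, src, n) leaves the n-byte dst with no NUL in
 * it, 0 if it is terminated. dst is poisoned first so a missing NUL shows. */
static int strncpy_leaves_unterminated(const char *src, size_t n)
{
    char dst[PATH_BUF];
    if (n > sizeof dst)
        n = sizeof dst;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Length of s, reading at most max bytes (safe even if s is unterminated). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Bounded copy that refuses instead of truncating: a silently truncated
 * path could name a different, existing file. Returns 0 on success and
 * -1 (leaving dst = "") if src plus its terminator does not fit. */
static int copy_path_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len = bounded_len(src, dstsz);
    if (len >= dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* includes the NUL */
    return 0;
}

/* Same policy via snprintf(): its return value is the length the whole
 * string would have had, so a value >= dstsz means truncation occurred. */
static int copy_path_snprintf(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* Wrappers using a PATH_BUF-sized stack buffer, as open_source_file() does. */
static int fits_in_path_buf(const char *src)
{
    char buffer[PATH_BUF];
    return copy_path_checked(buffer, sizeof buffer, src) == 0;
}

static int fits_via_snprintf(const char *src)
{
    char buffer[PATH_BUF];
    return copy_path_snprintf(buffer, sizeof buffer, src) == 0;
}

/* Constructed sample input: a name of exactly `len' 'a' characters (max 400). */
static const char *name_of_length(size_t len)
{
    static char name[401];
    if (len > 400)
        len = 400;
    memset(name, 'a', len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    char buffer[PATH_BUF];
    copy_unchecked(buffer, "short.uil");
    printf("strncpy of a 300-char name into %d bytes, unterminated: %d\n",
           PATH_BUF, strncpy_leaves_unterminated(name_of_length(300), PATH_BUF));
    printf("checked copy: 255 chars fit=%d, 256 chars fit=%d\n",
           fits_in_path_buf(name_of_length(255)), fits_in_path_buf(name_of_length(256)));
    printf("snprintf copy: 255 chars fit=%d, 256 chars fit=%d\n",
           fits_via_snprintf(name_of_length(255)), fits_via_snprintf(name_of_length(256)));
    return 0;
}
```

The boundary case is the one to remember: with a 256-byte buffer, a 255-character name is the longest that fits with its terminator, and a 256-character name already leaves `strncpy()` unterminated while both checked copies refuse it. Whether to refuse or truncate is a policy choice; for a file name, refusing (and reporting the over-long path) is the safer default.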
Tavis, could you have a look ?

lanius, is it possible for you to create another bump, this time with the other patch (comment #30) and with a workaround for the blocking issues found in bug #117458? If that's ok, please do it, thx. assigning.

Taviso / Tigger / Solar / Vapier please look into this.

committed the new patch, i don't know of a way to fix the blocker

So this looks ready for GLSA...

ppc-macos stable:
x11-libs/motif-config-0.9
x11-libs/openmotif-2.2.3-r8
x11-libs/openmotif-2.1.30-r13
x11-libs/lesstif-0.94.4
x11-libs/lesstif-0.93.94-r4

Should probably be published as a GLSA update to GLSA 200512-16...

lanius: shouldn't the patch also be pushed to a 2.1.30-r14 release ?

amd64: how do you stand wrt emul-linux-x86-xlibs ?

(In reply to comment #38)
> amd64: how do you stand wrt emul-linux-x86-xlibs ?

Updated app-emulation/emul-linux-x86-xlibs-2.2.2 is on the mirrors and in cvs

OK, now we just need to be sure if this doesn't also need a 2.1.30-series bump. lanius ?

removing amd64 from cc, we've already done our job ;)

i don't know, whoever posted the patch please check

kloeri said he would take care of this.

Hi, kloeri, some news on this ? What is the status of this bug now ? [stable] or [ebuild] ?

Added the patch to openmotif-2.1.30-r14. Sorry about the delay.

Finally closing this bugger ... feel free to reopen if you disagree.