|Summary:||app-misc/lcdproc - remote overflow - all versions|
|Product:||Gentoo Security||Reporter:||Florian Schilhabel (RETIRED) <ruth>|
|Component:||GLSA Errors||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Florian Schilhabel (RETIRED) 2004-04-09 06:22:52 UTC
hi, the following is from sec. mailinglist: --- Package Name: LCDproc Vendor URL: http://lcdproc.omnipotent.net Date: 2004-02-22 ID: PSR-#2004-001 Affected Version: All Versions Risk: HIGH -- A remote exploitable buffer overflow that allows remote users to execute an arbitrary code was found on LCDd server. The problem appears on function parse_all_client_messages() of parse.c file, a loop does not check if MAXARGUMENTS were reached, causing the program to crash when lots of arguments are passed to the function. Testing: See proof of concept code on http://www.priv8security.com/releases/priv8lcd44.pl one should upgrade to 0.4.4 and apply the following patch coded by Rodrigo Rubira Branco: diff -urN lcdproc-0.4.4/server/parse.c lcdproc-0.4.4-cor/server/parse.c --- lcdproc-0.4.4/server/parse.c 2004-03-16 17:06:12.000000000 -0300 +++ lcdproc-0.4.4-cor/server/parse.c 2004-03-31 13:49:23.000000000 -0300 @@ -158,7 +158,7 @@ argc++; - } while (*p); + } while (*p && i < MAX_ARGUMENTS); /*debug(RPT_DEBUG, "exiting string scan...");*/ --eof--- hope, this bug is not a dup and GLSA is ok as address... ;-) didn't find that bug already in database, so i posted... so long, rootshell Reproducible: Always Steps to Reproduce: 1. 2. 3.
Comment 1 Tim Yamin (RETIRED) 2004-04-09 06:33:25 UTC
Version bumped and patch added, could somebody please mark these as stable on X86 and AMD64? Thanks!
Comment 2 Thierry Carrez (RETIRED) 2004-04-09 06:45:33 UTC
rootshell : In fact you should use Product = Gentoo Linux and Component = Security for all vulnerabilities entries. We set it to GLSA when the fix is ready :) Setting it back to Gentoo Linux/Security and accept it as ASSIGNED Severity > critical as this is a C1.
Comment 3 Jon Portnoy (RETIRED) 2004-04-09 07:16:17 UTC
Stable on AMD64.
Comment 4 Florian Schilhabel (RETIRED) 2004-04-09 07:52:41 UTC
@Koon: didn't know that - sorry... ;-) so long rootshell
Comment 5 Thierry Carrez (RETIRED) 2004-04-13 02:04:35 UTC
Bump: Still waiting for stable on x86 on app-misc/lcdproc-0.4.4-r1.ebuild. -K
Comment 6 Jon Portnoy (RETIRED) 2004-04-13 08:43:05 UTC
Stable on x86
Comment 7 Thierry Carrez (RETIRED) 2004-04-13 09:47:45 UTC
app-misc/lcdproc-0.4.4-r1 stable on all platforms Ready for a GLSA
Comment 8 Rene Wagner 2004-04-13 16:45:08 UTC
It would be nice if "security advisories" were checked before patches are committed. The issues reported are valid. However, the patch provided fails to fix one issues and doesn't even try to fix another one mentioned. I've fixed the issues upstream and released 0.4.5. It doesn't contain any other changes and should be safe to commit. FWIW the exploit is not remotely exploitable with the default configuration as shipped with the ebuild. See a corrected advisory here: http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html
Comment 9 Thierry Carrez (RETIRED) 2004-04-14 00:53:17 UTC
Rene: Thanks for the heads-up. We rely on community bug submission for vulnerability feed and we didn't see any upstream version patching these issues, that's why we committed the (partial) fix. Obviously we should be more careful on upstream status. Tim: Could you remove the patch and bump the ebuild to 0.4.5 ? -K
Comment 10 Joshua J. Berry (CondorDes) (RETIRED) 2004-04-26 22:48:37 UTC