============
ZRCSA-200503 - ktools Buffer Overflow Vulnerability
11/27/2005

Zone-H Research Center Security Advisory 200503
http://www.zone-h.fr

Date of release: 27/11/2005
Software: ktools (http://konst.org.ua/ktools)
Affected versions: <= 0.3
Risk: Medium
Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team

Background (from http://konst.org.ua/ktools)
----------
ktools is a library which I wrote for my own programming needs, though its main purpose is to provide various text-mode user interface controls without a need to write too much code.

Details
--------
There is a buffer overflow in kkstrtext.h:

    #define VGETSTRING(c, fmt) { va_list vgs__ap; char vgs__buf[1024]; va_start(vgs__ap, fmt); vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; va_end(vgs__ap); }

This library is used in the following software: centericq, orpheus, motor, groan (see http://konst.org.ua/en/konstware)

It can be exploited for example in centericq when editing a contact's details with a detail field longer than 1024 chars (a <description> field of an RSS feed for example).

Details:

- centericq.cc:

    case ACT_EDITUSER:
        c->save();
        /***************** here ************/
        if(face.updatedetails(c, c->getdesc().pname)) {
            if(c->getdesc().pname == infocard)
                c->setdispnick(c->getnick());
        ...
        ...

- icqdialogs.cc:

    bool icqface::updatedetails(icqcontact *c, protocolname upname) {
        ...
        ...
        while(!finished) {
            gendetails(db.gettree(), c);
        ...
        ...

  gendetails() ..

    if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) || !capab.count(hookcapab::flexiblereg)) {
        i = tree->addnode(_(" About "));
        tree->addleaff(i, 0, 39, " %s ", about.c_str());

- treeview.cc:

    int treeview::addleaff(int parent, int color, int ref, const char *fmt, ...)
    {
        string buf;
        VGETSTRING(buf, fmt);
        return addleaf(parent, color, (void *) ref, buf);
    }

- kkstrtext.h:

    #define VGETSTRING(c, fmt) { va_list vgs__ap; char vgs__buf[1024]; va_start(vgs__ap, fmt); vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; va_end(vgs__ap); }

Solution
---------
None. Vendor contacted on 18/11 and 25/11, no answer.

http://www.zone-h.org/en/advisories/read/id=8480/
(Some rights reserved, http://creativecommons.org/licenses/by-nc-nd/2.0/)
===============

This needs to be patched.
Could someone design a patch (auditors ?)
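The advisory above shows why the original VGETSTRING overflows: vsprintf writes into a fixed 1024-byte stack buffer with no length check. The following is an added example (not ktools code and not the attached Gentoo patch) of a replacement that sizes the buffer from vsnprintf's return value, so a description longer than 1024 bytes is stored intact instead of smashing the stack; `vformat`, `format_leaf` and `long_description_demo` are hypothetical names chosen for the example.

```cpp
// Added example, not from ktools. The original macro in kkstrtext.h:
//   char vgs__buf[1024]; vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf;
// writes an unbounded formatted result into a 1024-byte automatic array.
// The helper below asks vsnprintf for the required length first, then
// formats into a std::string of exactly that size, so no fixed buffer exists.
#include <cstdarg>
#include <cstdio>
#include <string>

// Hardened formatter: measure, allocate, format. Returns an empty string on
// an encoding error (vsnprintf reporting a negative length).
static std::string vformat(const char *fmt, va_list ap) {
    va_list ap2;
    va_copy(ap2, ap);                                 // ap is consumed by each call
    int needed = std::vsnprintf(nullptr, 0, fmt, ap2); // C99/C++11: length excluding NUL
    va_end(ap2);
    if (needed < 0) return std::string();
    std::string out(static_cast<size_t>(needed) + 1, '\0');
    std::vsnprintf(&out[0], out.size(), fmt, ap);
    out.resize(static_cast<size_t>(needed));          // drop the terminating NUL
    return out;
}

// Drop-in replacement keeping the original macro's shape: c receives the
// full formatted text whatever its length.
#define VGETSTRING(c, fmt) { va_list vgs__ap; va_start(vgs__ap, fmt); \
    c = vformat(fmt, vgs__ap); va_end(vgs__ap); }

// Stand-in for treeview::addleaff (hypothetical: returns the leaf text so
// the caller can check it instead of inserting it into a tree).
std::string format_leaf(const char *fmt, ...) {
    std::string buf;
    VGETSTRING(buf, fmt);
    return buf;
}

// Constructed input: a 3000-byte "description" such as an RSS feed might
// carry, formatted with the same " %s " pattern gendetails() uses.
std::string long_description_demo() {
    std::string desc(3000, 'A');
    return format_leaf(" %s ", desc.c_str());         // 3002 bytes, no overflow
}
```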
Created attachment 74654 [details, diff]: patch for overflow

This doesn't look like legal C, isn't he setting c to point to an automatic array no longer in scope? Anyway, here's a fix.
Wolfram: please test and bump with provided patch
Compiled fine on my x86 box, committed =net-im/centericq-4.21.0-r2 archmasked.
Thx for the bump, arches please test and mark -r2 stable.
sparc stable.
Stable on ppc.
x86 done
amd64 done
GLSA 200512-11