Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 114038 - net-im/centericq: buffer overflow through vulnerable ktools lib
Summary: net-im/centericq: buffer overflow through vulnerable ktools lib
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2? [glsa]
Depends on:
Blocks: 100519 CVE-2005-3863
  Show dependency tree
Reported: 2005-11-30 08:22 UTC by Thierry Carrez (RETIRED)
Modified: 2005-12-20 03:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

patch for overflow (centericq.diff,522 bytes, patch)
2005-12-13 10:36 UTC, Tavis Ormandy (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-11-30 08:22:17 UTC
ZRCSA-200503 - ktools Buffer Overflow Vulnerability
Zone-H Research Center Security Advisory 200503

Date of release: 27/11/2005
Software: ktools (
Affected versions: <= 0.3
Risk: Medium
Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the
Zone-H Research Team

Background (from
ktools is a library which I wrote for my own programming needs, though its main
purpose is to provide various text-mode user interface controls without a need
to write too much code.

There is a buffer overflow in kkstrtext.h :

#define VGETSTRING(c, fmt)
va_list vgs__ap; char vgs__buf[1024];
va_start(vgs__ap, fmt);
vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf;

This library is used in the following softwares:


It can be exploited for example in centericq when editing a contact's details
with a detail field longer than 1024 chars (a <description> field of a rss feed
for example).


- :

/***************** here************/
if(face.updatedetails(c, c->getdesc().pname)) {
if(c->getdesc().pname == infocard)


- :

bool icqface::updatedetails(icqcontact *c, protocolname upname) {

while(!finished) {;
gendetails(db.gettree(), c);

if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) ||
!capab.count(hookcapab::flexiblereg)) {
i = tree->addnode(_(" About "));

tree->addleaff(i, 0, 39, " %s ", about.c_str());

- :

int treeview::addleaff(int parent, int color, int ref, const char *fmt, ...) {
string buf;
VGETSTRING(buf, fmt);
return addleaf(parent, color, (void *) ref, buf);

- kkstrtext.h :

#define VGETSTRING(c, fmt)
va_list vgs__ap; char vgs__buf[1024];
va_start(vgs__ap, fmt);
vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf;

None. Vendor contacted on 18/11 and 25/11, no answer. 
(Some rights reserved,

This needs to be patched.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-12-09 06:51:54 UTC
Could someone design a patch (auditors ?)
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-13 10:36:55 UTC
Created attachment 74654 [details, diff]
patch for overflow

This doesnt look like legal c, isnt he setting c to point to an automatic array
no longer in scope?

Anyway, here's a fix.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-12-14 04:20:46 UTC
Wolfram: please test and bump with provided patch
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2005-12-16 00:56:06 UTC
Compiled fine on my x86 box, committed =net-im/centericq-4.21.0-r2 archmasked.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-12-16 04:38:55 UTC
Thx for the bump, arches please test and mark -r2 stable.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-16 06:01:24 UTC
sparc stable.
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-16 11:55:36 UTC
Stable on ppc.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2005-12-16 21:37:17 UTC
x86 done
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2005-12-17 02:11:05 UTC
amd64 done
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 03:09:27 UTC
GLSA 200512-11