Hi folks, Take a look at mmsclient's client.c: Line 28: #define BUF_SIZE 102400 Line 470: char data[1024]; Line 551: len = read (s, data, BUF_SIZE) ; This blew up for me for obvious reasons, and may be exploitable on other systems. Changing the buffer length fixes my problem, but I have not checked if mmsclient contains other problems, so I thought I'd ask you security guys what you want to do about it. Do you want to get this fixed this now or wait and check the rest of the code first?
Thanks for the report. The first thing to do would be to report this upstream. Did you contact them already?
No, there is no upstream for mmsclient that I know of.
@security, you asked me to bring security issues to folks like you first, but the result is that it's been over a month now for something that I would've otherwise fixed in the tree directly. Could you take a look at this, please?
It's in the unstable, tree and it seems, that no one cared to look, sorry. It's public via Bug #284747.
mmsclient will be removed. *** This bug has been marked as a duplicate of bug 284747 ***
No need to keep this closed. Whiteboard was incorrectly changed by me, so I'm reopening; we need a GLSA as there was a stable version.
Sorry for bugspam...
