the following is from sec. mailinglist:
Package Name: LCDproc
Vendor URL: http://lcdproc.omnipotent.net
Affected Version: All Versions
A remote exploitable buffer overflow that allows remote users to execute an
arbitrary code was found on LCDd server.
The problem appears on function parse_all_client_messages() of parse.c file, a loop
does not check if MAXARGUMENTS were
reached, causing the program to crash when lots of arguments are passed to the
See proof of concept code on
one should upgrade to 0.4.4 and apply the following patch
coded by Rodrigo Rubira Branco:
diff -urN lcdproc-0.4.4/server/parse.c lcdproc-0.4.4-cor/server/parse.c
--- lcdproc-0.4.4/server/parse.c 2004-03-16 17:06:12.000000000 -0300
+++ lcdproc-0.4.4-cor/server/parse.c 2004-03-31 13:49:23.000000000 -0300
@@ -158,7 +158,7 @@
- } while (*p);
+ } while (*p && i < MAX_ARGUMENTS);
/*debug(RPT_DEBUG, "exiting string scan...");*/
hope, this bug is not a dup and GLSA is ok as address... ;-)
didn't find that bug already in database, so i posted...
Steps to Reproduce:
Version bumped and patch added, could somebody please mark these as stable on X86 and AMD64? Thanks!
In fact you should use Product = Gentoo Linux and Component = Security for all vulnerabilities entries. We set it to GLSA when the fix is ready :)
Setting it back to Gentoo Linux/Security and accept it as ASSIGNED
Severity > critical as this is a C1.
Stable on AMD64.
didn't know that - sorry... ;-)
Still waiting for stable on x86 on app-misc/lcdproc-0.4.4-r1.ebuild.
Stable on x86
app-misc/lcdproc-0.4.4-r1 stable on all platforms
Ready for a GLSA
It would be nice if "security advisories" were checked before patches are
The issues reported are valid. However, the patch provided fails to fix one
issues and doesn't even try to fix another one mentioned.
I've fixed the issues upstream and released 0.4.5. It doesn't contain any
other changes and should be safe to commit.
FWIW the exploit is not remotely exploitable with the default configuration
as shipped with the ebuild.
See a corrected advisory here:
Thanks for the heads-up. We rely on community bug submission for vulnerability feed and we didn't see any upstream version patching these issues, that's why we committed the (partial) fix. Obviously we should be more careful on upstream status.
Could you remove the patch and bump the ebuild to 0.4.5 ?