Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 47340 - app-misc/lcdproc - remote overflow - all versions
Summary: app-misc/lcdproc - remote overflow - all versions
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2004-04-09 06:22 UTC by Florian Schilhabel (RETIRED)
Modified: 2004-04-26 22:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schilhabel (RETIRED) gentoo-dev 2004-04-09 06:22:52 UTC
the following is from sec. mailinglist:

Package Name: LCDproc
Vendor URL:
Date:  2004-02-22  
ID:  PSR-#2004-001
Affected Version: All Versions
Risk: HIGH

A remote exploitable buffer overflow that allows remote users to execute an
arbitrary code was found on LCDd server.
The problem appears on function parse_all_client_messages() of parse.c file, a loop
does not check if MAXARGUMENTS were
reached, causing the program to crash when lots of arguments are passed to the


See proof of concept code on

one should upgrade to 0.4.4 and apply the following patch
coded by Rodrigo Rubira Branco:

diff -urN lcdproc-0.4.4/server/parse.c lcdproc-0.4.4-cor/server/parse.c
--- lcdproc-0.4.4/server/parse.c	2004-03-16 17:06:12.000000000 -0300
+++ lcdproc-0.4.4-cor/server/parse.c	2004-03-31 13:49:23.000000000 -0300
@@ -158,7 +158,7 @@
-				} while (*p);
+				} while (*p && i < MAX_ARGUMENTS);
 				/*debug(RPT_DEBUG, "exiting string scan...");*/

hope, this bug is not a dup and GLSA is ok as address... ;-)
didn't find that bug already in database, so i posted...

so long,

Reproducible: Always
Steps to Reproduce:
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2004-04-09 06:33:25 UTC
Version bumped and patch added, could somebody please mark these as stable on X86 and AMD64? Thanks!
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-04-09 06:45:33 UTC
rootshell :
In fact you should use Product = Gentoo Linux and Component = Security for all vulnerabilities entries. We set it to GLSA when the fix is ready :)

Setting it back to Gentoo Linux/Security and accept it as ASSIGNED
Severity > critical as this is a C1.
Comment 3 Jon Portnoy (RETIRED) gentoo-dev 2004-04-09 07:16:17 UTC
Stable on AMD64.
Comment 4 Florian Schilhabel (RETIRED) gentoo-dev 2004-04-09 07:52:41 UTC
didn't know that - sorry... ;-)
so long
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 02:04:35 UTC
Still waiting for stable on x86 on app-misc/lcdproc-0.4.4-r1.ebuild.

Comment 6 Jon Portnoy (RETIRED) gentoo-dev 2004-04-13 08:43:05 UTC
Stable on x86
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 09:47:45 UTC
app-misc/lcdproc-0.4.4-r1 stable on all platforms
Ready for a GLSA
Comment 8 Rene Wagner 2004-04-13 16:45:08 UTC
It would be nice if "security advisories" were checked before patches are 

The issues reported are valid. However, the patch provided fails to fix one 
issues and doesn't even try to fix another one mentioned.

I've fixed the issues upstream and released 0.4.5. It doesn't contain any
other changes and should be safe to commit.

FWIW the exploit is not remotely exploitable with the default configuration
as shipped with the ebuild.

See a corrected advisory here:
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-14 00:53:17 UTC
Thanks for the heads-up. We rely on community bug submission for vulnerability feed and we didn't see any upstream version patching these issues, that's why we committed the (partial) fix. Obviously we should be more careful on upstream status.

Could you remove the patch and bump the ebuild to 0.4.5 ?

Comment 10 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-26 22:48:37 UTC
GLSA 200404-19.