Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 81389 - x11-wm/windowmaker-0.91.0 buggy code
Summary: x11-wm/windowmaker-0.91.0 buggy code
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Luis Medinas (RETIRED)
Depends on:
Reported: 2005-02-09 10:15 UTC by solar (RETIRED)
Modified: 2006-08-17 18:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description solar (RETIRED) gentoo-dev 2005-02-09 10:15:57 UTC
One of our users reported that ssp picked up an overflow in windowmaker
in function updateWorkspaceNames()

The problem code reads as
static void updateWorkspaceNames(WScreen *scr)
    char buf[1024], *pos;
    unsigned int i, len, curr_size;

    pos = buf;
    len = 0;
    for(i = 0; i < scr->workspace_count; i++) {
        curr_size = strlen(scr->workspaces[i]->name);
        strcpy(pos, scr->workspaces[i]->name);
        pos += (curr_size+1);
        len += (curr_size+1);

    XChangeProperty(dpy, scr->root_win, net_desktop_names, utf8_string, 8,
                    PropModeReplace, (unsigned char *)buf, len);
Upon further investigation after building windowmaker with a debug compiler 
and -fbounds-checking we can see another function which has problems.

wevent.c:216:Bounds error: array reference (93) outside bounds of the array.
wevent.c:216:  Pointer value: 0x826da64
wevent.c:216:  Object `eventMasks':
wevent.c:216:    Address in memory:    0x826d8f0 .. 0x826d97b
wevent.c:216:    Size:                 140 bytes
wevent.c:216:    Element size:         4 bytes
wevent.c:216:    Number of elements:   35
wevent.c:216:    Created at:           wevent.c, line 11
wevent.c:216:    Storage class:        static
I've joined the windowmaker channel on freenode and asked what is the 
proper method to report bugs to them. But there was no response. I've
checked the windowmaker site for a bugzilla but they appear to not have
one. (only plans to put one
in place) So I'm filing a bug here which we can use for reference for
the upstream wm-devs.

It would be ideal if we have somebody who wants to play spot of the BOFs 
via gdb and these two functions be audited and patched. It is unknown at
this time if these two bugs are exploitable in any way. I'm not a
windowmaker user so I'm not really planning on doing alot of follow up
with this bug. Hopefully our security and gnustep teams can take it from
Comment 1 solar (RETIRED) gentoo-dev 2005-02-09 10:26:41 UTC
This is what the start of the second function looks like.
int WMHandleEvent(XEvent *event)
    W_EventHandler *hPtr;
    W_View *view, *toplevel;
    unsigned long mask;
    Window window;
    WMArrayIterator iter;

    if (event->type == MappingNotify) {
        return True;

    mask = eventMasks[event->xany.type];
And it's the "mask = eventMasks[event->xany.type];" that triggers on the debug compiler.
Comment 2 solar (RETIRED) gentoo-dev 2005-02-09 10:27:39 UTC
On line 11.. static unsigned long eventMasks[] = { ....
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-09 11:01:04 UTC
Regarding the first one, there's a clear overflow there, however the ewmh specs do say only the window manager and pager should set this property:

If an attacker can change this, it's safe to assume he can set any random property and can do all kinds of craziness such as modifying the clipboard, changing keybindings and modifying resources, so if he's already got to this point...i don't think he would be interested in this :)

regarding the second one, I think we have to assume XEvents are trusted input, if an attacker can create his own synthetic events (he's got to a point where he can use XSendEvent(), for example) he can already fake input events to terminals for example, close windows, send click events, it's already game over :)

These should probably still be fixed, but afaict don't look like security issues.
Comment 4 solar (RETIRED) gentoo-dev 2005-02-09 14:01:01 UTC
Thanks Tavis.. Reassigning bug to gnustep@ as a normal bug report then.
Comment 5 Luis Medinas (RETIRED) gentoo-dev 2006-08-17 18:17:28 UTC
we can close this since 0.91.0 isn't on the tree anymore.