|
|
|
>>
VUPEN Security / Public Mailing Lists Mirror |
Assigned : VUPEN/ADV-2005-2709
From : "alert7 at xfocus.org" <alert7 at xfocus.org>
Subject : [xfocus-SD-051202]openMotif libUil Multiple vulnerability
Date : 2005-12-03
Original Message
Title: [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability
Affected version : openmotif 2.2.3(not got 2.2.4,so not test in
openmotif 2.2.4)
Product: http://www.motifzone.net/
xfocus (http://www.xfocus.org) have discovered multiple vulnerability in
openmotif libUil library. details following:
1: libUil.so diag_issue_diagnostic buffer overflow
Clients/uil/UilDiags.c
diag_issue_diagnostic()
202 void diag_issue_diagnostic
203 ( int d_message_number, src_source_record_type
*az_src_rec,
204 int l_start_column, ...)
205
206 {
207 va_list ap; /* ptr to variable
length parameter */
208 int severity; /* severity of message */
209 int message_number; /* message number */
210 char msg_buffer[132]; /* buffer to construct
message */
211 char ptr_buffer[buf_size]; /* buffer to construct
pointer */
212 char loc_buffer[132]; /* buffer to construct
location */
213 char src_buffer[buf_size]; /* buffer to hold source
line */
......
293 va_start(ap, l_start_column);
294
295 #ifndef NO_MESSAGE_CATALOG
296[1.1] vsprintf( msg_buffer,
297 catgets(uil_catd, UIL_SET1, msg_cat_table[
message_number ],
298 diag_rz_msg_table[ message_number ].ac_text),
299 ap );
300 #else
301[1.2] vsprintf( msg_buffer,
302 diag_rz_msg_table[ message_number ].ac_text,
303 ap );
304 #endif
305 va_end(ap);
[1.1][1.2] call vsprintf will cause buffer overflow if ap is user-support
data,so if one local or remote application which used this library may
cause execute arbitrary code .
2: libUil.so open_source_file buffer voerflow
Clients/uil/UilSrcSrc.c
620 status
621 open_source_file( XmConst char *c_file_name,
622 uil_fcb_type *az_fcb,
623 src_source_buffer_type *az_source_buffer )
624 {
625
626 static unsigned short main_dir_len = 0;
627 boolean main_file;
628 int i; /* loop index through
include files */
629 char buffer[256];
630
631
632 /* place the file name in the expanded_name buffer */
633
634[2.1] strcpy(buffer, c_file_name);
635
636 /* Determine if this is the main file or an include file. */
637
638 main_file = (main_fcb == NULL);
639
[2.1] like above
--EOF
Disclaimer : VUPEN Security does not endorse the content of this
message submitted by others to public mailinglists. Messages submitted to public
mailinglists do not necessarily reflect the opinions or policies of VUPEN Security.
VUPEN Security makes no warranties, express or implied, as to the content of the message
in this page or the accuracy and reliability of any messages and other materials
submitted to public mailinglists. Any questions or comments regarding this page
should be sent to
team@vupen.com
|
|
|
|
|
|
Monthly Statistics |
 |
|
|
|
| |
|
Try VUPEN
VNS |
 |
|
 |
|
| |
|
 |
| |
|
|
|
|
