Bug#183312: xbase-clients: Buffer overflow in "xman"
On Mon, Mar 03, 2003 at 07:45:03PM -0500, Branden Robinson wrote:
> On Mon, Mar 03, 2003 at 04:19:48PM -0500, Benjamin A.Okopnik wrote:
> > I was just trying to demonstrate something that used to be an old security
> > hole, the "MANPATH" overflow on "xman" - and it segfaulted out on me. A
> > little testing shows the boundary:
> >
> > ben@Fenrir:~$ perl -we'$a = "a" x 8192; `MANPATH=$a xman`'
> > Xman Error: No manual pages found.
> > ben@Fenrir:~$ perl -we'$a = "a" x 8193; `MANPATH=$a xman`'
> > Segmentation fault
> >
> > I guess it somehow got "unfixed"...
>
> FYI, I cannot reproduce this problem on PowerPC:
>
> [0] branden@redwald:~ % perl -we'$a = "a" x 8192; `MANPATH=$a xman`'
> Xman Error: No manual pages found.
> [0] branden@redwald:~ % perl -we'$a = "a" x 8193; `MANPATH=$a xman`'
> Xman Error: No manual pages found.
> [0] branden@redwald:~ % perl -we'$a = "a" x 8194; `MANPATH=$a xman`'
> [0] branden@redwald:~ % uname -a
> Linux redwald 2.4.19-powerpc #1 Mon Sep 9 09:01:43 EDT 2002 ppc unknown unknown GNU/Linux

I can't reproduce it with the recipe above, but that's just because
nothing is printing the error message: it does still segfault. Try this
instead, which reproduces it here on i386 with xbase-clients 4.2.1-5:

[colinw@eurydice ~]$ MANPATH=`perl -we'print "a" x 8192'` xman
Xman Error: No manual pages found.
[colinw@eurydice ~]$ MANPATH=`perl -we'print "a" x 8193'` xman
Segmentation fault
--
Colin Watson [cjwatson@flatline.org.uk]
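
The message above notes that the backtick recipe hides the crash because nothing reports how the process ended. As an added example (not part of the original thread and not xman or Debian code), this Python check reads the child's wait status directly and bisects for the boundary. `probe`, `first_crashing_length` and `STAND_IN` are hypothetical names; `STAND_IN` is a constructed child that kills itself with SIGSEGV above 8192 bytes so the check runs without xman.

```python
import os
import signal
import subprocess
import sys

# Constructed stand-in for the crashing program (an assumption, not xman):
# it raises SIGSEGV on itself when MANPATH is longer than 8192 bytes.
STAND_IN = [sys.executable, "-c",
            "import os, signal\n"
            "if len(os.environ.get('MANPATH', '')) > 8192:\n"
            "    os.kill(os.getpid(), signal.SIGSEGV)\n"]

def probe(cmd, var, length, fill="a", timeout=30):
    """Run cmd with env var `var` set to `length` fill characters.

    Returns the name of the signal that killed the child (e.g. "SIGSEGV"),
    or None if it exited by itself or had to be stopped at the timeout.
    """
    env = dict(os.environ)
    env[var] = fill * length
    try:
        done = subprocess.run(cmd, env=env, timeout=timeout,
                              stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return None
    # A negative returncode is how subprocess reports death by signal, so
    # the result does not depend on a shell printing "Segmentation fault".
    if done.returncode < 0:
        return signal.Signals(-done.returncode).name
    return None

def first_crashing_length(cmd, var, lo, hi):
    """Bisect for the smallest length in (lo, hi] that kills cmd by signal.
    Assumes lengths up to the boundary survive and all longer ones crash."""
    if probe(cmd, var, lo) is not None or probe(cmd, var, hi) is None:
        raise ValueError("lo must survive and hi must crash")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(cmd, var, mid) is None:
            lo = mid
        else:
            hi = mid
    return hi

if __name__ == "__main__":
    for n in (8192, 8193):
        print(n, probe(STAND_IN, "MANPATH", n))
```

To run the same check against an installed package, pass `["xman"]` in place of `STAND_IN`.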