
Bug#183312: xbase-clients: Buffer overflow in "xman"



On Mon, Mar 03, 2003 at 07:45:03PM -0500, Branden Robinson wrote:
> On Mon, Mar 03, 2003 at 04:19:48PM -0500, Benjamin A.Okopnik wrote:
> > I was just trying to demonstrate something that used to be an old security
> > hole, the "MANPATH" overflow on "xman" - and it segfaulted out on me. A
> > little testing shows the boundary:
> > 
> > ben@Fenrir:~$ perl -we'$a = "a" x 8192; `MANPATH=$a xman`'
> > Xman Error: No manual pages found.
> > ben@Fenrir:~$ perl -we'$a = "a" x 8193; `MANPATH=$a xman`'
> > Segmentation fault
> > 
> > I guess it somehow got "unfixed"...
> 
> FYI, I cannot reproduce this problem on PowerPC:
> 
> [0] branden@redwald:~ % perl -we'$a = "a" x 8192; `MANPATH=$a xman`'
> Xman Error: No manual pages found.
> [0] branden@redwald:~ % perl -we'$a = "a" x 8193; `MANPATH=$a xman`'
> Xman Error: No manual pages found.
> [0] branden@redwald:~ % perl -we'$a = "a" x 8194; `MANPATH=$a xman`'
> [0] branden@redwald:~ % uname -a
> Linux redwald 2.4.19-powerpc #1 Mon Sep 9 09:01:43 EDT 2002 ppc unknown unknown GNU/Linux

I can't reproduce it with the recipe above, but that's just because
nothing is printing the error message: it does still segfault. Try this
instead, which reproduces it here on i386 with xbase-clients 4.2.1-5:

  [colinw@eurydice ~]$ MANPATH=`perl -we'print "a" x 8192'` xman
  Xman Error: No manual pages found.
  [colinw@eurydice ~]$ MANPATH=`perl -we'print "a" x 8193'` xman
  Segmentation fault

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
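
Added example, not part of the thread: a small harness that reports how the process ended from its exit status, so the result does not depend on an interactive shell printing "Segmentation fault" (which is why the backtick recipe looked clean). The names `classify` and `STANDIN` are hypothetical, and `STANDIN` is a constructed stand-in that only mimics the behaviour reported above; it is not xman.

```shell
#!/bin/sh
# Constructed stand-in for the target (NOT xman): prints the error quoted in
# the thread when MANPATH is at most 8192 bytes, and kills itself with
# SIGSEGV when it is longer, mimicking the i386 behaviour reported above.
STANDIN='[ "${#MANPATH}" -gt 8192 ] && kill -s SEGV $$; echo "Xman Error: No manual pages found."'

# classify LEN CMD [ARGS...]
# Runs CMD with MANPATH set to LEN "a" characters and discards its output,
# as the perl backtick recipe does. Prints "exit:N" for a normal exit or
# "signal:N" when the child was killed by signal N (shell status 128+N).
classify() {
    len=$1
    shift
    path=$(head -c "$len" /dev/zero | tr '\0' 'a')
    status=0
    MANPATH=$path "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "exit:$status"
    fi
}

# Sweep the boundary reported in the thread.
for n in 8191 8192 8193 8194; do
    printf '%s -> %s\n' "$n" "$(classify "$n" sh -c "$STANDIN")"
done
```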



