Bug#497835: gmanedit: Found several buffer overflows


François Wendling
Package: gmanedit
Version: 0.4.1-1
Severity: important
Tags: security

Hi,

Gmanedit includes several buffer overflows. It needs to be audited
seriously, user input is never checked. Here are the ones I found:

        * Launch the wizard, click all the boxes, complete the wizard. Check
                for "cad[512]" in the source, it's where the problem is, it should
                be increased; it fixes the problem, but it's ugly.

        * Launch the wizard, type a very long line in title or name of the
                manpage. At first the UI doesn't limit the number of characters
                you can enter, then the code handles it badly.

        * Open preferences, flood the inputbox.

        * Same as above, but this time it comes from the rc file. Just fill the
                "COMMAND=" parameters with a lot of characters.
       
        * Fill the editor with a 200kb file, then try to see the man ("view
                created page").

Maybe there are some others, so it needs a good audit. I don't send a
patch, because I can't fix properly, but don't hesitate to ask me
more if you need.

Regards,






Joop Stakenborg-3
Hello François,

thanks for all your bug reports, it is much appreciated!

I currently don't have time to work on a new version (I am also the
upstream maintainer), because I will go on holiday this weekend for 3
weeks. When I get back I will start working on an updated version.
Please feel free to use the Debian BTS when you find more bugs.

Thanks,
Joop pa3aba at debian dot org

Nico Golde-6
In reply to this post by François Wendling
Hi François,
* François Wendling <[hidden email]> [2008-09-05 01:51]:

> Gmanedit includes several buffer overflows. It needs to be audited
> seriously, user input is never checked. Here are the ones I found:
>
> * Launch the wizard, click all the boxes, complete the wizard. Check
> for "cad[512]" in the source, it's where the problem is, it should
> be increased; it fixes the problem, but it's ugly.
>
> * Launch the wizard, type a very long line in title or name of the
> manpage. At first the UI doesn't limit the number of characters
> you can enter, then the code handles it badly.
>
> * Open preferences, flood the inputbox.
>
> * Same as above, but this time it comes from the rc file. Just fill the
> "COMMAND=" parameters with a lot of characters.
>
> * Fill the editor with a 200kb file, then try to see the man ("view
> created page").

I took a look at these and they are definitely bugs but not
security issues. At least I currently see no way how an
attacker could use these bugs to exploit a victim. Loading
files with long titles works fine for example. I'll continue
to have a look at the rest of the code.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [hidden email] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
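
Added example, not part of the original thread and not gmanedit's code: a C sketch of bounded handling for two of the inputs listed in the report, a "COMMAND=" line read from the rc file and a wizard title formatted into a 512-byte buffer like "cad[512]". The helper names rc_get_command and build_title and the ".TH" title layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CAD_SIZE 512   /* same size as the "cad[512]" buffer named in the report */

/* Hypothetical helper: extract the value of a "COMMAND=" rc-file line into
 * out[outsz]. Returns 0 on success, -1 if the line is not a COMMAND line,
 * -2 if the value does not fit (rejected instead of overflowing or
 * silently truncating). */
int rc_get_command(const char *line, char *out, size_t outsz)
{
    static const char key[] = "COMMAND=";
    size_t klen = sizeof key - 1;
    size_t vlen;

    if (outsz == 0 || strncmp(line, key, klen) != 0)
        return -1;
    line += klen;
    vlen = strcspn(line, "\r\n");        /* value ends at end of line */
    if (vlen >= outsz)                   /* need room for the NUL too */
        return -2;
    memcpy(out, line, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Hypothetical helper: format a man page title line into cad[n] from
 * user-supplied wizard fields. snprintf never writes more than n bytes;
 * its return value tells us whether the output would have been longer. */
int build_title(char *cad, size_t n, const char *name, const char *section)
{
    int need = snprintf(cad, n, ".TH \"%s\" %s", name, section);
    if (need < 0 || (size_t)need >= n)
        return -1;                       /* too long: caller reports an error */
    return 0;
}

int main(void)
{
    char cad[CAD_SIZE], big[2000];       /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short title: %d\n", build_title(cad, sizeof cad, "gmanedit", "1"));
    printf("long title:  %d\n", build_title(cad, sizeof cad, big, "1"));
    printf("rc ok:       %d\n", rc_get_command("COMMAND=xterm -e man\n", cad, sizeof cad));
    return 0;
}
```

Matching the limit in the UI as well, for example with gtk_entry_set_max_length() on the entry widgets, keeps the user from typing input that the code would then reject.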
