CCing the bug report.
* Steffen Joeris <[hidden email]> [2008-09-05 11:51]:
> Looking at #497835 I guess it might not be a bad idea to request a security
> audit for gmanedit. I have added a placeholder temp item to the security
> tracker for now. Can someone request the audit or shortly outline how to do
> it or who to mail?
In theory it is possible to overflow a buffer with a large COMMAND
string in the configuration file (I find it not very likely
that someone would send you a gmanedit configuration file).
The buffer that comes from ReadConfFromFile can be bigger than command can take:
862 static gchar *ReadConfFromFile(gchar *variable)
864 FILE *f;
865 gchar readed[80];
866 gchar *home;
867 gchar *tok;
869 // Attempt to open the file with the custom configuration
870 home = getenv("HOME");
880 while (fgets(readed,80,f) != NULL)
882 // The following strips the carriage returns from the lines read
883 if (readed[strlen(readed)-1] == '\n')
884 readed[strlen(readed)-1] = '\0';
886 if ((readed[0] != '#') && (!strncmp(variable,readed,strlen(variable))))
888 tok = strtok(readed,"=");
889 tok = strtok(NULL,"=");
In practice this is a bug because the pointer into readed is no longer valid after
the function has returned. It may still be accessible in some cases, though.
It should definitely be fixed.
Similar problems are all over the code: heavy strcpy/strcat usage without
any bounds checking, though on self-supplied data.
When reading a manpage file there can be a problem if the text is converted to UTF-8:
1148 static void open_man_file(gchar *manfile)
1156 gchar *utf8;
1157 gchar * buffer = (gchar*)malloc(BUFFER_SIZE);
1179 if ((f=gzopen((gchar *)manfile,"rb"))!=NULL)
1184 if (bytes_read>0)
1186 utf8 = NULL;
1187 if (g_utf8_validate(buffer, -1, NULL) == FALSE)
1189 utf8 = g_locale_to_utf8(buffer, -1, NULL, NULL, NULL);
1191 if (utf8 != NULL)
1193 gtk_text_buffer_insert_at_cursor(tb, buffer ,bytes_read);
This should be an exploitable heap overflow. When the manpage buffer is converted from the
current locale to UTF-8 (line 1189), the resulting buffer can be bigger than
the previous locale buffer. As the strncpy call in line 1192 is useless, since it uses strlen(utf8)
as the upper bound, it is possible to overflow buffer in some situations.
Because of this I raise the severity and re-add the security tag.
The overall code quality is pretty bad from my point of view and this
program should be heavily reworked.
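As an added illustration of the ReadConfFromFile problem described above (example code written for this note, not gmanedit's own code): the value is parsed out of the same kind of 80-byte fgets line buffer, but it is copied into caller-owned storage with the destination size as the bound, so nothing points into the local buffer after return and an over-long COMMAND value is rejected instead of overflowing. COMMAND_SIZE, LINE_SIZE, the function names and the sample configuration text are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the fixed `command` buffer the value ends up in, and the
 * 80-byte line buffer ReadConfFromFile reads into. */
#define COMMAND_SIZE 32
#define LINE_SIZE 80

/* Parse one "VARIABLE=value" line.
 * Returns 1 if the variable matched and the value was copied into out,
 *         0 if the line is a comment or a different variable,
 *        -1 if the value does not fit in out (the case an unbounded
 *           strcpy into `command` would overflow on). */
int parse_conf_line(const char *line, const char *variable,
                    char *out, size_t out_size)
{
    size_t vlen = strlen(variable);
    size_t len;

    /* Require "VARIABLE=" so a prefix match (COMMAND vs COMMANDER) is not accepted. */
    if (line[0] == '#' || strncmp(line, variable, vlen) != 0 || line[vlen] != '=')
        return 0;
    line += vlen + 1;

    /* The value runs to the line ending; strcspn handles "\n" and "\r\n" alike. */
    len = strcspn(line, "\r\n");
    if (len + 1 > out_size)
        return -1;
    memcpy(out, line, len);
    out[len] = '\0';
    return 1;
}

/* Read the first matching variable from an open config file. The line buffer
 * is local, as in ReadConfFromFile, but the value is copied out of it before
 * return, so the caller never holds a pointer into dead stack memory. */
int read_conf_value(FILE *f, const char *variable, char *out, size_t out_size)
{
    char readed[LINE_SIZE];

    while (fgets(readed, sizeof readed, f) != NULL) {
        int r = parse_conf_line(readed, variable, out, out_size);
        if (r != 0)
            return r;
    }
    return 0;
}

/* Convenience for running stand-alone: load a constructed config text into a
 * temporary file (tmpfile() is standard C) and look a variable up in it.
 * Returns -2 if the temporary file cannot be created. */
int lookup_in_config_text(const char *text, const char *variable,
                          char *out, size_t out_size)
{
    FILE *f = tmpfile();
    int r;

    if (f == NULL)
        return -2;
    fwrite(text, 1, strlen(text), f);
    rewind(f);
    r = read_conf_value(f, variable, out, out_size);
    fclose(f);
    return r;
}

int main(void)
{
    /* Constructed sample configuration, plus a line with an over-long value. */
    const char *conf =
        "# gmanedit configuration (constructed sample)\n"
        "COMMANDER=not this one\n"
        "COMMAND=less -R\n";
    const char *too_long =
        "COMMAND=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    char command[COMMAND_SIZE];

    if (lookup_in_config_text(conf, "COMMAND", command, sizeof command) == 1)
        printf("COMMAND = \"%s\"\n", command);
    if (lookup_in_config_text(too_long, "COMMAND", command, sizeof command) == -1)
        printf("over-long COMMAND value rejected instead of overflowing\n");
    return 0;
}
```

Unlike the strtok pair in the original, everything after the first '=' is kept as the value, so a command containing '=' survives intact; a line longer than 79 bytes arrives from fgets in pieces, and the first piece is simply rejected as too long.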
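For the UTF-8 conversion path in open_man_file, an added example (again not gmanedit's code): a small Latin-1 to UTF-8 converter stands in for g_locale_to_utf8() and shows that the converted text grows, why bounding the copy back by strlen(utf8) cannot protect the fixed heap buffer, and two hardened alternatives. BUFFER_SIZE, the converter, the function names and the sample bytes are assumptions; the needs_conversion flag stands in for the result of g_utf8_validate().

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed stand-in for gmanedit's fixed manpage buffer, kept small here so
 * the expansion is visible. */
#define BUFFER_SIZE 16

/* Minimal ISO-8859-1 -> UTF-8 conversion standing in for g_locale_to_utf8()
 * in a Latin-1 locale: each byte >= 0x80 becomes two bytes, so the output can
 * be almost twice as long as the input. Returns a malloc'd, NUL-terminated
 * string the caller frees, or NULL on allocation failure. */
char *latin1_to_utf8(const unsigned char *in, size_t in_len)
{
    char *out = malloc(in_len * 2 + 1);
    size_t o = 0;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    return out;
}

/* The copy the report describes, strncpy(buffer, utf8, strlen(utf8)), bounds
 * the copy by the *source* length, so it limits nothing: a converted string
 * longer than buffer_size - 1 runs off the end of the heap chunk (and even
 * when it fits, no terminator is written). Predicts that outcome instead of
 * performing it: returns 1 if the copy would overflow. */
int copy_back_overflows(const char *utf8, size_t buffer_size)
{
    return strlen(utf8) + 1 > buffer_size;
}

/* Hardened option A: keep the fixed buffer but bound the copy by the
 * destination, backing up so a multibyte sequence is not cut in half.
 * Returns the number of bytes stored (the text may be truncated). */
size_t copy_back_bounded(char *buffer, size_t buffer_size, const char *utf8)
{
    size_t len = strlen(utf8);

    if (buffer_size == 0)
        return 0;
    if (len > buffer_size - 1) {
        len = buffer_size - 1;
        while (len > 0 && ((unsigned char)utf8[len] & 0xC0) == 0x80)
            len--;   /* utf8[len] is the first byte left out; never leave a lead byte behind */
    }
    memcpy(buffer, utf8, len);
    buffer[len] = '\0';
    return len;
}

/* Hardened option B (preferable): never copy back at all. Hand the caller the
 * text to insert in its own allocation, with the byte length the text-buffer
 * insert needs. needs_conversion stands in for the g_utf8_validate() result. */
char *text_for_insert(const unsigned char *raw, size_t raw_len,
                      int needs_conversion, size_t *out_len)
{
    char *text;

    if (needs_conversion) {
        text = latin1_to_utf8(raw, raw_len);
    } else {
        text = malloc(raw_len + 1);
        if (text != NULL) {
            memcpy(text, raw, raw_len);
            text[raw_len] = '\0';
        }
    }
    if (text == NULL)
        return NULL;
    *out_len = strlen(text);
    return text;
}

int main(void)
{
    /* Constructed input: ten Latin-1 "é" bytes, which fit the 16-byte buffer
     * before conversion but need 20 bytes afterwards. */
    unsigned char raw[10];
    char buffer[BUFFER_SIZE];
    char *utf8;

    memset(raw, 0xE9, sizeof raw);
    utf8 = latin1_to_utf8(raw, sizeof raw);
    if (utf8 == NULL)
        return 1;
    printf("converted length %zu, strlen-bounded copy overflows: %s\n",
           strlen(utf8), copy_back_overflows(utf8, BUFFER_SIZE) ? "yes" : "no");
    printf("destination-bounded copy keeps %zu bytes\n",
           copy_back_bounded(buffer, sizeof buffer, utf8));
    free(utf8);
    return 0;
}
```

Option B is the one to prefer: the converted string already carries its own length, so inserting it directly (and freeing it afterwards) removes the copy, and with it the overflow, without truncating the manpage text.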