Package: lpe
Version: 1.2.7-1
Severity: grave
There is an off-by-1 buffer overflow in my buffer overflow fix. While
scanning for plugins, the length of available basename is stored that
includes \0, and then in another loop it is tested against
strlen(basename) that clearly does not include trailing \0.
Workaround is to either remove all the plugins, or change the order in
which they are returned by the file system (kind of tricky!), or apply
the patch,
diff -u lpe-1.2.7/src/buffer.c lpe-1.2.7/src/buffer.c
--- lpe-1.2.7/src/buffer.c 2014-06-23 22:53:33.582593198 -0500
+++ lpe-1.2.7/src/buffer.c 2014-12-23 09:08:54.888625050 -0600
@@ -158,8 +158,8 @@
int (*accept) (buffer *);
if (strlen(ent->d_name) > basename_len) {
- basename_len = strlen(ent->d_name) + 1;
- name = realloc(name, (basename-name) + basename_len);
+ basename_len = strlen(ent->d_name);
+ name = realloc(name, (basename-name) + basename_len + 1);
basename = name + basename_off;
}
strcpy (basename, ent->d_name);
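Review bot: The realloc() result on the second added line is assigned straight back to name and used on the following line with no NULL check, so an allocation failure loses the old block and the strcpy (basename, ent->d_name) after the if then writes through an invalid pointer; assign to a temporary, check it, and only then update name and basename. The size is also computed from (basename-name) while the pointer is rebuilt from basename_off; using basename_off in both places would make it clear that the same offset is meant.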
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lpe depends on:
ii libc6 2.19-13
ii libncurses5 5.9+20140913-1
ii libslang2 2.3.0-2
ii libtinfo5 5.9+20140913-1
lpe recommends no packages.
lpe suggests no packages.
-- no debconf information
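
The order dependence described in the report can be seen by replaying only the size bookkeeping of the scan loop. The following is an added example, not code from lpe or from the report: the function name, the constructed file names and the assumption that nothing is reserved before the first entry are all illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Replays only the size bookkeeping of the scan loop; nothing is copied.
 * Returns the largest number of bytes strcpy() would write past the space
 * reserved for the basename. Assumption: nothing is reserved before the
 * first entry. */
static size_t max_overrun(const char *const *names, size_t n, int patched)
{
    size_t basename_len = 0;  /* the loop's own length variable */
    size_t reserved = 0;      /* bytes actually available at basename */
    size_t worst = 0;

    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        if (len > basename_len) {
            if (patched) {
                basename_len = len;          /* excludes the NUL */
                reserved = basename_len + 1;
            } else {
                basename_len = len + 1;      /* includes the NUL */
                reserved = basename_len;
            }
        }
        size_t need = len + 1;               /* strcpy writes the NUL too */
        if (need > reserved && need - reserved > worst)
            worst = need - reserved;
    }
    return worst;
}

/* Constructed directory entries, in two enumeration orders. */
static const char *const short_first[] = { "mode_a.so", "mode_bb.so" };
static const char *const long_first[]  = { "mode_bb.so", "mode_a.so" };

int main(void)
{
    printf("unpatched, short first: %zu\n", max_overrun(short_first, 2, 0));
    printf("unpatched, long first:  %zu\n", max_overrun(long_first, 2, 0));
    printf("patched,   short first: %zu\n", max_overrun(short_first, 2, 1));
    return 0;
}
```

The unpatched bookkeeping only comes up short when an entry is exactly one character longer than the longest name seen so far, which is why the result depends on the order in which the file system returns the entries.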