Bug#513109: gnome-inm-forecast: crash parsing network data

Eduardo Pérez Ureta Mon, 26 Jan 2009 06:02:56 -0800

Package: gnome-inm-forecast
Version: 0.6.1-1
Severity: grave
Tags: patch

This bug is grave since it is a buffer overflow that could be used to
gain access to the machine.


The patch is attached and it is already applied to gnome-inm-forecast svn:
http://kutxa.homeunix.org/svn/gnome-inm-forecast/trunk/

#0  0x00007f6a99164ec1 in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0x0000000000406541 in parse_temperatures_data (applet_data=0x1beb740, 
    buf=0x1df61e9 "Cota nieve prov.(m)</th><td colspan=\"2\" 
class=\"borde_rb\">400&nbsp;</td><td colspan=\"2\" 
class=\"borde_rb\">700&nbsp;</td><td colspan=\"2\" 
class=\"borde_rb\">&nbsp;</td><td class=\"borde_rb\">&nbsp;</td><td cl"..., 
type=3) at main.c:612
        temp_buf = 0x1de8c60 "Cota nieve prov.(m)</th><td colspan=\"2\" 
class=\"borde_rb\">400&nbsp;</td><td colspan=\"2\" 
class=\"borde_rb\">700&nbsp;</td><td colspan=\"2\" 
class=\"borde_rb\">&nbsp;</td><td class=\"borde_rb\">&nbsp;</td><td cl"...
        tokens = (char **) 0x1dfdb00
        tk_snow = (char **) 0x0
        yy = 19
        idx = 10
#2  0x0000000000407d80 in check_inm_url_close (handle=0x1, result=GNOME_VFS_OK, 
callback_data=0x1beb740) at main.c:953
        x = 0
        applet_data = (AppletData *) 0x1beb740
#3  0x00007f6a9ac37885 in ?? () from /usr/lib/libgnomevfs-2.so.0
No symbol table info available.
#4  0x00007f6a9bf6778b in g_main_context_dispatch () from 
/usr/lib/libglib-2.0.so.0
No symbol table info available.
#5  0x00007f6a9bf6af5d in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0x00007f6a9bf6b48d in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#7  0x00007f6a99f1f336 in bonobo_main () from /usr/lib/libbonobo-2.so.0
No symbol table info available.
#8  0x00007f6a99f1d801 in bonobo_generic_factory_main_timeout () from 
/usr/lib/libbonobo-2.so.0
No symbol table info available.
#9  0x00007f6a9b7b0624 in panel_applet_factory_main_closure () from 
/usr/lib/libpanel-applet-2.so.0
No symbol table info available.
#10 0x0000000000409f34 in main (argc=2, argv=0x7fffa60475b8) at main.c:1705
        program = (GnomeProgram *) 0x1b77850
        retval = 0

--- gnome-inm-forecast-old/src/main.c
+++ gnome-inm-forecast/src/main.c
@@ -599,7 +589,7 @@
                                if (strncmp(tokens[yy], "td ", 3) == 0) 
continue;
                                if (strncmp(tokens[yy], "nbsp", 4) == 0) 
continue;
                                //printf ("SNOW[%d]: %s - len: %d - idx: %d\n", 
yy,(tokens[yy]) ? tokens[yy] : NULL, strlen(tokens[yy]), idx);
-                               if (tokens[yy] && idx <= 10){
+                               if (tokens[yy] && idx < 10){
                                        if (strlen(tokens[yy]) == 0){
                                                if (idx == 0){
                                                        strcpy 
(applet_data->day_info[0].cota_nieve, "");

Bug#513109: gnome-inm-forecast: crash parsing network data

Reply via email to