xfocus-SD-051202.txt

xfocus-SD-051202.txt: Posted Dec 3, 2005; Site xfocus.org; Openmotif version 2.2.3 is susceptible to multiple buffer overflow vulnerabilities.; tags | advisory, overflow, vulnerability; SHA-256 | f305a8bd59f1f7cadacd438fb87151f8341629efdbb056c1ebaf294c3af53637; Download | Favorite | View

xfocus-SD-051202.txt

Title:  [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version : openmotif 2.2.3(not got 2.2.4,so not test in
openmotif 2.2.4)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) have discovered multiple vulnerability in
openmotif libUil library. details following:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
    202 void    diag_issue_diagnostic
    203             ( int d_message_number, src_source_record_type
*az_src_rec,
    204               int l_start_column, ...)
    205
    206 {
    207     va_list     ap;                     /* ptr to variable
length parameter */
    208     int         severity;               /* severity of message */
    209     int         message_number;         /* message number */
    210     char        msg_buffer[132];        /* buffer to construct
message */
    211     char        ptr_buffer[buf_size];   /* buffer to construct
pointer */
    212     char        loc_buffer[132];        /* buffer to construct
location */
    213     char        src_buffer[buf_size];   /* buffer to hold source
line */
......
    293     va_start(ap, l_start_column);
    294
    295 #ifndef NO_MESSAGE_CATALOG
    296[1.1]     vsprintf( msg_buffer,
    297               catgets(uil_catd, UIL_SET1, msg_cat_table[
message_number ],
    298                       diag_rz_msg_table[ message_number ].ac_text),
    299              ap );
    300 #else
    301[1.2]     vsprintf( msg_buffer,
    302               diag_rz_msg_table[ message_number ].ac_text,
    303               ap );

    304 #endif
    305     va_end(ap);

[1.1][1.2] call vsprintf will cause buffer overflow if ap is user-support
data,so if one local or remote application which used this library may
cause execute arbitrary code .

2: libUil.so open_source_file buffer voerflow

Clients/uil/UilSrcSrc.c

    620 status
    621 open_source_file( XmConst char           *c_file_name,
    622                   uil_fcb_type           *az_fcb,
    623                   src_source_buffer_type *az_source_buffer )
    624 {
    625
    626     static unsigned short       main_dir_len = 0;
    627     boolean                     main_file;
    628     int                         i;  /* loop index through
include files */
    629     char                        buffer[256];
    630
    631
    632     /* place the file name in the expanded_name buffer */
    633
    634[2.1]   strcpy(buffer, c_file_name);
    635
    636 /*    Determine if this is the main file or an include file.  */
    637
    638     main_file = (main_fcb == NULL);
    639
[2.1] like above

--EOF

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

xfocus-SD-051202.txt

xfocus-SD-051202.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

xfocus-SD-051202.txt

Share This

xfocus-SD-051202.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems