Title:  [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version : openmotif 2.2.3(not got 2.2.4,so not test in
openmotif 2.2.4)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) have discovered multiple vulnerability in
openmotif libUil library. details following:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
    202 void    diag_issue_diagnostic
    203             ( int d_message_number, src_source_record_type
*az_src_rec,
    204               int l_start_column, ...)
    205
    206 {
    207     va_list     ap;                     /* ptr to variable
length parameter */
    208     int         severity;               /* severity of message */
    209     int         message_number;         /* message number */
    210     char        msg_buffer[132];        /* buffer to construct
message */
    211     char        ptr_buffer[buf_size];   /* buffer to construct
pointer */
    212     char        loc_buffer[132];        /* buffer to construct
location */
    213     char        src_buffer[buf_size];   /* buffer to hold source
line */
......
    293     va_start(ap, l_start_column);
    294
    295 #ifndef NO_MESSAGE_CATALOG
    296[1.1]     vsprintf( msg_buffer,
    297               catgets(uil_catd, UIL_SET1, msg_cat_table[
message_number ],
    298                       diag_rz_msg_table[ message_number ].ac_text),
    299              ap );
    300 #else
    301[1.2]     vsprintf( msg_buffer,
    302               diag_rz_msg_table[ message_number ].ac_text,
    303               ap );

    304 #endif
    305     va_end(ap);

[1.1][1.2] call vsprintf will cause buffer overflow if ap is user-support
data,so if one local or remote application which used this library may
cause execute arbitrary code .

2: libUil.so open_source_file buffer voerflow

Clients/uil/UilSrcSrc.c

    620 status
    621 open_source_file( XmConst char           *c_file_name,
    622                   uil_fcb_type           *az_fcb,
    623                   src_source_buffer_type *az_source_buffer )
    624 {
    625
    626     static unsigned short       main_dir_len = 0;
    627     boolean                     main_file;
    628     int                         i;  /* loop index through
include files */
    629     char                        buffer[256];
    630
    631
    632     /* place the file name in the expanded_name buffer */
    633
    634[2.1]   strcpy(buffer, c_file_name);
    635
    636 /*    Determine if this is the main file or an include file.  */
    637
    638     main_file = (main_fcb == NULL);
    639
[2.1] like above

--EOF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/