non-exploitable buffer overflow in gfxboot
Bug #27011 reported by Martin Pitt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gfxboot (Ubuntu) | Fix Released | Low | Colin Watson |
Bug Description
(sorry, gfxboot is not yet in the bz package list)
mkbootmsg.c:
1767: char *s, buf[1024];
1867: sprintf(buf, "%s", dict[val].name);
(There are more sprintfs with a similar structure below)
I did not see any apparent length check of dict[val].name, so this looks
suspiciously like a stack-based buffer overflow that could be triggered and
controlled by a malicious theme that is processed by mkbootmsg.
I didn't check thoroughly that it is really exploitable, but just for the sake
of safety this should either use asprintf() or snprintf().
Thanks!
(In reply to comment #0)
> I didn't check thoroughly that it is really exploitable, but just for the sake
> of safety this should either use asprintf() or snprintf().
Or rather, the program should just bail out if it detects an overly long
dictionary entry.
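The pattern reported above (an unbounded sprintf of dict[val].name into a fixed 1024-byte stack buffer) and the two proposed remedies (bounded formatting with snprintf, and bailing out on an overly long dictionary entry) can be shown side by side. The following is an added example written for this page, not code from gfxboot or mkbootmsg; the dict_entry struct, the BUF_SIZE constant and all sample names are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024  /* assumed: matches the char buf[1024] in the report */

/* Hypothetical stand-in for mkbootmsg's dictionary entry (shape is assumed). */
struct dict_entry {
    const char *name;
};

/* The reported pattern: no length check before sprintf into a fixed stack
 * buffer.  Kept only for comparison; calling it with a name of BUF_SIZE or
 * more bytes writes past the end of buf. */
static void format_name_unsafe(char *buf, const struct dict_entry *e)
{
    sprintf(buf, "%s", e->name);
}

/* Hardened form (reporter's suggestion): snprintf bounds the write, and the
 * return value is checked so truncation is reported as an error instead of
 * being silently accepted.  Returns the formatted length, or -1 if the name
 * does not fit in bufsz bytes including the terminator. */
static int format_name_checked(char *buf, size_t bufsz, const struct dict_entry *e)
{
    int n = snprintf(buf, bufsz, "%s", e->name);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;  /* caller should abort processing of this theme */
    return n;
}

/* Up-front validation (the reply's suggestion): find the first entry whose
 * name cannot fit the buffer so the program can bail out before formatting
 * anything.  Returns the offending index, or -1 if every entry fits. */
static int first_overlong_entry(const struct dict_entry *dict, size_t count, size_t bufsz)
{
    for (size_t i = 0; i < count; i++) {
        if (strlen(dict[i].name) >= bufsz)
            return (int)i;
    }
    return -1;
}

/* Constructed sample names: one that exactly fills the buffer (BUF_SIZE - 1
 * characters plus terminator) and one that is clearly too long. */
static char g_exact_name[BUF_SIZE];
static char g_long_name[BUF_SIZE + 100];

static void init_sample_names(void)
{
    memset(g_exact_name, 'B', sizeof g_exact_name - 1);
    g_exact_name[sizeof g_exact_name - 1] = '\0';
    memset(g_long_name, 'A', sizeof g_long_name - 1);
    g_long_name[sizeof g_long_name - 1] = '\0';
}

/* A short, well-formed name formats normally and returns its length (7). */
int sample_short_len(void)
{
    char buf[BUF_SIZE];
    struct dict_entry e = { "default" };
    return format_name_checked(buf, sizeof buf, &e);
}

/* A name of exactly BUF_SIZE - 1 bytes is the largest that fits. */
int sample_exact_len(void)
{
    char buf[BUF_SIZE];
    init_sample_names();
    struct dict_entry e = { g_exact_name };
    return format_name_checked(buf, sizeof buf, &e);
}

/* An overlong name is rejected (-1) instead of overflowing buf. */
int sample_overlong_len(void)
{
    char buf[BUF_SIZE];
    init_sample_names();
    struct dict_entry e = { g_long_name };
    return format_name_checked(buf, sizeof buf, &e);
}

/* Validating a whole constructed dictionary reports index 2 as the bad entry. */
int sample_first_bad_index(void)
{
    init_sample_names();
    struct dict_entry dict[3] = { { "default" }, { g_exact_name }, { g_long_name } };
    return first_overlong_entry(dict, 3, BUF_SIZE);
}

int main(void)
{
    char buf[BUF_SIZE];
    struct dict_entry ok = { "default" };

    /* The unsafe and checked versions behave identically on well-formed input. */
    format_name_unsafe(buf, &ok);
    printf("unsafe, short name: %s\n", buf);
    printf("checked, short name: %d\n", sample_short_len());
    printf("checked, exact fit: %d\n", sample_exact_len());
    printf("checked, overlong: %d\n", sample_overlong_len());

    /* Bail out, as the reply proposes, when any dictionary entry is too long. */
    int bad = sample_first_bad_index();
    if (bad >= 0) {
        fprintf(stderr, "dictionary entry %d exceeds %d bytes, aborting\n", bad, BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

The snprintf return-value check matters: snprintf alone prevents the overflow but silently truncates, so a theme could still produce a misleading name. Checking `n >= bufsz` turns truncation into a hard error, which is the same outcome the reply asks for.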