Ubuntu
avra package

buffer overflow in avra1.2.3a

Bug #745129 reported by Zubin Mithra
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
avra (Ubuntu)
Triaged
Undecided
Unassigned

Bug Description

Binary package hint: avra

There is a buffer overflow bug in avra1.2.3a which might lead to memory corruption, at the very most. Privilege escalation nor any kind of local exploitation is expected as it runs with the privileges of the current user.

Tracing the control flow during static analysis gives the following:-

load_arg_defines has an `strcpy(buff, define->data)` where buff is declared as `char buff[256];`. In order to inspect the values of data, we look at `struct prog_info *pi`; or rather the `args` argument of `pi`.

Memory is allocated for `args` in `alloc_args`(args.c) and values are set for it in `read_args`. Please note the lines:-

if(args->arg[j].type != ARGTYPE_STRING_MULTISINGLE)
    args->arg[j].data = argv[++i];

Evidently, at some point, the value depends on command line input and this input can be used to overflow the `buff` array.

See original description
Zubin Mithra (zubin-mithra)
visibility: private → public
description: updated
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Could you please file a bug with the upstream avra project, and link the bug here?

http://sourceforge.net/tracker/?group_id=55499&atid=477231

Thanks!

Changed in avra (Ubuntu):
status: New → Triaged
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.