buffer overflow in avra1.2.3a

Bug #745129 reported by Zubin Mithra on 2011-03-29
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
avra (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: avra

There is a buffer overflow bug in avra1.2.3a which might lead to memory corruption, at the very most. Privilege escalation nor any kind of local exploitation is expected as it runs with the privileges of the current user.

Tracing the control flow during static analysis gives the following:-

load_arg_defines has an `strcpy(buff, define->data)` where buff is declared as `char buff[256];`. In order to inspect the values of data, we look at `struct prog_info *pi`; or rather the `args` argument of `pi`.

Memory is allocated for `args` in `alloc_args`(args.c) and values are set for it in `read_args`. Please note the lines:-

if(args->arg[j].type != ARGTYPE_STRING_MULTISINGLE)
    args->arg[j].data = argv[++i];

Evidently, at some point, the value depends on command line input and this input can be used to overflow the `buff` array.

visibility: private → public
description: updated
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Could you please file a bug with the upstream avra project, and link the bug here?

http://sourceforge.net/tracker/?group_id=55499&atid=477231

Thanks!

Changed in avra (Ubuntu):
status: New → Triaged
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers