xcutsel Buffer Overflow

Bug #792642 reported by Emanuel Bronshtein
This bug affects 1 person
Affects: x11-apps (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: x11-apps

When /usr/bin/xcutsel gets 83 characters or more from the -selection option, it crashes with "buffer overflow detected".

Test case:
emanuel@emanuel-desktop:/tmp$ xcutsel -selection `python -c "print 'A'*10000"`
*** buffer overflow detected ***: xcutsel terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0xb1adf0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0xb19cca]
/lib/i386-linux-gnu/libc.so.6(+0xe43c8)[0xb193c8]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x95)[0xa9e7e5]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x2b06)[0xa74c66]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xad)[0xb1947d]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2d)[0xb193bd]
xcutsel[0x804940c]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0xa4be37]
xcutsel[0x8048c51]
Aborted

Tested on:
Ubuntu 11.04, x11-apps package version: 7.6+4ubuntu2
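
The backtrace above ends in __sprintf_chk and __fortify_fail: a fortified sprintf() call was aborted because a command-line string did not fit its destination buffer. The C below is an added example, not xcutsel's source or the upstream patch, showing that unbounded pattern next to a bounded one that rejects an oversized name. LABEL_SIZE, LABEL_FMT and every function name are assumptions made for illustration, so the limit it computes need not match the 83 characters reported.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for illustration; the page does not show xcutsel's source. */
#define LABEL_SIZE 100
#define LABEL_FMT  "copy %s to %d"

/* Unbounded pattern: sprintf() writes as many bytes as the argument needs.
 * With _FORTIFY_SOURCE it becomes __sprintf_chk(), which aborts on overflow. */
static void format_label_unbounded(char *label, const char *selection, int buffer)
{
    sprintf(label, LABEL_FMT, selection, buffer);
}

/* Bounded pattern: returns 0 on success, -1 if the label would not fit. */
static int format_label_bounded(char *label, size_t size,
                                const char *selection, int buffer)
{
    int n = snprintf(label, size, LABEL_FMT, selection, buffer);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0) label[0] = '\0';   /* never hand back a truncated label */
        return -1;
    }
    return 0;
}

/* Longest selection name that still fits in LABEL_SIZE for this buffer number. */
static size_t max_selection_len(int buffer)
{
    int fixed = snprintf(NULL, 0, LABEL_FMT, "", buffer);
    return (size_t)(LABEL_SIZE - 1 - fixed);
}

/* Constructed input: a selection name made of `len` 'A' characters. */
static int try_selection_of_length(size_t len)
{
    static char name[10001];
    char label[LABEL_SIZE];
    if (len >= sizeof name) return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return format_label_bounded(label, sizeof label, name, 0);
}

int main(void)
{
    char label[LABEL_SIZE];
    format_label_unbounded(label, "PRIMARY", 0);   /* short name: fits */
    printf("%s | max name %zu | 10000 chars -> %d\n", label,
           max_selection_len(0), try_selection_of_length(10000));
    return 0;
}
```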

Kees Cook (kees) wrote :

Thanks for the report. I've sent a patch for this to upstream.

Changed in x11-apps (Ubuntu):
status: New → In Progress
Kees Cook (kees) wrote :
Changed in x11-apps (Ubuntu):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :
Changed in x11-apps (Ubuntu):
status: In Progress → Fix Committed
Timo Aaltonen (tjaalton) wrote :

Fixed in 12.10.

Changed in x11-apps (Ubuntu):
status: Fix Committed → Fix Released