The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible overrun in xterm

To: security@debian.org
Subject: Re: Possible overrun in xterm
From: dark@xs4all.nl (Richard Braakman)
Date: Mon, 11 Aug 1997 01:14:21 +0200 (CEST)
Cc: eichin@cygnus.com
Delivered-to: security@debian.org
In-reply-to: <xe190y991is.fsf@maneki-neko.cygnus.com> from Mark Eichin at "Aug 10, 97 05:22:19 pm"
Resent-cc: recipient list not shown: ;
Resent-date: 10 Aug 1997 23:10:58 -0000
Resent-from: debian-private@lists.debian.org
Resent-message-id: <"LNoue1.0.Yo6.2gaxp"@debian>
Resent-sender: debian-private-request@lists.debian.org

Mark Eichin wrote:
> Interesting analysis.  Clearly there's a bug.  While it may be
> difficult to exploit, I would be reluctant to assume it is impossible,
> and from your description it sounds easy enough to fix.  I'll look at
> the code myself, but did you happen to construct a fix while you were
> in there? 

I'm afraid not.  I see several possible strategies:

  - Enforce MAX_ROWS when creating or resizing the vt100 widget.
    This may mean backward incompatibility, but if MAX_ROWS is set to
    256 at the same time, it won't break anything that wasn't already
    broken.
    Finding all the places where the widget can be sized may be tricky.
  - Change those routines to allocate on the heap instead of on the stack,
    so that they can allocate enough space.  This may have significant
    speed impact, since ScrnDeleteLine and ScrnInsertLine are heavily
    used (scrolling).
  - Change those routines so that they do not need temporary storage.
    SwitchBufPtrs just swaps two arrays, this could be done
    element-by-element.  The other two perform internal swaps of some
    kind, this is more tricky to rewrite but it should be possible.
  - Use a global malloced buffer.  It should be easy to grep for all
    allocations for screen->allbuf, and add a realloc() to the same
    size for this global buffer.
  - In each of these routines, check if n > MAX_ROWS before doing any
    copying, and print an error and do a clean exit if so.  This will
    prevent any security problems but is obviously not elegant.

(I spent some time analyzing this problem, and I never made a patch
because I saw no clearly satisfactory solution.) 

I hope this helps.

-- 
Richard Braakman


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Follow-Ups:
- Re: Possible overrun in xterm
  - From: Ben Pfaff <pfaffben@pilot.msu.edu>

References:
- Re: Possible overrun in xterm
  - From: Mark Eichin <eichin@cygnus.com>

Prev by Date: Re: Possible overrun in xterm
Next by Date: RFC: libc5 to libc6 mini-howto
Previous by thread: Re: Possible overrun in xterm
Next by thread: Re: Possible overrun in xterm
Index(es):
- Date
- Thread