Vulnerability Development mailing list archives
Bug in libXcursor , is it exploitable?
From: gr00vy <groovy2600 () yahoo com ar>
Date: 08 Nov 2003 22:23:35 -0300
INTRO:
------------------------------------------------------------------
Off-by-one bug in libXcursor that shows up when $HOME does not start with a '/'.

THE QUESTION:
------------------------------------------------------------------
Could this bug compromise a system? In what cases?

TEST:
------------------------------------------------------------------
root@zencracking:/root# HOME=%n%n%n%n%n%n
root@zencracking:/root# xterm      << not necessarily xterm; any program that uses libXcursor will SIGSEGV
Segmentation fault
root@zencracking:/root# gdb xterm
(gdb) r
Starting program: /root/xterm-181/xterm

Program received signal SIGSEGV, Segmentation fault.
0x4026e5bd in _int_malloc () from /lib/libc.so.6
(gdb) bt
#0  0x4026e5bd in _int_malloc () from /lib/libc.so.6
#1  0x4026d6b5 in malloc () from /lib/libc.so.6
#2  0x4025c003 in __fopen_internal () from /lib/libc.so.6
#3  0x4025c0ce in fopen@@GLIBC_2.1 () from /lib/libc.so.6
#4  0x4001e47a in XcursorFilenameSave () from /usr/X11R6/lib/libXcursor.so.1
#5  0x4001e616 in XcursorLibraryLoadImages () from /usr/X11R6/lib/libXcursor.so.1
#6  0x4001e824 in XcursorShapeLoadImages () from /usr/X11R6/lib/libXcursor.so.1
#7  0x4001eb6e in XcursorTryShapeCursor () from /usr/X11R6/lib/libXcursor.so.1
#8  0x4012d628 in _XTryShapeCursor () from usr/X11R6/lib/libX11.so.6
#9  0x4012d9e9 in XCreateGlyphCursor () from usr/X11R6/lib/libX11.so.6
#10 0x4012de59 in XCreateFontCursor () from usr/X11R6/lib/libX11.so.6
#11 0x0805f3ce in make_colored_cursor (cursorindex=68, fg=0, bg=16777215) at misc.c:216
#12 0x0805b578 in get_terminal () at main.c:2467
#13 0x0805b019 in main (argc=0, argv=0xbffff9e8) at main.c:2111
#14 0x4020dbb4 in __libc_start_main () from /lib/libc.so.6
(gdb) i r
eax            0x808e780        134801280
ecx            0x40327300       1077048064
edx            0x40327354       1077048148
ebx            0x40326234       1077043764
esp            0xbffff650       0xbffff650
ebp            0xbffff688       0xbffff688
esi            0x0      0
edi            0x0      0
eip            0x4026e5bd       0x4026e5bd
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1

Regards

THE FIX BY David Dawes <dawes () x-oz com>:
-----------------------------------------------------------
Index: xc/lib/Xcursor/library.c
===================================================================
RCS file: /home/x-cvs/xc/lib/Xcursor/library.c,v
retrieving revision 1.2
diff -u -r1.2 library.c
--- library.c	26 Jan 2003 03:22:42 -0000	1.2
+++ library.c	7 Nov 2003 17:48:21 -0000
@@ -101,6 +101,9 @@
 	if (!home)
 	    return 0;
 	homelen = strlen (home);
+	/* A '/' gets prepended if $HOME doesn't start with one. */
+	if (home[0] != '/')
+	    homelen++;
 	dir++;
 	dirlen--;
     }
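Review bot: the `homelen++` in this hunk corrects the size computation but leaves the copy site unchecked, so the invariant that exactly one '/' is prepended to a non-rooted $HOME is now enforced only by the comment and by the append code living somewhere else. Suggest either deriving the allocation from the same routine that performs the join, or checking the final string length against the malloc'd size before writing (an assertion, or a bounded copy such as snprintf into the buffer), so a later change to the path-joining logic cannot reintroduce the off-by-one silently. For the question raised in the post: a single byte written past the end of a malloc'd block lands in the next chunk's header, which is consistent with the backtrace faulting later inside _int_malloc under fopen() in XcursorFilenameSave rather than at the copy itself; whether that is more than a crash depends on what the allocator does with the corrupted header, which this patch alone does not answer.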
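The mechanism behind the crash, as an added illustration that is not part of gr00vy's post or of libXcursor's source: a small C model of the path-building the patch describes. A '/' is inserted in front of $HOME when it lacks one, but the pre-patch sizing reserved only strlen(home), so a HOME such as %n%n%n%n%n%n needs one byte more than was allocated. The helper names `append_elt`, `alloc_size_unfixed`, `alloc_size_fixed` and `build_home_path` are this example's own, not libXcursor identifiers; the separator and slash-stripping behaviour is an assumption modelled on what the patch comment implies, and the join is measured against the would-be allocation instead of written into a buffer of that size, so the demo itself never overflows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of expanding "~/<dir>" against an allocation of `alloc` bytes.
 * `written` counts every byte the join produces including the terminating
 * NUL; `overflow` is how many of those land past the end of the allocation. */
struct build_result {
    size_t alloc;
    size_t written;
    size_t overflow;
    char   path[256];   /* scratch space; the demo measures instead of overflowing */
};

/* Append one element to `path`: insert a '/' when the buffer is empty or does
 * not already end in one, drop the element's own leading slashes so "//"
 * never appears, then copy. Returns the new length without the NUL.
 * (Hypothetical helper modelled on the behaviour the patch comment implies.) */
static size_t append_elt(char *path, size_t pathlen, const char *elt, size_t eltlen)
{
    if (pathlen == 0 || path[pathlen - 1] != '/')
        path[pathlen++] = '/';
    while (eltlen > 0 && elt[0] == '/') {
        elt++;
        eltlen--;
    }
    memcpy(path + pathlen, elt, eltlen);
    pathlen += eltlen;
    path[pathlen] = '\0';
    return pathlen;
}

/* Pre-patch sizing: strlen(home) for $HOME, one byte for the separator,
 * the directory, and one for the NUL. Nothing accounts for the '/' that
 * append_elt() inserts in front of a HOME that does not start with one. */
static size_t alloc_size_unfixed(const char *home, const char *dir)
{
    return strlen(home) + 1 + strlen(dir) + 1;
}

/* Patched sizing: one extra byte when $HOME lacks the leading '/',
 * mirroring the `if (home[0] != '/') homelen++;` hunk. */
static size_t alloc_size_fixed(const char *home, const char *dir)
{
    size_t homelen = strlen(home);
    if (home[0] != '/')
        homelen++;
    return homelen + 1 + strlen(dir) + 1;
}

/* Expand "~/<dir>" with the given HOME and compare the bytes the join wants
 * against `alloc`, the size the caller would have passed to malloc(). */
static struct build_result build_home_path(const char *home, const char *dir, size_t alloc)
{
    struct build_result r = { .alloc = alloc };
    size_t len = 0;

    /* Guard the scratch buffer itself; inputs here are short, but be safe. */
    if (strlen(home) + strlen(dir) + 3 > sizeof r.path)
        return r;

    r.path[0] = '\0';
    len = append_elt(r.path, len, home, strlen(home));
    len = append_elt(r.path, len, dir, strlen(dir));
    r.written  = len + 1;                                 /* include the NUL */
    r.overflow = r.written > alloc ? r.written - alloc : 0;
    return r;
}

/* Bytes the unfixed / fixed allocation would have let the join write past
 * its end for this HOME and directory. */
static size_t overflow_unfixed(const char *home, const char *dir)
{
    return build_home_path(home, dir, alloc_size_unfixed(home, dir)).overflow;
}

static size_t overflow_fixed(const char *home, const char *dir)
{
    return build_home_path(home, dir, alloc_size_fixed(home, dir)).overflow;
}

int main(void)
{
    /* Constructed inputs: a normal HOME, the value used in the post, and an
     * empty HOME (no leading '/', so the fixed sizing adds a byte there too). */
    const char *homes[] = { "/root", "%n%n%n%n%n%n", "" };
    const char *dir = ".icons";

    for (size_t i = 0; i < sizeof homes / sizeof homes[0]; i++) {
        struct build_result r = build_home_path(homes[i], dir, alloc_size_unfixed(homes[i], dir));
        printf("HOME=\"%s\" -> \"%s\": needs %zu bytes, unfixed alloc %zu (overflow %zu), "
               "fixed alloc %zu (overflow %zu)\n",
               homes[i], r.path, r.written, r.alloc, r.overflow,
               alloc_size_fixed(homes[i], dir), overflow_fixed(homes[i], dir));
    }
    return 0;
}
```

Run as-is, the rooted HOME fits in either allocation, the HOME from the post wants one byte more than the unfixed sizing reserved and fits the patched sizing exactly, and the empty HOME happens not to overflow because the inserted '/' then doubles as the separator before the directory. The single excess byte is the string's terminating NUL landing just past the malloc'd block, which is why the damage shows up at a later allocator call rather than at the copy.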