Bugtraq mailing list archives

Buffer overflow in Xprt

From: lupus () LETTERE UNIPD IT (Paolo Molaro)
Date: Mon, 9 Nov 1998 19:24:25 +0100


There is a buffer overflow in the postscript backend of the
Xprint server: look at the S_OutStr() function in the file psout.c.
A user-supplied variable-lenght string is stored in a 512 sized buffer.
This bug is present in version R6, public-patch-3 and later.

WORKAROUND: do not run the Xprt server.
FIX: make the function malloc() a buffer big enough and recompile.

xfree86 and opengroup have been notified a while ago.

lupus

--
"The number of UNIX installations has grown to 10, with more expected."
    - _The UNIX Programmer's Manual_, Second Edition, June, 1972.

Current thread:

Several new CGI vulnerabilities xnec (Nov 09)
- Vulnerabilities with Swish Job de Haas (Nov 09)
- Re: Several new CGI vulnerabilities Karl Hanmore (Nov 10)
- Re: Several new CGI vulnerabilities Gus (Nov 10)
  - Buffer overflow in Xprt Paolo Molaro (Nov 09)
  - Re: Several new CGI vulnerabilities Lincoln Stein (Nov 10)
  - Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) Andi Kleen (Nov 10)
    - Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) David S. Miller (Nov 11)
- Vulnerabilities with Swish Jochen Thomas Bauer (Nov 10)
- <Possible follow-ups>
- Re: Several new CGI vulnerabilities Lincoln Stein (Nov 12)