Re: CVE Request: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow

[Andrés Gómez Ramírez <andresgomezram7 () gmail com>]

PLIB is no longer being maintained:

http://sourceforge.net/mailarchive/message.php?msg_id=28580157

I sent a couple of bugs several months ago, but there wasn't any response
from plib developers, so I decided to make them public.

On Mon, Oct 29, 2012 at 3:58 PM, Vincent Danen <vdanen () redhat com> wrote:

> * [2012-10-29 14:02:58 -0500] Andr?s G?mez Ram?rez wrote:
>
>  Sorry for the previous message, it was not intentional :)
> > Hi, Could a CVE be assigned to this issue?
> >
> > Name: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
> > Software: PLIB 1.8.5
> > Software link: http://plib.sourceforge.net/
> > Vulnerability Type: Stack Based Buffer overflow
> > References: http://www.exploit-db.com/**exploits/21831/<http://www.exploit-db.com/exploits/21831/>
> >                   http://www.securityfocus.com/**bid/55839<http://www.securityfocus.com/bid/55839>
> >
> > Vulnerability Details: Plib is prone to stack based Buffer overflow in the
> > error function in ssg/ssgParser.cxx when it loads 3d model files as X
> > (Direct x), ASC, ASE, ATG, and OFF, if a very long error message is passed
> > to the function, in line 68:
> >
> >
> > // Output an error
> > void _ssgParser::error( const char *format, ... )
> > {
> >  char msgbuff[ 255 ];
> >  va_list argp;
> >
> >  char* msgptr = msgbuff;
> >  if (linenum)
> >  {
> >    msgptr += sprintf ( msgptr,"%s, line %d: ",
> >      path, linenum );
> >  }
> >
> >  va_start( argp, format );
> > 68        vsprintf( msgptr, format, argp );
> >  va_end( argp );
> >
> >  ulSetError ( UL_WARNING, "%s", msgbuff ) ;
> > }
> >
> > Thanks,
>
> Andreas, was this reported to upstream?  I can't see a patch or anything
> in their bug tracker regarding this.
>
> --
> Vincent Danen / Red Hat Security Response Team