Subject: pkg/22084: XV should be added to "vulnerabilities" file
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 07/07/2003 11:54:24
>Number: 22084
>Category: pkg
>Synopsis: XV should be added to "vulnerabilities" file
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Mon Jul 07 09:55:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Christian Biere
>Release: NetBSD 1.6U
>Organization:
>Environment:
>Description:
The classic picture viewer XV (pkgsrc/graphics/xv) should be listed as
vulnerable because it's obviously exploitable to gain local-user-shell
access. It uses sprintf() in a very insecure manner all over the place.
There are hundreds of possibilities to cause buffer overruns - mainly by
passing long path- or filenames, where "long" often just means longer than
64 or 128 bytes. I assume that's hardly news to anyone, but for the sake
of completeness, it should be listed in the "vulnerabilities" file.
>How-To-Repeat:
Just a poor "harmless" example:
$ xv "This a so called long filename and it will crash xv because it
doesn't give a damn about protecting its buffers so it's nothing but a
can full of worms"
<Dialog pops up and says that the file doesn't exist>
Segmentation fault
Way too easy, isn't it?
>Fix:
Sorry, can't offer the six months.
>Release-Note:
>Audit-Trail:
>Unformatted:
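The pattern the report describes, an unchecked sprintf() of a filename into a fixed-size buffer, next to the bounded form that should replace it. This is an added illustration, not code from xv or from the PR; the 128-byte buffer size, the "Can't open file '%s'" message, the sample filename and the function names are all assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed-size message buffer. The PR says xv's buffers are often
 * 64 or 128 bytes; this particular size is an assumption for the example. */
#define MSGBUF 128

/* Constructed sample input in the spirit of the PR's example: a filename
 * that is clearly longer than MSGBUF. */
static const char long_name[] =
    "This is a so called long filename and it will crash xv because it "
    "doesn't give a damn about protecting its buffers so it's nothing but a "
    "can full of worms (padded a little more so it surely exceeds 128 bytes)";

/* Number of bytes the formatted message needs, NUL included, computed by
 * letting snprintf measure into a zero-length buffer so nothing is written. */
size_t open_error_len(const char *fname)
{
    int n = snprintf(NULL, 0, "Can't open file '%s'", fname);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The pattern the PR complains about: sprintf into a fixed buffer with no
 * length check. It overruns 'buf' whenever open_error_len(fname) > MSGBUF,
 * i.e. whenever the filename exceeds roughly 100 bytes here. Kept only to
 * show the bug; never call it with an attacker-controlled fname. */
void unsafe_open_error(char buf[MSGBUF], const char *fname)
{
    sprintf(buf, "Can't open file '%s'", fname);
}

/* Hardened form: snprintf bounds the write to bufsz bytes and returns the
 * length it wanted, so truncation is detected instead of silently
 * overwriting whatever sits after the buffer. Returns 0 on success,
 * 1 if the message was truncated, -1 on a formatting error. */
int safe_open_error(char *buf, size_t bufsz, const char *fname)
{
    int n = snprintf(buf, bufsz, "Can't open file '%s'", fname);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= bufsz ? 1 : 0;
}

int main(void)
{
    char buf[MSGBUF];

    printf("short name needs %zu bytes (buffer is %d)\n",
           open_error_len("foo.gif"), MSGBUF);
    printf("long name needs %zu bytes (buffer is %d)\n",
           open_error_len(long_name), MSGBUF);

    /* Only safe because "foo.gif" is short; with long_name this would
     * write past the end of buf, which is the crash the PR reproduces. */
    unsafe_open_error(buf, "foo.gif");
    printf("%s\n", buf);

    /* The bounded version copes with the long name: nothing is written past
     * buf, the message is NUL-terminated, and the caller learns it was cut. */
    int truncated = safe_open_error(buf, sizeof buf, long_name);
    printf("truncated=%d, stored %zu bytes\n", truncated, strlen(buf));
    return 0;
}
```

The length check matters as much as the switch to snprintf(): a caller that ignores the truncated result still has a well-formed string, but it may go on to open or display the wrong path, so the return value should be acted on rather than discarded.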