Subject: pkg/22084: XV should be added to "vulnerabilities" file
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 07/07/2003 11:54:24
>Number:         22084
>Category:       pkg
>Synopsis:       XV should be added to "vulnerabilities" file
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 07 09:55:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6U
>Organization:
>Environment:

>Description:
The classic picture viewer XV (pkgsrc/graphics/xv) should be listed as
vulnerable because it's obviously exploitable to gain local-user-shell
access. It uses sprintf() in a very insecure manner all over the place.
There are hundreds of possibilities to cause buffer overruns - mainly by
passing long path- or filenames, where often long means longer than 64 or
128 bytes only. I assume that's hardly new for anyone, but for the sake
of completeness, it should be listed in the "vulnerabilities" file.

>How-To-Repeat:
Just a poor "harmless" example:

$ xv "This a so called long filename and it will crash xv because it
doesn't give a damn about protecting its buffers so it's nothing but a
can full of worms"

<Dialog pops up and says that the file doesn't exist>
Segmentation fault

Way too easy, isn't it?
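The bug class the report describes, unbounded sprintf() into a small fixed-size buffer, beside the bounded form that rejects an over-long name instead of overrunning. This is an added illustration, not code from xv or from the report; the 128-byte buffer size and the "dir/file" format are assumptions chosen to match the sizes mentioned above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, in the range the report mentions (64 or 128 bytes). */
#define PATHBUF 128

/* Vulnerable pattern: unbounded sprintf() into a fixed-size buffer.
 * Kept only for comparison with the hardened form; nothing below calls it. */
int make_path_unsafe(char *out, const char *dir, const char *file)
{
    return sprintf(out, "%s/%s", dir, file);   /* writes past out if dir/file are long */
}

/* Hardened form: snprintf() bounded by the buffer size, return value checked.
 * snprintf() reports the length the full string would have had, so n >= outsz
 * means truncation. Returns 0 on success, -1 when the path does not fit
 * (out is then left as an empty string rather than a half-written path). */
int make_path_safe(char *out, size_t outsz, const char *dir, const char *file)
{
    if (outsz == 0) return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds "/tmp/<name>" in a PATHBUF-byte buffer; 1 if it fit, 0 if rejected. */
int path_fits(const char *name)
{
    char buf[PATHBUF];
    return make_path_safe(buf, sizeof buf, "/tmp", name) == 0;
}

/* Same check for a constructed name of len 'A' characters (len < 512). */
int name_of_length_fits(size_t len)
{
    char name[512];
    if (len >= sizeof name) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return path_fits(name);
}

int main(void)
{
    printf("short name fits: %d\n", path_fits("pic.gif"));        /* 1 */
    printf("300-char name fits: %d\n", name_of_length_fits(300)); /* 0 */
    return 0;
}
```

With a 128-byte buffer and the 5-byte "/tmp/" prefix, a 122-character name is the longest that still fits; one more character is rejected instead of overrunning the buffer.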

>Fix:
Sorry, can't offer the six months.
>Release-Note:
>Audit-Trail:
>Unformatted: