Subject: bin/33551: strings(1) crashes on user-supplied input
To: None <,>
From: None <>
List: netbsd-bugs
Date: 05/25/2006 02:15:04
>Number:         33551
>Category:       bin
>Synopsis:       strings(1) crashes on user-supplied input
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 25 02:15:04 +0000 2006
>Originator:     Daniel Carosone
>Release:        NetBSD 3.99.19
System: NetBSD 3.99.19 NetBSD 3.99.19 (_bcd_) #20: Fri May 12 22:40:19 EST 2006 dan@resurgam:/home/NetBSD/obj/p2/home/NetBSD/HEAD/src/sys/arch/i386/compile/_bcd_ i386
Architecture: i386
Machine: i386

The strings utility is susceptible to a denial-of-service because it
fails to properly handle unexpected user-supplied input.

This issue allows attackers to crash the affected utility.  This may
aid attackers by making analysis of binary files more difficult.

SO is tracking this issue as #7482, in case the severity becomes
worse; for example, if the issue turns out to allow code injection for a
tool an administrator might run.

This is real - on 3.0 (x86) at least.


Please be aware that the fix in CVS is _different_ from the patch in the
bug report.

see above
see above