non-exploitable buffer overflow in gfxboot

Bug #27011 reported by Martin Pitt
Affects: gfxboot (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Colin Watson
Milestone:

Bug Description

(sorry, gfxboot is not yet in the bz package list)

mkbootmsg.c:
1767: char *s, buf[1024];
1867: sprintf(buf, "%s", dict[val].name);

(There are more sprintfs with a similar structure below)

I did not see any apparent length check of dict[val].name, so this suspiciously
looks like a stack-based buffer overflow that could be triggered and controlled
by a malicious theme that is processed by mkbootmsg.

I didn't check thoroughly that it is really exploitable, but just for the sake
of safety this should either use asprintf() or snprintf().

Thanks!

Revision history for this message
Martin Pitt (pitti) wrote :

(In reply to comment #0)
> I didn't check thoroughly that it is really exploitable, but just for the sake
> of safety this should either use asprintf() or snprintf().

Or rather, the program should just bail out if it detects an overly long
dictionary entry.

Revision history for this message
Colin Watson (cjwatson) wrote :

As it turns out, this cannot be exploited. The only case where a string of
unknown length is copied into the fixed-size buffer is when that string is the
name of an entry in the dictionary. However, this is in the decompile function,
which is only used if you run mkbootmsg with the -i option to get information
about a compiled theme; in that code path, mkbootmsg only ever uses its built-in
dictionary entries, which are fixed at compile-time and which all have
relatively short names. Thus there is no possibility of overflow.

I agree that it would be useful to fix this for the sake of cleanliness, and in
case future changes to the decompile function affect its current safety. I'll
put together a patch and propose it to upstream.
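The pattern from the report (an unchecked sprintf of a dictionary name into a fixed 1024-byte stack buffer) next to the two fixes discussed in this thread: Martin's "bail out on an overly long entry" check built on snprintf, and a sized heap copy standing in for the asprintf() approach of the Ubuntu patch. This is an added illustration, not mkbootmsg's own code; the struct, the five-entry dictionary and the function names are constructed for the example. It also shows the invariant Colin relies on, that every built-in name is shorter than the buffer, as a check you can run rather than an argument you have to trust.

```c
/* Added example, not mkbootmsg source. Constructed names and helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024                /* mirrors buf[1024] in the report */

struct dict_entry {
    const char *name;
};

/* Constructed stand-in for the compile-time built-in dictionary. */
static const struct dict_entry builtin_dict[] = {
    { "add" }, { "sub" }, { "mul" }, { "def" }, { "exec" },
};
#define BUILTIN_DICT_LEN (sizeof builtin_dict / sizeof builtin_dict[0])

/* The pattern in the report: no length check on name. Safe only while every
 * name reaching it is shorter than BUF_SIZE (the built-in dictionary); a
 * theme-supplied name of 1024+ bytes would overrun the stack buffer. */
static size_t format_name_unchecked(char buf[BUF_SIZE], const char *name)
{
    sprintf(buf, "%s", name);
    return strlen(buf);
}

/* Fix 1: snprintf and refuse the entry if it would be truncated. snprintf
 * returns the length it wanted to write, so >= bufsz means "did not fit". */
static int format_name_checked(char *buf, size_t bufsz, const char *name)
{
    int n = snprintf(buf, bufsz, "%s", name);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz) buf[0] = '\0';
        return -1;               /* overly long dictionary entry: bail out */
    }
    return n;
}

/* Fix 2: size the buffer from the input. Portable stand-in for the asprintf()
 * used by 04_mkbootmsg_asprintf.dpatch. Caller frees the result. */
static char *format_name_alloc(const char *name)
{
    int n = snprintf(NULL, 0, "%s", name);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (!out) return NULL;
    snprintf(out, (size_t)n + 1, "%s", name);
    return out;
}

/* Longest name in a dictionary: the fact the unchecked path depends on. */
static size_t max_name_len(const struct dict_entry *dict, size_t len)
{
    size_t max = 0;
    for (size_t i = 0; i < len; i++) {
        size_t l = strlen(dict[i].name);
        if (l > max) max = l;
    }
    return max;
}

/* True when every built-in entry fits the fixed buffer with its NUL. */
static int builtin_dict_fits(void)
{
    return max_name_len(builtin_dict, BUILTIN_DICT_LEN) < BUF_SIZE;
}

/* Decompile-style step on a local fixed buffer: name length, or -1 if refused. */
static int entry_fits_fixed_buffer(const char *name)
{
    char buf[BUF_SIZE];
    return format_name_checked(buf, sizeof buf, name);
}

/* Length of the heap copy made by format_name_alloc (0 on allocation failure). */
static size_t alloc_copy_len(const char *name)
{
    char *copy = format_name_alloc(name);
    size_t len = copy ? strlen(copy) : 0;
    free(copy);
    return len;
}

/* Constructed over-long name, as a malicious theme might supply: len 'A's. */
static const char *constructed_long_name(size_t len)
{
    static char long_name[BUF_SIZE + 64];
    if (len > sizeof long_name - 1) len = sizeof long_name - 1;
    memset(long_name, 'A', len);
    long_name[len] = '\0';
    return long_name;
}

int main(void)
{
    char buf[BUF_SIZE];
    printf("built-in dictionary fits buffer: %d\n", builtin_dict_fits());
    format_name_unchecked(buf, builtin_dict[4].name);     /* safe: short name */
    printf("unchecked copy of built-in name: %s\n", buf);
    const char *evil = constructed_long_name(BUF_SIZE + 63);
    printf("checked path on %zu-byte name: %d\n", strlen(evil),
           entry_fits_fixed_buffer(evil));
    printf("alloc path copies %zu bytes\n", alloc_copy_len(evil));
    return 0;
}
```

The unchecked function is kept only to show the shape of the bug; nothing here passes it anything longer than a built-in name. Of the two fixes, the snprintf check preserves the fixed stack buffer and makes the failure explicit, while the allocating version removes the size limit entirely, which is what the Ubuntu patch chose.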

Revision history for this message
Colin Watson (cjwatson) wrote :

gfxboot (3.2.23-2ubuntu1) edgy; urgency=low

  * Resynchronise with Kanotix. Remaining changes:
    - debian/patches/01_x11libs.dpatch: Adjust paths for Debian/Ubuntu's X
      layout.
  * Remove as-yet-unsatisfiable Recommends: grub-gfxboot.
  * Suggest gfxboot-theme-ubuntu (before other themes).
  * debian/patches/04_mkbootmsg_asprintf.dpatch: Fix some non-exploitable
    buffer overflows in mkbootmsg (closes: Malone #27011).
  * debian/patches/05_mkbootmsg_ctype.dpatch: Make sure to pass unsigned
    chars to isspace(), per the C standard; not doing so can cause problems
    on powerpc and other architectures.
  * debian/patches/06_getx11font_endianness.dpatch: Treat the output of
    iconv_open("utf32le") as little-endian even on big-endian architectures.
    Make sure all numbers in the output file are encoded little-endian.

 -- Colin Watson <email address hidden> Wed, 12 Jul 2006 12:38:03 +0100

Changed in gfxboot:
status: Unconfirmed → Fix Released