Comment 2 for bug 27011

Colin Watson (cjwatson) wrote :

As it turns out, this cannot be exploited. The only case where a string of
unknown length is copied into the fixed-size buffer is when that string is the
name of an entry in the dictionary. However, this is in the decompile function,
which is only used if you run mkbootmsg with the -i option to get information
about a compiled theme; in that code path, mkbootmsg only ever uses its built-in
dictionary entries, which are fixed at compile-time and which all have
relatively short names. Thus there is no possibility of overflow.

I agree that it would be useful to fix this for the sake of cleanliness, and in
case future changes to the decompile function affect its current safety. I'll
put together a patch and propose it to upstream.
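The "fix for cleanliness" the comment proposes is a bounded copy of the entry name into the fixed-size buffer, so that the decompile path stays safe even if a later change feeds it names that are not compile-time constants. The following is an added illustration, not mkbootmsg's own code or Colin Watson's patch: the buffer size `ENTRY_NAME_MAX`, the `builtin_names` table and the function names are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size buffer for an entry name. The real size used by
 * mkbootmsg is not stated on the bug page; 32 is a constructed value. */
#define ENTRY_NAME_MAX 32

/* Constructed stand-in for the compile-time built-in dictionary: a handful
 * of short, fixed names, as the comment describes. */
static const char *const builtin_names[] = { "title", "color", "progress", "text" };
#define BUILTIN_COUNT (sizeof builtin_names / sizeof builtin_names[0])

/* Bounded copy of an entry name. Rejects any name that would not fit
 * together with its terminating NUL rather than truncating silently, so a
 * caller that later passes an untrusted name can never overrun dst.
 * Returns 0 on success, -1 if the name is too long or dst_size is 0. */
int copy_entry_name(char *dst, size_t dst_size, const char *name)
{
    size_t len = strlen(name);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, name, len + 1);   /* len + 1 includes the NUL */
    return 0;
}

/* Mirrors the -i / decompile path from the comment: only built-in names are
 * ever copied, and all of them fit. Returns the number of names copied, or
 * -1 if a built-in name were ever too long for the buffer. */
int decompile_builtin_names(void)
{
    char buf[ENTRY_NAME_MAX];
    int copied = 0;
    for (size_t i = 0; i < BUILTIN_COUNT; i++) {
        if (copy_entry_name(buf, sizeof buf, builtin_names[i]) != 0)
            return -1;
        copied++;
    }
    return copied;
}

int main(void)
{
    char buf[ENTRY_NAME_MAX];
    /* Constructed over-long name: longer than the buffer by design. */
    char long_name[ENTRY_NAME_MAX + 8];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("built-in names copied: %d\n", decompile_builtin_names());
    printf("over-long name accepted: %s\n",
           copy_entry_name(buf, sizeof buf, long_name) == 0 ? "yes" : "no");
    return 0;
}
```

The check is `len >= dst_size`, not `len > dst_size`, because the terminating NUL also needs a byte; an off-by-one here is the classic way a "bounded" copy still writes one byte past the buffer.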