Bugzilla – Full Text Bug Listing
| Summary: | TightVNC - vncpasswd buffer overflow detected | | |
|---|---|---|---|
| Product: | [openSUSE] SUSE LINUX 10.0 | Reporter: | Daniel Radetic <daniel> |
| Component: | Security | Assignee: | Reinhard Max <max> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | patch-request, security-team |
| Version: | Beta 3 | Keywords: | beta_customer |
| Target Milestone: | --- | | |
| Hardware: | PowerPC | | |
| OS: | SUSE Other | | |
| Whiteboard: | | | |
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Daniel Radetic
2005-09-02 11:19:24 UTC
Can you perhaps run it in gdb and provide a backtrace? I can't reproduce the problem on x86_64.

Hi, here is an excerpt from gdb:

```
(gdb) run
Starting program: /usr/X11R6/bin/vncpasswd
(no debugging symbols found)
(no debugging symbols found)
Using password file /root/.vnc/passwd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
*** buffer overflow detected ***: /usr/X11R6/bin/vncpasswd terminated
Program received signal SIGABRT, Aborted.
0x0fed6dec in raise () from /lib/tls/libc.so.6
(gdb) backtrace full
#0 0x0fed6dec in raise () from /lib/tls/libc.so.6
No symbol table info available.
#1 0x0fed88d0 in abort () from /lib/tls/libc.so.6
No symbol table info available.
#2 0x0ff10c2c in __libc_message () from /lib/tls/libc.so.6
No symbol table info available.
#3 0x0ff8abf8 in __chk_fail () from /lib/tls/libc.so.6
No symbol table info available.
#4 0x0ff89940 in __memset_chk () from /lib/tls/libc.so.6
No symbol table info available.
#5 0x100010d0 in main ()
No symbol table info available.
(gdb)
```

Funny. I guess it is the memset(passwd1,0,strlen(passwd1)) in the main() function when operating on uninitialized stack. Can you install the tightvnc-debuginfo.rpm package too to get a better backtrace above?

Reinhard, the memset(foo,0,strlen(foo)) should all be memset(foo,0,sizeof(foo));

Hi, Marcus, thank you for sending me those RPM packages earlier (bison, flex, cvs ...). I have rebuilt the tightvnc src.rpm package for ppc and thus built tightvnc-debuginfo as well; however, when installed it seems not to be working (or I don't know how to utilize it).

Running /usr/lib/debug/usr/X11R6/bin/vncpasswd.debug yields the error message:

```
-bash: /usr/lib/debug/usr/X11R6/bin/vncpasswd.debug: cannot execute binary file
```

It doesn't even accept arguments, i.e. vncpasswd.debug /path/to/vncpasswd (same error as above), so obviously I ran it in gdb and received the following message:

```
(gdb) run
Starting program: /usr/lib/debug/usr/X11R6/bin/vncpasswd.debug
/bin/bash: /usr/lib/debug/usr/X11R6/bin/vncpasswd.debug: cannot execute binary file
/bin/bash: /usr/lib/debug/usr/X11R6/bin/vncpasswd.debug: Success
Program exited with code 01.
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
You can't do that without a process to debug.
```

So tell me, what must I do to provide you with the info you seek for this? Oh yes, just for info, the message above appears on both x86 and ppc arches (I tested it).

Install both RPMs (tightvnc and tightvnc-debuginfo) from the same build.

```
gdb vncpasswd
...
(gdb) run
... input usual stuff ...
... now it should crash ...
```

gdb basically pulls in the extra vncpasswd.debug file as debug information. The binary is still the same.

Hi,
Excerpt as follows:

```
(gdb) run
Starting program: /usr/X11R6/bin/vncpasswd
Using password file /root/.vnc/passwd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
*** buffer overflow detected ***: /usr/X11R6/bin/vncpasswd terminated
Program received signal SIGABRT, Aborted.
0x0fed6dec in raise () from /lib/tls/libc.so.6
(gdb) backtrace full
#0 0x0fed6dec in raise () from /lib/tls/libc.so.6
No symbol table info available.
#1 0x0fed88d0 in abort () from /lib/tls/libc.so.6
No symbol table info available.
#2 0x0ff10c2c in __libc_message () from /lib/tls/libc.so.6
No symbol table info available.
#3 0x0ff8abf8 in __chk_fail () from /lib/tls/libc.so.6
No symbol table info available.
#4 0x0ff89940 in __memset_chk () from /lib/tls/libc.so.6
No symbol table info available.
#5 0x100010d0 in main (argc=<value optimized out>, argv=<value optimized out>) at vncpasswd.c:139
        check_strictly = 0
        passwd1 = "\000\000\000\000\000\000\000ÿÿ"
        passwd2 = "ÿ0\002z\2300\002u,"
        passwd2_ptr = <value optimized out>
        yesno = "n"
        passwdDir = "/root/.vnc", '\0' <repeats 43 times>, "linux", '\0' <repeats 60 times>, "2.6.13-rc6-git13-4-default", '\0' <repeats 39 times>, "#1 Mon Aug 22 18:38:22 UTC 2005", '\0' <repeats 34 times>, "ppc\000\000\000\000"
        passwdFile = "/root/.vnc/passwd", '\0' <repeats 41 times>, "ocal", '\0' <repeats 74 times>, "\177Ä\221ð\000\000\000\000\177Ä\222`\177Ä\224À\177Ä\222@\177Ä\222<\177Ä\222<0\000\001Ì0\002u80\002vð0\002u,0\000\000\000\177Ä\224°0\000\033È0\000\006h\000\000\020\214", '\0' <repeats 15 times>, "\001\177Ä\222@\000\000\000\000\020\001°\0240\002nT\177Ä\222P\020\000\bØ\017þÍ\b\000\000\000\000\177Ä\222p\020\000\037¤"
#6 0x0fec0a34 in generic_start_main () from /lib/tls/libc.so.6
No symbol table info available.
#7 0x0fec0bc4 in __libc_start_main () from /lib/tls/libc.so.6
No symbol table info available.
#8 0x0fec0bc4 in __libc_start_main () from /lib/tls/libc.so.6
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
```

Andreas, is this the one you fixed last week?

Fixed.
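The crash in this thread comes from clearing a fixed-size stack buffer with a length taken from strlen() on contents that were never written (the frame at vncpasswd.c:139 shows passwd2 holding stale stack bytes), which glibc's fortified __memset_chk refuses. The C program below is an added example, not TightVNC's code: checked_memset() stands in for __memset_chk (it returns -1 instead of aborting so the verdict can be observed), PASSWD_LEN, the 64-byte stale frame and the "secret"/"pw" values are constructed for the demo, and clear_by_strlen()/clear_by_sizeof() are hypothetical helpers that place the memset(foo,0,strlen(foo)) pattern beside the memset(foo,0,sizeof(foo)) replacement suggested in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size for the demo; not taken from vncpasswd.c. */
#define PASSWD_LEN 9

/* Models glibc's __memset_chk seen in the backtrace: the compiler passes
 * the known size of the destination object and a request to clear more
 * than that is refused. Real glibc prints "*** buffer overflow detected
 * ***" and aborts; this stand-in returns -1 so the verdict is visible. */
static int checked_memset(void *dst, size_t objsize, int c, size_t n)
{
    if (n > objsize)
        return -1;
    memset(dst, c, n);
    return 0;
}

/* Buggy pattern from the ticket: memset(buf, 0, strlen(buf)). The length
 * is derived from the buffer's contents, so it is only meaningful when
 * the buffer actually holds a NUL-terminated string. */
static int clear_by_strlen(char *buf, size_t bufsize)
{
    return checked_memset(buf, bufsize, 0, strlen(buf));
}

/* Suggested fix from the ticket: memset(buf, 0, sizeof(buf)). The length
 * is the object's own size and never depends on what the buffer holds. */
static int clear_by_sizeof(char *buf, size_t bufsize)
{
    return checked_memset(buf, bufsize, 0, bufsize);
}

/* Constructed stand-in for an uninitialized stack frame: 64 bytes of stale
 * non-zero data whose first NUL lies far beyond the PASSWD_LEN-byte buffer
 * at its start. Returns the checked_memset verdict for the strlen-based
 * clear: -1, because strlen() yields 63 for a 9-byte buffer. */
int demo_strlen_clear_on_garbage(void)
{
    char frame[64];
    memset(frame, 'A', sizeof frame);
    frame[sizeof frame - 1] = '\0';
    return clear_by_strlen(frame, PASSWD_LEN);
}

/* Same stale frame, sizeof-based clear. Returns 0 when exactly the
 * PASSWD_LEN buffer bytes were zeroed and the byte after them untouched. */
int demo_sizeof_clear_on_garbage(void)
{
    char frame[64];
    memset(frame, 'A', sizeof frame);
    frame[sizeof frame - 1] = '\0';
    if (clear_by_sizeof(frame, PASSWD_LEN) != 0)
        return -1;
    for (size_t i = 0; i < PASSWD_LEN; i++)
        if (frame[i] != '\0')
            return -2;
    return frame[PASSWD_LEN] == 'A' ? 0 : -3;
}

/* Even when strlen() stays inside the buffer it clears only up to the
 * first NUL, so the tail of an earlier, longer value survives. Returns the
 * number of non-zero bytes left after "secret" is overwritten by "pw" and
 * the buffer is then "cleared" with the strlen-based pattern. */
int demo_strlen_clear_leaves_tail(void)
{
    char passwd[PASSWD_LEN] = {0};
    strcpy(passwd, "secret");
    strcpy(passwd, "pw");
    clear_by_strlen(passwd, sizeof passwd);   /* zeroes only 2 bytes */
    int leftover = 0;
    for (size_t i = 0; i < sizeof passwd; i++)
        if (passwd[i] != '\0')
            leftover++;
    return leftover;                           /* "ret" is still there */
}

int main(void)
{
    printf("strlen clear on stale stack  : %d\n", demo_strlen_clear_on_garbage());
    printf("sizeof clear on stale stack  : %d\n", demo_sizeof_clear_on_garbage());
    printf("bytes left after strlen clear: %d\n", demo_strlen_clear_leaves_tail());
    return 0;
}
```

Build with `cc -Wall demo.c -o demo` and run it: the first line shows the strlen-based clear being refused exactly as __memset_chk refused it in the ticket, the second shows the sizeof-based clear staying inside the object, and the third shows that the strlen pattern is unreliable even without a crash, since whatever sits past the first NUL is never wiped.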