Bug 135620

Summary: Openmotif 2.2.3-13: buffer overflow detected
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Joerg Steffens <joerg.steffens>
Component: X11 Applications
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Stefan Dirsch <sndirsch>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: Final
Target Milestone: ---
Hardware: x86
OS: SuSE Linux 10.0
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: test case, workaround

Description Joerg Steffens 2005-11-27 22:25:22 UTC
Some Openmotif programs crash with buffer overflows in SL 10.0.
Okay, Openmotif is buggy, but with prior versions of Suse Linux these programs had run well.
It seems that this is related to GCC 4 and the FORTIFY_SOURCE feature that is now turned on by default within Suse Linux.
A test case and an OpenMotif SPEC file that fixes the buffer overflow are attached.
BTW: I've been told that some programs from the openmotif-demo rpm also crash with buffer overflows.
Comment 1 Joerg Steffens 2005-11-27 22:30:05 UTC
Created attachment 58797
test case

test program. crashes with:
*** buffer overflow detected ***
unzip and compile with
cc -g -O0 -I/usr/X11R6/include -L/usr/X11R6/lib -lXt -lXm -lMrm -o test_xm test_xm.c
LANG="de_DE.ISO8859-1"
uil -o test_xm.uid test_xm.uil
Comment 2 Joerg Steffens 2005-11-27 22:35:42 UTC
Created attachment 58798
workaround

Modified spec file that compiles openmotif without the FORTIFY_SOURCE option that is now the default in Suse Linux. Using this, the test program runs flawlessly.
Comment 3 Marcus Meissner 2005-11-28 07:33:40 UTC
the solution is not to disable FORTIFY_SOURCE but to debug and fix
the buffer overflow :)
Comment 4 Andreas Schwab 2005-11-29 13:13:46 UTC
Works fine here.
Comment 5 Joerg Steffens 2005-11-30 17:12:48 UTC
I've tested it on different SL 10.0 systems, and the overflow occurred on all of them. 
Furthermore, from the openmotif-demo-2.2.3-13 RPMs the programs
/usr/X11R6/bin/hellomotif and /usr/X11R6/bin/xmanimate do also crash with buffer overflows (and /usr/X11R6/bin/wsm crashes with a segmentation fault).
In the provided test program test_xm the problem seems to be related to reading the test_xm.uid file. The buffer overflow only occurs if it is larger than 4095 (>= 4096) bytes.
I'm using
openmotif-2.2.3-13
glibc-2.3.5-40
Comment 6 Andreas Schwab 2005-12-01 08:58:14 UTC
Can't reproduce on ppc either. Idb__HDR_GetHeader is never called.
Comment 7 Marcus Meissner 2005-12-01 09:04:58 UTC
works fine here too, so it is some condition on your side that triggers it.

can you supply us a gdb backtrace please?
Comment 8 Marcus Meissner 2005-12-01 09:05:22 UTC
let secteam track it until we find the problem
Comment 9 Andreas Schwab 2005-12-01 09:06:17 UTC
The other bugs are already fixed.