Bug 1170165 - AUDIT-FIND: enlightenment: enlightenment_system: `_cb_l2ping_ping()` performs an unbounded `sscanf()` on untrusted input data, allowing a stack buffer overflow
AUDIT-FIND: enlightenment: enlightenment_system: `_cb_l2ping_ping()` performs...
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Simon Lees
E-mail List
Depends on:
Blocks: 1169238
  Show dependency treegraph
Reported: 2020-04-22 09:29 UTC by Matthias Gerstner
Modified: 2020-05-22 08:13 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2020-04-22 09:29:34 UTC
+++ This bug was initially created as a clone of Bug #1169238

d) `_cb_l2ping_ping()` performs an unbounded `sscanf()` on untrusted input
   data, allowing a stack buffer overflow

A `sscanf()` call in this function passes a `%s` format for the `params` input
parameter. The target buffer has a length of 1024 bytes. Thus if a clients
passes a very long device name the setuid-root binary's stack will be
overwritten. The parsing by `sscanf()` stops at whitespace characters thus the
stack overflow data cannot be chosen arbitrarily. Still is a pretty dangerous
security issue.
Comment 1 Simon Lees 2020-04-22 10:56:48 UTC
Upstream: https://phab.enlightenment.org/T8673
Comment 2 Simon Lees 2020-04-22 11:25:50 UTC
Upstream fix commit: https://phab.enlightenment.org/rE6926d1d338fdead3258d322adf115708a9a1fa3e
Comment 3 Matthias Gerstner 2020-04-30 13:53:10 UTC
This fix was also simple. It's all right.
Comment 4 Matthias Gerstner 2020-05-22 08:13:24 UTC
The fix made it into the 0.24 release. Closing this bug as fixed.