Bug 136628 - VUL-0: openmotif: two buffer overflows
Summary: VUL-0: openmotif: two buffer overflows
Status: RESOLVED FIXED
Duplicates: 137105
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Other
Version: unspecified
Hardware: Other Other
Priority: P5 - None    Severity: Normal
Target Milestone: ---
Assignee: Andreas Schwab
QA Contact: E-mail List
Reported: 2005-12-02 07:39 UTC by Thomas Biege
Modified: 2005-12-06 09:44 UTC

Found By: Other

Description Thomas Biege 2005-12-02 07:39:49 UTC
There are two buffer overflows in openmotif:
http://marc.theaimsgroup.com/?l=full-disclosure&m=113349242925897&w=2
Comment 1 Thomas Biege 2005-12-02 07:40:37 UTC
Name: CVE-2005-3964
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3964
Reference: FULLDISC:20051201 [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=113349242925897&w=2

Multiple buffer overflows in libUil (libUil.so) in OpenMotif 2.2.3,
and possibly other versions, allows attackers to execute arbitrary
code via the (1) diag_issue_diagnostic function in UilDiags.c and (2)
open_source_file function in UilSrcSrc.c.
Comment 2 Thomas Biege 2005-12-02 07:54:23 UTC
Title:  [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version: openmotif 2.2.3 (2.2.4 was not obtained, so not tested in
openmotif 2.2.4)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) has discovered multiple vulnerabilities in the
openmotif libUil library. Details follow:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
    202 void    diag_issue_diagnostic
    203             ( int d_message_number, src_source_record_type *az_src_rec,
    204               int l_start_column, ...)
    205
    206 {
    207     va_list     ap;                     /* ptr to variable length parameter */
    208     int         severity;               /* severity of message */
    209     int         message_number;         /* message number */
    210     char        msg_buffer[132];        /* buffer to construct message */
    211     char        ptr_buffer[buf_size];   /* buffer to construct pointer */
    212     char        loc_buffer[132];        /* buffer to construct location */
    213     char        src_buffer[buf_size];   /* buffer to hold source line */
......
    293     va_start(ap, l_start_column);
    294
    295 #ifndef NO_MESSAGE_CATALOG
    296[1.1]     vsprintf( msg_buffer,
    297               catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
    298                       diag_rz_msg_table[ message_number ].ac_text),
    299              ap );
    300 #else
    301[1.2]     vsprintf( msg_buffer,
    302               diag_rz_msg_table[ message_number ].ac_text,
    303               ap );
    304 #endif
    305     va_end(ap);

[1.1][1.2] The call to vsprintf will cause a buffer overflow if ap is user-supplied
data, so a local or remote application that uses this library may be made to
execute arbitrary code.

2: libUil.so open_source_file buffer overflow

Clients/uil/UilSrcSrc.c

    620 status
    621 open_source_file( XmConst char           *c_file_name,
    622                   uil_fcb_type           *az_fcb,
    623                   src_source_buffer_type *az_source_buffer )
    624 {
    625
    626     static unsigned short       main_dir_len = 0;
    627     boolean                     main_file;
    628     int                         i;  /* loop index through include files */
    629     char                        buffer[256];
    630
    631
    632     /* place the file name in the expanded_name buffer */
    633
    634[2.1]   strcpy(buffer, c_file_name);
    635
    636 /*    Determine if this is the main file or an include file.  */
    637
    638     main_file = (main_fcb == NULL);
    639
[2.1] Like above.

--EOF
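The two unbounded-copy patterns in the advisory above (vsprintf into a 132-byte msg_buffer at [1.1]/[1.2], strcpy into a 256-byte buffer at [2.1]), each beside a bounded replacement that reports failure instead of writing past the end of a stack buffer. This is an added example, not OpenMotif code and not the fix applied to the SUSE package; the buffer sizes match the advisory, but every function name below is an assumption made for this example.

```c
/* Added example, not OpenMotif code: the two unbounded-copy patterns from the
 * advisory (vsprintf into msg_buffer[132], strcpy into buffer[256]), each
 * beside a bounded replacement that reports failure instead of overflowing.
 * Buffer sizes match the advisory; all function names are assumptions. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE  132   /* msg_buffer[132] in diag_issue_diagnostic() */
#define NAME_BUF_SIZE 256   /* buffer[256] in open_source_file() */

/* Bytes that vsprintf(buf, fmt, ap) would write, excluding the NUL,
 * computed without touching any buffer (C99 vsnprintf with size 0). */
static int formatted_length(const char *fmt, va_list ap)
{
    va_list copy;
    int n;
    va_copy(copy, ap);
    n = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return n;
}

/* 1 if the original vsprintf() at [1.1]/[1.2] would overflow msg_buffer for
 * this format and argument list, 0 if the result fits with its NUL. */
int diag_message_would_overflow(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = formatted_length(fmt, ap);
    va_end(ap);
    return n < 0 || n >= MSG_BUF_SIZE;
}

/* Bounded replacement for the vsprintf() call: formats into at most `size`
 * bytes; returns 0 on success, -1 if the message was truncated or formatting
 * failed. The buffer is NUL-terminated on return either way. */
int vdiag_format_message(char *msg_buffer, size_t size, const char *fmt, va_list ap)
{
    int n = vsnprintf(msg_buffer, size, fmt, ap);
    if (n < 0) {
        if (size) msg_buffer[0] = '\0';
        return -1;
    }
    return (size_t)n < size ? 0 : -1;
}

/* Hardened analogue of diag_issue_diagnostic(): same 132-byte stack buffer,
 * but the bounded formatter decides whether the message fits. */
int diag_issue_diagnostic_checked(const char *fmt, ...)
{
    char msg_buffer[MSG_BUF_SIZE];
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = vdiag_format_message(msg_buffer, sizeof msg_buffer, fmt, ap);
    va_end(ap);
    return rc;
}

/* Bounded replacement for the strcpy() at [2.1]: copies only if the name and
 * its NUL fit in `size` bytes, otherwise leaves the buffer untouched. */
int copy_file_name(char *buffer, size_t size, const char *c_file_name)
{
    const char *nul = memchr(c_file_name, '\0', size);
    if (nul == NULL)
        return -1;              /* no terminator within size: would overflow */
    memcpy(buffer, c_file_name, (size_t)(nul - c_file_name) + 1);
    return 0;
}

/* Hardened analogue of open_source_file(): 0 if the name was accepted,
 * -1 if it would have overflowed the 256-byte stack buffer. */
int open_source_file_checked(const char *c_file_name)
{
    char buffer[NAME_BUF_SIZE];
    return copy_file_name(buffer, sizeof buffer, c_file_name);
}

/* Constructed input for the demo: a file name made of `len` 'A's (len < 512). */
const char *constructed_name(size_t len)
{
    static char name[512];
    if (len >= sizeof name) len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    printf("131-char message fits:      %d\n", diag_message_would_overflow("%0131d", 1));
    printf("132-char message overflows: %d\n", diag_message_would_overflow("%0132d", 1));
    printf("300-byte file name refused: %d\n", open_source_file_checked(constructed_name(300)));
    return 0;
}
```

The boundary matters: 131 formatted characters plus the NUL exactly fill msg_buffer[132], while 132 characters already write one byte past it, and the same off-by-one applies to a 255- versus 256-character file name for buffer[256]. Returning a status from the bounded versions lets the caller fail the diagnostic or the file open instead of trusting that the length is fine.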
Comment 3 Andreas Schwab 2005-12-02 15:33:38 UTC
They stopped half way through.
Comment 4 Andreas Schwab 2005-12-02 16:17:44 UTC
Fixed.
Comment 5 Andreas Schwab 2005-12-06 09:44:49 UTC
*** Bug 137105 has been marked as a duplicate of this bug. ***