Date: Fri, 13 Aug 2004 01:12:24 -0400
From: infamous41md@...pop.com
To: bugtraq <bugtraq@...urityfocus.com>
Subject: recent gaim advisory

if anyone else was looking for some of the overflows mentioned in the rather cryptic advisory, i found one of them in:

/gaim-0.81/src/protocols/msn/slp.c :648

in the function msn_slp_sip_recv(). an improper use of strncpy().

[---------------------------------------------]

not very interesting for us, but there is a local overflow. it's not stack based; the buffer is a global, so it's somewhere in .bss. that is in:

/gaim-0.81/src/protocols/msn/utils.c :134

in the function encode_spaces(). it doesn't check the length of the buffer it copies into, unless there is some max bound way higher up in the gtk functions that i missed.

[---------------------------------------------]

another local (stack based) overflow in:

/gaim-0.81/src/protocols/msn/utils.c :198

in the function msn_import_html(). it is not exploitable though. multiple calls to strcat() to a small buffer, but no control over the data being appended.

[---------------------------------------------]

and there are many many places where the return value of dynamic memory allocation routines is not tested. actually, to rephrase that, i don't think there are many places where the return value IS checked. or in some cases the check is only after the possibly NULL pointer has already been used.

on a similar note, there is little to no checking of the return value of all sorts of other library functions.

--
-sean
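The three defect classes the post names (a strncpy() call that does not guarantee termination, repeated strcat() into a fixed-size buffer, and an allocation result used before it is checked for NULL) are shown below beside the bounded form a reviewer would ask for. This is an added, constructed example, not gaim's code and not taken from the advisory; the buffer size, function names and sample strings are invented here, and nothing in it reproduces the specific call sites the post points at.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: generic illustrations of the bug classes named in the
 * post. SMALL_BUF and all function names are invented for this example. */
#define SMALL_BUF 16

/* Bounded string length without relying on strnlen() being declared. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Pattern 1: strncpy(). Called with the full destination size, it leaves no
 * terminator when the source fills the buffer, so the next strlen()/printf()
 * reads past the end. The safe form copies at most size-1 bytes and always
 * writes the terminator. Returns 1 when dest is terminated inside the buffer. */
int copy_terminated(char *dest, size_t dest_size, const char *src)
{
    if (dest_size == 0)
        return 0;
    strncpy(dest, src, dest_size - 1);   /* leave room for the terminator */
    dest[dest_size - 1] = '\0';          /* strncpy() does not guarantee one */
    return memchr(dest, '\0', dest_size) != NULL;
}

/* Pattern 2: strcat() into a small buffer. The unchecked form grows the
 * string until it runs off the end of the array. This version tracks the
 * remaining space and refuses (returns -1) instead of overflowing. */
int append_checked(char *dest, size_t dest_size, const char *piece)
{
    size_t used = bounded_len(dest, dest_size);
    size_t need = strlen(piece);
    if (used >= dest_size || need >= dest_size - used)
        return -1;                       /* would not fit with the terminator */
    memcpy(dest + used, piece, need + 1);
    return 0;
}

/* Pattern 3: allocation result checked AFTER use, or not at all. The check
 * must come before the first dereference; on failure the caller gets NULL. */
char *dup_bounded(const char *src, size_t max_len)
{
    size_t len = bounded_len(src, max_len);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;                     /* check before touching *out */
    memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    char buf[SMALL_BUF];

    /* Source longer than the buffer: truncated and still terminated. */
    copy_terminated(buf, sizeof buf, "0123456789abcdefXYZ");
    printf("copy: \"%s\"\n", buf);

    /* Appends that fit succeed; one that would overflow is refused. */
    copy_terminated(buf, sizeof buf, "abc");
    printf("append 1: %d -> \"%s\"\n", append_checked(buf, sizeof buf, "defgh"), buf);
    printf("append 2: %d -> \"%s\"\n", append_checked(buf, sizeof buf, "ijklmnop"), buf);

    char *copy = dup_bounded("hello", 64);
    if (copy != NULL) {
        printf("dup: \"%s\"\n", copy);
        free(copy);
    }
    return 0;
}
```

The refusal in append_checked() is the behaviour to look for in review: a bounded append either reports that the piece did not fit or truncates deliberately, but it never writes past dest_size.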