sharutils obscure fscanf() buffer overflow
From: Ulf Härnhammar
Subject: sharutils obscure fscanf() buffer overflow
Date: Sat, 14 Aug 2004 17:31:42 +0200
User-agent: Internet Messaging Program (IMP) 3.2.1

Hello,

I have found an obscure buffer overflow in shar from the sharutils 4.2.1
package.

The shar command executes wc when creating shar archives. In the rather
unlikely scenario where there is a malicious wc command installed that
prints lots of output, a buffer overflow will occur in shar, because of a
"%s" format string in an fscanf() call in shar.c.

This is of course no serious security threat. Nevertheless, I think it
is worth fixing, as the Right Thing for a program should be not to assume
anything about its input and to handle various problems well.

I have attached a patch against sharutils-4.2.1 and an evil wc command that
exhibits this problem in shar on my machine (Debian GNU/Linux testing).

// Ulf Harnhammar
http://www.advogato.org/person/metaur/

Attachments:
wc (Text document)
sharutils.patch (Text document)
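
The class of bug reported above, as an added example that is not part of the original message and is neither the code from shar.c nor the attached patch: an unbounded "%s" conversion next to a width-limited one that also detects an over-long token. The buffer size, function names and sample helper output are all hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 15                 /* hypothetical field size, not from shar.c */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Unbounded form, shown for contrast and never called here: "%s" stores the
   whole whitespace-delimited token, however long, into dst. */
int read_field_unbounded(FILE *fp, char *dst)
{
    return fscanf(fp, "%s", dst);
}

/* Bounded form: the field width caps the copy at FIELD_MAX characters plus
   the terminating NUL. Returns 0 on success, -1 if no token was read, and
   -2 if the token was longer than the buffer (dst holds the first part). */
int read_field_bounded(FILE *fp, char dst[FIELD_MAX + 1])
{
    int c;
    if (fscanf(fp, "%" STR(FIELD_MAX) "s", dst) != 1) return -1;
    c = getc(fp);
    if (c != EOF && !isspace(c)) return -2;   /* token continues: reject it */
    if (c != EOF) ungetc(c, fp);
    return 0;
}

/* Feeds constructed helper output through a temporary file to the reader. */
int check_output(const char *text, char *dst)
{
    FILE *fp = tmpfile();
    int rc;
    if (fp == NULL) return -1;
    fputs(text, fp);
    rewind(fp);
    rc = read_field_bounded(fp, dst);
    fclose(fp);
    return rc;
}

int main(void)
{
    char buf[FIELD_MAX + 1];
    int rc = check_output("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", buf);
    printf("rc=%d kept=%zu\n", rc, strlen(buf));
    return 0;
}
```

Treating the -2 case as an error, rather than silently using the truncated value, keeps the caller from acting on output that a helper program should never have produced.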