SVGAlib zgv HOME Environment Variable Local Overflow

1997-06-27T00:00:00
ID OSVDB:11225
Type osvdb
Reporter KSR[T](ksrt@dec.net)
Modified 1997-06-27T00:00:00

Description

Vulnerability Description

A local overflow exists in SVGAlib/zgv. The product fails to verify the length of the HOME environment variable, resulting in a buffer overflow. By setting this variable to an overly long value, arbitrary code can be executed as root, resulting in a loss of availability.
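The missing check described above, shown as an added C example that is not code from SVGAlib, zgv or the original advisory: a per-user path is built from HOME only if the result fits the destination buffer. The function name build_config_path, the file name .examplerc, the 256-byte buffer and the absolute-path rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONFIG_NAME ".examplerc"   /* hypothetical file name, not taken from zgv */

/*
 * Generic unchecked pattern (illustrative, not zgv's source):
 *     char path[256];
 *     strcpy(path, getenv("HOME"));   -- no bound on the length of HOME
 *     strcat(path, "/" CONFIG_NAME);
 *
 * Bounded version: returns 0 on success, -1 if HOME is missing, not an
 * absolute path, or too long for out[outlen]. On failure out is left empty.
 */
int build_config_path(const char *home, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    /* Extra policy of this example: accept only absolute paths. */
    if (home == NULL || home[0] != '/')
        return -1;

    /* snprintf never writes past outlen and returns the length it needed,
     * so a return value >= outlen means the path was truncated. */
    int n = snprintf(out, outlen, "%s/%s", home, CONFIG_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[256];   /* assumed size for the example */

    if (build_config_path(getenv("HOME"), path, sizeof path) != 0) {
        fprintf(stderr, "HOME unset, not absolute, or too long; skipping per-user config\n");
        return 1;
    }
    printf("config path: %s\n", path);
    return 0;
}
```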

Solution Description

Upgrade to SVGAlib version 1.2.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1997_2/0521.html
ISS X-Force ID: 3412
CVE-1999-1483