Bug in libXcursor, is it exploitable?

2003-11-10T00:00:00
ID SECURITYVULNS:DOC:5368
Type securityvulns
Reporter Securityvulns
Modified 2003-11-10T00:00:00

Description

INTRO:

An off-by-one bug in libXcursor that shows up when $HOME does not start with a '/'.

THE QUESTION:

Could this bug compromise a system? In what cases?
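The sizing mistake behind the report, modelled in C as an added example (this is not libXcursor's code and not the poster's test; the path layout "<home>/<dir>/<file>", the argument names and the sample directory and file names are assumptions). The rule it models is the one stated in the fix's comment: a '/' is prepended when $HOME does not start with one, but the buffer length is computed from strlen(home) before that decision, so the prepended byte lands one past the allocation. The hardened writer uses a bounded snprintf so a wrong estimate becomes a truncated string rather than a heap overwrite.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the off-by-one described in the report; not
 * libXcursor's code. Rule modelled (from the patch comment): a '/' is
 * prepended when $HOME does not start with one. The "<home>/<dir>/<file>"
 * layout and the names below are assumptions.
 */

/* Bytes the final string really needs, NUL included. */
size_t needed_len(const char *home, const char *dir, const char *file)
{
    size_t n = strlen(home) + 1 + strlen(dir) + 1 + strlen(file) + 1;
    if (home[0] != '/')
        n++;                /* the prepended '/' */
    return n;
}

/* Unpatched estimate: strlen(home) is taken before the prepend decision,
 * so the extra '/' is never counted and the buffer is one byte short. */
size_t unpatched_alloc_len(const char *home, const char *dir, const char *file)
{
    size_t homelen = strlen(home);
    return homelen + 1 + strlen(dir) + 1 + strlen(file) + 1;
}

/* Patched estimate, mirroring the hunk: homelen++ when home[0] != '/'. */
size_t patched_alloc_len(const char *home, const char *dir, const char *file)
{
    size_t homelen = strlen(home);
    if (home[0] != '/')
        homelen++;
    return homelen + 1 + strlen(dir) + 1 + strlen(file) + 1;
}

/* Hardened writer: a bounded snprintf turns a wrong estimate into a
 * truncated string instead of a heap overwrite. Returns the length the
 * full path would have (NUL excluded); a value >= cap means truncation.
 * $HOME is passed as a %s argument, never as the format, so a value such
 * as "%n%n%n" is inert here. */
int build_path(char *buf, size_t cap,
               const char *home, const char *dir, const char *file)
{
    const char *lead = (home[0] != '/') ? "/" : "";
    return snprintf(buf, cap, "%s%s/%s/%s", lead, home, dir, file);
}

/* 1 if a buffer sized by `est` holds the whole path, 0 if it would not. */
int fits_in_estimate(size_t (*est)(const char *, const char *, const char *),
                     const char *home, const char *dir, const char *file)
{
    char buf[256];
    size_t cap = est(home, dir, file);
    if (cap > sizeof buf)
        return 0;
    return build_path(buf, cap, home, dir, file) < (int)cap;
}

int main(void)
{
    /* Constructed inputs: the $HOME from the report's test, plus an
     * assumed cursor directory and file name. */
    const char *home = "%n%n%n%n%n%n";
    const char *dir = ".icons";
    const char *file = "default";

    printf("needed %zu, unpatched %zu, patched %zu\n",
           needed_len(home, dir, file),
           unpatched_alloc_len(home, dir, file),
           patched_alloc_len(home, dir, file));
    printf("unpatched fits: %d, patched fits: %d\n",
           fits_in_estimate(unpatched_alloc_len, home, dir, file),
           fits_in_estimate(patched_alloc_len, home, dir, file));
    return 0;
}
```

With a $HOME that starts with '/', both estimates agree and nothing is wrong; with any other value (an empty $HOME included, since home[0] is then '\0'), the unpatched estimate is one byte short. A single-byte heap overwrite usually does not fault where it happens; it corrupts allocator metadata that a later malloc trips over, which is consistent with the report's backtrace faulting inside _int_malloc under fopen rather than in the cursor code itself.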

TEST:

root@zencracking:/root# HOME=%n%n%n%n%n%n
root@zencracking:/root# xterm      << not necessary xterm, any program that uses libxcursor will SIGSEGV
Segmentation fault
root@zencracking:/root# gdb xterm
(gdb) r
Starting program: /root/xterm-181/xterm

Program received signal SIGSEGV, Segmentation fault.
0x4026e5bd in _int_malloc () from /lib/libc.so.6
(gdb) bt
#0  0x4026e5bd in _int_malloc () from /lib/libc.so.6
#1  0x4026d6b5 in malloc () from /lib/libc.so.6
#2  0x4025c003 in __fopen_internal () from /lib/libc.so.6
#3  0x4025c0ce in fopen@@GLIBC_2.1 () from /lib/libc.so.6
#4  0x4001e47a in XcursorFilenameSave () from /usr/X11R6/lib/libXcursor.so.1
#5  0x4001e616 in XcursorLibraryLoadImages () from /usr/X11R6/lib/libXcursor.so.1
#6  0x4001e824 in XcursorShapeLoadImages () from /usr/X11R6/lib/libXcursor.so.1
#7  0x4001eb6e in XcursorTryShapeCursor () from /usr/X11R6/lib/libXcursor.so.1
#8  0x4012d628 in _XTryShapeCursor () from usr/X11R6/lib/libX11.so.6
#9  0x4012d9e9 in XCreateGlyphCursor () from usr/X11R6/lib/libX11.so.6
#10 0x4012de59 in XCreateFontCursor () from usr/X11R6/lib/libX11.so.6
#11 0x0805f3ce in make_colored_cursor (cursorindex=68, fg=0, bg=16777215) at misc.c:216
#12 0x0805b578 in get_terminal () at main.c:2467
#13 0x0805b019 in main (argc=0, argv=0xbffff9e8) at main.c:2111
#14 0x4020dbb4 in __libc_start_main () from /lib/libc.so.6

(gdb) i r
eax            0x808e780        134801280
ecx            0x40327300       1077048064
edx            0x40327354       1077048148
ebx            0x40326234       1077043764
esp            0xbffff650       0xbffff650
ebp            0xbffff688       0xbffff688
esi            0x0      0
edi            0x0      0
eip            0x4026e5bd       0x4026e5bd
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1

Regards

THE FIX BY David Dawes <dawes@x-oz.com>:

Index: xc/lib/Xcursor/library.c

RCS file: /home/x-cvs/xc/lib/Xcursor/library.c,v retrieving revision 1.2 diff -u -r1.2 library.c --- library.c 26 Jan 2003 03:22:42 -0000 1.2 +++ library.c 7 Nov 2003 17:48:21 -0000 @@ -101,6 +101,9 @@ if (!home) return 0; homelen = strlen (home); + / A '/' gets prepended if $HOME doesn't start with one. / + if (home[0] != '/') + homelen++; dir++; dirlen--; }
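Review bot: the added comment line reads `/ A '/' gets prepended if $HOME doesn't start with one. /`, which is not valid C as shown; it needs the `/* ... */` delimiters (likely lost in transit, but worth confirming in the committed file). On the logic, `homelen++` when `home[0] != '/'` correctly charges for the byte the later prepend writes, and an empty `$HOME` (home[0] == '\0') takes the same branch, which is consistent with that rule. The remaining weakness is structural: the size estimate still lives apart from the code that fills the buffer, which is exactly how the two drifted one byte apart in the first place. Consider deriving the length from the same branch that performs the prepend, or writing the path with a length-bounded call sized from the actual allocation, so a future change to the prepend rule cannot silently invalidate the estimate again.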

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBD+MWD0RBAD0zsMD23euntPmXJScQ6aqId4s6SGHw5FdcgSdxM2rRo1/HJ10
yZhApRGKCbnM/RW8P1+pIKlKBvSIp9wmeIgikz4KGmzGIfuhaHwzVOTEBmY3PBqn
Q73LLC+tsUPRDDuEQY5OmtbiukRmCBWFezAzFOmD3RhbgjtkGXP3nCfKbwCgnMDh
/cBR9cMJDJSBnt+s3odafjMD/io6JbwCL7s3EUjU/QtNI3Zwflm/biPjMu0++wIb
IEtfTLKiAKWGpnoIVjPe8bH6uQgbp4n8G1fFkkvlmvXc2Yz012MFLJyyJLRLg4L1
ZG72ExhGz54D3GV9t5VqG9IsNfDSYrH/GC6zE6N2jRFL/e6K/sg82zZqBGRpkmdM
48xyBACuNgIWtPpaMdM+WeC7nh6+j5E5eT+x1RinDHGH95y4gpKBhBr/Yc4nQvh5
e07wHHO4iWuTrnCbxEaKFOk1iTY3b1eZXZvcdJPiyq2nfp7OoRs69JZ40HQSA+aF
O60rlEh8UgnD3fDD9/JzxW3iAdDPk8BLuoAC1Qdt1qpbhv0UkrQ1Z3IwMHZ5ICha
ZW5DcmFja2luZy5jb20uYXIpIDxncm9vdnkyNjAwQHlhaG9vLmNvbS5hcj6IWQQT
EQIAGQUCP4xYPQQLBwMCAxUCAwMWAgECHgECF4AACgkQTKxJeVJCmvAmrwCfZSL3
bx1vyW4pTNwyez0fdOJmQ+EAoIOUDo0aO9LdfpruyrTzvkQaOlnSuQENBD+MWD4Q
BADcytQOgY+pPtQdgKTn53VIEOzyagqNdfd3ei0K+TIEl9x9rdOwYWn5bf8m6QIn
EgWi9+cvvXIl7+ziHUOCyx/BmB3bNQ9TSIlrpx+S42BJvTAJEb0hTDn6FkeupBea
edxCyt25hJjb0NoMhn32kDiWIEGqh16Tt+h0W6MbFVDilwADBQQAmY+DT5cx6u9Y
urffLDVq2/FHUncJQ5jIZy+ThqRWG+DBg46UzGqSIZzXhyB49k1EBgTPA8d8rJML
fLnre1ccRvzo++VR6iIEAX5ur2mosM2SCePbJ4yTugkFPGt7dfgnQnWhNMO8GMYo
x0HyN+VM72VmqEKG+k7c5cVZ8GvEH4uIRgQYEQIABgUCP4xYPgAKCRBMrEl5UkKa
8ILrAJoCQOtCNlNOdbImuMTLu8hN9GHgiACgkQZQTHy1ielq23Vyl0A5Vy98bkQ=
=LiOi
-----END PGP PUBLIC KEY BLOCK-----