Date: Tue, 21 Apr 2009 04:30:59 GMT
From: john <x41@freeshell.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: i386/133883: FVWM Buffer Overflow
Message-ID: <200904210430.n3L4UxoP041385@www.freebsd.org>
Resent-Message-ID: <200904210440.n3L4e0l3061036@freefall.freebsd.org>

>Number:         133883
>Category:       i386
>Synopsis:       FVWM Buffer Overflow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 21 04:40:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     john
>Release:        7.1
>Organization:
>Environment:
>Description:
Hi guys,

Thanks for maintaining the FreeBSD packages...

I noticed a client-side buffer overflow vulnerability in the fvwm binary; this is in the default installation.

When I do

$ fvwm `perl -e 'print "A"x979'`

The system returns

$ Abort trap (core dumped)
Stack overflow in function fvwm_msg

The issue occurs when handling specially crafted .fvwmrc files too, because the *fvwm_msg function is used to load the configurations in that file.

Something like this can work

DeskTopSize 3x3AAAAAAAAAAAAAAAAAAAAAA....and more A's

  9093 fvwm     CALL  write(0x2,0xcfbbc3d0,0x3e7)
  9093 fvwm     GIO   fd 2 wrote 999 bytes
       "Unknown option: `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
        AAAAAAAAAAAAAAAAA'
       "
  9093 fvwm     RET   write 999/0x3e7

Also I'm sending a fvwm.core and the ktrace.out

If I can be useful in some way let me know.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
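Added example, not part of the original report and not fvwm source: a bounded message formatter that truncates an over-long "Unknown option" diagnostic instead of writing past a fixed-size stack buffer. The report does not show fvwm_msg's code, so the root cause (unbounded formatting into a fixed buffer), the helper names bounded_msg and demo_long_option, the "main" id and the 256-byte MSG_MAX are all assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256  /* assumed size; the report does not give fvwm's buffer size */

/* Format a diagnostic into a caller-supplied buffer without ever writing
 * past it. Returns 0 if the whole message fit, 1 if it was truncated,
 * -1 on a bad argument or formatting error.
 * Hypothetical helper, not fvwm's fvwm_msg. */
static int bounded_msg(char *out, size_t outsz, const char *id,
                       const char *fmt, ...)
{
    va_list ap;
    int head, body;

    if (out == NULL || outsz == 0)
        return -1;
    head = snprintf(out, outsz, "[%s]: ", id);
    if (head < 0)
        return -1;
    if ((size_t)head >= outsz)
        return 1;                   /* the prefix alone filled the buffer */
    va_start(ap, fmt);
    /* vsnprintf writes at most (outsz - head) bytes including the NUL and
     * returns the length the full message would have needed. */
    body = vsnprintf(out + head, outsz - (size_t)head, fmt, ap);
    va_end(ap);
    if (body < 0)
        return -1;
    return (size_t)body >= outsz - (size_t)head;
}

/* Constructed input: 979 bytes of 'A', the length used in the report. */
static int demo_long_option(char *out, size_t outsz)
{
    char arg[980];
    memset(arg, 'A', sizeof(arg) - 1);
    arg[sizeof(arg) - 1] = '\0';
    return bounded_msg(out, outsz, "main", "Unknown option: `%s'", arg);
}

int main(void)
{
    char buf[MSG_MAX];
    int truncated = demo_long_option(buf, sizeof(buf));
    fprintf(stderr, "%s%s\n", buf, truncated == 1 ? " [truncated]" : "");
    return 0;
}
```

The return value lets the caller log that an argument or .fvwmrc line was cut short, which is also a useful signal that malformed input was supplied.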