buffer overflow in Window Maker

From: Alfredo K. Kojima (kojima@conectiva.com.br)
Date: Mon Jul 23 2001 - 23:02:13 CEST

    A buffer overflow type bug has been found in Window Maker
    which makes it possible for html pages containing malicious
    code to corrupt memory allocated by wmaker.

    To reproduce the problem, open a window with a very long
    title and also the window list menu (middle click on the root
    window). Window Maker will have its heap corrupted and
    will sometimes crash. Since browsers will set the <title>
    of a page as its window title, Window Maker may be crashed
    by html pages containing long titles.

    Here's an excerpt from the patch that fixes the problem
    and can illustrate it:

    --- switchmenu.c Thu Apr 19 22:22:42 2001
    +++ ../../wm/src/switchmenu.c Mon Jul 23 14:55:39 2001
    @@ -181,6 +181,7 @@
         WMenu *switchmenu = scr->switch_menu;
         WMenuEntry *entry;
         char title[MAX_MENU_TEXT_LENGTH+6];
    + int len = MAX_MENU_TEXT_LENGTH+6;
         int i;
         int checkVisibility = 0;

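Review bot: `int len = MAX_MENU_TEXT_LENGTH+6;` repeats the size expression already used in `char title[MAX_MENU_TEXT_LENGTH+6];` two lines above, so the bound and the array can drift apart if either is edited later; passing `sizeof(title)` to the snprintf calls would tie the bound to the array and make the extra variable unnecessary.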
    @@ -203,9 +204,9 @@
                return;

            if (wwin->frame->title)
    - sprintf(title, "%s", wwin->frame->title);
    + snprintf(title, len, "%s", wwin->frame->title);
            else
    - sprintf(title, "%s", DEF_WINDOW_TITLE);
    + snprintf(title, len, "%s", DEF_WINDOW_TITLE);
            t = ShrinkString(scr->menu_entry_font, title,
    MAX_WINDOWLIST_WIDTH);

            if (IS_OMNIPRESENT(wwin))
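Review bot: the two `snprintf(title, len, "%s", ...)` calls bound the copy correctly and leave `title` NUL-terminated, but their return value is discarded, so a frame title longer than `MAX_MENU_TEXT_LENGTH+5` is silently cut off before `ShrinkString()` sees it; if silent truncation is intended for a menu label (it looks acceptable here), a one-line comment saying so would help the next reader, otherwise compare the return value against `len`.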

    I have included a patch that fixes it. The soon to be released
    Window Maker 0.65.1 should also have this bug fixed.
    It can be downloaded from www.windowmaker.org.

    Please keep me in the CC: list since I'm not subscribed to the list.

    Thank you

    --
    Alfredo
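As an added illustration (not part of the original mail or of the Window Maker source), the bounded copy the patch moves to, with snprintf's return value used to detect truncation. The limits, the default title and the function names are constructed stand-ins for MAX_MENU_TEXT_LENGTH, DEF_WINDOW_TITLE and the menu-update code in switchmenu.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for Window Maker's MAX_MENU_TEXT_LENGTH and
 * DEF_WINDOW_TITLE; kept small so truncation is easy to see. */
#define MAX_MENU_TEXT_LENGTH 16
#define DEF_WINDOW_TITLE "Untitled"

/* Buffer sized like the one in switchmenu.c: MAX_MENU_TEXT_LENGTH+6. */
#define TITLE_BUF_LEN (MAX_MENU_TEXT_LENGTH + 6)

/* Bounded equivalent of the patched sprintf calls.
 * Returns 1 if the title had to be truncated to fit, 0 otherwise.
 * snprintf NUL-terminates whenever size > 0 and reports the length it
 * would have needed, so a result >= size means the input was cut off. */
int copy_window_title(char *dst, size_t size, const char *frame_title)
{
    const char *src = frame_title ? frame_title : DEF_WINDOW_TITLE;
    int needed = snprintf(dst, size, "%s", src);
    return needed < 0 ? 0 : (size_t)needed >= size;
}

/* Hypothetical caller mirroring the menu-entry update: a fixed stack
 * buffer, with sizeof used so the bound can never drift from the array. */
int update_menu_entry(const char *frame_title, char *out, size_t out_size)
{
    char title[TITLE_BUF_LEN];
    int truncated = copy_window_title(title, sizeof title, frame_title);
    /* Hand the bounded title on (stands in for ShrinkString()). */
    snprintf(out, out_size, "%s", title);
    return truncated;
}

int main(void)
{
    char out[TITLE_BUF_LEN];
    char longtitle[200];              /* constructed over-long <title> */
    int t;

    memset(longtitle, 'A', sizeof longtitle - 1);
    longtitle[sizeof longtitle - 1] = '\0';

    t = update_menu_entry("xterm", out, sizeof out);
    printf("short: truncated=%d \"%s\"\n", t, out);
    t = update_menu_entry(NULL, out, sizeof out);
    printf("null : truncated=%d \"%s\"\n", t, out);
    t = update_menu_entry(longtitle, out, sizeof out);
    printf("long : truncated=%d len=%zu\n", t, strlen(out));
    return 0;
}
```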

    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 23:42:47 CEST