[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]
Rafael Laboissiere
rafael at debian.org
Fri Sep 14 08:21:09 UTC 2007
* Andrew Makhorin <mao at gnu.org> [2007-09-11 10:32]:
> > static void
> > xvprintf (const char *fmt, va_list arg)
> > {
> > char buf[4000 + 1];
> > vsprintf (buf, fmt, arg);
> > xassert (strlen (buf) < sizeof (buf)); /* here! */
> > xputs (buf);
> > return;
> > }
>
> > The assertion checks the length of the string in the current buffer
> > AFTER having written it there. Too late, and ineffective anyway.
>
> However, this is not a bug, since buf cannot overflow; xvprintf is
> not available at the API level, either directly or indirectly, and is used
> internally only by glpk routines, which do not output messages long
> enough to cause the overflow.
I am a bit confused here: xvprintf is called by xprintf in src/glplib05.c.
The xprintf function is actually available in the public API through
_glp_lib_xprintf. It would then be possible to write a malicious program
linked against libglpk that would exploit the buffer overflow vulnerability
described in this bug report. Please tell me whether I am wrong.
--
Rafael
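The pattern under discussion, and the hardened form of it, as an added example. This is not GLPK's code and is not from anyone on this thread; the buffer size 4000 and the name xvprintf follow the quoted function, while xvprintf_safe, xformat_len, would_overflow_original and demo_overlong_message are assumed names for illustration. The point it shows is the one Rafael raises: the check has to be made before the write, which vsnprintf does for you, and a caller of the public wrapper can pass an argument longer than the buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as the xvprintf quoted in this thread. */
#define XBUF_SIZE 4000

/* Measure the formatted length without writing anything (C99 vsnprintf with
 * a zero-length destination).  This is the check the original code's
 * xassert() attempts only after the buffer has already been written. */
static int xvformat_len(const char *fmt, va_list arg)
{
    va_list copy;
    int need;

    va_copy(copy, arg);
    need = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return need;                          /* -1 on a formatting error */
}

static int xformat_len(const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = xvformat_len(fmt, ap);
    va_end(ap);
    return need;
}

/* Would the quoted xvprintf (vsprintf into char buf[4000 + 1]) overflow for
 * this message?  The buffer holds XBUF_SIZE characters plus the NUL. */
static int would_overflow_original(const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = xvformat_len(fmt, ap);
    va_end(ap);
    return need > XBUF_SIZE;
}

/* Hardened replacement for xvprintf (assumed name).  The stack buffer is used
 * when the message fits; otherwise exactly enough heap space is allocated, so
 * the message is neither overflowed nor silently truncated.  Returns the
 * number of characters written to `out`. */
static size_t xvprintf_safe(FILE *out, const char *fmt, va_list arg)
{
    char buf[XBUF_SIZE + 1];
    char *heap = NULL, *msg = buf;
    va_list copy;
    int need;

    va_copy(copy, arg);
    need = vsnprintf(buf, sizeof buf, fmt, copy);   /* bounded; always NUL-terminates */
    va_end(copy);
    if (need < 0)
        return 0;                                   /* formatting error: print nothing */

    if ((size_t)need >= sizeof buf) {               /* truncated: retry at exact size */
        heap = malloc((size_t)need + 1);
        if (heap != NULL) {
            va_copy(copy, arg);
            vsnprintf(heap, (size_t)need + 1, fmt, copy);
            va_end(copy);
            msg = heap;
        } else {
            need = (int)strlen(buf);                /* out of memory: emit the truncated text */
        }
    }
    fputs(msg, out);
    free(heap);
    return (size_t)need;
}

/* Variadic wrapper, the role the public _glp_lib_xprintf plays in the thread. */
static size_t xprintf_safe(FILE *out, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    va_start(ap, fmt);
    n = xvprintf_safe(out, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed demonstration: a caller passes a 5000-character argument, longer
 * than the 4000-byte buffer.  Returns the number of bytes that reached the
 * stream, or -1 if that disagrees with what xprintf_safe reported. */
static long demo_overlong_message(void)
{
    enum { MSG_LEN = 5000 };
    char *big = malloc(MSG_LEN + 1);
    FILE *f = tmpfile();
    long written;
    size_t reported;

    if (big == NULL || f == NULL) { free(big); if (f) fclose(f); return -1; }
    memset(big, 'A', MSG_LEN);
    big[MSG_LEN] = '\0';

    reported = xprintf_safe(f, "%s", big);
    fflush(f);
    written = ftell(f);
    fclose(f);
    free(big);
    return ((size_t)written == reported) ? written : -1;
}

int main(void)
{
    printf("5000-char message: %ld bytes written without overflow\n",
           demo_overlong_message());
    printf("original xvprintf would overflow on a 5000-wide field: %d\n",
           would_overflow_original("%5000d", 1));
    return 0;
}
```

The `%5000d` format in main is just a compact way to produce an over-long message without a long literal; any argument that expands past 4000 characters, such as a caller-supplied `%s`, triggers the same path.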