[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]
Andrew Makhorin
mao at gnu.org
Fri Sep 14 09:13:24 UTC 2007
Friday, September 14, 2007, 12:21:09 PM, you wrote:
> * Andrew Makhorin <mao at gnu.org> [2007-09-11 10:32]:
>> > static void
>> > xvprintf (const char *fmt, va_list arg)
>> > {
>> > char buf[4000 + 1];
>> > vsprintf (buf, fmt, arg);
>> > xassert (strlen (buf) < sizeof (buf)); /* here! */
>> > xputs (buf);
>> > return;
>> > }
>>
>> > The assertion checks the length of the string in the current buffer
>> > AFTER having written it there. Too late, and ineffective anyway.
>>
>> However, this is not a bug, since buf cannot overflow; xvprintf is
>> not available at the API level, either directly or indirectly, and is
>> used internally only by glpk routines, which do not output messages
>> long enough to cause the overflow.
> I am a bit confused here: xvprintf is called by xprintf in
> src/glplib05.c. The xprintf function is actually available in the
> public API through _glp_lib_xprintf. It would then be possible to
> write a malicious program linked against libglpk that would exploit
> the buffer overflow vulnerability described in this bug report.
> Please, tell me whether I am wrong or not.
_glp_lib_xprintf is *not* an API routine and, formally not being declared
in glpk.h, it is not available to the user.
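The pattern under discussion, vsprintf into a fixed buffer followed by an assert on strlen, cannot catch an overflow because the bytes have already been written by the time the check runs. The following is an added example (not code from this thread, from GLPK, or from its author) of the same function written so that the length check happens before any byte lands in the buffer: vsnprintf is bounded by the buffer size and reports the length it would have needed, so an over-long message is truncated and flagged instead of overrunning the stack. The names safe_xvprintf and safe_xprintf and the demo_* helpers are assumptions for this example; the 4000-byte capacity mirrors the buffer in the quoted code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same capacity as the buffer in the quoted xvprintf. */
#define XBUF_SIZE 4000

/*
 * Hypothetical hardened replacement for the quoted xvprintf (added
 * example, not GLPK code). vsnprintf never writes more than out_size
 * bytes, so the bound is enforced *before* anything is written rather
 * than asserted afterwards. Returns 0 when the whole message fit and
 * -1 when it was truncated or a formatting error occurred; in every
 * case `out` is left as a valid NUL-terminated string.
 */
int safe_xvprintf(char *out, size_t out_size, const char *fmt, va_list arg)
{
    int needed;
    if (out_size == 0)
        return -1;
    needed = vsnprintf(out, out_size, fmt, arg);
    if (needed < 0) {                 /* encoding or format error */
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= out_size)   /* message did not fit: truncated */
        return -1;
    return 0;
}

/* Variadic front end, mirroring the xprintf -> xvprintf layering. */
int safe_xprintf(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = safe_xvprintf(out, out_size, fmt, ap);
    va_end(ap);
    return rc;
}

/* Constructed input: a 4999-character string, longer than the 4001-byte
 * buffer in the quoted code. Returns the rc from safe_xprintf; -1 means
 * the message was cut to XBUF_SIZE characters and reported as truncated. */
int demo_overlong_rc(void)
{
    static char big[5000];
    char buf[XBUF_SIZE + 1];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return safe_xprintf(buf, sizeof buf, "%s", big);
}

/* Same over-long input; returns the length actually stored (XBUF_SIZE). */
size_t demo_overlong_len(void)
{
    static char big[5000];
    char buf[XBUF_SIZE + 1];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    (void)safe_xprintf(buf, sizeof buf, "%s", big);
    return strlen(buf);
}

/* Ordinary short message: fits, rc 0, content intact. Returns 1 on success. */
int demo_short_ok(void)
{
    char buf[32];
    int rc = safe_xprintf(buf, sizeof buf, "%s=%d", "x", 42);
    return rc == 0 && strcmp(buf, "x=42") == 0;
}

int main(void)
{
    printf("overlong rc=%d len=%zu short_ok=%d\n",
           demo_overlong_rc(), demo_overlong_len(), demo_short_ok());
    return 0;
}
```

Whether the caller should treat truncation as fatal (as the original xassert intended) or log the shortened message is a policy choice; the point is that the decision is made on the return value of vsnprintf, before the buffer could have been overrun, rather than on an assert that only runs after the write.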