[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]

Andrew Makhorin mao at gnu.org
Fri Sep 14 09:13:24 UTC 2007


Friday, September 14, 2007, 12:21:09 PM, you wrote:

> * Andrew Makhorin <mao at gnu.org> [2007-09-11 10:32]:

>> >   static void
>> >   xvprintf (const char *fmt, va_list arg)
>> >   {
>> >       char    buf[4000 + 1];
>> >       vsprintf (buf, fmt, arg);
>> >       xassert (strlen (buf) < sizeof (buf));          /* here! */
>> >       xputs (buf);
>> >       return;
>> >   }
>> 
>> > The assertion checks the length of the string in the current buffer
>> > AFTER having written it there. Too late, and ineffective anyway.
>> 
>> However, this is not a bug, since buf cannot overflow; xvprintf is
>> not available at the API level, either directly or indirectly, and is
>> used internally only by glpk routines, which do not output messages
>> long enough to cause the overflow.

> I am a bit confused here: xvprintf is called by xprintf in
> src/glplib05.c. The xprintf function is actually available in the
> public API through _glp_lib_xprintf. It would then be possible to
> write a malicious program linked against libglpk that would exploit
> the buffer overflow vulnerability described in this bug report.
> Please, tell me whether I am wrong or not.

_glp_lib_xprintf is *not* an API routine and, not being formally declared
in glpk.h, it is not available to the user.
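A hardened counterpart of the quoted xvprintf, added here as an example and not GLPK's own code: vsnprintf bounds the write to the buffer and its return value reports whether the message was cut, so the check happens before any byte could land past buf rather than in an assertion afterwards. The names xvformat_safe, xformat_safe and demo_oversized_message are assumed for this example, and the formatted text is handed back to the caller instead of going to xputs so the result can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same capacity as the buf[4000 + 1] in the quoted xvprintf. */
#define XBUF_SIZE 4000

/* Bounded replacement for the quoted xvprintf (example code, not GLPK's).
 * vsnprintf writes at most sizeof(buf) bytes and returns the length the
 * whole message would have had, so an over-long message is detected
 * instead of overrunning buf. The text is copied into the caller's `out`.
 * Returns 0 if the message fit, 1 if truncated, -1 on a formatting error. */
static int
xvformat_safe(char *out, size_t out_size, const char *fmt, va_list arg)
{
    char buf[XBUF_SIZE + 1];
    int needed = vsnprintf(buf, sizeof(buf), fmt, arg);
    if (needed < 0)
        return -1;                          /* encoding error */
    /* buf is NUL-terminated here; copy at most out_size - 1 bytes. */
    snprintf(out, out_size, "%s", buf);
    return ((size_t)needed >= sizeof(buf)) ? 1 : 0;
}

/* Variadic front end, playing the role of xprintf in glplib05.c. */
static int
xformat_safe(char *out, size_t out_size, const char *fmt, ...)
{
    va_list arg;
    va_start(arg, fmt);
    int rc = xvformat_safe(out, out_size, fmt, arg);
    va_end(arg);
    return rc;
}

/* Feeds a constructed 5000-byte argument (longer than the 4000-byte buffer)
 * through the safe path: the original vsprintf would overrun buf, here the
 * message is cut at 4000 bytes and the status 1 is reported. */
static int
demo_oversized_message(size_t *out_len)
{
    char big[5001];
    char out[XBUF_SIZE + 1];
    memset(big, 'A', 5000);
    big[5000] = '\0';
    int rc = xformat_safe(out, sizeof(out), "msg: %s\n", big);
    if (out_len)
        *out_len = strlen(out);
    return rc;
}
```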
