[Pkg-xfce-devel] xfce4-mpc-plugin buffer overflows

Simon Huggins huggie at earth.li
Mon Dec 8 23:33:37 UTC 2008


We had a user in Debian who was having problems with the
xfce4-mpc-plugin and a long password.  It turned out that passwords
longer than about 30 characters were causing buffer overflows.

I looked into it and found a few problems.  There are lots of sprintfs
into buffers with strings which contain untrusted input.

I've fixed some in the attached patch against 0.3.3 although I want it
to be reviewed at some point.

I also couldn't see a nice way to return an error message back to the
user and I'm not really a GTK coder in anyway :)

You may well choose to fix these issues in a different way in which case
we'd love to see the patch to get it into Debian.

Anyway, if you have some time to review the patch it'd be great.


----------( "Everyone who is alive, please raise your hand.  )----------
Simon ----(             See, told ya," - Rimmer.             )---- Nomis
                             Htag.pl 0.0.24
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xfce4-mpc-plugin.diff
Type: text/x-diff
Size: 7494 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20081208/76dbb358/attachment-0001.diff 

More information about the Pkg-xfce-devel mailing list