Bug#285904: marked as forwarded (exploit could delete local files)

Subject: Bug#285904: marked as forwarded exploit could delete local files
From: Debian Bug Tracking System
Date: Sat, 08 Jan 2005 11:48:20 -0800
Your message dated Sat, 8 Jan 2005 19:41:19 +0000
with message-id <[email protected]>
has caused the Debian Bug report #285904,
regarding exploit could delete local files
to be marked as having been forwarded to the upstream software
author(s) Stefan Ondrejicka <[email protected]>.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Date: Sat, 8 Jan 2005 19:41:19 +0000
From: Jochen Voss <[email protected]>
To: Stefan Ondrejicka <[email protected]>
Cc: [email protected],
        Stephan =?iso-8859-1?Q?Windm=FCller?= <[email protected]>
Subject: buffer overflow in chbg

Dear Stefan,

I wish you a happy new year.  I did not hear from you in a long time,
but I hope that everything is ok and that this email address is still

As you probably have heard there is a buffer overflow in the
simplify_path function (file "config.c") of chbg.  Details about this
problem may be found at


and the corresponding Debian bug report is at


The problem can be fixed by the appended patch.  I would be very
happy to receive comments about my patch or suggestions about
better ways to fix this.

All the best,

PS.: Please preserve the Cc to [email protected]
in any answers to this mail.  This will make the Debian bug tracking
system very happy.

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="chbg.patch"

diff -u chbg-1.5/src/config.c chbg-1.5/src/config.c
--- chbg-1.5/src/config.c
+++ chbg-1.5/src/config.c
@@ -140,9 +140,11 @@
 char *inpath;
        char *p, *path = NULL;
-       char res[2048];
+       char *res;
+       size_t  res_allocated = PATH_MAX;
        int l;

+       res = g_malloc (res_allocated);
        if (inpath[0] != '/')
                if (!getcwd(res, sizeof(res)))
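
Review bot: the unchanged context line `if (!getcwd(res, sizeof(res)))` at the end of this hunk now passes the size of a pointer, because `res` changes from `char res[2048]` to `char *res`. getcwd will then fail for any working directory longer than a few bytes. Pass the allocation size instead: `getcwd(res, res_allocated)`. PATH_MAX also needs <limits.h> if config.c does not already include it.
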
@@ -171,6 +173,11 @@
+                               size_t  needed_len = strlen(res) + 1 + 
strlen(p) + 1;
+                               if (needed_len > res_allocated) {
+                                       res_allocated = needed_len;
+                                       res = g_realloc (res, res_allocated);
+                               }
                                strcat(res, "/");
                                strncat(res, p, l);
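
Review bot: `needed_len` is computed from `strlen(p)`, while the append on the last line is `strncat(res, p, l)`, which copies at most `l` bytes. The bound is safe because it can only over-estimate, but sizing from `l` would match what is actually appended: `strlen(res) + 1 + l + 1`. Growing to exactly `needed_len` also means a `g_realloc` for every component once the buffer is full; doubling `res_allocated` would avoid that.
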
@@ -182,7 +189,10 @@

        if (path)
-       return g_strdup(res);
+       p = g_strdup(res);
+       g_free (res);
+       return p;

 int makealldirs(path)
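
Review bot: as this hunk reads here, `if (path)` is followed directly by the new `p = g_strdup(res);`, so the copy would run only when `path` is non-NULL and `return p;` would otherwise hand back whatever `p` last pointed at. The header gives 7 old lines and fewer are shown, so the statement that belongs to `if (path)` may simply be missing from this copy. Check the applied result, and brace that `if` so the three added lines are clearly unconditional.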

