
enlightenment_system: `_cb_l2ping_ping()` performs an unbounded `sscanf()` on untrusted input data, allowing a stack buffer overflow
Closed, Resolved · Public

Description

d) _cb_l2ping_ping() performs an unbounded sscanf() on untrusted input data, allowing a stack buffer overflow

A sscanf() call in this function passes a %s format for the params input
parameter. The target buffer has a length of 1024 bytes. Thus if a client
passes a very long device name, the setuid-root binary's stack will be
overwritten. The parsing by sscanf() stops at whitespace characters, thus the
stack overflow data cannot be chosen arbitrarily. It is still a pretty dangerous
security issue.

http://bugzilla.suse.com/show_bug.cgi?id=1170165
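The fix for this class of bug is to give the `%s` conversion a field width one less than the destination buffer. The following is an added illustration written for this page, not the enlightenment_system source: it assumes a 1024-byte destination (the size named in the report) and that the device name is the first whitespace-delimited token of `params`; the function names and the 5000-character sample input are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEV_NAME_LEN 1024   /* same buffer size the report describes */

/* Bounded parse: "%1023s" makes sscanf() store at most 1023 characters
   plus the NUL terminator, so dev[] can never overflow. An over-long
   name is silently truncated at 1023 characters. Returns 1 on success. */
static int parse_device_name(const char *params, char dev[DEV_NAME_LEN])
{
    if (params == NULL) return 0;
    /* Assumption for this example: the device name is the first
       whitespace-delimited token of the params string. */
    return sscanf(params, "%1023s", dev) == 1;
}

/* Stricter variant: reject a name that would have been truncated
   instead of accepting a silently shortened one. "%n" records how many
   characters sscanf() consumed; if the character that follows is not
   whitespace or end of string, the token did not fit in the buffer. */
static int parse_device_name_strict(const char *params, char dev[DEV_NAME_LEN])
{
    int consumed = 0;
    if (params == NULL) return 0;
    if (sscanf(params, "%1023s%n", dev, &consumed) != 1) return 0;
    if (params[consumed] != '\0' && !isspace((unsigned char)params[consumed]))
        return 0;   /* more non-space characters remain: name too long */
    return 1;
}

/* Constructed over-long input (a 5000-character token, longer than the
   buffer): returns the strict parser's verdict and reports, via
   *lenient_len, how many characters the lenient parser actually stored. */
static int demo_overlong_name(size_t *lenient_len)
{
    static char params[5000 + 1];
    char dev[DEV_NAME_LEN];
    memset(params, 'A', 5000);
    params[5000] = '\0';
    if (parse_device_name(params, dev) == 1) *lenient_len = strlen(dev);
    else *lenient_len = 0;
    return parse_device_name_strict(params, dev);
}

int main(void)
{
    char dev[DEV_NAME_LEN];
    size_t len = 0;
    if (parse_device_name_strict("hci0 00:11:22:33:44:55", dev))
        printf("parsed device name: %s\n", dev);
    printf("over-long name: strict=%d, lenient stored %zu chars\n",
           demo_overlong_name(&len), len);
    return 0;
}
```

With the width specifier in place the 5000-character name is cut at 1023 characters and the stack is untouched; the strict variant additionally refuses the request, which is the behaviour a setuid helper usually wants, since a truncated device name is never one the client actually asked for.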