libtool-1.4.3-5 strncpy() possible bug

From: David Wagner
Subject: libtool-1.4.3-5 strncpy() possible bug
Date: Sun, 19 Oct 2003 23:41:09 -0700 (PDT)

I've been doing a shallow security audit of libtool-1.4.3-5.
I found something that looked fishy, and wanted to check whether
this is a real bug.

Look at the strncpy() call in libltdl/ltdl.c:trim().
It looks like it might write a '\0' outside the bounds of its
buffer -- though I'm not sure.
A possible scenario: user calls lt_dlopen(), which opens a file that
contains strings processed by trim(), and if those are of the wrong format,
maybe a buffer can be overflowed.

Looking through the source, I don't see any safeguards to prevent an
attacker from constructing a bad .la file, and I don't see anything that
checks the syntax of .la files, so on first glance, it looks like there
might be a security problem here.  But it's entirely possible I'm missing

Any thoughts on this?

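An added example, not part of the original message and not libtool's code: a defensive way to strip the quotes from a value so that the terminator can never land outside the buffer, with the syntax check the message notes is missing. The names `trim_quoted` and `trims_to`, and the input format (a value in single quotes, optionally followed by a line ending), are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libtool's trim(): copy the text between the
 * leading ' and the last ' of str into a fresh buffer. Returns 0 and sets
 * *dest on success; returns -1 with *dest == NULL unless str is 'value'
 * followed only by an optional line ending (assumed format). */
int trim_quoted(char **dest, const char *str)
{
    *dest = NULL;
    if (str == NULL || str[0] != '\'')
        return -1;                       /* no opening quote */
    const char *end = strrchr(str, '\'');
    if (end == str)
        return -1;                       /* no closing quote */
    if (end[1 + strspn(end + 1, "\r\n")] != '\0')
        return -1;                       /* stray bytes after closing quote */

    size_t n = (size_t)(end - str) - 1;  /* bytes strictly between quotes */
    char *tmp = malloc(n + 1);           /* +1 for the terminator */
    if (tmp == NULL)
        return -1;
    /* strncpy(tmp, str + 1, n) would leave tmp unterminated, since the
     * source is longer than n. Copy n bytes and terminate at an index
     * derived from the same n that sized the buffer, not from strlen(str). */
    memcpy(tmp, str + 1, n);
    tmp[n] = '\0';
    *dest = tmp;
    return 0;
}

/* Returns 1 if str parses and the extracted value equals want. */
int trims_to(const char *str, const char *want)
{
    char *out = NULL;
    int ok = trim_quoted(&out, str) == 0 && strcmp(out, want) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real .la file. */
    printf("%d %d\n", trims_to("'libfoo.so.0'\n", "libfoo.so.0"),
           trims_to("'libfoo.so.0' extra", "libfoo.so.0"));
    return 0;
}
```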