libtool-1.4.3-5 strncpy() possible bug
From: David Wagner
Subject: libtool-1.4.3-5 strncpy() possible bug
Date: Sun, 19 Oct 2003 23:41:09 -0700 (PDT)

I've been doing a shallow security audit of libtool-1.4.3-5.
I found something that looked fishy, and wanted to check whether
this is a real bug.

Look at the strncpy() call in libltdl/ltdl.c:trim().
It looks like it might write a '\0' outside the bounds of its
buffer -- though I'm not sure.

A possible scenario: user calls lt_dlopen(), which opens a file that
contains strings processed by trim(), and if those are of the wrong format,
maybe a buffer can be overflowed.

Looking through the source, I don't see any safeguards to prevent an
attacker from constructing a bad .la file, and I don't see anything that
checks the syntax of .la files, so on first glance, it looks like there
might be a security problem here. But it's entirely possible I'm missing
something.

Any thoughts on this?
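
An added example, not part of the original message and not libtool's code: one way to do the kind of syntax check the message finds missing, for a single KEY='VALUE' line as found in libtool .la files. The function name la_quoted_value is hypothetical; the terminator index is derived from the same length that sizes the allocation, so a malformed line cannot move it outside the buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not libltdl code. Extracts VALUE from a line of the form
   KEY='VALUE' (optionally newline-terminated) into a malloc'd string.
   Returns 0 on success, -1 on malformed input or allocation failure.
   On failure *dest is left NULL; on success the caller frees *dest. */
int la_quoted_value(const char *line, const char *key, char **dest)
{
    size_t klen, len, inner;
    const char *val;
    char *tmp;

    if (!line || !key || !dest)
        return -1;
    *dest = NULL;

    klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != '=')
        return -1;                      /* wrong key or no '=' */

    val = line + klen + 1;
    len = strlen(val);
    if (len > 0 && val[len - 1] == '\n')
        len--;                          /* drop one trailing newline */

    /* Syntax check: opening quote first, closing quote last, nothing after. */
    if (len < 2 || val[0] != '\'' || val[len - 1] != '\'')
        return -1;

    inner = len - 2;                    /* bytes between the two quotes */
    if (memchr(val + 1, '\'', inner) != NULL)
        return -1;                      /* stray quote inside the value */

    tmp = malloc(inner + 1);            /* +1 for the terminator */
    if (!tmp)
        return -1;
    memcpy(tmp, val + 1, inner);
    tmp[inner] = '\0';                  /* same length that sized the buffer */
    *dest = tmp;
    return 0;
}
```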