libtool-1.4.3-5 strncpy() possible bug

bug-libtool

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

libtool-1.4.3-5 strncpy() possible bug

From:	David Wagner
Subject:	libtool-1.4.3-5 strncpy() possible bug
Date:	Sun, 19 Oct 2003 23:41:09 -0700 (PDT)

I've been doing a shallow security audit of libtool-1.4.3-5.
I found something that looked fishy, and wanted to check whether
this is a real bug.

Look at the strncpy() call in libltdl/ltdl.c:trim().
It looks like it might write a '\0' outside the bounds of its
buffer -- though I'm not sure.
 
A possible scenario: user calls lt_dlopen(), which opens a file that
contains strings processed by trim(), and if those are of the wrong format,
maybe a buffer can be overflown.

Looking through the source, I don't see any safeguards to prevent an
attacker from constructing a bad .la file, and I don't see anything that
checks the syntax of .la files, so on first glance, it looks like there
might be a security problem here.  But it's entirely possible I'm missing
something.

Any thoughts on this?

[Prev in Thread]

Current Thread

[Next in Thread]

libtool-1.4.3-5 strncpy() possible bug, David Wagner <=

Prev by Date: current cvs versionb fails on Tru64Unix
Next by Date: libtool-1.5 problem with nativ IRIX linker and -LANG:std option
Previous by thread: current cvs versionb fails on Tru64Unix
Next by thread: libtool-1.5 problem with nativ IRIX linker and -LANG:std option
Index(es):
- Date
- Thread