Bug 133883

Summary: FVWM Buffer Overflow
Product: Ports & Packages
Reporter: john <x41>
Component: Individual Port(s)
Assignee: Gavin Atkinson <gavin>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description john 2009-04-21 05:40:00 UTC
 Hi guys,

Thanks for maintaining the FreeBSD packages...

I noticed a client-side buffer overflow vulnerability in the fvwm
binary; this is in the default installation.

When I do
$ fvwm `perl -e 'print "A"x979'`

The system returns
$ Abort trap (core dumped)

Stack overflow in function fvwm_msg

The issue occurs when handling specially crafted .fvwmrc files too
because the *fvwm_msg function is used to load the configurations in
that file.

Something like this can work: DeskTopSize 3x3AAAAAAAAAAAAAAAAAAAAAA....and more A's

 9093 fvwm     CALL  write(0x2,0xcfbbc3d0,0x3e7)
 9093 fvwm     GIO   fd 2 wrote 999 bytes
      "Unknown option:  `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAA'
      "
 9093 fvwm     RET   write 999/0x3e7

Also I'm sending a fvwm.core and the ktrace.out

If I can be useful in some way let me know.
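
Added example, not part of the report and not fvwm's own code: a length-bounded diagnostic formatter that truncates and flags an oversized "Unknown option" message instead of writing past a fixed buffer. The names `msg_bounded`, `demo`, `g_msg` and the 256-byte `MSG_MAX` are assumptions for illustration; only the format string is taken from the ktrace output above, and the 979-byte option is constructed to match the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX 256   /* assumed size; fvwm's real buffer size is not on the page */
char g_msg[MSG_MAX];  /* fixed-size destination, standing in for a stack buffer */

/* Bounded replacement for a vsprintf()-style formatter: writes at most
 * bufsz bytes including the NUL, where vsprintf() has no limit at all.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int msg_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    if (buf == NULL || bufsz == 0)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsz, fmt, ap);  /* n = length the full message needs */
    va_end(ap);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n < bufsz)
        return 0;
    if (bufsz >= 4)
        memcpy(buf + bufsz - 4, "...", 4);   /* visible truncation mark plus NUL */
    return 1;
}

/* Constructed input: an option made of arglen 'A' bytes, as in the report. */
int demo(size_t arglen)
{
    char *arg = malloc(arglen + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    int rc = msg_bounded(g_msg, sizeof(g_msg), "Unknown option:  `%s'\n", arg);
    free(arg);
    return rc;
}

int main(void)
{
    int rc = demo(979);
    printf("rc=%d len=%zu\n", rc, strlen(g_msg));
    return 0;
}
```

With 979 bytes of input the full message would need 999 bytes, the same size as the write shown in the ktrace output, so the bounded formatter reports truncation rather than overrunning the buffer.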
Comment 1 Gavin Atkinson freebsd_committer freebsd_triage 2009-04-23 10:09:29 UTC
State Changed
From-To: open->feedback

To submitter: is this with x11-wm/fvwm or x11-wm/fvwm2, or some other port?

Comment 2 Gavin Atkinson freebsd_committer freebsd_triage 2009-04-23 10:09:29 UTC
Responsible Changed
From-To: freebsd-i386->gavin

Track
Comment 3 Pav Lucistnik freebsd_committer freebsd_triage 2009-05-12 15:13:09 UTC
State Changed
From-To: feedback->closed

feedback timeout