List: oss-security
Subject: Re: [oss-security] CVE Request: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
From: Vincent Danen <vdanen () redhat ! com>
Date: 2012-10-31 18:31:29
Message-ID: 20121031183129.GC2676 () redhat ! com
* [2012-10-29 18:22:29 -0500] Andrés Gómez Ramírez wrote:
>PLIB is no longer being maintained:
>
>http://sourceforge.net/mailarchive/message.php?msg_id=28580157
>
>I sent a couple of bugs several months ago, but there wasn't any response
>from plib developers, so I decided to make them public.
Fair enough. Thank you so much for this explanation. I didn't realize
it was unmaintained software.
>On Mon, Oct 29, 2012 at 3:58 PM, Vincent Danen <vdanen@redhat.com> wrote:
>
>> * [2012-10-29 14:02:58 -0500] Andrés Gómez Ramírez wrote:
>>
>> Sorry for the previous message, it was not intentional :)
>>>
>>> Hi, Could a CVE be assigned to this issue?
>>>
>>> Name: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
>>> Software: PLIB 1.8.5
>>> Software link: http://plib.sourceforge.net/
>>> Vulnerability Type: Stack Based Buffer overflow
>>> References: http://www.exploit-db.com/exploits/21831/
>>> http://www.securityfocus.com/bid/55839
>>>
>>> Vulnerability Details: Plib is prone to stack based Buffer overflow in the
>>> error function in ssg/ssgParser.cxx when it loads 3d model files as X
>>> (Direct x), ASC, ASE, ATG, and OFF, if a very long error message is passed
>>> to the function, in line 68:
>>>
>>>
>>> // Output an error
>>> void _ssgParser::error( const char *format, ... )
>>> {
>>> char msgbuff[ 255 ];
>>> va_list argp;
>>>
>>> char* msgptr = msgbuff;
>>> if (linenum)
>>> {
>>> msgptr += sprintf ( msgptr,"%s, line %d: ",
>>> path, linenum );
>>> }
>>>
>>> va_start( argp, format );
>>> 68 vsprintf( msgptr, format, argp );
>>> va_end( argp );
>>>
>>> ulSetError ( UL_WARNING, "%s", msgbuff ) ;
>>> }
>>>
>>> Thanks,
>>>
>>
>> Andreas, was this reported to upstream? I can't see a patch or anything
>> in their bug tracker regarding this.
--
Vincent Danen / Red Hat Security Response Team
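
A bounded version of the formatting done in the quoted error function, as an added example that is not part of this thread and is not PLIB code. The names format_parser_error and demo_oversized_token, the file name and the format string are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSGBUFF_SIZE 255 /* same size as msgbuff in the quoted function */

/* Hypothetical helper (not PLIB code): writes "path, line N: <message>"
 * into out[outsz]. Returns 0 if it fit, 1 if truncated, -1 on error.
 * out is always NUL-terminated when outsz > 0. */
static int format_parser_error(char *out, size_t outsz, const char *path,
                               int linenum, const char *format, ...)
{
    size_t used = 0;
    int n, truncated = 0;
    va_list argp;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (linenum) {
        n = snprintf(out, outsz, "%s, line %d: ", path, linenum);
        if (n < 0)
            return -1;
        /* snprintf returns the length it wanted to write, which can be
         * larger than outsz, so clamp it before using it as an offset. */
        truncated = ((size_t)n >= outsz);
        used = truncated ? outsz - 1 : (size_t)n;
    }
    va_start(argp, format);
    n = vsnprintf(out + used, outsz - used, format, argp);
    va_end(argp);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz - used)
        truncated = 1;
    return truncated;
}

/* Constructed input: a 1000-byte token standing in for an oversized
 * string read from a model file. */
static int demo_oversized_token(char *out, size_t outsz)
{
    char token[1001] = {0};
    memset(token, 'A', 1000);
    return format_parser_error(out, outsz, "model.ase", 12,
                               "unexpected token '%s'", token);
}
```

The return value lets the caller log that a message was cut short instead of silently dropping the tail.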