
List:       oss-security
Subject:    Re: [oss-security] CVE Request: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2012-10-31 18:31:29
Message-ID: 20121031183129.GC2676 () redhat ! com

* [2012-10-29 18:22:29 -0500] Andrés Gómez Ramírez wrote:

>PLIB is no longer being maintained:
>
>http://sourceforge.net/mailarchive/message.php?msg_id=28580157
>
>I sent a couple of bugs several months ago, but there wasn't any response
>from plib developers, so I decided to make them public.

Fair enough.  Thank you so much for this explanation.  I didn't realize
it was unmaintained software.

>On Mon, Oct 29, 2012 at 3:58 PM, Vincent Danen <vdanen@redhat.com> wrote:
>
>> * [2012-10-29 14:02:58 -0500] Andrés Gómez Ramírez wrote:
>>
>>  Sorry for the previous message, it was not intentional :)
>>>
>>> Hi, Could a CVE be assigned to this issue?
>>>
>>> Name: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
>>> Software: PLIB 1.8.5
>>> Software link: http://plib.sourceforge.net/
>>> Vulnerability Type: Stack Based Buffer overflow
>>> References: http://www.exploit-db.com/exploits/21831/
>>>             http://www.securityfocus.com/bid/55839
>>>
>>> Vulnerability Details: Plib is prone to stack based Buffer overflow in the
>>> error function in ssg/ssgParser.cxx when it loads 3d model files as X
>>> (Direct x), ASC, ASE, ATG, and OFF, if a very long error message is passed
>>> to the function, in line 68:
>>>
>>>
>>> // Output an error
>>> void _ssgParser::error( const char *format, ... )
>>> {
>>>  char msgbuff[ 255 ];
>>>  va_list argp;
>>>
>>>  char* msgptr = msgbuff;
>>>  if (linenum)
>>>  {
>>>    msgptr += sprintf ( msgptr,"%s, line %d: ",
>>>      path, linenum );
>>>  }
>>>
>>>  va_start( argp, format );
>>> 68        vsprintf( msgptr, format, argp );
>>>  va_end( argp );
>>>
>>>  ulSetError ( UL_WARNING, "%s", msgbuff ) ;
>>> }
>>>
>>> Thanks,
>>>
>>
>> Andreas, was this reported to upstream?  I can't see a patch or anything
>> in their bug tracker regarding this.

-- 
Vincent Danen / Red Hat Security Response Team 
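
Added example, not part of the original messages and not PLIB's code: a bounded version of the formatting logic in the quoted function, using snprintf/vsnprintf so that an over-long message is truncated instead of being written past the 255-byte buffer. The function name format_parser_error, its return convention and the sample file name and token are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 255 /* same size as msgbuff in the quoted function */

/* Hypothetical stand-in for the quoted error(): formats into out[size] and
   never writes past it. Returns 1 if the whole message fit, 0 if it was
   truncated, -1 on a formatting error. */
int format_parser_error(char *out, size_t size, const char *path, int linenum,
                        const char *format, ...)
{
    size_t used = 0;
    int n, truncated = 0;
    va_list argp;

    if (out == NULL || size == 0) return -1;
    out[0] = '\0';
    if (linenum) {
        n = snprintf(out, size, "%s, line %d: ", path, linenum);
        if (n < 0) return -1;
        /* snprintf returns the length it wanted; clamp to what was stored */
        if ((size_t)n >= size) { truncated = 1; used = size - 1; }
        else used = (size_t)n;
    }
    va_start(argp, format);
    n = vsnprintf(out + used, size - used, format, argp);
    va_end(argp);
    if (n < 0) return -1;
    if ((size_t)n >= size - used) truncated = 1;
    return truncated ? 0 : 1;
}

/* Constructed input: a 1000-byte token, as an over-long field in a model
   file would produce. Returns 1 when the message was cut to MSG_MAX - 1. */
int demo_truncates(void)
{
    char token[1001], msg[MSG_MAX];
    int fit;

    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';
    fit = format_parser_error(msg, sizeof msg, "model.ase", 12,
                              "unexpected token \"%s\"", token);
    return fit == 0 && strlen(msg) == MSG_MAX - 1;
}

int main(void) { printf("truncated safely: %d\n", demo_truncates()); return 0; }
```

The path prefix is bounded as well as the variadic part, since both are written into the same fixed buffer in the quoted function.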