Debian Bug report logs - #278191
xtrlock unlocks upon very long input

Package: xtrlock; Maintainer for xtrlock is Matthew Vernon <matthew@debian.org>; Source for xtrlock is src:xtrlock.

Reported by: muec@mail.ustc.edu.cn

Date: Mon, 25 Oct 2004 12:18:16 UTC

Severity: critical

Tags: confirmed, patch, security, woody

Merged with 278190

Found in version 2.0-8

Fixed in version xtrlock/2.0-9

Done: Matthew Vernon <matthew@sel.cam.ac.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to muec@mail.ustc.edu.cn:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: muec@mail.ustc.edu.cn
To: submit@bugs.debian.org
Subject: xtrlock unlocks upon very long input
Date: Mon, 25 Oct 2004 20:07:03 +0800 (CST)
Package: xtrlock
Version: 2.0-8

xtrlock can be bypassed by holding down any key for 1 minute and then
pressing Enter.

I am using Debian GNU/Linux 3.1, kernel 2.6.8-1-686,
libc6 2.3.2.ds1-16, xlibs 4.3.0.dfsg.1-7 and Gnome 2.




Merged 278190 278191. Request was from Stephen Quinney <stephen@jadevine.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `critical'. Request was from Stephen Quinney <stephen@jadevine.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security Request was from Stephen Quinney <stephen@jadevine.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to muec@mail.ustc.edu.cn:
Bug#278191. Full text and rfc822 format available.

Message #14 received at 278191-submitter@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: 278191-submitter@bugs.debian.org
Subject: xtrlock bug
Date: Sun, 16 Jan 2005 15:16:13 -0500
Hi,

I'm following up on the xtrlock bug you reported:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278191&msg=6

What architecture were you using when you experienced this?  I can't
reproduce it here.

Justin



Tags added: confirmed Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #21 received at 278191@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: 278191@bugs.debian.org
Subject: crash
Date: Sun, 16 Jan 2005 18:02:22 -0500
Well, gdb-ing the process might have been a bad idea, since it locks the
keyboard.  But the line that crashes is:

	184             rbuf[rlen]=0;

Justin



Tags added: patch Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #28 received at 278191@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: 278191@bugs.debian.org
Subject: patch
Date: Sun, 16 Jan 2005 19:59:54 -0500
[Message part 1 (text/plain, inline)]

[xtrlock-overflow (text/plain, attachment)]

Reply sent to Matthew Vernon <matthew@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to muec@mail.ustc.edu.cn:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #33 received at 278190-close@bugs.debian.org (full text, mbox):

From: Matthew Vernon <matthew@debian.org>
To: 278190-close@bugs.debian.org
Subject: Bug#278190: fixed in xtrlock 2.0-9
Date: Mon, 17 Jan 2005 06:02:02 -0500
Source: xtrlock
Source-Version: 2.0-9

We believe that the bug you reported is fixed in the latest version of
xtrlock, which is due to be installed in the Debian FTP archive:

xtrlock_2.0-9.dsc
  to pool/main/x/xtrlock/xtrlock_2.0-9.dsc
xtrlock_2.0-9.tar.gz
  to pool/main/x/xtrlock/xtrlock_2.0-9.tar.gz
xtrlock_2.0-9_i386.deb
  to pool/main/x/xtrlock/xtrlock_2.0-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 278190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated xtrlock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 17 Jan 2005 10:47:09 +0000
Source: xtrlock
Binary: xtrlock
Architecture: source i386
Version: 2.0-9
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Description: 
 xtrlock    - Minimal X display lock program
Closes: 264173 278190 278191
Changes: 
 xtrlock (2.0-9) unstable; urgency=high
 .
   * Fix the problem whereby we unlocked on long input (closes: #278191, #278190)
   * tidy up a switch statement (closes: #264173)
Files: 
 2b5cb5f98847a8e37b618a95cac9f634 599 x11 optional xtrlock_2.0-9.dsc
 f268de7457416ba57d4b757e62e9eece 7437 x11 optional xtrlock_2.0-9.tar.gz
 c35a5610aa22f4371cfc083f6bdfcc9d 9142 x11 optional xtrlock_2.0-9_i386.deb





Message #34 received at 278191-close@bugs.debian.org (full text, mbox):

From: Matthew Vernon <matthew@debian.org>
To: 278191-close@bugs.debian.org
Subject: Bug#278191: fixed in xtrlock 2.0-9
Date: Mon, 17 Jan 2005 06:02:02 -0500
Source: xtrlock
Source-Version: 2.0-9

We believe that the bug you reported is fixed in the latest version of
xtrlock, which is due to be installed in the Debian FTP archive:

xtrlock_2.0-9.dsc
  to pool/main/x/xtrlock/xtrlock_2.0-9.dsc
xtrlock_2.0-9.tar.gz
  to pool/main/x/xtrlock/xtrlock_2.0-9.tar.gz
xtrlock_2.0-9_i386.deb
  to pool/main/x/xtrlock/xtrlock_2.0-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 278191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated xtrlock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 17 Jan 2005 10:47:09 +0000
Source: xtrlock
Binary: xtrlock
Architecture: source i386
Version: 2.0-9
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Description: 
 xtrlock    - Minimal X display lock program
Closes: 264173 278190 278191
Changes: 
 xtrlock (2.0-9) unstable; urgency=high
 .
   * Fix the problem whereby we unlocked on long input (closes: #278191, #278190)
   * tidy up a switch statement (closes: #264173)
Files: 
 2b5cb5f98847a8e37b618a95cac9f634 599 x11 optional xtrlock_2.0-9.dsc
 f268de7457416ba57d4b757e62e9eece 7437 x11 optional xtrlock_2.0-9.tar.gz
 c35a5610aa22f4371cfc083f6bdfcc9d 9142 x11 optional xtrlock_2.0-9_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #39 received at 278191@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 278191@bugs.debian.org, 278190@bugs.debian.org
Subject: CAN-2005-0079: authentication bypass via integer overflow
Date: Mon, 17 Jan 2005 18:39:34 +0100
Just for references, this issue has been assigned CAN-2005-0079.
A Debian advisory will follow.

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.



Bug reopened, originator not changed. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: woody Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #48 received at 278191@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Martin Schulze <joey@infodrom.org>, 278191@bugs.debian.org
Subject: Re: Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
Date: Mon, 17 Jan 2005 14:35:02 -0500
Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
                                                     ^^^^^^^^^^^^^^^^

It's not an integer overflow, btw, though it's not really a buffer
overflow either; it's a set-an-arbitrary-byte-of-memory-to-zero bug.

Justin

On Mon, Jan 17, 2005 at 06:39:34PM +0100, Martin Schulze wrote:
> Just for references, this issue has been assigned CAN-2005-0079.
> A Debian advisory will follow.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #53 received at 278191@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Justin Pryzby <justinpryzby@users.sourceforge.net>
Cc: 278191@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
Date: Mon, 17 Jan 2005 20:52:32 +0100
Justin Pryzby wrote:
> Bug#278191: CAN-2005-0079: authentication bypass via integer overflow
>                                                      ^^^^^^^^^^^^^^^^
> 
> It's not an integer overflow, btw, though it's not really a buffer
> overflow either; it's a set-an-arbitrary-byte-of-memory-to-zero bug.

Are you sure?

My investigation showed that

rlen goes from 0..49 and rbuf[rlen] is accessed
then rlen grows until 2147483647 while rbuf[rlen] is not accessed
   due to rlen > sizeof(rbuf)
But then, since 2147483647 is INT_MAX, rlen will become -2147483648
and with the next character the condition rlen < sizeof(rbuf) is
   true again, causing rbuf[rlen] = cbuf[0] to be executed,
   unfortunately rlen is now -2147483648 causing the program to
   crash

rlen goes from valid to invalid positive to invalid negative
  --> integer overflow

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Please always Cc to me when replying to me on the lists.
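
The two loop shapes Justin and Joey are arguing about, reduced to a model added here for illustration; this is not xtrlock's source, and the 50-byte buffer (Joey's 0..49), the 2000-key constructed input and the return codes are assumptions. The vulnerable shape guards the store but not the index, so the Return-key terminator `rbuf[rlen]=0` is written at whatever offset `rlen` has reached; the hardened shape bounds `rlen` and rejects over-long input outright.

```c
#include <string.h>
#define RBUF_SIZE 50   /* Joey's analysis: valid indices are 0..49 */
#define REJECTED  -2   /* hardened loop: input too long to be the password */
/* Vulnerable shape (modelled on the thread, not xtrlock's source): the
 * store is bounds-checked but rlen grows regardless, so on Return the
 * terminator "rbuf[rlen]=0" lands at whatever offset rlen has reached.
 * Returns that offset; >= RBUF_SIZE means a byte outside rbuf would
 * have been zeroed (the model skips that write rather than doing it). */
static long vuln_feed(const char *keys, size_t n, char rbuf[RBUF_SIZE])
{
    int rlen = 0;
    for (size_t i = 0; i < n; i++) {
        if (keys[i] == '\n') {              /* Return pressed */
            if (rlen < RBUF_SIZE) rbuf[rlen] = 0;
            return rlen;
        }
        if (rlen < RBUF_SIZE) rbuf[rlen] = keys[i];
        rlen++;                             /* the defect: unbounded */
    }
    return -1;                              /* no Return seen */
}

/* Hardened shape: rlen advances only while a byte plus NUL still fit,
 * and over-long input is remembered so the attempt is rejected instead
 * of a silently truncated string being compared with the password. */
static long safe_feed(const char *keys, size_t n, char rbuf[RBUF_SIZE])
{
    int rlen = 0, overlong = 0;
    for (size_t i = 0; i < n; i++) {
        if (keys[i] == '\n') {
            rbuf[rlen] = 0;                 /* rlen <= RBUF_SIZE-1 here */
            return overlong ? REJECTED : rlen;
        }
        if (rlen < RBUF_SIZE - 1) { rbuf[rlen] = keys[i]; rlen++; }
        else overlong = 1;
    }
    return -1;
}

/* Constructed input: one key auto-repeating `repeats` times (capped at
 * 2000, on the order of a minute of autorepeat), then Return. */
static long held_key_probe(int use_fixed, size_t repeats)
{
    static char keys[2001], rbuf[RBUF_SIZE];
    if (repeats > 2000) repeats = 2000;
    memset(keys, 'a', repeats);
    keys[repeats] = '\n';
    return use_fixed ? safe_feed(keys, repeats + 1, rbuf)
                     : vuln_feed(keys, repeats + 1, rbuf);
}
```

With a short input both shapes terminate at offset 6; with the held key the vulnerable shape reports offset 2000, far outside a 50-byte buffer, while the hardened shape returns REJECTED without ever indexing past 49.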



Reply sent to Matthew Vernon <matthew@sel.cam.ac.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to muec@mail.ustc.edu.cn:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #58 received at 278190-done@bugs.debian.org (full text, mbox):

From: Matthew Vernon <matthew@sel.cam.ac.uk>
To: 278191-done@bugs.debian.org, 278190-done@bugs.debian.org
Subject: DSA out
Date: Thu, 20 Jan 2005 10:37:55 +0000
The DSA regarding these bugs has been released, so they can be laid to 
rest.

Matthew

-- 
Matthew Vernon MA VetMB LGSM MRCVS
Farm Animal Epidemiology and Informatics Unit
Department of Veterinary Medicine, University of Cambridge




Information stored:
Bug#278191; Package xtrlock. Full text and rfc822 format available.

Acknowledgement sent to muec@mail.ustc.edu.cn:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #64 received at 278191-quiet@bugs.debian.org (full text, mbox):

From: muec@mail.ustc.edu.cn
To: "Justin Pryzby" <justinpryzby@users.sourceforge.net>, 278191-quiet@bugs.debian.org
Subject: Re: Bug#278191: xtrlock bug
Date: Mon, 31 Jan 2005 00:22:40 +0800 (CST)
> Hi,
>
> I'm following up on the xtrlock bug you reported:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278191&msg=6
>
> What architecture were you using when you experienced this?  I can't
> reproduce it here.
>
> Justin
>
>

I'm using i386.
Sorry for replying so late; the mailbox has been down for a long time.
Hope this can help.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 11:08:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.