i386/133883: FVWM Buffer Overflow

john x41 at freeshell.org
Tue Apr 21 04:40:01 UTC 2009 

>Number:         133883
>Category:       i386
>Synopsis:       FVWM Buffer Overflow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 21 04:40:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     john
>Release:        7.1
>Organization:
>Environment:
>Description:
 Hi guys,

Thanks for maintaining the FreeBSD packages...

I noticed a client-side buffer overflow vulnerability in the fvwm
binary, this is in the default installation.

When i do
$ fvwm `perl -e 'print "A"x979'`

The system returns
$ Abort trap (core dumped)

Stack overflow in function fvwm_msg

The issue occurs when handling specially crafted .fvwmrc files too
because the *fvwm_msg function is used for load the configurations in
that file.

Something like this can work DeskTopSize
3x3AAAAAAAAAAAAAAAAAAAAAA....and more A's

 9093 fvwm     CALL  write(0x2,0xcfbbc3d0,0x3e7)
 9093 fvwm     GIO   fd 2 wrote 999 bytes
      "Unknown option:  `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
       AAAAAAAAAAAAAAAAA'
      "
 9093 fvwm     RET   write 999/0x3e7

Also im sending a fvwm.core and the ktrace.out

If I can be useful in someway let me know.
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-i386 mailing list