xlockmore User Supplied Format String Vulnerability

Solution:
Jeremy Buhler <jbuhler@cs.washington.edu> has released a patch which eliminates this vulnerability; it is shipped with xlockmore 4.17.1 and later versions. The following is the relevant fixed code (the message buffer, which can contain user-supplied text such as a display name, is now passed as an argument to a fixed "%s" format rather than being used as the format string itself):

    void error(const char *buf)
    {
    #if defined( HAVE_SYSLOG_H ) && defined( USE_SYSLOG )
        extern Display *dsp;

        /* buf is logged as data under a constant format, never as the format */
        syslog(SYSLOG_WARNING, "%s", buf);
        if (!nolock) {
            if (strstr(buf, "unable to open display") == NULL)
                syslogStop(XDisplayString(dsp));
            else
                syslogStop("unknown display");
            closelog();
        }
    #else
        (void) fprintf(stderr, "%s", buf);
    #endif
        exit(1);
    }

Patches are available for Debian Linux 2.1 and 2.2.
Patches are available for the FreeBSD ports version of xlockmore.

Vulnerable:
David Bagley xlock 4.16
David Bagley xlock 4.16.1
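To make the fix concrete, the following is an added example written for this page; it is not code from xlockmore or from the patch. It models how a screen locker embeds a user-controlled display name in its diagnostic, then routes that text through a sink that behaves like the patched error() above, with the message always bound to a constant "%s" format. The function names, the has_format_directive() check and the sample display name are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (hypothetical helpers, not xlockmore code).
 *
 * Pre-4.17.1 pattern (what the patch removed):
 *     syslog(SYSLOG_WARNING, buf);      // buf used as the format string
 * Patched pattern (what the fix above does):
 *     syslog(SYSLOG_WARNING, "%s", buf); // buf is a plain argument
 */

/* Build the diagnostic the way a locker might: the display name passed on
 * the command line (user-controlled) is embedded in the message text. */
int build_display_error(const char *display, char *out, size_t outsz)
{
    return snprintf(out, outsz, "xlock: unable to open display %s.\n", display);
}

/* Hardened sink, mirroring the patched error(): the message is only ever an
 * argument to a constant "%s" format, so '%' sequences inside it are data. */
int emit_error(const char *buf, char *sink, size_t sinksz)
{
    return snprintf(sink, sinksz, "%s", buf);
}

/* Returns 1 when msg contains a '%' that printf-style functions would treat
 * as a conversion (anything other than the literal "%%"). Useful as a
 * defensive assertion at an error sink that must never see its message
 * used as a format. */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Round trip: build the message for `display`, push it through the
 * hardened sink, and report 1 if the sink preserved it byte for byte. */
int check_roundtrip(const char *display)
{
    char msg[256];
    char sink[256];

    int n = build_display_error(display, msg, sizeof msg);
    if (n < 0 || (size_t)n >= sizeof msg)
        return 0;
    if (emit_error(msg, sink, sizeof sink) != n)
        return 0;
    return strcmp(sink, msg) == 0;
}

int main(void)
{
    /* Constructed sample: a display name carrying conversion specifiers. */
    const char *display = "%x%x%x";
    char msg[256];

    build_display_error(display, msg, sizeof msg);
    printf("message contains format directives: %d\n", has_format_directive(msg));
    printf("hardened sink preserved message verbatim: %d\n", check_roundtrip(display));
    return 0;
}
```

Compiling the real code with -Wformat-security (GCC/Clang) flags the pre-4.17.1 call shape, where a non-literal string is passed as the format with no further arguments, so the same class of bug surfaces at build time rather than in the field.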