|
Date: Wed, 17 Oct 2012 17:44:11 +0200 From: Ignatios Souvatzis <is@...bsd.org> To: oss-security@...ts.openwall.com Cc: is@...bsd.org Subject: CVE id request: xlockmore vulnerability: local access Hello, i'd like to request an CVE identifier for the following vulnerability of xlockmore: software: xlockmore 5.0 to 5.40 access: terminal-local access to user account OS/hardware: all where sizeof(time_t) > sizeof(long int) (e.g. NetBSD-6 on 32bit platforms) Details: "xlockmore -mode dclock" grew additional code in version 5.0 depending on timestamps in 'time_t' format, unfortunately partially expressed as 'long' variables. This works if function prototypes/definitions or type casts are used and the values are passed by value, but fails in a few cases in the code where the pointer is passed to localtime(3)). localtime accesses a (in the discovered case) 64bit value, which is likely not to be valid, and returns a null pointer as an error indication. The code in dclock.c does not check for this but, depending on additional command-line options, either dereferences the pointer or passes it to strftime() unconditionally, which in turn triggers a segmentation fault, terminating the program and leaving the terminal unlocked. While this is unexpected, the dangerous case is where "xlockmore -mode random" calls the mode "dclock" after a while, when the user has left the terminal, not noticing that it will (eventually) be unlocked. Accessing the terminal needs physical access to it; however, the terminal can be on a different machine than the one running xlock. The maintainer of xlockmore has been notified and is working on a fixed version. In the meantime, the appended patch file will fix this problem. While it was developed for 5.38, it should apply to other 5.x versions, too. The packages xlockmore and xlockmore-lite from pkgsrc.org are vulnerable for 32bit machines with 64bit time_t up to and including xlockmore-5.38nb5 and xlockmore-lite-5.38nb1, but updated packages are available from pkgsrc-current and will shortly be available from pkgsrc-2011Q3. pkgsrc on NetBSD-6.0 or NetBSD-current on 64bit architectures, and pkgsrc on NetBSD-5.1.x and earlier, are not vulnerable. xlockmore is not shipped with the base system of NetBSD. The patch is of course subject to the same licensing as the original file. $NetBSD: patch-modes_dclock.c,v 1.2 2012/10/15 20:47:57 is Exp $ --- modes/dclock.c.orig 2012-01-23 13:19:21.000000000 +0000 +++ modes/dclock.c @@ -376,11 +376,11 @@ static dclockstruct *dclocks = (dclockst extern char *message; static unsigned long -timeAtLastNewYear(long timeNow) +timeAtLastNewYear(time_t timeNow) { struct tm *t; - t = localtime((const time_t *) &timeNow); + t = localtime(&timeNow); return (unsigned long)(t->tm_year); } @@ -420,7 +420,7 @@ convert(double x, char *string) } static void -dayhrminsec(long timeCount, int tzoffset, char *string) +dayhrminsec(time_t timeCount, int tzoffset, char *string) { int days, hours, minutes, secs; int bufsize, i; @@ -675,7 +675,7 @@ drawDclock(ModeInfo * mi) "%a %b %d %Y", localtime(&(dp->timeold))); } } else { - long timeNow, timeLocal; + time_t timeNow, timeLocal; timeNow = seconds(); timeLocal = timeNow + dp->tzoffset; @@ -950,7 +950,7 @@ init_dclock(ModeInfo * mi) { Display *display = MI_DISPLAY(mi); dclockstruct *dp; - long timeNow, timeLocal; + time_t timeNow, timeLocal; int i, j; if (dclocks == NULL) { @@ -1252,7 +1252,7 @@ defined(MODE_dclock_mayan) dayhrminsec(MAYAN_TIME_START - timeLocal, dp->tzoffset, dp->strnew[1]); dp->strpta[1] = dp->strnew[1]; } else { - struct tm *t = localtime((const time_t *) &timeLocal); + struct tm *t = localtime(&timeLocal); if (dp->time24) (void) strftime(dp->strnew[0], STRSIZE, "%H:%M:%S", t); Regards, Ignatios Souvatzis
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.