oss-security - suckless sent and libxft-dev 2.3.2-1 crash

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <CAATyssetqs4To7DdqFRrzJT-UF7Z1LoRkrraiL7dEqWK76BmvQ@mail.gmail.com>
Date: Mon, 16 Nov 2015 23:47:16 +0100
From: "Simon ." <bofh666ftw@...glemail.com>
To: oss-security@...ts.openwall.com
Subject: suckless sent and libxft-dev 2.3.2-1 crash

Hi,

please review, whether this needs a CVE.

Greetings
Simon
.

---------- Forwarded message ----------
From: "Simon ." <bofh666ftw@...glemail.com>
Date: Mon, 16 Nov 2015 23:37:57 +0100
Subject: sent segfaults Xft
To: dev@...kless.org

Hi,

installing "sent" failed for me. I needed to install libpng-dev + libxft-dev.
Running "sent" on some file:

simon@...hi3000:~/archive/sent$ file sent
sent: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32,
BuildID[sha1]=e3a0864f2be10dd5e1f749ed9443b8391d885c9b, not stripped
simon@...hi3000:~/archive/sent$ ls
arg.h         config.mk       drw.h    LICENSE   README.md  sent.o  util.o
config.def.h  core.9840.9840  drw.o    Makefile  sent       util.c
config.h      drw.c           example  nyan.png  sent.c     util.h
simon@...hi3000:~/archive/sent$ ./sent /etc/passwd
Segmentation fault (core dumped)
simon@...hi3000:~/archive/sent$ gdb -q sent
Reading symbols from sent...done.
(gdb) r /etc/passwd
Starting program: /home/sk/archive/sent/sent /etc/passwd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74ff660 in XftCharExists ()
   from /usr/lib/x86_64-linux-gnu/libXft.so.2
(gdb) l
655				shortcuts[i].func(&(shortcuts[i].arg));
656	}
657	
658	void configure(XEvent *e)
659	{
660		resize(e->xconfigure.width, e->xconfigure.height);
661		if (slides[idx].img)
662			slides[idx].img->state &= ~(DRAWN | SCALED);
663		xdraw();
664	}
(gdb) disas 0x7ffff74ff660
Dump of assembler code for function XftCharExists:
=> 0x00007ffff74ff660 <+0>:	mov    0x10(%rsi),%rdi
   0x00007ffff74ff664 <+4>:	test   %rdi,%rdi
   0x00007ffff74ff667 <+7>:	je     0x7ffff74ff670 <XftCharExists+16>
   0x00007ffff74ff669 <+9>:	mov    %edx,%esi
   0x00007ffff74ff66b <+11>:	jmpq   0x7ffff74f5dc0 <FcCharSetHasChar@plt>
   0x00007ffff74ff670 <+16>:	xor    %eax,%eax
   0x00007ffff74ff672 <+18>:	retq
End of assembler dump.

Can anyone else reproduce?

Greetings
Simon
.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.