Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
From: Andrés Gómez Ramírez <andresgomezram7 () gmail com>
Date: Mon, 29 Oct 2012 18:22:29 -0500

PLIB is no longer being maintained:

http://sourceforge.net/mailarchive/message.php?msg_id=28580157

I sent a couple of bugs several months ago, but there wasn't any response
from plib developers, so I decided to make them public.

On Mon, Oct 29, 2012 at 3:58 PM, Vincent Danen <vdanen () redhat com> wrote:

* [2012-10-29 14:02:58 -0500] Andr?s G?mez Ram?rez wrote:

 Sorry for the previous message, it was not intentional :)

Hi, Could a CVE be assigned to this issue?

Name: PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
Software: PLIB 1.8.5
Software link: http://plib.sourceforge.net/
Vulnerability Type: Stack Based Buffer overflow
References: http://www.exploit-db.com/**exploits/21831/<http://www.exploit-db.com/exploits/21831/>
                  http://www.securityfocus.com/**bid/55839<http://www.securityfocus.com/bid/55839>

Vulnerability Details: Plib is prone to stack based Buffer overflow in the
error function in ssg/ssgParser.cxx when it loads 3d model files as X
(Direct x), ASC, ASE, ATG, and OFF, if a very long error message is passed
to the function, in line 68:


// Output an error
void _ssgParser::error( const char *format, ... )
{
 char msgbuff[ 255 ];
 va_list argp;

 char* msgptr = msgbuff;
 if (linenum)
 {
   msgptr += sprintf ( msgptr,"%s, line %d: ",
     path, linenum );
 }

 va_start( argp, format );
68        vsprintf( msgptr, format, argp );
 va_end( argp );

 ulSetError ( UL_WARNING, "%s", msgbuff ) ;
}

Thanks,


Andreas, was this reported to upstream?  I can't see a patch or anything
in their bug tracker regarding this.

--
Vincent Danen / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]