| ID | 0000360 |
| Category | [ncmpc] |
| Severity | crash |
| Reproducibility | always |
| Date Submitted | 2005-02-03 11:17 |
| Last Update | 2005-03-07 20:19 |
| Reporter | Anonymous |
| View Status | public |
| Assigned To | kaw |
| Priority | normal |
| Resolution | fixed |
| Status | closed |
| Projection | none |
| ETA | none |
| Summary | 0000360: ncmpc: set_xterm_title passed title as format string. |
Description

The xterm title, as defined by the xterm-title-format configuration option and the currently-playing song's metadata, is passed to set_xterm_title() verbatim. set_xterm_title() is a variable-argument-count function that expects an sprintf()-style format string followed by values to be filled into that format.

Upon playing a song which had no title metadata and using an xterm-title-format that did not provide an alternate string value, resulting in the title "Tao / Cream / UMD 8730 intro / %title% - ncmpc", ncmpc crashed as that string was passed to vsnprintf():

    warning: exec file is newer than core file.
    Core was generated by `ncmpc'.
    Program terminated with signal 11, Segmentation fault.
    [symbol reading/loading lines snipped]
    #0 0xb7e43db0 in vfprintf () from /lib/libc.so.6
    (gdb) bt
    #0 0xb7e43db0 in vfprintf () from /lib/libc.so.6
    #1 0xb7e608ca in vsnprintf () from /lib/libc.so.6
    #2 0x0805573f in set_xterm_title (format=0x805e000 "Tao / Cream / UMD 8730 intro / %title% - ncmpc") at screen_utils.c:235
    #3 0x0804e1b9 in main (argc=1, argv=0xbfffe984) at main.c:106

This trivial patch fixes the problem:

--- src/main.c~1~ Fri Jul 9 00:49:46 2004 +++ src/main.c Thu Feb 3 01:26:45 2005 @@ -103,7 +103,7 @@ if( strcmp(title,tmp) ) { strncpy(title, tmp, BUFSIZE); - set_xterm_title(title); + set_xterm_title("%s", title); } }

This problem might be exploited to execute arbitrary code embedded in audio-file metadata. However, I don't understand the full scope and implications of security problems from the evaluation of arbitrary format strings, so that may be a bit of an overreaction.
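
Review bot: The context line strncpy(title, tmp, BUFSIZE) directly above the changed call leaves title without a terminating NUL whenever tmp is BUFSIZE characters or longer, and with this fix title is read through %s, so the read would run past the end of the buffer. If title is a BUFSIZE-byte array, copy at most BUFSIZE - 1 bytes and set title[BUFSIZE - 1] = '\0' before the call. The change also covers only this one call in main.c: any other caller that passes a non-literal first argument to set_xterm_title has the same problem, and declaring the function with __attribute__((format(printf, 1, 2))) would let gcc's -Wformat-security flag those call sites.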
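
The title string from the report, checked against the C printf grammar, as an added example that is not part of the original report or of ncmpc's code. render_title() is a hypothetical stand-in for set_xterm_title() that writes to a buffer, and find_conversions() is an illustrative helper; together they show the patched "%s" call shape and which conversions the unpatched call would have asked vsnprintf() to process.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for set_xterm_title(): same printf-style contract,
 * but it renders into a buffer. The attribute lets gcc/clang warn
 * (-Wformat-security) when the format argument is not a literal. */
__attribute__((format(printf, 3, 4)))
static int render_title(char *out, size_t n, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int len = vsnprintf(out, n, format, ap);
    va_end(ap);
    return len;
}

/* Illustrative helper: walk s with the C printf grammar and collect every
 * conversion character that would fetch an argument. "%%" is literal. */
static size_t find_conversions(const char *s, char *found, size_t max)
{
    size_t k = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        s += strspn(s, "-+ #0");                   /* flags */
        s += strspn(s, "0123456789*");             /* field width */
        if (*s == '.')
            s += 1 + strspn(s + 1, "0123456789*"); /* precision */
        s += strspn(s, "hljztL");                  /* length modifiers */
        if (*s == '\0')
            break;
        if (strchr("diouxXeEfFgGaAcspn", *s) && k + 1 < max)
            found[k++] = *s;
        s++;
    }
    found[k] = '\0';
    return k;
}

int main(void)
{
    const char *title = "Tao / Cream / UMD 8730 intro / %title% - ncmpc";
    char found[16], out[128];
    size_t n = find_conversions(title, found, sizeof found);
    printf("conversions if used as the format: %zu (%s)\n", n, found);
    render_title(out, sizeof out, "%s", title);    /* patched call shape */
    printf("rendered: %s\n", out);
    return 0;
}
```

The second conversion found is `n`, reached through the flag characters in "% - n"; it stores through a pointer argument that the caller never supplied, which is consistent with the segfault inside vfprintf() in the backtrace.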