| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000360 | ncmpc | | public | 2005-02-03 11:17 | 2005-03-07 20:19 |
| Reporter | Anonymous | |||||
| Assigned To | kaw | |||||
| Priority | normal | Severity | crash | Reproducibility | always | |
| Status | closed | Resolution | fixed | |||
| Platform | OS | OS Version | ||||
| Product Version | ||||||
| Target Version | Fixed in Version | |||||
| Summary | 0000360: ncmpc: set_xterm_title passed title as format string. | |||||
| Description | The xterm title, as defined by the xterm-title-format configuration option and the currently-playing song's metadata, is passed to set_xterm_title() verbatim. set_xterm_title() is a variable-argument-count function that expects an sprintf()-style format string followed by values to be filled into that format. Upon playing a song which had no title metadata and using an xterm-title-format that did not provide an alternate string value, resulting in the title "Tao / Cream / UMD 8730 intro / %title% - ncmpc", ncmpc crashed as that string was passed to vsnprintf(): warning: exec file is newer than core file. Core was generated by `ncmpc'. Program terminated with signal 11, Segmentation fault. [symbol reading/loading lines snipped] #0 0xb7e43db0 in vfprintf () from /lib/libc.so.6 (gdb) bt #0 0xb7e43db0 in vfprintf () from /lib/libc.so.6 #1 0xb7e608ca in vsnprintf () from /lib/libc.so.6 #2 0x0805573f in set_xterm_title (format=0x805e000 "Tao / Cream / UMD 8730 intro / %title% - ncmpc") at screen_utils.c:235 #3 0x0804e1b9 in main (argc=1, argv=0xbfffe984) at main.c:106 This trivial patch fixes the problem: --- src/main.c~1~ Fri Jul 9 00:49:46 2004 +++ src/main.c Thu Feb 3 01:26:45 2005 @@ -103,7 +103,7 @@ if( strcmp(title,tmp) ) { strncpy(title, tmp, BUFSIZE); - set_xterm_title(title); + set_xterm_title("%s", title); } } This problem might be exploited to execute arbitrary code embedded in audio-file metadata. However, I don't understand the full scope and implications of security problems from the evaluation of arbitrary format strings, so that may be a bit of an overreaction. | |||||
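Review bot: the changed call in src/main.c, set_xterm_title("%s", title), closes this one call site, but set_xterm_title() still accepts a format string (the backtrace shows it forwarding `format` to vsnprintf() at screen_utils.c:235), so any other caller that passes song metadata as the first argument has the same defect. Check the remaining callers, and consider declaring the function with GCC's `__attribute__((format(printf, 1, 2)))` so the compiler can warn about non-literal formats. Separately, the context line `strncpy(title, tmp, BUFSIZE);` leaves title without a terminating NUL when tmp holds BUFSIZE or more bytes, and the new "%s" would then read past the buffer; terminating title explicitly after the copy would cover that case.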
| Tags | No tags attached. | |||||
| Attached Files | ||||||
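An added example, not taken from the ncmpc source: it lists the conversions a printf-family parser would find in the title quoted in the report, which are `%ti` and `% - n` (an `n` conversion, which stores through a pointer argument that was never supplied), and shows the patched call shape where the title is only ever data. The names `scan_conversions` and `format_title_safely` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* One printf conversion found in a string: its offset and conversion letter. */
struct conv { size_t off; char spec; };

/* List the conversions printf would act on if `s` were used as the format.
 * "%%" is a literal percent. Returns the count; stores at most `max`. */
size_t scan_conversions(const char *s, struct conv *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        size_t j = i + 1;
        if (s[j] == '%') { i = j; continue; }           /* literal "%%" */
        j += strspn(s + j, "-+ #0");                    /* flags */
        j += strspn(s + j, "0123456789*");              /* field width */
        if (s[j] == '.')                                /* precision */
            j += 1 + strspn(s + j + 1, "0123456789*");
        j += strspn(s + j, "hlLqjzt");                  /* length modifiers */
        if (s[j] == '\0')
            break;                                      /* truncated directive */
        if (n < max) { out[n].off = i; out[n].spec = s[j]; }
        n++;
        i = j;
    }
    return n;
}

/* The patched call shape: the untrusted title is only ever an argument. */
int format_title_safely(char *buf, size_t len, const char *title)
{
    return snprintf(buf, len, "%s", title);
}

int main(void)
{
    /* Title string quoted in the report. */
    const char *title = "Tao / Cream / UMD 8730 intro / %title% - ncmpc";
    struct conv c[8];
    size_t n = scan_conversions(title, c, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("offset %zu: conversion '%c'\n", c[k].off, c[k].spec);
    char buf[128];
    format_title_safely(buf, sizeof buf, title);
    printf("safe output: %s\n", buf);
    return 0;
}
```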
Issue History |
| Date Modified | Username | Field | Change |
| 2005-02-03 11:17 | Anonymous | New Issue | |
| 2005-02-13 19:44 | kaw | Project | WMmp => ncmpc |
| 2005-02-13 19:44 | kaw | Assigned To | shank => kaw |
| 2005-02-13 19:55 | kaw | Status | assigned => resolved |
| 2005-02-13 19:55 | kaw | Resolution | open => fixed |
| 2005-02-13 19:55 | kaw | Note Added: 0000397 | |
| 2005-03-07 20:19 | Avuton Olrich | Status | resolved => closed |