From saturnero@saturnero.net  Sat Nov  9 10:59:33 2002
Return-Path: <saturnero@saturnero.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8C88337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  9 Nov 2002 10:59:33 -0800 (PST)
Received: from smtp2.libero.it (smtp2.libero.it [193.70.192.52])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B0C8643E42
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  9 Nov 2002 10:59:27 -0800 (PST)
	(envelope-from saturnero@saturnero.net)
Received: from mocciosa.saturnero.sat (151.37.50.170) by smtp2.libero.it (6.5.028)
        id 3DCC003100077F06; Sat, 9 Nov 2002 19:59:24 +0100
Received: from pigra.saturnero.sat (pigra.saturnero.sat [10.0.1.1])
	by mocciosa.saturnero.sat (Postfix) with ESMTP
	id 9704C3BD2E; Sat,  9 Nov 2002 19:59:36 +0100 (CET)
Received: by pigra.saturnero.sat (Postfix, from userid 1000)
	id 272508FD07; Sat,  9 Nov 2002 19:59:20 +0100 (CET)
Message-Id: <20021109185920.272508FD07@pigra.saturnero.sat>
Date: Sat,  9 Nov 2002 19:59:20 +0100 (CET)
From: SaturNero <saturnero@freesbie.org>
Reply-To: SaturNero <saturnero@freesbie.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: dave <dave@freesbie.org>
Subject: Buffer overflow in /usr/bin/dialog
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         45168
>Category:       gnu
>Synopsis:       Buffer overflow in /usr/bin/dialog
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 09 11:00:05 PST 2002
>Closed-Date:    Thu Feb 24 08:10:54 EST 2011
>Last-Modified:  Thu Feb 24 08:10:54 EST 2011
>Originator:     SaturNero
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
www.freesbie.org
>Environment:
System: FreeBSD pigra.saturnero.sat 4.7-STABLE FreeBSD 4.7-STABLE #3: Thu Oct 10 16:32:50 CEST 2002 saturnero@pigra.saturnero.sat:/usr/obj/usr/src/sys/PIGRA i386
>Description:
	/usr/bin/dialog exits with Segmentation fault (after the Ok) when handling
	long checklists with many "on" fields.
	Bug found by dave@freesbie.org and saturnero@freesbie.org
>How-To-Repeat:
	The attached file packages.sh is a sample shell script that faults after
	the Ok.
>Fix:
--- packages.sh begins here ---
#!/bin/sh
# Reproducer: a checklist with enough "on" items that the result string
# (the selected tags, which dialog writes to stderr) is longer than the
# fixed result buffer in libdialog. Run it and press Ok.
/usr/bin/dialog --title "FreeSBIE LiveCD - Packages" --clear \
--checklist "These are the packages installed on your system \n\
Choose the FreeSBIE packages" -1 -1 10 \
"Hermes-1.3.2" "" on \
"Mesa-3.4.2_2" "" on \
"ORBit-0.5.17" "" on \
"ORBit2-2.4.3" "" off \
"XFree86-4.2.0_1,1" "" on \
"XFree86-FontServer-4.2.0" "" on \
"XFree86-Server-4.2.1_3" "" on \
"XFree86-clients-4.2.1_1" "" on \
"XFree86-documents-4.2.0" "" on \
"XFree86-font100dpi-4.2.0" "" on \
"XFree86-font75dpi-4.2.0" "" on \
"XFree86-fontCyrillic-4.2.0_4" "" on \
"XFree86-fontDefaultBitmaps-4.2.0" "" on \
"XFree86-fontEncodings-4.2.0" "" on \
"XFree86-fontScalable-4.2.0" "" on \
"XFree86-libraries-4.2.1_1" "" on \
"Xaw3d-1.5" "" on \
"Xft-2.0_1" "" on \
"aalib-1.4.r5_1" "" on \
"acroread-5.06_1" "" off \
"alevt-1.6.0" "" off \
"aspell-0.50.2" "" off \
"aterm-0.4.2" "" on \
"atk-1.0.3" "" off \
"autoconf213-2.13.000227_4" "" off \
"automake-1.5,1" "" off \
"automake14-1.4.5_8" "" off \
"bbrun-1.4" "" off \
"bison-1.75" "" off \
"blackbox-0.65.0" "" off \
"bonobo-1.0.21_1" "" off \
"bonobo-activation-1.0.4" "" off \
"boxtools-0.65.0" "" off \
"cclient-2001a,1" "" on \
"cd2mp3-0.81,1" "" on \
"cdrtools-1.11.a39" "" on \
"cfs-1.4.1" "" off \
"curl-7.9.8" "" on \
"cvsup-without-gui-16.1f" "" off \
"dagrab-0.3.5" "" on \
"db3-3.3.11,1" "" off \
"djbfft-0.76" "" on \
"docbook-1.2" "" off \
"docbook-241" "" off \
"docbook-3.0" "" off \
"docbook-3.1" "" off \
"docbook-4.0" "" off \
"docbook-4.1" "" off \
"docbook-xml-4.2" "" on \
"docbook-xsl-1.55.0" "" on \
"downloader-2.03" "" on \
"esound-0.2.29" "" on \
"eterm-0.9.1_1" "" off \
"ethereal-0.9.7" "" on \
"expat-1.95.5" "" on \
"expect-5.38.0_1" "" on \
"ezm3-1.0" "" off \
"ffmpeg-0.4.5_3" "" off \
"fluxbox-0.1.12_1" "" off \
"fluxconf-0.6" "" off \
"fontconfig-2.0_2" "" on \
"fortuneit-1.51" "" on \
"fping-2.4b2" "" off \
"freetype-1.3.1_2" "" off \
"freetype2-2.1.2" "" on \
"gail-0.17" "" off \
"gal-0.19.3" "" off \
"gconf-1.0.9_1" "" off \
"gdbm-1.8.0" "" off \
"gdk-pixbuf-0.21.0" "" on \
"gentoo-0.11.34" "" on \
"gettext-0.11.5_1" "" on \
"gftp-2.0.13" "" on \
"ghostscript-gnu-7.05_3" "" off \
"gimp-1.2.3_2,1" "" on \
"gle-3.0.3" "" off \
"glib-1.2.10_7" "" on \
"glib-2.0.6" "" off \
"glibwww-0.2_1" "" off \
"gmake-3.79.1_3" "" off \
"gnomba-0.6.2" "" off \
"gnomecanvas-0.21.0" "" off \
"gnomedb-0.2.96_1" "" off \
"gnomehier-1.0_3" "" on \
"gnomelibs-1.4.2_1" "" on \
"gnomemimedata-2.0.1_1" "" off \
"gnomeprint-0.37" "" off \
"gnomevfs-1.0.5_4" "" off \
"gnupg-1.2.1" "" on \
"gpart-0.1h" "" off \
"gpgme-0.3.9" "" on \
"gqview-1.1.1" "" off \
"grub-0.92" "" off \
"gtk-1.2.10_8" "" on \
"gtk-2.0.6" "" off \
"gtk-engines2-1.9.0" "" off \
"gtk-gnutella-0.91" "" on \
"gtkglarea-1.2.2_1" "" off \
"gtkhtml-1.0.4_1" "" off \
"gtktalog-0.99.19" "" on \
"guile-1.4.1_2" "" off \
"imake-4.2.0_1" "" on \
"imlib-1.9.14_1" "" on \
"imlib2-1.0.6_1" "" off \
"intltool-0.22" "" on \
"irssi-0.8.5" "" on \
"iso8879-1986" "" off \
"it-openoffice-1.0.1_2" "" off \
"jade-1.2.1_1" "" off \
"jpeg-6b_1" "" on \
"lame-3.92" "" on \
"lame-devel-gtk-3.89b" "" off \
"lcms-1.08" "" on \
"lftp-2.6.2" "" on \
"libIDL-0.8.0" "" off \
"liba52-0.7.4" "" on \
"libao-esound-0.8.3_1" "" on \
"libart_lgpl2-2.3.10" "" off \
"libast-0.5" "" off \
"libaudiofile-0.2.3" "" on \
"libbonobo-2.0.1" "" off \
"libcapplet-1.4.0.5" "" off \
"libdivxdecore-0.4.7" "" off \
"libdivxencore-devel-0.4.0.50" "" off \
"libdvdcss-1.2.2" "" on \
"libdvdnav-0.1.3" "" on \
"libdvdread-0.9.3" "" on \
"libflash-0.4.10" "" on \
"libgda-0.2.96_1" "" off \
"libghttp-1.0.9" "" off \
"libglade-0.17_2" "" off \
"libglade2-2.0.1" "" off \
"libgnomecanvas-2.0.4" "" off \
"libgnugetopt-1.2" "" on \
"libgtop2-2.0.0_2" "" off \
"libiconv-1.8_1" "" on \
"libmikmod-3.1.10" "" on \
"libmng-1.0.3" "" on \
"libogg-1.0_1,3" "" on \
"libpanel-1.4.2" "" off \
"librep-0.16.1_1" "" off \
"librsvg2-2.0.1" "" off \
"libtool-1.3.4_4" "" off \
"libungif-4.1.0b1" "" on \
"libunicode-0.4_3" "" off \
"libvorbis-1.0_1,3" "" on \
"libwnck-0.17" "" off \
"libwww-5.4.0" "" on \
"libxine-0.9.13" "" on \
"libxml-1.8.17_1" "" on \
"libxml2-2.4.26" "" on \
"libxslt-1.0.22" "" on \
"libzvt-2.0.1" "" off \
"linc-0.5.3" "" off \
"links-2.0_1,1" "" on \
"linux_base-7.1_1" "" off \
"linuxdoc-1.1" "" off \
"livecd-1.2.2" "" off \
"lmmon-0.65" "" off \
"lrzsz-0.12.20" "" on \
"lsof-4.65" "" on \
"lyx-1.2.1_1" "" on \
"m4-1.4_1" "" on \
"mad-esound-0.14.2b_2" "" off \
"man2html-3.0.1" "" off \
"minicom-2.00.0" "" on \
"mkcatalog-1.1" "" on \
"mkisofs-1.15.a39" "" on \
"mozilla-1.2b_1,1" "" off \
"mpg123-esound-0.59r_8" "" on \
"mplayer-fonts-0.50" "" on \
"mplayer-gtk-0.90.0.8_2" "" on \
"mplayer-skins-1.0.3" "" on \
"mutt-1.4" "" off \
"nasm-0.98.33,1" "" off \
"nofgpg-0.4" "" off \
"oaf-0.6.10_1" "" off \
"open-motif-2.2.2_1" "" on \
"p5-Event-0.86" "" off \
"p5-File-Spec-0.82" "" on \
"p5-GdkPixbuf-0.7008" "" off \
"p5-Gtk-0.7008" "" off \
"p5-Storable-2.05" "" off \
"p5-Test-Simple-0.47" "" off \
"p5-XML-Parser-2.31_1" "" off \
"p5-XML-Writer-0.4_1" "" off \
"pango-1.0.5" "" off \
"pcre-3.9" "" off \
"perl-5.8.0_3" "" off \
"pgpgpg-0.13" "" off \
"phoenix-0.4_6" "" on \
"pkgconfig-0.13.0" "" on \
"png-1.2.4" "" on \
"popt-1.6.4" "" off \
"portupgrade-20020921.1" "" off \
"proftpd-1.2.6" "" off \
"pstree-2.17" "" off \
"py-gnome-1.4.4" "" off \
"py-gtk-0.6.10" "" off \
"py22-expat-2.2.2_2" "" off \
"py22-numeric-21.0" "" off \
"python-2.2.2" "" on \
"ruby-1.6.7.2002.09.12" "" off \
"ruby-bdb1-0.1.7" "" off \
"ruby-shim-ruby18-1.7.3.2002.09.20" "" off \
"samba-2.2.6" "" on \
"scintilla-1.44" "" on \
"scite-1.44" "" on \
"scrollkeeper-0.3.11_4,1" "" on \
"sdl-1.2.4_1" "" on \
"sdocbook-xml-4.1.2.5" "" on \
"sgmlformat-1.7_2" "" off \
"sox-12.17.3_1" "" off \
"sudo-1.6.6" "" off \
"svgalib-1.4.2_1" "" on \
"sylpheed-claws-0.8.5" "" on \
"t1lib-1.3.1" "" on \
"tcl-8.3.4_4" "" on \
"teTeX-1.0.7_1" "" on \
"tiff-3.5.7" "" on \
"tk-8.3.4_3" "" on \
"transcode-0.6.2" "" off \
"ttmkfdir-0.0_1" "" off \
"ucd-snmp-4.2.5_2" "" on \
"unrar-3.10b1" "" on \
"unzip-5.50" "" on \
"vim-6.1.231" "" on \
"vorbis-tools-1.0_1,3" "" on \
"wget-1.8.2_1" "" on \
"win32-codecs-011002.0.0.60" "" on \
"windowmaker-0.80.1" "" on \
"wmicons-1.0" "" on \
"wmix-2.20" "" on \
"wmlmmon-0.60" "" on \
"wmmemload-0.1.4" "" off \
"wmmount-1.0b2" "" off \
"wmnet-1.2" "" on \
"wmtime-1.0b2" "" on \
"wrapper-1.0_2" "" on \
"xawtv-3.78" "" off \
"xbill-2.0" "" on \
"xcdroast-0.98.a.10" "" on \
"xchat-1.8.10" "" on \
"xforms-1.0_2,1" "" on \
"xfstt-1.1_1" "" off \
"xine-0.9.13" "" on \
"xine_d4d_plugin-0.3.2" "" on \
"xine_d5d_plugin-0.2.7_1" "" on \
"xine_dvdnav_plugin-0.9.13" "" on \
"xli-1.17.0_1" "" on \
"xmix-2.1" "" off \
"xmixer-0.9.4" "" off \
"xmms-esound-1.2.7_2" "" on \
"xpdf-1.01" "" on \
"xsmbrowser-3.3.0" "" on \
"xv-3.10a_3" "" on \
"zip-2.3_1" "" on \
2> /tmp/checklist.tmp.$$
--- packages.sh ends here ---


>Release-Note:
>Audit-Trail:

From: dave <daveb@optusnet.com.au>
To: freebsd-gnats-submit@FreeBSD.org, saturnero@freesbie.org
Cc:  
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
Date: Thu, 14 Nov 2002 09:58:18 +1100

 The result from a checklist is stored in the result variable, with a
 maximum length of MAX_LEN, which is defined in /usr/include/dialog.h
 or /usr/src/gnu/lib/libdialog/dialog.h as 2048. Your checklist's
 output is breaching this limit.
 
 Could the result variable perhaps be dynamically allocated to hold as
 much as argv does? I'm not too familiar with dialog, but does it ever
 output more than it receives as input?
 
 --
 Dave
 

From: Nate Eldredge <nge@cs.hmc.edu>
To: bug-followup@FreeBSD.org, saturnero@freesbie.org
Cc: daveb@optusnet.com.au, freebsd-current@cs.hmc.edu
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
Date: Thu, 13 Oct 2005 14:29:43 -0700 (PDT)

 libdialog appears to be brimming with bugs of this sort.  Lots of uses of 
 strcpy / strcat.  It probably needs a complete audit.  Ideally there 
 should be no MAX_LEN and everything dynamically allocated.  I hope to god 
 it is never run by anything with elevated privileges.
 
 -- 
 Nate Eldredge
 nge@cs.hmc.edu
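
Added example, not libdialog's code and not from either reply above: a C sketch of the result-string construction Dave describes, once with the fixed MAX_LEN buffer but with the bound actually enforced, and once with the buffer sized from the input, which is the dynamic allocation Dave suggests and the replacement for unchecked strcpy/strcat that Nate's audit note calls for. MAX_LEN = 2048 is the value the PR quotes from dialog.h; the function names, the `"tag" ` output format and the 200 constructed package tags are assumptions of this example.

```c
/* Example code, not libdialog's: a checklist result built into a fixed
 * buffer with the bound checked, beside a buffer sized from the input.
 * Assumptions: MAX_LEN 2048 as quoted in the PR; selected tags are
 * emitted as "tag" followed by a space (constructed format). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 2048   /* fixed result size the PR quotes from dialog.h */

/* Bytes needed (without the terminating NUL) to hold the selected tags
 * formatted as "tag" plus a separating space. */
size_t checklist_result_len(const char *const *tags, int n)
{
    size_t len = 0;
    for (int i = 0; i < n; i++)
        len += strlen(tags[i]) + 3;          /* two quotes and a space */
    return len;
}

/* Fixed-buffer variant with the bound enforced: appends each selected tag
 * to result[MAX_LEN] and returns the number of tags appended, or -1 as
 * soon as the next tag would not fit. An unchecked strcat at this point
 * is exactly what keeps writing past the end of the buffer. */
int build_result_fixed(char result[MAX_LEN], const char *const *tags, int n)
{
    size_t used = 0;
    result[0] = '\0';
    for (int i = 0; i < n; i++) {
        size_t need = strlen(tags[i]) + 3;
        if (used + need >= MAX_LEN)          /* keep room for the NUL */
            return -1;
        used += (size_t)snprintf(result + used, MAX_LEN - used, "\"%s\" ", tags[i]);
    }
    return n;
}

/* Dynamically sized variant, as Dave's follow-up suggests: the buffer is
 * sized from the input, so no input can be too long. Caller frees it. */
char *build_result_dynamic(const char *const *tags, int n)
{
    size_t len = checklist_result_len(tags, n);
    char *result = malloc(len + 1);
    if (result == NULL)
        return NULL;
    size_t used = 0;
    for (int i = 0; i < n; i++)
        used += (size_t)snprintf(result + used, len + 1 - used, "\"%s\" ", tags[i]);
    return result;
}

/* Constructed input: 200 tags shaped like "package-NNN-1.0.0" (17 bytes
 * each, 20 bytes formatted), so the full result is 4000 bytes, well past
 * MAX_LEN, much like the checklist in the attached packages.sh. */
#define NTAGS 200
static char tag_storage[NTAGS][24];
static const char *tag_list[NTAGS];

const char *const *make_tags(void)
{
    for (int i = 0; i < NTAGS; i++) {
        snprintf(tag_storage[i], sizeof tag_storage[i], "package-%03d-1.0.0", i);
        tag_list[i] = tag_storage[i];
    }
    return tag_list;
}

/* Outcome for the first n constructed tags: tags appended, or -1 if the
 * fixed buffer would have been overrun. */
int fixed_result_count(int n)
{
    char buf[MAX_LEN];
    return build_result_fixed(buf, make_tags(), n);
}

/* Length of the dynamically sized result for the first n constructed tags. */
size_t dynamic_result_len(int n)
{
    char *r = build_result_dynamic(make_tags(), n);
    size_t len = r ? strlen(r) : 0;
    free(r);
    return len;
}

int main(void)
{
    printf("result needs %zu bytes, MAX_LEN is %d\n",
           checklist_result_len(make_tags(), NTAGS), MAX_LEN);
    printf("fixed buffer: %s\n",
           fixed_result_count(NTAGS) < 0 ? "would overflow, stopped" : "fits");
    printf("dynamic buffer: %zu bytes, all tags kept\n", dynamic_result_len(NTAGS));
    return 0;
}
```

Run as-is it reports that the 200-item result needs 4000 bytes against a 2048-byte MAX_LEN: the checked fixed-buffer variant refuses once the next tag would pass the limit, where an unchecked strcat would have kept writing, and the sized variant keeps every tag without any limit to bump.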
State-Changed-From-To: open->patched 
State-Changed-By: ache 
State-Changed-When: Sun May 25 13:00:15 UTC 2008 
State-Changed-Why:  
MAX_LEN bumped to 4096 

http://www.freebsd.org/cgi/query-pr.cgi?pr=45168 
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Thu Feb 24 08:10:32 EST 2011 
State-Changed-Why:  
dialog has been updated 

http://www.freebsd.org/cgi/query-pr.cgi?pr=45168 
>Unformatted:
