> I was doing some testing of env vars (HOME in this case) and managed to
> get evolution to core.. I set $HOME to 10235 A's as shown below, then
> tried to execute evolution. When I did that the following happened:
>
>
> sh-2.04$ export HOME=`perl -e'print "A" x 10235'`
> sh-2.04$ evolution
> Gnome-ERROR **: Could not create per-user Gnome directory
> <AAAAAA....<snip>
> aborting...
> Aborted (core dumped)

This, combined with the stack trace you show below, indicates that it is
very unlikely that this bug can be exploited. If I understand what I'm
seeing correctly, Gnome is trusting the HOME environment variable--not a
security problem in and of itself, really--and trying to create a
directory it can use for per-user information. It doesn't seem to be
overflowing the buffer--perhaps it's truncating the file name--but when
the directory creation fails, the Gnome library itself crunches out by
calling abort(). Although this is bad manners in library code, it doesn't
really represent a vulnerability as far as I can see.

--
Kevin L. Mitchell <klmitchat_private>
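The behaviour discussed in this message, shown as an added example that is not part of the original post and is not GNOME's code: a library routine that builds the per-user directory path from HOME with a bounds check and returns an error to the caller instead of calling abort(). The function name `make_user_dir` and the directory name `.example-app` are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical per-user directory name; not taken from the GNOME sources. */
#define USER_SUBDIR ".example-app"

/* Build "<home>/<USER_SUBDIR>" in out and create it with mode 0700.
 * Returns 0 on success or a negative errno value. It never calls abort(),
 * so the calling application decides how to react to a bad HOME. */
int make_user_dir(const char *home, char *out, size_t outlen)
{
    if (home == NULL || home[0] == '\0')
        return -EINVAL;                 /* HOME unset or empty */

    /* snprintf never writes past outlen and reports the length it needed. */
    int n = snprintf(out, outlen, "%s/%s", home, USER_SUBDIR);
    if (n < 0)
        return -EINVAL;
    if ((size_t)n >= outlen)
        return -ENAMETOOLONG;           /* refuse a truncated path outright */

    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -errno;                  /* e.g. ENOENT, EACCES */
    return 0;
}

int main(void)
{
    /* Constructed input: a 10235-byte HOME, as in the quoted report. */
    char *big = malloc(10236);
    if (big == NULL)
        return 1;
    memset(big, 'A', 10235);
    big[10235] = '\0';

    char path[PATH_MAX];
    int rc = make_user_dir(big, path, sizeof path);
    printf("oversized HOME -> %d (%s)\n", rc, strerror(-rc));
    free(big);
    return 0;
}
```

Rejecting the over-long value, rather than silently truncating it, also avoids creating the directory somewhere other than where the caller intended.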
This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:44:00 PST