[Bug 1170165] New: AUDIT-FIND: enlightenment: enlightenment_system: `_cb_l2ping_ping()` performs an unbounded `sscanf()` on untrusted input data, allowing a stack buffer overflow
http://bugzilla.suse.com/show_bug.cgi?id=1170165

Bug ID: 1170165
Summary: AUDIT-FIND: enlightenment: enlightenment_system: `_cb_l2ping_ping()` performs an unbounded `sscanf()` on untrusted input data, allowing a stack buffer overflow
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: simonf.lees@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: matthias.gerstner@suse.com, security-team@suse.de
Blocks: 1169238
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1169238

d) `_cb_l2ping_ping()` performs an unbounded `sscanf()` on untrusted input data, allowing a stack buffer overflow

A `sscanf()` call in this function passes a `%s` format for the `params` input parameter. The target buffer has a length of 1024 bytes. Thus if a client passes a very long device name the setuid-root binary's stack will be overwritten. The parsing by `sscanf()` stops at whitespace characters, thus the stack overflow data cannot be chosen arbitrarily. Still, it is a pretty dangerous security issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
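As an added illustration (not code from the bug report, from enlightenment, or from the upstream fix commit), the `sscanf("%s")` pattern the finding describes next to a bounded variant. The 1024-byte buffer comes from the report; the function names, the whitespace set and the reject-rather-than-truncate remedy are assumptions of this example, not a description of what upstream changed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEV_BUF_LEN 1024         /* target buffer size named in the report */
#define WS " \t\n\v\f\r"         /* whitespace that %s skips and stops at */
/* Pattern the report describes: "%s" has no field width, so a token longer than
 * DEV_BUF_LEN - 1 bytes is written past the end of dev. For contrast only. */
int parse_device_unbounded(const char *params, char dev[DEV_BUF_LEN])
{
    return sscanf(params, "%s", dev) == 1;
}

/* Hardened variant: measure the token first and refuse one that would not fit,
 * then convert with an explicit width. A width alone ("%1023s") would only
 * truncate silently and leave the tail of the oversized token for the next
 * conversion, so rejecting is the safer behaviour for a privileged helper. */
int parse_device_bounded(const char *params, char dev[DEV_BUF_LEN])
{
    params += strspn(params, WS);            /* leading whitespace, as %s skips */
    size_t len = strcspn(params, WS);        /* length of the first token */
    if (len == 0 || len > DEV_BUF_LEN - 1)
        return 0;                            /* empty, or no room for the NUL */
    return sscanf(params, "%1023s", dev) == 1;   /* 1023 == DEV_BUF_LEN - 1 */
}

/* Exercise the bounded parser with a constructed n-byte name followed by a
 * second field, roughly the shape of a client-supplied params string. */
int accepts_name_of_length(size_t n)
{
    char dev[DEV_BUF_LEN];
    char *params = malloc(n + 8);
    if (!params)
        return -1;
    memset(params, 'A', n);
    strcpy(params + n, " 5");
    int ok = parse_device_bounded(params, dev);
    if (ok && strlen(dev) != n)
        ok = 0;                              /* accepted but silently shortened */
    free(params);
    return ok;
}

int main(void)
{
    printf("1023-byte name accepted: %d\n", accepts_name_of_length(1023));
    printf("1024-byte name accepted: %d\n", accepts_name_of_length(1024));
    return 0;
}
```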
http://bugzilla.suse.com/show_bug.cgi?id=1170165#c1

--- Comment #1 from Simon Lees <simonf.lees@suse.com> ---
Upstream: https://phab.enlightenment.org/T8673
http://bugzilla.suse.com/show_bug.cgi?id=1170165#c2

--- Comment #2 from Simon Lees <simonf.lees@suse.com> ---
Upstream fix commit: https://phab.enlightenment.org/rE6926d1d338fdead3258d322adf115708a9a1fa3e
http://bugzilla.suse.com/show_bug.cgi?id=1170165#c3

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |NEW         |IN_PROGRESS

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---
This fix was also simple. It's all right.
http://bugzilla.suse.com/show_bug.cgi?id=1170165#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |IN_PROGRESS |RESOLVED
     Resolution    |---         |FIXED

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The fix made it into the 0.24 release. Closing this bug as fixed.