Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Oct 2012 17:44:11 +0200
From: Ignatios Souvatzis <is@...bsd.org>
To: oss-security@...ts.openwall.com
Cc: is@...bsd.org
Subject: CVE id request: xlockmore vulnerability: local access

Hello,

i'd like to request an CVE identifier for the following vulnerability
of xlockmore:

software:	xlockmore 5.0 to 5.40
access:		terminal-local access to user account
OS/hardware:	all where sizeof(time_t) > sizeof(long int)
		(e.g. NetBSD-6 on 32bit platforms)

Details:

"xlockmore -mode dclock" grew additional code in version 5.0
depending on timestamps in 'time_t' format, unfortunately partially
expressed as 'long' variables. This works if function
prototypes/definitions or type casts are used and the values are
passed by value, but fails in a few cases in the code where the
pointer is passed to localtime(3)).

localtime accesses a (in the discovered case) 64bit value, which
is likely not to be valid, and returns a null pointer as an error
indication. The code in dclock.c does not check for this but,
depending on additional command-line options, either dereferences
the pointer or passes it to strftime() unconditionally, which in
turn triggers a segmentation fault, terminating the program and
leaving the terminal unlocked.

While this is unexpected, the dangerous case is where
"xlockmore -mode random" calls the mode "dclock" after a while,
when the user has left the terminal, not noticing that it will
(eventually) be unlocked.

Accessing the terminal needs physical access to it; however, the 
terminal can be on a different machine than the one running xlock.

The maintainer of xlockmore has been notified and is working on a
fixed version. In the meantime, the appended patch file will fix
this problem. While it was developed for 5.38, it should apply to
other 5.x versions, too.

The packages xlockmore and xlockmore-lite from pkgsrc.org are
vulnerable for 32bit machines with 64bit time_t up to and including
xlockmore-5.38nb5 and xlockmore-lite-5.38nb1, but updated packages
are available from pkgsrc-current and will shortly be available
from pkgsrc-2011Q3.

pkgsrc on NetBSD-6.0 or NetBSD-current on 64bit architectures, and
pkgsrc on NetBSD-5.1.x and earlier, are not vulnerable. 

xlockmore is not shipped with the base system of NetBSD.

The patch is of course subject to the same licensing as the original
file.

$NetBSD: patch-modes_dclock.c,v 1.2 2012/10/15 20:47:57 is Exp $

--- modes/dclock.c.orig	2012-01-23 13:19:21.000000000 +0000
+++ modes/dclock.c
@@ -376,11 +376,11 @@ static dclockstruct *dclocks = (dclockst
 extern char *message;
 
 static unsigned long
-timeAtLastNewYear(long timeNow)
+timeAtLastNewYear(time_t timeNow)
 {
 	struct tm *t;
 
-	t = localtime((const time_t *) &timeNow);
+	t = localtime(&timeNow);
 	return (unsigned long)(t->tm_year);
 }
 
@@ -420,7 +420,7 @@ convert(double x, char *string)
 }
 
 static void
-dayhrminsec(long timeCount, int tzoffset, char *string)
+dayhrminsec(time_t timeCount, int tzoffset, char *string)
 {
 	int days, hours, minutes, secs;
 	int bufsize, i;
@@ -675,7 +675,7 @@ drawDclock(ModeInfo * mi)
 				"%a %b %d %Y", localtime(&(dp->timeold)));
 		}
 	  } else {
-		long timeNow, timeLocal;
+		time_t timeNow, timeLocal;
 		timeNow = seconds();
 		timeLocal = timeNow + dp->tzoffset;
 
@@ -950,7 +950,7 @@ init_dclock(ModeInfo * mi)
 {
 	Display *display = MI_DISPLAY(mi);
 	dclockstruct *dp;
-	long timeNow, timeLocal;
+	time_t timeNow, timeLocal;
 	int i, j;
 
 	if (dclocks == NULL) {
@@ -1252,7 +1252,7 @@ defined(MODE_dclock_mayan)
 			dayhrminsec(MAYAN_TIME_START - timeLocal, dp->tzoffset, dp->strnew[1]);
 			dp->strpta[1] = dp->strnew[1];
 		} else {
-			struct tm *t = localtime((const time_t *) &timeLocal);
+			struct tm *t = localtime(&timeLocal);
 
 			if (dp->time24)
 			  (void) strftime(dp->strnew[0], STRSIZE, "%H:%M:%S", t);


Regards,
	Ignatios Souvatzis

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.