oss-security - Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <0a71a355-09d8-4e17-b6f6-0253f221b568@gmail.com>
Date: Fri, 17 Oct 2025 21:47:34 -0500
From: Jacob Bachmeyer <jcb62281@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: rplay (Mark R. Boyns) potential security issues
 (unsanitized data, unchecked malloc...)

On 10/17/25 18:59, Vincent Lefevre wrote:
> On 2025-10-18 01:50:23 +0200, Solar Designer wrote:
>
> [...]
>
> Some of them may be minor, but ones in librplay may be a major
> issue. For instance, in Debian, /usr/libexec/fvwm2/2.7.0/FvwmEvent
> is linked against this library:
>
> qaa:~> ldd /usr/libexec/fvwm2/2.7.0/FvwmEvent
> [...]
>          librplay.so.3 => /lib/librplay.so.3 (0x00007f25461f4000)
> [...]
>
> meaning that this could make the window manager crash (unless it
> has some protection for modules).

When I last checked, FVWM "modules" actually run in separate processes, 
connected by pairs of pipes to the main FVWM process. A crashing module 
simply goes "poof" and can be restarted at the user's discretion, if the 
configuration provides a means to do so.

-- Jacob

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.