gaim executable stack (security best-practice failure)
Bug #34129 reported by
John Moser
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| gaim (Ubuntu) |
Fix Released
|
Wishlist
|
Unassigned | ||
Bug Description
lsmemmap.sh shows gaim has an executable stack on x86-64. This is a security best-practice failure: a stack-based buffer overflow in gaim will easily open up attacks via sending deformed instant messages which would otherwise be confined to denial of service attacks.
task 5173 (/usr/bin/gaim)
7fffffe03000-
Please note that this is not a security vulnerability; it is a failure to execute security best practices. By correcting this, certain real vulnerabilities will become difficult or impossible to exploit beyond basic denial of service.
The most likely cause of this is the use of gcc nested functions in gaim or a gaim plug-in.
Revision history for this message
| John Moser (nigelenki) wrote lsmemmap.sh | #1 |
Revision history for this message
| Sebastien Bacher (seb128) wrote | #2 |
Revision history for this message
| John Moser (nigelenki) wrote | #3 |
| Changed in gaim: | |
| status: | Unconfirmed → Confirmed |
Revision history for this message
| John Moser (nigelenki) wrote | #4 |
| Changed in gaim: | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
This is the lsmemmap.sh script I wrote long ago. It is very rough; basically 'lsmemmap -wx' is the only useful form.
lsmemmap.sh in its most useful mode will run through all memory mappings in /proc/[0-9]*/maps and locate any mappings which are both writable and executable. This indicates that the mappings are being treated as PROGRAM DATA (pictures, music, etc) and PROGRAM CODE at the same time, which is likely BS unless the program happens to be a JIT compiler (mono, java).