Ubuntu

gaim executable stack (security best-practice failure)

Reported by John Moser on 2006-03-08
12
Affects Status Importance Assigned to Milestone
gaim (Ubuntu)
Wishlist
Unassigned

Bug Description

lsmemmap.sh shows gaim has an executable stack on x86-64. This is a security best-practice failure: a stack-based buffer overflow in gaim will easily open up attacks via sending deformed instant messages which would otherwise be confined to denial of service attacks.

task 5173 (/usr/bin/gaim)
  7fffffe03000-7fffffe18000 rwxp 7fffffe03000 00:00 0 [stack]

Please note that this is not a security vulnerability; it is a failure to execute security best practices. By correcting this, certain real vulnerabilities will become difficult or impossible to exploit beyond basic denial of service.

The most likely cause of this is the use of gcc nested functions in gaim or a gaim plug-in.

This is the lsmemmap.sh script I wrote long ago. It is very rough; basically 'lsmemmap -wx' is the only useful form.

lsmemmap.sh in its most useful mode will run through all memory mappings in /proc/[0-9]*/maps and locate any mappings which are both writable and executable. This indicates that the mappings are being treated as PROGRAM DATA (pictures, music, etc) and PROGRAM CODE at the same time, which is likely BS unless the program happens to be a JIT compiler (mono, java).

Sebastien Bacher (seb128) wrote :

Thank you for your work on that. Upstream would probably the right place to discuss that sort of thing

John Moser (nigelenki) wrote :

This is an Ubuntu bug, dependent on bug #49192, which I have already explained how to fix as of last night. :)

Changed in gaim:
status: Unconfirmed → Confirmed
John Moser (nigelenki) wrote :

This bug was fixed in Edgy a while back, when bug #49192 was fixed.

Changed in gaim:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments