-rw-r--r--ChangeLog11
-rw-r--r--src/pixmap.c2
2 files changed, 11 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 0f39088..7951161 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5653,7 +5653,7 @@ claims to be a string, which is probably more correct. This should
also eliminate server round-trips when clients ask for UTF-8, get a
string, then ask for a string (Opera).
----------------------------------------------------------------------
-Tue Mar 15 23:03:57 2011 mej
+Tue Mar 15 23:03:57 2011 Michael Jennings (mej)
Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
XIM code. This only affects versions where XIM support is compiled in
@@ -5663,3 +5663,12 @@ the team at Toucan System for responsibly disclosing this
vulnerability and to CERT for assisting with coordination and
disclosure.
----------------------------------------------------------------------
+Tue Mar 15 23:08:26 2011 Michael Jennings (mej)
+
+Fix for CVE-2011-0768, an off-by-one error in handling large pixmap
+filenames which resulted in an overflow of a single NUL character if
+the filename exceeded PATH_MAX bytes. This bug is NOT exploitable.
+Again, thanks to Jonathan Brossard and the team at Toucan System for
+responsibly disclosing this vulnerability and to CERT for assisting
+with coordination and disclosure.
+----------------------------------------------------------------------
diff --git a/src/pixmap.c b/src/pixmap.c
index a9e45ad..b544ad0 100644
--- a/src/pixmap.c
+++ b/src/pixmap.c
@@ -1327,7 +1327,7 @@ search_path(const char *pathlist, const char *file)
D_OPTIONS(("search_path(\"%s\", \"%s\") called from \"%s\".\n", pathlist, file, name));
if (len < PATH_MAX - 1) {
strcat(name, "/");
- strncat(name, file, PATH_MAX - len - 1);
+ strncat(name, file, PATH_MAX - len - 2);
}
D_OPTIONS(("Checking for file \"%s\"\n", name));
if (!access(name, R_OK)) {
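Review bot: The corrected `strncat` bound prevents the one-byte overrun but still truncates an over-long `file` silently, so the `access()` call at the end of the hunk can test a shortened path that names a different file, or only the directory plus `/` when `len` equals `PATH_MAX - 2`. Checking the whole length up front, `if (len + 1 + strlen(file) < PATH_MAX) {`, and treating the other case as "not found" would avoid that; how to skip the candidate depends on code outside the hunk, since search_path begins and ends beyond it. The new bound is only right if `name` is a `PATH_MAX`-byte buffer and `len` is its current string length, both of which are set above the hunk, so a comment such as `/* name[PATH_MAX]: len bytes + '/' + file + NUL; strncat appends its own NUL */` on that line would record the arithmetic.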