diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 6a7da82abdd9..1d7e8bd96e8f 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -32,6 +32,46 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. "http://www.vuxml.org/dtd/vuxml-1/vuxml-10.dtd"> + + mnGoSearch buffer overflow in UdmDocToTextBuf() + + + mnogosearch + 3.1.20_2 + + + + +

Jedi/Sector One <j@pureftpd.org> reported the following + on the full-disclosure list:

+
+

Every document is stored in multiple parts according to + its sections (description, body, etc) in databases. And + when the content has to be sent to the client, + UdmDocToTextBuf() concatenates those parts together and + skips metadata.

+

Unfortunately, that function lacks bounds checking and + a buffer overflow can be triggered by indexing a large + enough document.

+

'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c + . S->val length depends on the length of the original + document and on the indexer settings (the sample + configuration file has low limits that work around the + bug, though).

+

Exploitation should be easy, moreover textbuf points to + the stack.

+
+ +
+ + http://lists.netsys.com/pipermail/full-disclosure/2004-February/017366.html + + + 2004-02-15 + 2004-02-15 + +
+ GNU libtool insecure temporary file handling
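Review bot: the topic added at the top of this hunk spells the product "mnGoSearch", which matches neither the package name "mnogosearch" given right after it nor the upstream spelling mnoGoSearch. Please change it to "mnoGoSearch buffer overflow in UdmDocToTextBuf()" so that a search on the product name finds the entry. In the quoted advisory text, "in searchd.c ." has a stray space before the period, which looks like a line-wrap artifact worth tidying. The entry lists a single version bound, "3.1.20_2"; it would help to say in the commit message whether that is the first port revision carrying the fix, since the quoted report itself names no fixed version.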