Description of problem:
Possible buffer overflows in kudzu's readlink code, possible security vulnerability.

<FYI>
int readlink(const char *path, char *buf, size_t bufsiz);
readlink places the contents of the symbolic link path in the buffer buf, which has size bufsiz. readlink does not append a NUL character to buf. It will truncate the contents (to a length of bufsiz characters), in case the buffer is too small to hold all of the contents.
</FYI>

Readlink does not append a NULL character to buf. In kudzu's code the NULL character is set using memset, before calling readlink. In some cases, if bufsiz is equal to the length of the buffer, we have a string which is not terminated by NULL; as a result, there are possible buffer overflows.

hwconf.c:227: if (readlink(path,path2,256)>0) {
serial.c:954: if (readlink("/dev/modem",lockfile,32)>0) {

Version-Release number of selected component (if applicable):
- the latest CVS version, kudzu-1.1.36-1

How reproducible:
General idea: create a link with the same name as one used by kudzu. The contents of the link must be longer than or equal to the buffer length.

Expected results:
Possible seg. faults.
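The following is an added example, not kudzu's code and not part of the bug report. It reproduces the pattern described above (a buffer zeroed with memset, then readlink told the whole buffer is available) against a constructed symlink in a temporary directory, and places a hardened variant beside it that reserves the terminator byte and terminates using readlink's return value. The 32-byte buffer size mirrors the serial.c call quoted above; the function names, the /tmp fixture and the 'A'-filled link targets are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Same shape as the serial.c call quoted in the report: a 32-byte buffer and
 * readlink() told the whole buffer is available. Hypothetical stand-in, not
 * kudzu's source. */
#define LOCKFILE_LEN 32

/* Constructed test fixture: a throwaway directory under /tmp holding a
 * symlink "link" whose target is target_len 'A' bytes. Returns 0 on success. */
static int make_link(size_t target_len, char *dir, size_t dirsz,
                     char *link_path, size_t pathsz)
{
    char *target = malloc(target_len + 1);
    if (target == NULL)
        return -1;
    memset(target, 'A', target_len);
    target[target_len] = '\0';

    snprintf(dir, dirsz, "/tmp/rl-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {
        free(target);
        return -1;
    }
    snprintf(link_path, pathsz, "%s/link", dir);
    int rc = symlink(target, link_path);
    free(target);
    return rc;
}

static void remove_link(const char *dir, const char *link_path)
{
    unlink(link_path);
    rmdir(dir);
}

/* The reported pattern: memset() zeroes the buffer, then readlink() may fill
 * every byte of it. Returns 1 if a NUL survived inside the buffer, 0 if the
 * result is an unterminated byte string, -1 on error. Any later strlen(),
 * strcpy() or printf("%s") on an unterminated buffer reads past its end. */
int unsafe_pattern_terminated(const char *path)
{
    char lockfile[LOCKFILE_LEN];
    memset(lockfile, 0, sizeof(lockfile));
    ssize_t n = readlink(path, lockfile, sizeof(lockfile));   /* full size */
    if (n <= 0)
        return -1;
    return memchr(lockfile, '\0', sizeof(lockfile)) != NULL;
}

/* Hardened form: reserve one byte for the terminator, place it using the
 * byte count readlink() returns, and report truncation instead of hiding it.
 * Returns 0 when the target fit with room to spare, 1 when every available
 * byte was used (target truncated or exactly bufsiz-1 long), -1 on error. */
int safe_readlink(const char *path, char *buf, size_t bufsiz)
{
    if (bufsiz == 0)
        return -1;
    ssize_t n = readlink(path, buf, bufsiz - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return ((size_t)n == bufsiz - 1) ? 1 : 0;
}

/* Driver for the reported pattern with a link target of target_len bytes. */
int demo_unsafe(size_t target_len)
{
    char dir[64], link_path[96];
    if (make_link(target_len, dir, sizeof(dir), link_path, sizeof(link_path)) != 0)
        return -1;
    int rc = unsafe_pattern_terminated(link_path);
    remove_link(dir, link_path);
    return rc;
}

/* Driver for the hardened form with the same 32-byte buffer. */
int demo_safe(size_t target_len)
{
    char dir[64], link_path[96], lockfile[LOCKFILE_LEN];
    if (make_link(target_len, dir, sizeof(dir), link_path, sizeof(link_path)) != 0)
        return -1;
    int rc = safe_readlink(link_path, lockfile, sizeof(lockfile));
    remove_link(dir, link_path);
    return rc;
}

int main(void)
{
    printf("10-byte target, reported pattern terminated? %d\n", demo_unsafe(10));
    printf("32-byte target, reported pattern terminated? %d\n", demo_unsafe(32));
    printf("40-byte target, hardened form truncated?     %d\n", demo_safe(40));
    return 0;
}
```

A target of 32 or more bytes leaves the reported pattern with no terminator anywhere in the buffer, which is exactly the "longer or equal to the buffer length" condition in the report; the hardened form never produces an unterminated buffer and lets the caller decide what to do when the target did not fit.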
All of these links are in root-writable only directories, so I don't see how this is a security issue. But it should be fixed, yes.
Created attachment 97374: examples of code with errors
Fixed in CVS, will be in 1.1.116-1 or later.