Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages info depends on:
ii  libc6         2.3.2.ds1-15   GNU C Library: Shared libraries an
ii  libncurses5   5.4-4          Shared libraries for terminal hand

-- no debconf information

Information:

I have tested several versions (Debian stable, unstable and testing) and have found that this bug exists in all versions tested. I have included a small --restore script that can be used to leverage a simple segfault. This buffer overflow is very trivial to leverage as there are several bytes available (10-15+). It may be possible that arbitrary system calls could be made through this hole.

It is also possible to leverage this from the command line using the --restore=FILENAME flag, and need not have the program running. Although it is not running as setuid, or as a daemon, in a case where info is being used as a public service, it may be a security problem. This bug seems only to be accessible where the file has xrefs available.

Walkthrough:

  $ info info
  [info screen comes up]
  press 'g'
  [Goto Node:]
  type 'Expert Info' (OR any other way to get to a page with xrefs)
  press 'f'
  Type in 225 or more bytes and press enter.
  SEG FAULT!

Example File:

The following can be saved to a file and called as:

  info info --restore=info.bug

to create a segmentation fault.

[START info.bug]
gExpert Info
fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[END info.bug]
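The report describes a classic pattern: the answer to an interactive prompt (here the 'f' follow-xref prompt, fed either from the keyboard or from a --restore script whose lines are one key character followed by the prompt text) is copied into a fixed-size buffer without a length check, so an answer of 225 or more bytes crashes the program. The following C program is an added illustration, not code from the info package or from the reporter: it shows the unsafe copy beside a bounded replacement and replays a constructed restore script of the same shape as info.bug through the bounded path. The buffer size PROMPT_MAX, the function names and the parser are all assumptions chosen so that the threshold matches the report (224 bytes accepted, 225 rejected); they are not taken from info's source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size, chosen so that the accept/reject boundary matches
 * the report's "225 or more bytes" observation. Not info's actual buffer. */
#define PROMPT_MAX 225

/* The unsafe pattern the report describes (illustrative, NOT info's code):
 * the prompt answer is copied into a fixed stack buffer with no length
 * check. Deliberately never called in this program. */
void follow_xref_unsafe(const char *answer)
{
    char label[PROMPT_MAX];
    strcpy(label, answer);           /* overflows once strlen(answer) >= PROMPT_MAX */
    printf("following xref '%s'\n", label);
}

/* Hardened version: refuse anything that does not fit, NUL terminator
 * included, rather than overflowing or silently truncating. */
int follow_xref_bounded(const char *answer, char *out, size_t outlen)
{
    size_t n = strlen(answer);
    if (n >= outlen)
        return -1;
    memcpy(out, answer, n + 1);
    return 0;
}

/* Replay a --restore style script: one command per line, first byte is the
 * key ('g' = Goto Node, 'f' = follow xref), the rest is the prompt answer.
 * Returns the number of commands accepted, or -1 at the first over-long
 * answer, storing its 1-based line number in *bad_line when non-NULL. */
int replay_restore(const char *script, int *bad_line)
{
    char label[PROMPT_MAX];
    int accepted = 0, lineno = 0;
    const char *p = script;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        lineno++;
        if (len > 0) {
            char *arg = malloc(len);          /* len-1 answer bytes + NUL */
            int rc = 0;
            memcpy(arg, p + 1, len - 1);
            arg[len - 1] = '\0';
            switch (p[0]) {
            case 'g':
            case 'f':
                rc = follow_xref_bounded(arg, label, sizeof label);
                break;
            default:                          /* other keys carry no prompt text here */
                break;
            }
            free(arg);
            if (rc < 0) {
                if (bad_line) *bad_line = lineno;
                return -1;
            }
            accepted++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return accepted;
}

/* Constructed input: a script shaped like the report's info.bug, with n 'A'
 * bytes after the 'f' key. */
char *make_restore_script(size_t n)
{
    const char *head = "gExpert Info\nf";
    size_t hl = strlen(head);
    char *s = malloc(hl + n + 2);
    memcpy(s, head, hl);
    memset(s + hl, 'A', n);
    s[hl + n] = '\n';
    s[hl + n + 1] = '\0';
    return s;
}

/* Convenience wrappers: replay a script with n 'A's and report the result. */
int demo_replay(size_t n)
{
    char *s = make_restore_script(n);
    int rc = replay_restore(s, NULL);
    free(s);
    return rc;
}

int demo_bad_line(size_t n)
{
    int bad = 0;
    char *s = make_restore_script(n);
    replay_restore(s, &bad);
    free(s);
    return bad;
}

int main(void)
{
    printf("224 bytes: %d commands accepted\n", demo_replay(224));
    printf("225 bytes: rc=%d, rejected at line %d\n", demo_replay(225), demo_bad_line(225));
    return 0;
}
```

With the bounded copy the 225-byte line is rejected at the parser instead of being written past the end of the buffer; the same length check belongs on the interactive prompt path, since the report notes the crash is reachable from either the keyboard or a --restore file.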