alpine 3.6
buffer weakness #4


Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what a buffer overflow is, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows in the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

libxklavier/src/libxklavier-5.4/libxklavier/xklavier_config.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness. The highlighting itself is not preserved in this extract; the warning text quoted above is the one raised for strncat(), of which this excerpt contains two calls. strncat() is flagged as easily misused because its length argument bounds only the number of bytes appended, not the total size of the destination, so a call like this stays in bounds only if the destination is known to be empty (or the remaining space is computed from its current length).

	g_object_set_data(G_OBJECT(item), XCI_PROP_VENDOR, NULL);
	g_object_set_data(G_OBJECT(item), XCI_PROP_COUNTRY_LIST, NULL);
	g_object_set_data(G_OBJECT(item), XCI_PROP_LANGUAGE_LIST, NULL);

	if (!xkl_xml_find_config_item_child(iptr, &ptr))
		return FALSE;

	if (doc_index > 0)
		g_object_set_data(G_OBJECT(item), XCI_PROP_EXTRA_ITEM,
				  GINT_TO_POINTER(TRUE));

	ptr = ptr->children;

	if (ptr->type == XML_TEXT_NODE)
		ptr = ptr->next;
	name_element = ptr;
	ptr = ptr->next;

	short_desc_element = xkl_find_element(ptr, XML_TAG_SHORT_DESCR);
	desc_element = xkl_find_element(ptr, XML_TAG_DESCR);
	vendor_element = xkl_find_element(ptr, XML_TAG_VENDOR);

	if (name_element != NULL && name_element->children != NULL)
		strncat(item->name,
			(char *) name_element->children->content,
			XKL_MAX_CI_NAME_LENGTH - 1);

	if (short_desc_element != NULL
	    && short_desc_element->children != NULL) {
		strncat(item->short_description,
			dgettext(XKB_DOMAIN, (const char *)
				 short_desc_element->children->content),
			XKL_MAX_CI_SHORT_DESC_LENGTH - 1);
	}

	if (desc_element != NULL && desc_element->children != NULL) {
		/* Convert all xml-related characters to XML form, otherwise dgettext won't find the translation.
		 * The conversion is not using libxml2, because there are no handy functions in its API. */
		translated =
		    g_strdup((gchar *) desc_element->children->content);
		for (i =
		     sizeof(xml_encode_regexen_str) /
		     sizeof(xml_encode_regexen_str[0]); --i >= 0;) {
			escaped =
			    g_regex_replace(xml_encode_regexen[i],
					    translated, -1, 0,
					    xml_decode_regexen_str[i], 0,
					    NULL);
			g_free(translated);
