id summary reporter owner description type status priority milestone component version resolution keywords cc arch compiler difficulty kernel operatingsystem parents patch protocol sounddrv topic
279 muroar_connect() allows connection to ~/.roar when $HOME is not set correctly ph3-der-loewe ph3-der-loewe "muroar_connect() allows connecting to ~/.roar even when $HOME is not set correctly.

The following errors are in the code:
 * A heading slash is enforced
 * When $HOME is not set it tries to connect to ""/(null)/.roar""
 * When $HOME is too long to fit into the buffer it is truncated. This results in a security problem because an attacker may alter $HOME in a way letting µRoar connect to an existing server. This is mostly important for restricted environments like sudo, su, ssh when parts of the env are passed while others are rejected.
 * May connect to ""/invalid"" if snprintf() fails (very unlikely).

Some notes:
 * It is supported to set the server via $ROAR_SERVER. This does not conflict with the statement above as it may be one of those rejected env variables.
 * No buffer overflow was found allowing remote code or data injection. This is why I set it only to ""major"" not ""critical""." defect closed major µRoar 0.1.10 fixed normal 0 UNIX Security
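The four error cases listed in the ticket, handled in one path-building routine. This is an added example, not µRoar's code or the fix that closed this ticket: the function name build_home_sock_path(), its signature, the buffer sizes and the choice to refuse a relative $HOME rather than prepend a slash are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (name and signature are assumptions, not µRoar API).
 * Builds "<home>/.roar" into buf; the caller passes getenv("HOME") as home.
 * Returns 0 on success, -1 if the path cannot be built exactly. On failure
 * buf is left empty, so no default or partial path can be connected to. */
int build_home_sock_path(const char *home, char *buf, size_t len) {
    int n;

    if (buf == NULL || len == 0)
        return -1;
    buf[0] = '\0';

    /* $HOME unset or empty: never hand NULL to "%s" ("/(null)/.roar"). */
    if (home == NULL || home[0] == '\0')
        return -1;

    /* Require an absolute path instead of forcing a slash in front. */
    if (home[0] != '/')
        return -1;

    n = snprintf(buf, len, "%s/.roar", home);

    /* n < 0: snprintf() failed; n >= len: the result was truncated. */
    if (n < 0 || (size_t)n >= len) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char path[32]; /* constructed small buffer to show the truncation case */
    const char *samples[] = { NULL, "", "relative/dir", "/home/alice",
                              "/a/very/long/home/directory/name/here" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = build_home_sock_path(samples[i], path, sizeof(path));
        printf("%-40s -> %s\n", samples[i] ? samples[i] : "(unset)",
               rc == 0 ? path : "refused, no connection attempt");
    }
    return 0;
}
```

A caller that gets -1 skips the ~/.roar candidate entirely instead of connecting to whatever the buffer happens to hold.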