[PATCH:xsm] Add size limit to scanf string specifier

Alan Coopersmith alan.coopersmith at oracle.com
Wed Nov 30 13:50:15 PST 2011


On 11/29/11 23:27, Jeremy Huddleston wrote:
> Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>
>
> <lazy>Can this be exploited?</lazy>

I assumed not, which is why I sent it to xorg-devel and not xorg-security.

xsm should not be installed with any form of setuid/setgid privileges, and
this is reading from a lock file in the directory in which your session
configuration is saved (read from $SM_SAVE_DIR environment variable if set,
$HOME if not) - if the files in that directory are writable by anyone else,
then the attacker could just insert commands to be run in your session instead
of trying to overflow a buffer and then run an exploit.

This may stop crashes if a lock file gets corrupted, but should not have
any security effect.

-- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System
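The bounded scanf width that the patch's subject line refers to, shown as an added C example (this is not the xsm patch itself, and the field width, buffer size and lock-file line format are assumptions for the example). It reads one whitespace-delimited token into a fixed buffer and reports whether a corrupted or over-long line was truncated instead of overflowing the buffer:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Width of the %s conversion; the buffer holds width + 1 for the NUL.
   The real xsm buffer size is not quoted in the thread, so 63 is an
   assumption for this example. */
#define LOCK_ID_WIDTH 63
#define LOCK_ID_MAX   (LOCK_ID_WIDTH + 1)
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Read the first whitespace-delimited token of a lock-file line into a
   fixed buffer.  "%63s" (built from LOCK_ID_WIDTH so the width and the
   buffer size cannot drift apart) makes sscanf stop after 63 bytes and
   always NUL-terminate.  %n reports how many input bytes were consumed,
   which lets the caller detect that the token was cut short.
   Returns 1 if the token fit, 0 if it was truncated, -1 if the line held
   no token at all (blank or empty). */
int read_lock_id(const char *line, char out[LOCK_ID_MAX])
{
    int consumed = 0;
    out[0] = '\0';
    if (sscanf(line, "%" STR(LOCK_ID_WIDTH) "s%n", out, &consumed) != 1)
        return -1;
    /* If the byte after the consumed input is neither end-of-string nor
       whitespace, the token continued beyond the width: a corrupted or
       over-long line, safely truncated rather than overflowing out[]. */
    unsigned char next = (unsigned char)line[consumed];
    if (next != '\0' && !isspace(next))
        return 0;
    return 1;
}

int main(void)
{
    char id[LOCK_ID_MAX];
    /* Constructed sample lines standing in for a lock file's contents. */
    int fit = read_lock_id("10e1b2c3d4e5f6a7b8c9d0e1f2a3b4c5\n", id);
    char garbage[200];
    memset(garbage, 'A', sizeof garbage - 1);
    garbage[sizeof garbage - 1] = '\0';
    int cut = read_lock_id(garbage, id);
    printf("fit=%d cut=%d (length after truncation: %zu)\n",
           fit, cut, strlen(id));
    return 0;
}
```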
