buffer overflows via scanf

High
tillkamppeter published GHSA-25j7-9gfc-f46x Jun 14, 2023

Package

cpdb-libs

Affected versions

All 1.x 2.x

Patched versions

2.0b6

Description

Summary

There are multiple instances of buffer overflows in this package caused by improper use of scanf(3).

Details

else if (strcmp(buf, "print-file") == 0)

            char printer_id[BUFSIZE], backend_name[BUFSIZE], file_path[BUFSIZE];
            scanf("%s%s%s", file_path, printer_id, backend_name);

else if (strcmp(buf, "get-all-translations") == 0)

            char printer_id[BUFSIZE];
            char backend_name[BUFSIZE];
            scanf("%s%s", printer_id, backend_name);

PrintBackend *cpdbCreateBackendFromFile(GDBusConnection *connection,

    char obj_path[CPDB_BSIZE];
    /* ... */
    if ((file = fopen(path, "r")) == NULL)
    /* ... */
    if (fscanf(file, "%s", obj_path) == 0)

The %s conversion does not place bounds on the allowed input size, so a token longer than the destination buffer is written past its end.
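A bounded form of the reads shown above, as an added example (not the cpdb-libs patch and not code from the advisory). The names read_token, read_token_from and TOKEN_MAX are hypothetical, and the BUFSIZE value of 1024 is an assumption; the input strings are constructed. It gives %s a field width, rejects a token that the width cut short, and checks for a return of 1 because fscanf returns EOF on empty input, which the "== 0" test above does not catch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 1023            /* assumed limit; not taken from the advisory */
#define BUFSIZE (TOKEN_MAX + 1)   /* room for the terminating NUL */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Returns 0 on success, -1 on EOF or read error, -2 if the token was too long. */
int read_token(FILE *in, char dst[BUFSIZE])
{
    /* "%1023s" stores at most TOKEN_MAX bytes plus the NUL terminator. */
    int n = fscanf(in, "%" STR(TOKEN_MAX) "s", dst);
    if (n != 1)                   /* EOF is -1, so "== 0" would miss it */
        return -1;
    /* If the width truncated the token, the next byte is not whitespace. */
    int c = fgetc(in);
    if (c != EOF && !isspace(c)) {
        /* Drop the rest of the oversized token so the stream stays in sync. */
        while ((c = fgetc(in)) != EOF && !isspace(c))
            ;
        dst[0] = '\0';
        return -2;
    }
    if (c != EOF)
        ungetc(c, in);
    return 0;
}

/* Demo helper: feeds a constructed string through a temporary stream. */
int read_token_from(const char *input, char dst[BUFSIZE])
{
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs(input, f);
    rewind(f);
    int rc = read_token(f, dst);
    fclose(f);
    return rc;
}

int main(void)
{
    char obj_path[BUFSIZE], big[TOKEN_MAX + 200];
    memset(big, 'A', sizeof big - 1);          /* constructed oversized token */
    big[sizeof big - 1] = '\0';
    printf("short=%d ", read_token_from("/example/path\n", obj_path));
    printf("long=%d empty=%d\n", read_token_from(big, obj_path), read_token_from("", obj_path));
    return 0;
}
```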

Severity

High

CVE ID

CVE-2023-34095

Weaknesses