potential buffer overflow in server_common.c
Brought to you by:
tringali
Hi, there is a potential buffer overflow vulnerability in nedit-5.7.
These code examples show the vulnerable lines in source/server_common.c.
63 sprintf(propName, "NEDIT_SERVER_EXISTS_%s_%s_%s", hostName, userName, serverName);
65 sprintf(propName, "NEDIT_SERVER_REQUEST_%s_%s_%s", hostName, userName, serverName);
94 sprintf(propName, "NEDIT_FILE_%s_%s_%s_%s_WF_OPEN", hostName, userName, serverName, path);
108 sprintf(propName, "NEDIT_FILE_%s_%s_%s_%s_WF_CLOSED", hostName, userName, serverName, path);
122 int length = sprintf(propNamePrefix, "NEDIT_FILE_%s_%s_%s_", hostName, userName, serverName);
A malicious attacker can make 'userName' an arbitrarily large string by manipulating an environment variable.
const char *userName = GetUserName();
util/utils.c:143 return getenv("USER");
Since the sizes of propName and propNamePrefix are fixed, this can cause a stack buffer overflow, which leads to buggy behavior.
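A hardened form of the sprintf pattern quoted above, added here as an example and not taken from nedit's sources: the property name is built with a bounded snprintf, truncation is detected and rejected, and the environment-derived user name is length-checked before use. The buffer size PROP_NAME_LEN is an assumed placeholder, since the report does not quote the real one.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the actual size used by
 * nedit's server_common.c is not shown in the bug report. */
#define PROP_NAME_LEN 64
/* Assumed upper bound for a user name taken from getenv("USER"). */
#define MAX_USER_LEN 32

/* Build "NEDIT_SERVER_EXISTS_<host>_<user>_<server>" into buf without
 * overrunning it.  Returns 1 on success, 0 if the name would not fit
 * (buf is then set to the empty string so callers cannot use a
 * silently truncated name). */
int build_server_prop(char *buf, size_t bufLen, const char *hostName,
                      const char *userName, const char *serverName)
{
    int n = snprintf(buf, bufLen, "NEDIT_SERVER_EXISTS_%s_%s_%s",
                     hostName, userName, serverName);
    if (n < 0 || (size_t)n >= bufLen) {
        buf[0] = '\0';   /* snprintf already NUL-terminated; mark as unusable */
        return 0;
    }
    return 1;
}

/* Validate an attacker-influenceable user name before formatting it.
 * Rejects NULL, empty, and over-long values. */
int user_name_is_sane(const char *userName, size_t maxLen)
{
    if (userName == NULL || *userName == '\0') return 0;
    if (strnlen(userName, maxLen + 1) > maxLen) return 0;
    return 1;
}

/* Exercise both checks with a constructed over-long user name.
 * Returns 1 when every check behaves as expected. */
int self_check(void)
{
    char buf[PROP_NAME_LEN];
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';                      /* constructed input */
    if (!build_server_prop(buf, sizeof buf, "host", "user", "srv")) return 0;
    if (strcmp(buf, "NEDIT_SERVER_EXISTS_host_user_srv") != 0) return 0;
    if (build_server_prop(buf, sizeof buf, "host", big, "srv")) return 0;
    if (buf[0] != '\0') return 0;
    if (!user_name_is_sane("user", MAX_USER_LEN)) return 0;
    if (user_name_is_sane(big, MAX_USER_LEN)) return 0;
    if (user_name_is_sane("", MAX_USER_LEN)) return 0;
    return 1;
}
```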
Hello kangwoosukeq!
So two things.
You are absolutely correct, this is definitely a buffer overflow.
NEdit 5.x is now considered to be "legacy" and has no planned active development going forward. The good news is that NEdit-NG https://github.com/eteran/nedit-ng/ is going to be officially considered NEdit 6.0 at some point (hopefully soon, but it's subject to the amount of time I can dedicate to it and for the past several months, I have just been absolutely swamped).
NG is in a very workable state and is only held up from being christened "6.0" by a select few currently outstanding regressions from the 5.x series. (https://github.com/eteran/nedit-ng/milestone/1)