<date>
10/2000

<title>
libDtSvc.1 $NLSPATH

<os>
HP-UX 10.20

<info>
There exists a buffer overflow vulnerability in the libDtSvc.1 library in 
the way the NLSPATH environment variable is handled. The vulnerability is 
caused by improper handling of the NLSPATH environment variable in the 
_DtEnvControl function - it copies this variable without any size checking
into the stack buffer with the use of sprintf function.This bug can be triggered
by invoking one of the CDE subsystem's suid binaries (dtterm, dtprintinfo,
dtaction or dtsession) and NLSPATH environment variable set to long string.
When appropriately exploited this bug can lead to local root compromise on 
a vulnerable system.

<link>
HP/hp_dtlib.c

<file>
HP/hp_dtlib.c

