Buffer overflows and format string vulnerabilities in LCDproc — GLSA 200404-19

Multiple remote vulnerabilities have been found in the LCDd server, allowing execution of arbitrary code with the rights of the LCDd user.

Affected Packages

app-misc/lcdproc on all architectures
Affected versions <= 0.4.4-r1
Unaffected versions >= 0.4.5


LCDproc is a program that displays various bits of real-time system information on an LCD. It makes use of a local server (LCDd) to collect information to display on the LCD.


Due to insufficient checking of client-supplied data, the LCDd server is susceptible to two buffer overflows and one string buffer vulnerability. If the server is configured to listen on all network interfaces (see the Bind parameter in LCDproc configuration), these vulnerabilities can be triggered remotely.


These vulnerabilities allow an attacker to execute code with the rights of the user running the LCDproc server. By default, this is the "nobody" user.


A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.


LCDproc users should upgrade to version 0.4.5 or later:

 # emerge sync

 # emerge -pv ">=app-misc/lcdproc-0.4.5"
 # emerge ">=app-misc/lcdproc-0.4.5"


Release Date
April 27, 2004

Latest Revision
April 27, 2004: 01



Bugzilla entries