6051808 2001-02-05 10:40 +0200 /78 lines/ Valentin Nechayev <netch@LUCKY.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 20:45 by Brevbäraren (som är implementerad i) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: netch@lucky.net
Recipient: Bugtraq (import) <15226>
Subject: Re: m4 format string vulnerability
------------------------------------------------------------
From: Valentin Nechayev <netch@LUCKY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205104036.A3465@lucky.net>

> > confirmed for red hat linux 7.0:
> > [kerouac:mg:~]m4 -G %x

All folks test it with -G, but it is not really needed.

FreeBSD ports:

netch@iv:~>gm4 -G %x
gm4: bfbffb8c: No such file or directory
netch@iv:~>gm4 %x
gm4: bfbffb8c: No such file or directory
netch@iv:~>gm4 %d
gm4: -1077937268: No such file or directory
netch@iv:~>gm4 %s
gm4: oü¿¿ü¿¿ü¿¿³ü¿¿Êü¿¿åü¿¿ñü¿¿úü¿¿ý¿¿ý¿¿6ý¿¿Ký¿¿eý¿¿sý¿¿{ý¿¿ý¿¿«ý¿¿¹ý¿¿Ëý¿ ¿Øý¿¿îý¿¿eþ¿¿xþ¿¿þ¿¿: No such file or directory

(port is m4-1.4)

RH 7.0:

netch@yacc:~>m4 %x
m4: 80499d9: No such file or directory
netch@yacc:~>m4 %d
m4: 134519257: No such file or directory

RH 6.2:

netch@sleipnir:~>m4 %x
m4: 401081cc: No such file or directory
netch@sleipnir:~>rpm -q m4
m4-1.4-12

and so on. Possibly all GNU versions are vulnerable.

Patch against this (tabs are broken by cut-and-paste):

--- src/m4.c.orig Wed Nov 2 05:14:28 1994 +++ src/m4.c Mon Feb 5 10:36:17 2001 
@@ -466,7 +466,7 @@ fp = path_search (argv[optind]); if (fp == NULL) { - error (0, errno, argv[optind]); + error (0, errno, "%s", argv[optind]); continue; } else

The only other bad usage of error():

m4.c:372: error (0, errno, optarg);

part of code:

==={{{
        case 'o':
          if (!debug_set_output (optarg))
            error (0, errno, optarg);
          break;
===}}}

The patch is of the same idea.

> > m4: 80499d9: Datei oder Verzeichnis nicht gefunden
> > [kerouac:mg:~]cat /etc/redhat-release
> > Red Hat Linux release 7.0 (Guinness)
> > [kerouac:mg:~]rpm -q m4
> > m4-1.4.1-3

/netch
(6051808) --------------------------------(Reflowed)
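
Review bot: the hunk at -466 covers only the `error (0, errno, argv[optind])` call, while the second call with the same pattern, `error (0, errno, optarg);` at m4.c:372 in the `case 'o':` branch, is described in the message but has no hunk of its own. Add a matching hunk that passes `"%s"` as the format there as well, so that both call sites are fixed by one patch and the `-o` argument can no longer be interpreted as a format string. Since the message says tabs were broken by cut-and-paste, the diff should also be regenerated with its whitespace intact (or applied with `patch -l`) before it is relied on to apply cleanly.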