103898 2003-06-07  21:33  /43 rader/ Vade 79 <v9@fakehalo.deadpig.org>
Importerad: 2003-06-07  21:33  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5176>
Ärende: man[v1.5l] catalog format strings patch.
------------------------------------------------------------


forgot to make a patch for the original posting of the exploit.  the patch 
will keep the functionality, while eliminating exploitation possibilities.

original exploit ref:
 http://www.securityfocus.com/archive/1/323821/2003-05-28/2003-06-03/0

bash# tar -zxvf man.src.tgz
bash# patch -p0 <man.fmtbug.patch


--- man.fmtbug.patch --

diff -urP man-1.5l/src/gripes.c man-1.5l/src/gripes.c
--- man-1.5l/src/gripes.c Wed Jul 17 20:17:23 2002
+++ man-1.5l/src/gripes.c Fri Jun  6 14:51:21 2003
@@ -28,0 +28,1 @@
+#include <string.h>
@@ -68,0 +68,2 @@
+    unsigned int i = 0;
+    unsigned short fmt_n = 0;
@@ -78,0 +78,13 @@
+    /* routine to filter format string abuse.  will */
+    /* only allow %d, %s, and %o through.  no more  */
+    /* than two formats needed for any response.    */
+    for (i = 0; s[i] != 0x0; i++){
+        if (s[i] == '%' && s[i+1]){
+            if (strchr("dso", s[i+1])) /* %d,%s,%o. */
+                fmt_n++;
+            else
+                fmt_n=3; /* anything else = <limit. */
+        }
+        if (fmt_n > 2) /* failed, default reply. */
+            s = msg[n];
+    }
diff -urP man-1.5l/src/version.h man-1.5l/src/version.h
--- man-1.5l/src/version.h Fri Jun  6 14:36:40 2003
+++ man-1.5l/src/version.h Fri Jun  6 14:51:21 2003
@@ -1,1 +1,1 @@
-static char version[] = "1.5l";
+static char version[] = "1.5l-fmtfix";
(103898) /Vade 79 <v9@fakehalo.deadpig.org>/--------