-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've noticed that there is an abundance of format string vulnerabilities all across busybox 1.17.0 source code. I understand that most of them are not practically exploitable or very hard to exploit, but I also noticed a couple of format string vulnerabilities that can be directly exploited.
Attached is a patch to fix the found bugs. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkw3dI4ACgkQ2VxGY2VcpojhCACcDQrgayzRNaxNX4NzxcDKht6d PKUAn2EnuneL4vZPb5fIs/ZbyqXEOd/X =VSFE -----END PGP SIGNATURE-----
--- busybox-1.17.0/applets/applet_tables.c 2010-06-26 00:39:36.000000000 +0000
+++ busybox-1.17.0.fixed/applets/applet_tables.c 2010-07-09 10:18:24.000000000 +0000
@@ -129,4 +129,5 @@
if (argv[2]) {
+ char *res;
char line_old[80];
char line_new[80];
@@ -136,5 +137,5 @@
fp = fopen(argv[2], "r");
if (fp) {
- fgets(line_old, sizeof(line_old), fp);
+ res = fgets(line_old, sizeof(line_old), fp);
fclose(fp);
}
--- busybox-1.17.0/applets/usage.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/applets/usage.c 2010-07-09 10:08:54.000000000 +0000
@@ -41,4 +41,5 @@
{
int i;
+ int res;
int num_messages = sizeof(usage_array) / sizeof(usage_array[0]);
@@ -50,5 +51,5 @@
compare_func);
for (i = 0; i < num_messages; i++)
- write(STDOUT_FILENO, usage_array[i].usage, strlen(usage_array[i].usage) + 1);
+ res = write(STDOUT_FILENO, usage_array[i].usage, strlen(usage_array[i].usage) + 1);
return 0;
--- busybox-1.17.0/applets/usage_pod.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/applets/usage_pod.c 2010-07-09 10:08:01.000000000 +0000
@@ -72,5 +72,9 @@
printf(", ");
}
- printf(usage_array[i].aname);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * printf(usage_array[i].aname);
+ */
+ printf("%s", usage_array[i].aname);
col += len2;
}
--- busybox-1.17.0/archival/bzip2.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/archival/bzip2.c 2010-07-09 09:30:46.000000000 +0000
@@ -89,6 +89,10 @@
if (n2 >= 0)
errno = 0; /* prevent bogus error message */
- bb_perror_msg(n2 >= 0 ? "short write" : bb_msg_write_error);
- return -1;
+ /*
+ * Vulnerable to arbitary format strings.
+ * bb_perror_msg(n2 >= 0 ? "short write" : bb_msg_write_error);
+ */
+ n2 >= 0 ? bb_perror_msg("short write") : bb_perror_msg("%s", bb_msg_write_error);
+ return -1;
}
}
@@ -119,5 +123,9 @@
count = full_read(STDIN_FILENO, rbuf, IOBUF_SIZE);
if (count < 0) {
- bb_perror_msg(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_msg_read_error);
+ */
+ bb_perror_msg("%s", bb_msg_read_error);
total = -1;
break;
--- busybox-1.17.0/archival/libunarchive/data_extract_to_command.c 2010-07-04 13:32:24.000000000 +0000
+++ busybox-1.17.0.fixed/archival/libunarchive/data_extract_to_command.c 2010-07-09 09:32:26.000000000 +0000
@@ -39,5 +39,9 @@
{
if (putenv(str))
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
}
--- busybox-1.17.0/archival/libunarchive/decompress_unxz.c 2010-07-01 03:12:20.000000000 +0000
+++ busybox-1.17.0.fixed/archival/libunarchive/decompress_unxz.c 2010-07-09 09:33:30.000000000 +0000
@@ -74,5 +74,9 @@
int rd = safe_read(src_fd, membuf, BUFSIZ);
if (rd < 0) {
- bb_error_msg(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg(bb_msg_read_error);
+ */
+ bb_error_msg("%s", bb_msg_read_error);
total = -1;
break;
--- busybox-1.17.0/archival/libunarchive/decompress_unzip.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/archival/libunarchive/decompress_unzip.c 2010-07-09 09:34:29.000000000 +0000
@@ -1073,5 +1073,9 @@
bytebuffer_size = full_read(gunzip_src_fd, &bytebuffer[count], bytebuffer_max - count);
if ((int)bytebuffer_size < 0) {
- bb_error_msg(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg(bb_msg_read_error);
+ */
+ bb_error_msg("%s", bb_msg_read_error);
return 0;
}
--- busybox-1.17.0/coreutils/df.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/coreutils/df.c 2010-07-09 09:35:34.000000000 +0000
@@ -109,5 +109,9 @@
mount_table = setmntent(bb_path_mtab_file, "r");
if (!mount_table)
- bb_perror_msg_and_die(bb_path_mtab_file);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_path_mtab_file);
+ */
+ bb_perror_msg_and_die("%s", bb_path_mtab_file);
}
--- busybox-1.17.0/coreutils/expand.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/coreutils/expand.c 2010-07-09 09:36:26.000000000 +0000
@@ -199,5 +199,9 @@
/* (if we didn't read from it, it's a no-op) */
if (fclose(stdin))
- bb_perror_msg_and_die(bb_msg_standard_input);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_standard_input);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_standard_input);
fflush_stdout_and_exit(exit_status);
--- busybox-1.17.0/coreutils/od_bloaty.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/coreutils/od_bloaty.c 2010-07-09 09:38:06.000000000 +0000
@@ -503,5 +503,9 @@
if (ferror(stdout)) {
- bb_error_msg(bb_msg_write_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg(bb_msg_write_error);
+ */
+ bb_error_msg("%s", bb_msg_write_error);
ioerror = 1;
}
@@ -1424,5 +1428,9 @@
if (fclose(stdin) == EOF)
- bb_perror_msg_and_die(bb_msg_standard_input);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_standard_input);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_standard_input);
return ioerror;
--- busybox-1.17.0/coreutils/tail.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/coreutils/tail.c 2010-07-09 09:39:02.000000000 +0000
@@ -60,5 +60,9 @@
r = full_read(fd, buf, count);
if (r < 0) {
- bb_perror_msg(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_msg_read_error);
+ */
+ bb_perror_msg("%s", bb_msg_read_error);
G.status = EXIT_FAILURE;
}
--- busybox-1.17.0/coreutils/tr.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/coreutils/tr.c 2010-07-09 09:39:58.000000000 +0000
@@ -308,5 +308,9 @@
if (read_chars <= 0) {
if (read_chars < 0)
- bb_perror_msg_and_die(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_read_error);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_read_error);
break;
}
--- busybox-1.17.0/coreutils/uuencode.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/coreutils/uuencode.c 2010-07-09 09:40:44.000000000 +0000
@@ -46,5 +46,9 @@
break;
if ((ssize_t)size < 0)
- bb_perror_msg_and_die(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_read_error);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_read_error);
/* Encode the buffer we just read in */
bb_uuencode(dst_buf, src_buf, size, tbl);
--- busybox-1.17.0/editors/sed.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/editors/sed.c 2010-07-09 09:41:35.000000000 +0000
@@ -845,5 +845,9 @@
if (ferror(file)) {
xfunc_error_retval = 4; /* It's what gnu sed exits with... */
- bb_error_msg_and_die(bb_msg_write_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_write_error);
+ */
+ bb_error_msg_and_die("%s", bb_msg_write_error);
}
*last_puts_char = lpc;
--- busybox-1.17.0/include/NUM_APPLETS.h 1970-01-01 00:00:00.000000000 +0000
+++ busybox-1.17.0.fixed/include/NUM_APPLETS.h 2010-07-09 09:23:40.000000000 +0000
@@ -0,0 +1 @@
+#define NUM_APPLETS 347
--- busybox-1.17.0/libbb/copyfd.c 2010-06-26 21:08:56.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/copyfd.c 2010-07-09 09:43:10.000000000 +0000
@@ -67,5 +67,9 @@
}
if (rd < 0) {
- bb_perror_msg(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_msg_read_error);
+ */
+ bb_perror_msg("%s", bb_msg_read_error);
break;
}
@@ -75,5 +79,9 @@
if (wr < rd) {
if (!continue_on_write_error) {
- bb_perror_msg(bb_msg_write_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_msg_write_error);
+ */
+ bb_perror_msg("%s", bb_msg_write_error);
break;
}
--- busybox-1.17.0/libbb/create_icmp6_socket.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/create_icmp6_socket.c 2010-07-09 09:44:42.000000000 +0000
@@ -27,6 +27,11 @@
if (sock < 0) {
if (errno == EPERM)
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
- bb_perror_msg_and_die(bb_msg_can_not_create_raw_socket);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ * bb_perror_msg_and_die(bb_msg_can_not_create_raw_socket);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
+ bb_perror_msg_and_die("%s", bb_msg_can_not_create_raw_socket);
}
--- busybox-1.17.0/libbb/create_icmp_socket.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/create_icmp_socket.c 2010-07-09 09:45:47.000000000 +0000
@@ -26,6 +26,11 @@
if (sock < 0) {
if (errno == EPERM)
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
- bb_perror_msg_and_die(bb_msg_can_not_create_raw_socket);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ * bb_perror_msg_and_die(bb_msg_can_not_create_raw_socket);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
+ bb_perror_msg_and_die("%s", bb_msg_can_not_create_raw_socket);
}
--- busybox-1.17.0/libbb/dump.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/dump.c 2010-07-09 09:48:03.000000000 +0000
@@ -616,5 +616,9 @@
break;
case F_TEXT:
- printf(pr->fmt);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * printf(pr->fmt);
+ */
+ printf("%s", pr->fmt);
break;
case F_U:
@@ -666,5 +670,9 @@
break;
case F_TEXT:
- printf(pr->fmt);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * printf(pr->fmt);
+ */
+ printf("%s", pr->fmt);
break;
}
--- busybox-1.17.0/libbb/fflush_stdout_and_exit.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/fflush_stdout_and_exit.c 2010-07-09 09:49:03.000000000 +0000
@@ -17,5 +17,9 @@
{
if (fflush(stdout))
- bb_perror_msg_and_die(bb_msg_standard_output);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_standard_output);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_standard_output);
if (ENABLE_FEATURE_PREFER_APPLETS && die_sleep < 0) {
--- busybox-1.17.0/libbb/mtab.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/mtab.c 2010-07-09 09:50:43.000000000 +0000
@@ -23,5 +23,9 @@
if (!mountTable) mountTable = setmntent("/proc/mounts", "r");
if (!mountTable) {
- bb_perror_msg(bb_path_mtab_file);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_path_mtab_file);
+ */
+ bb_perror_msg("%s", bb_path_mtab_file);
return;
}
@@ -51,5 +55,9 @@
endmntent(mountTable);
} else if (errno != EROFS)
- bb_perror_msg(bb_path_mtab_file);
+ /*
+ * Vulnerable arbitrary format strings.
+ * bb_perror_msg(bb_path_mtab_file);
+ */
+ bb_perror_msg("%s", bb_path_mtab_file);
}
#endif
--- busybox-1.17.0/libbb/wfopen.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/wfopen.c 2010-07-09 09:51:43.000000000 +0000
@@ -44,5 +44,9 @@
FILE* fp = fdopen(fd_and_rw_bit >> 1, fd_and_rw_bit & 1 ? "w" : "r");
if (!fp)
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
return fp;
}
--- busybox-1.17.0/libbb/xfuncs_printf.c 2010-07-04 13:32:24.000000000 +0000
+++ busybox-1.17.0.fixed/libbb/xfuncs_printf.c 2010-07-09 09:56:37.000000000 +0000
@@ -38,5 +38,9 @@
void *ptr = malloc(size);
if (ptr == NULL && size != 0)
- bb_error_msg(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg(bb_msg_memory_exhausted);
+ */
+ bb_error_msg("%s", bb_msg_memory_exhausted);
return ptr;
}
@@ -47,5 +51,9 @@
void *ptr = malloc(size);
if (ptr == NULL && size != 0)
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
return ptr;
}
@@ -58,5 +66,9 @@
ptr = realloc(ptr, size);
if (ptr == NULL && size != 0)
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
return ptr;
}
@@ -82,5 +94,9 @@
if (t == NULL)
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
return t;
@@ -292,5 +308,9 @@
if (r < 0)
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
return string_ptr;
}
@@ -299,5 +319,9 @@
{
if (setenv(key, value, 1))
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
}
--- busybox-1.17.0/loginutils/addgroup.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/loginutils/addgroup.c 2010-07-09 09:57:35.000000000 +0000
@@ -122,5 +122,9 @@
/* need to be root */
if (geteuid()) {
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
}
#if ENABLE_FEATURE_ADDGROUP_LONG_OPTIONS
--- busybox-1.17.0/loginutils/adduser.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/loginutils/adduser.c 2010-07-09 09:58:40.000000000 +0000
@@ -120,5 +120,9 @@
/* got root? */
if (geteuid()) {
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
}
--- busybox-1.17.0/loginutils/chpasswd.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/loginutils/chpasswd.c 2010-07-09 09:59:59.000000000 +0000
@@ -27,5 +27,9 @@
if (getuid())
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
opt_complementary = "m--e:e--m";
--- busybox-1.17.0/loginutils/deluser.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/loginutils/deluser.c 2010-07-09 10:00:54.000000000 +0000
@@ -31,5 +31,9 @@
if (geteuid())
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
if ((ENABLE_FEATURE_DEL_USER_FROM_GROUP && argc != 3)
--- busybox-1.17.0/mailutils/mail.c 2010-07-04 13:32:24.000000000 +0000
+++ busybox-1.17.0.fixed/mailutils/mail.c 2010-07-09 10:04:30.000000000 +0000
@@ -139,5 +139,9 @@
size = fread((char *)src_buf, 1, SRC_BUF_SIZE, fp);
if ((ssize_t)size < 0)
- bb_perror_msg_and_die(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_read_error);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_read_error);
} else {
size = len;
@@ -181,5 +185,9 @@
ch = fgetc(src_stream);
if (ch == EOF) {
- bb_error_msg_and_die(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_read_error);
+ */
+ bb_error_msg_and_die("%s", bb_msg_read_error);
}
// - means end of MIME section
--- busybox-1.17.0/miscutils/crontab.c 2010-07-04 13:32:24.000000000 +0000
+++ busybox-1.17.0.fixed/miscutils/crontab.c 2010-07-09 10:05:22.000000000 +0000
@@ -105,5 +105,9 @@
/* Run by non-root */
if (opt_ler & (OPT_u|OPT_c))
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
}
--- busybox-1.17.0/networking/ntpd.c 2010-06-24 22:23:06.000000000 +0000
+++ busybox-1.17.0.fixed/networking/ntpd.c 2010-07-09 10:07:05.000000000 +0000
@@ -1883,5 +1883,9 @@
if (getuid())
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
/* Set some globals */
--- busybox-1.17.0/networking/ping.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/networking/ping.c 2010-07-09 10:14:27.000000000 +0000
@@ -341,5 +341,9 @@
sz = xsendto(pingsock, pkt, size_pkt, &pingaddr.sa, sizeof(pingaddr));
if (sz != size_pkt)
- bb_error_msg_and_die(bb_msg_write_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_write_error);
+ */
+ bb_error_msg_and_die("%s", bb_msg_write_error);
if (pingcount == 0 || deadline || ntransmitted < pingcount) {
--- busybox-1.17.0/networking/traceroute.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/networking/traceroute.c 2010-07-09 10:15:31.000000000 +0000
@@ -837,5 +837,9 @@
*/
if (getuid() != 0)
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
}
if (op & OPT_WAITTIME)
--- busybox-1.17.0/networking/udhcp/arpping.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/networking/udhcp/arpping.c 2010-07-09 10:20:02.000000000 +0000
@@ -51,5 +51,9 @@
s = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ARP));
if (s == -1) {
- bb_perror_msg(bb_msg_can_not_create_raw_socket);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_msg_can_not_create_raw_socket);
+ */
+ bb_perror_msg("%s", bb_msg_can_not_create_raw_socket);
return -1;
}
--- busybox-1.17.0/networking/wget.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/networking/wget.c 2010-07-09 10:17:18.000000000 +0000
@@ -475,5 +475,9 @@
if (ferror(dfp)) {
/* perror will not work: ferror doesn't set errno */
- bb_error_msg_and_die(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_read_error);
+ */
+ bb_error_msg_and_die("%s", bb_msg_read_error);
}
break;
--- busybox-1.17.0/networking/zcip.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/networking/zcip.c 2010-07-09 10:18:55.000000000 +0000
@@ -462,5 +462,9 @@
// read ARP packet
if (safe_read(sock_fd, &p, sizeof(p)) < 0) {
- bb_perror_msg_and_die(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(bb_msg_read_error);
+ */
+ bb_perror_msg_and_die("%s", bb_msg_read_error);
}
if (p.eth.ether_type != htons(ETHERTYPE_ARP))
--- busybox-1.17.0/shell/hush.c 2010-07-06 00:15:46.000000000 +0000
+++ busybox-1.17.0.fixed/shell/hush.c 2010-07-09 10:20:52.000000000 +0000
@@ -2277,5 +2277,9 @@
}
if (gr == GLOB_NOSPACE)
- bb_error_msg_and_die(bb_msg_memory_exhausted);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_memory_exhausted);
+ */
+ bb_error_msg_and_die("%s", bb_msg_memory_exhausted);
/* GLOB_ABORTED? Only happens with GLOB_ERR flag,
* but we didn't specify it. Paranoia again. */
--- busybox-1.17.0/shell/ash.c 2010-06-26 20:55:37.000000000 +0000
+++ busybox-1.17.0.fixed/shell/ash.c 2010-07-09 10:21:49.000000000 +0000
@@ -3757,5 +3757,9 @@
}
st &= 0x7f;
- col = fmtstr(s, 32, strsignal(st));
+ /*
+ * Vulnerable to arbitrary format strings.
+ * col = fmtstr(s, 32, strsignal(st));
+ */
+ col = fmtstr(s, 32, "%s", strsignal(st));
if (WCOREDUMP(status)) {
col += fmtstr(s + col, 16, " (core dumped)");
--- busybox-1.17.0/sysklogd/logread.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/sysklogd/logread.c 2010-07-09 10:21:35.000000000 +0000
@@ -49,5 +49,9 @@
//release all acquired resources
shmdt(shbuf);
- bb_perror_msg_and_die(str);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg_and_die(str);
+ */
+ bb_perror_msg_and_die("%s", str);
}
--- busybox-1.17.0/util-linux/fdformat.c 2010-06-24 02:40:43.000000000 +0000
+++ busybox-1.17.0.fixed/util-linux/fdformat.c 2010-07-09 10:22:14.000000000 +0000
@@ -102,5 +102,9 @@
if (read_bytes != n) {
if (read_bytes < 0) {
- bb_perror_msg(bb_msg_read_error);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_perror_msg(bb_msg_read_error);
+ */
+ bb_perror_msg("%s", bb_msg_read_error);
}
bb_error_msg_and_die("problem reading cylinder %d, "
--- busybox-1.17.0/util-linux/mount.c 2010-06-27 14:47:31.000000000 +0000
+++ busybox-1.17.0.fixed/util-linux/mount.c 2010-07-09 10:26:29.000000000 +0000
@@ -475,5 +475,9 @@
if (rc && errno == EPERM)
- bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_perm_denied_are_you_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_perm_denied_are_you_root);
// If the mount was successful, and we're maintaining an old-style
@@ -1706,5 +1710,9 @@
if (set_loop(&mp->mnt_fsname, loopFile, 0) < 0) {
if (errno == EPERM || errno == EACCES)
- bb_error_msg(bb_msg_perm_denied_are_you_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg(bb_msg_perm_denied_are_you_root);
+ */
+ bb_error_msg("%s", bb_msg_perm_denied_are_you_root);
else
bb_perror_msg("can't setup loop device");
@@ -1890,5 +1898,9 @@
if (argv[1]) {
if (nonroot)
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
mtpair->mnt_fsname = argv[0];
mtpair->mnt_dir = argv[1];
@@ -1907,5 +1919,9 @@
i = parse_mount_options(cmdopts, NULL); // FIXME: should be "long", not "int"
if (nonroot && (i & ~MS_SILENT)) // Non-root users cannot specify flags
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
// If we have a shared subtree flag, don't worry about fstab or mtab.
@@ -1970,5 +1986,9 @@
// even user mounts, for mere humans
if (nonroot)
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
// Does type match? (NULL matches always)
@@ -2050,5 +2070,9 @@
l = parse_mount_options(mtcur->mnt_opts, NULL);
if (!(l & MOUNT_USERS))
- bb_error_msg_and_die(bb_msg_you_must_be_root);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * bb_error_msg_and_die(bb_msg_you_must_be_root);
+ */
+ bb_error_msg_and_die("%s", bb_msg_you_must_be_root);
}
busybox-1.17.0.patch.sig
Description: PGP signature
_______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
