Package: yardradius
Version: 1.1.2-4
Severity: critical (security)
Dear Maintainer,
Several format string vulnerabilities were found in the latest `yardradius`
version, as explained further below:
src/log.c:
void
log_msg(int priority,char *fmt, va_list args)
{
...
char buffer[1024];
...
vfprintf(msgfd, fmt, args);            /* fmt is used directly as the format string */
...
vsnprintf(buffer,1024,fmt, args);
#if defined(HAVE_SYSLOG)
syslog(priority, buffer);              /* already-formatted buffer is interpreted as a format again */
...
vsyslog(priority, fmt, args);
...
}
So an attacker who can fill fmt with, for example, "%x" can read out addresses.
############
src/version.c:
#define STRVER "%s : YARD Radius Server %s ... $ "
void
version(void)
{
char buffer[1024];
build_version(buffer,sizeof(buffer));
fprintf(stderr, buffer);               /* buffer contains progname (argv[0]) and is used as the format */
exit(-1);
}
...
void
build_version(char *bp,size_t sizeofbp)
{
snprintf(bp,sizeofbp-1,STRVER, progname, VERSION);
...
$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...
It seems more vulnerabilities of this type exist in the source;
if I find any other bugs I will file them.
If I can help with patching or anything else, please let me know.
Thank you
Hamid Zamani
-- System Information:
Debian Release: Kali Linux 1.0
Architecture: i386 (i686)
Kernel: Linux 3.7-trunk-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages yardradius depends on:
ii libc6 2.13-38
ii libgdbm3 1.8.3-11
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
yardradius recommends no packages.
yardradius suggests no packages.
-- no debconf information
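Added example (not part of the bug report and not yardradius code): a stand-alone C program with the same shape as the build_version()/version() pair above. A program name is formatted into a buffer, and that buffer is then used as a format string (the vulnerable path) or passed as an argument to a literal "%s" format (the fixed path); snprintf() into an output buffer stands in for fprintf(stderr, buffer) so the two results can be compared. It also includes a small audit helper that counts conversion directives in a string from outside the program. STRVER's text, the version string, the function names version_vulnerable/version_fixed/count_directives and the default input "%%x" are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as yardradius's build_version()/version(): the program
 * name (attacker-chosen via argv[0], e.g. a symlink named "%x") is
 * formatted into a buffer, and that buffer is then used as a format
 * string.  snprintf() into `out` stands in for fprintf(stderr, buffer)
 * so the result can be inspected.  STRVER text, the version string and
 * all function names here are constructed for this example. */
#define STRVER  "%s : Demo Radius Server %s"
#define VERSION "1.1"

static void build_version(char *bp, size_t sizeofbp, const char *progname)
{
    snprintf(bp, sizeofbp, STRVER, progname, VERSION);
}

/* Vulnerable: the buffer built from progname becomes the format argument.
 * The pragmas only silence the compiler so the bug compiles for
 * demonstration; a real build should keep -Wformat-security enabled,
 * since it flags exactly this call. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int version_vulnerable(char *out, size_t outlen, const char *progname)
{
    char buffer[1024];
    build_version(buffer, sizeof buffer, progname);
    return snprintf(out, outlen, buffer);
}
#pragma GCC diagnostic pop

/* Fixed: the buffer is passed as an argument to a literal "%s" format,
 * so any '%' it contains is printed, never interpreted.  The same change
 * applies to syslog(priority, buffer) in log.c: syslog(priority, "%s", buffer). */
int version_fixed(char *out, size_t outlen, const char *progname)
{
    char buffer[1024];
    build_version(buffer, sizeof buffer, progname);
    return snprintf(out, outlen, "%s", buffer);
}

/* Audit helper: count conversion directives in a string that came from
 * outside the program.  "%%" is a literal percent and is not counted;
 * a lone trailing '%' is counted because it is still malformed input.
 * A non-zero count shows the string would be interpreted if it ever
 * reached a format argument; external strings should never get there. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    /* The default input is constructed: "%%x" rather than "%x", so the
     * vulnerable path visibly rewrites the text ("%%" becomes "%")
     * without reading missing varargs, which would be undefined behaviour. */
    const char *progname = argc > 1 ? argv[1] : "%%x";
    char out[256];

    printf("directives in progname: %d\n", count_directives(progname));
    version_vulnerable(out, sizeof out, progname);
    printf("vulnerable: %s\n", out);
    version_fixed(out, sizeof out, progname);
    printf("fixed:      %s\n", out);
    return 0;
}
```

With the default input, the vulnerable path prints "%x : Demo Radius Server 1.1" (the "%%" was consumed as a directive) while the fixed path prints "%%x : Demo Radius Server 1.1" unchanged. The fix in both src/log.c and src/version.c is the same one-line change: never pass data as the format argument, use a literal format and pass the data through "%s".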