Re: m4 format string vulnerability

2001-02-05 Thread Valentin Nechayev

  confirmed for red hat linux 7.0:
  [kerouac:mg:~]m4 -G %x

All folks test it with -G, but it is not really needed.

FreeBSD ports:

netch@iv:~gm4 -G %x
gm4: bfbffb8c: No such file or directory
netch@iv:~gm4 %x
gm4: bfbffb8c: No such file or directory
netch@iv:~gm4 %d
gm4: -1077937268: No such file or directory
netch@iv:~gm4 %s
gm4: oü¿¿„ü¿¿žü¿¿³ü¿¿Êü¿¿åü¿¿ñü¿¿úü¿¿ý¿¿ý¿¿6ý¿¿Ký¿¿eý¿¿sý¿¿{ý¿¿‘ý¿¿«ý¿¿¹ý¿¿Ëý¿
¿Øý¿¿îý¿¿eþ¿¿xþ¿¿þ¿¿: No such file or directory

(port is m4-1.4)

RH 7.0:

netch@yacc:~m4 %x
m4: 80499d9: No such file or directory
netch@yacc:~m4 %d
m4: 134519257: No such file or directory

RH 6.2:

netch@sleipnir:~m4 %x
m4: 401081cc: No such file or directory
netch@sleipnir:~rpm -q m4
m4-1.4-12

and so on. Possibly all GNU versions are vulnerable.

Patch against this (tabs are broken by cut-and-paste):

--- src/m4.c.orig   Wed Nov  2 05:14:28 1994
+++ src/m4.cMon Feb  5 10:36:17 2001
@@ -466,7 +466,7 @@
fp = path_search (argv[optind]);
if (fp == NULL)
  {
-   error (0, errno, argv[optind]);
+   error (0, errno, "%s", argv[optind]);
continue;
  }
else
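
Review bot: The `-o` handler at m4.c:372 makes the same call, `error (0, errno, optarg);`, and this hunk leaves it untouched, so the fix is incomplete until that site gets the identical `"%s"` change. The `+++` header has also lost its separator (`src/m4.cMon`) and the context lines have lost their indentation, so the diff should be resent as an attachment covering both call sites.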

The only other bad usage of error():

m4.c:372: error (0, errno, optarg);

part of code:

==={{{
  case 'o':
if (!debug_set_output (optarg))
  error (0, errno, optarg);
break;
===}}}

The patch follows the same idea.

  m4: 80499d9: Datei oder Verzeichnis nicht gefunden
  [kerouac:mg:~]cat /etc/redhat-release
  Red Hat Linux release 7.0 (Guinness)
  [kerouac:mg:~]rpm -q m4
  m4-1.4.1-3


/netch
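
The pattern the patch in this message applies, as an added example (not code from m4 or from anyone in this thread): `report` is a hypothetical stand-in for `error()`, `count_directives` is an assumed audit helper, and the `%x%x%x%x` argument is constructed input of the kind shown in the thread.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for error(0, errnum, fmt, ...). The format attribute
   (GCC/Clang) makes the compiler check every caller; with -Wformat-security
   a call that passes a bare variable as fmt with no arguments is flagged. */
static int report(char *, size_t, int, const char *, ...) __attribute__((format(printf, 4, 5)));

/* Writes "m4: <message>: <strerror(errnum)>"; returns length, -1 if truncated. */
static int report(char *out, size_t n, int errnum, const char *fmt, ...)
{
    va_list ap;
    int used = snprintf(out, n, "m4: ");
    if (used < 0 || (size_t)used >= n) return -1;
    va_start(ap, fmt);
    int r = vsnprintf(out + used, n - (size_t)used, fmt, ap);
    va_end(ap);
    if (r < 0 || (size_t)r >= n - (size_t)used) return -1;
    used += r;
    r = snprintf(out + used, n - (size_t)used, ": %s", strerror(errnum));
    if (r < 0 || (size_t)r >= n - (size_t)used) return -1;
    return used + r;
}

/* Patched pattern: the untrusted name is data for "%s", never the format. */
static int report_missing_file(char *out, size_t n, const char *name)
{
    return report(out, n, ENOENT, "%s", name);
}

/* Coarse audit helper (assumed): counts '%' directives in s; "%%" is literal. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    if (report_missing_file(buf, sizeof buf, "%x%x%x%x") > 0) puts(buf);
    return 0;
}
```

With the literal `"%s"` format the argument is echoed verbatim instead of being interpreted, which is the behaviour the patched m4 should show for the same input.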



Re: m4 format string vulnerability [was: Re: SuSe / Debian man package ...]

2001-02-04 Thread starman jones

"m4 -G %n" will make m4 seg fault on SuSE 6.4 (without the "" of course)

sorry for the mistake
feh

sj



Re: m4 format string vulnerability [was: Re: SuSe / Debian man package ...]

2001-02-04 Thread Ivo van Poorten

On Saturday 03 February 2001 14:54, Mike Gerber wrote:
 confirmed for red hat linux 7.0:

 [kerouac:mg:~]m4 -G %x
 m4: 80499d9: Datei oder Verzeichnis nicht gefunden
 [kerouac:mg:~]cat /etc/redhat-release
 Red Hat Linux release 7.0 (Guinness)
 [kerouac:mg:~]rpm -q m4
 m4-1.4.1-3

Same here:

[ivo@vanity ~]$ m4 -G %x
m4: 80497fb: No such file or directory
[ivo@vanity ~]$ rpm -q m4
m4-1.4-17mdk
[ivo@vanity ~]$ cat /etc/mandrake-release
Linux Mandrake release 7.2 (Odyssey) for i586

--Ivo

--
If the Windows desktop starts to topple, it's like a redwood tree.
It takes a long time for it to fall, but it's really hard to stop once
it starts. -- Carl Howe.



Re: m4 format string vulnerability

2001-02-04 Thread Jarno Huuskonen

On Sat, Feb 03, Mike Gerber wrote:
 confirmed for red hat linux 7.0:

 [kerouac:mg:~]m4 -G %x
 m4: 80499d9: Datei oder Verzeichnis nicht gefunden
 [kerouac:mg:~]cat /etc/redhat-release
 Red Hat Linux release 7.0 (Guinness)
 [kerouac:mg:~]rpm -q m4
 m4-1.4.1-3

I don't see this as a big problem, but here's a patch:

--- m4-1.4/src/m4.c.origSat Feb  3 23:06:37 2001
+++ m4-1.4/src/m4.c Sat Feb  3 23:07:26 2001
@@ -369,7 +369,7 @@

   case 'o':
if (!debug_set_output (optarg))
- error (0, errno, optarg);
+ error (0, errno, "%s", optarg);
break;

   case 's':
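
Review bot: In the `'o'` case the patched call still prints nothing but `optarg` and the errno text, so when `debug_set_output` fails the user cannot tell that it was the debug output file that could not be set. Now that the format is a literal, consider naming the operation in it and keeping `optarg` as the `%s` argument.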
@@ -466,7 +466,7 @@
fp = path_search (argv[optind]);
if (fp == NULL)
  {
-   error (0, errno, argv[optind]);
+   error (0, errno, "%s", argv[optind]);
continue;
  }
else
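
Review bot: The context lines in this hunk have lost their leading whitespace (`fp = path_search (argv[optind]);` and `continue;` sit flush left while the braces keep two spaces), and the `---` header runs the file name into the date (`m4.c.origSat`), so the patch will have to be applied by hand or resent as an attachment. The `"%s"` change itself is right for the `path_search` failure path: `argv[optind]` becomes an argument rather than the format.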

One thing I noticed: if your system doesn't have mkstemp/tmpfile
m4 comes with its own implementation of tmpfile/mkstemp.
This uses mktemp and open (w/out O_EXCL).

-Jarno



m4 format string vulnerability [was: Re: SuSe / Debian man package ...]

2001-02-03 Thread Mike Gerber

On Fre, Feb 02, 2001 at 09:36:29 +0100, Tomasz Kuniar wrote:
 The same problem in most (all?) distributions is with m4 - GNU macro
 processor code, when trying use -G option:

 mezon@beata:~$ m4 -G %x%x%x%x
 m4: 40012a48380491e00: No such file or directory

confirmed for red hat linux 7.0:

[kerouac:mg:~]m4 -G %x
m4: 80499d9: Datei oder Verzeichnis nicht gefunden
[kerouac:mg:~]cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
[kerouac:mg:~]rpm -q m4
m4-1.4.1-3

--
mike gerber