Re: m4 format string vulnerability
confirmed for red hat linux 7.0: [kerouac:mg:~]m4 -G %x All folks tests it with -G, but it is not really needed. FreeBSD ports: netch@iv:~gm4 -G %x gm4: bfbffb8c: No such file or directory netch@iv:~gm4 %x gm4: bfbffb8c: No such file or directory netch@iv:~gm4 %d gm4: -1077937268: No such file or directory netch@iv:~gm4 %s gm4: oü¿¿ü¿¿ü¿¿³ü¿¿Êü¿¿åü¿¿ñü¿¿úü¿¿ý¿¿ý¿¿6ý¿¿Ký¿¿eý¿¿sý¿¿{ý¿¿ý¿¿«ý¿¿¹ý¿¿Ëý¿ ¿Øý¿¿îý¿¿eþ¿¿xþ¿¿þ¿¿: No such file or directory (port is m4-1.4) RH 7.0: netch@yacc:~m4 %x m4: 80499d9: No such file or directory netch@yacc:~m4 %d m4: 134519257: No such file or directory RH 6.2: netch@sleipnir:~m4 %x m4: 401081cc: No such file or directory netch@sleipnir:~rpm -q m4 m4-1.4-12 and so on. Possibly all GNU versions are vulnerable. Patch against this (tabs are broken by cut-and-paste): --- src/m4.c.orig Wed Nov 2 05:14:28 1994 +++ src/m4.cMon Feb 5 10:36:17 2001 @@ -466,7 +466,7 @@ fp = path_search (argv[optind]); if (fp == NULL) { - error (0, errno, argv[optind]); + error (0, errno, "%s", argv[optind]); continue; } else Another the only bad usage of error(): m4.c:372: error (0, errno, optarg); part of code: ==={{{ case 'o': if (!debug_set_output (optarg)) error (0, errno, optarg); break; ===}}} patch is of the same idea. m4: 80499d9: Datei oder Verzeichnis nicht gefunden [kerouac:mg:~]cat /etc/redhat-release Red Hat Linux release 7.0 (Guinness) [kerouac:mg:~]rpm -q m4 m4-1.4.1-3 /netch
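Review bot: The single hunk at -466 leaves the second call this message itself points out, `error (0, errno, optarg);` under `case 'o':` at m4.c:372, unpatched; add a hunk that changes it to `error (0, errno, "%s", optarg);` so that neither caller-supplied string is used as the format. The `+++ src/m4.cMon Feb 5 10:36:17 2001` header has lost the separator between file name and timestamp, so the diff should be regenerated rather than applied from this paste.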
Re: m4 format string vulnerability [was: Re: SuSe / Debian man package ...]
"m4 -G %n" will make m4 seg fault on SuSE 6.4 (without the "" of course)

sorry for the mistake

feh sj
Re: m4 format string vulnerability [was: Re: SuSe / Debian man package ...]
On Saturday 03 February 2001 14:54, Mike Gerber wrote:
> confirmed for red hat linux 7.0:
>
> [kerouac:mg:~]m4 -G %x
> m4: 80499d9: Datei oder Verzeichnis nicht gefunden
> [kerouac:mg:~]cat /etc/redhat-release
> Red Hat Linux release 7.0 (Guinness)
> [kerouac:mg:~]rpm -q m4
> m4-1.4.1-3

Same here:

[ivo@vanity ~]$ m4 -G %x
m4: 80497fb: No such file or directory
[ivo@vanity ~]$ rpm -q m4
m4-1.4-17mdk
[ivo@vanity ~]$ cat /etc/mandrake-release
Linux Mandrake release 7.2 (Odyssey) for i586

--Ivo

--
If the Windows desktop starts to topple, it's like a redwood tree. It takes a long time for it to fall, but it's really hard to stop once it starts. -- Carl Howe.
Re: m4 format string vulnerability
On Sat, Feb 03, Mike Gerber wrote: confirmed for red hat linux 7.0: [kerouac:mg:~]m4 -G %x m4: 80499d9: Datei oder Verzeichnis nicht gefunden [kerouac:mg:~]cat /etc/redhat-release Red Hat Linux release 7.0 (Guinness) [kerouac:mg:~]rpm -q m4 m4-1.4.1-3 I don't see this as a big problem, but here's a patch: --- m4-1.4/src/m4.c.origSat Feb 3 23:06:37 2001 +++ m4-1.4/src/m4.c Sat Feb 3 23:07:26 2001 @@ -369,7 +369,7 @@ case 'o': if (!debug_set_output (optarg)) - error (0, errno, optarg); + error (0, errno, "%s", optarg); break; case 's': @@ -466,7 +466,7 @@ fp = path_search (argv[optind]); if (fp == NULL) { - error (0, errno, argv[optind]); + error (0, errno, "%s", argv[optind]); continue; } else One thing I noticed: if your system doesn't have mkstemp/tmpfile m4 comes with its own implementation of tmpfile/mkstemp. This uses mktemp and open (w/out O_EXCL). -Jarno
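Review bot: The file header `--- m4-1.4/src/m4.c.origSat Feb 3 23:06:37 2001` has the file name fused to the timestamp, so this patch should be regenerated with the separator restored before it is applied; the two hunks themselves (optarg at -369, argv[optind] at -466) correctly pass "%s" as the format. The tmpfile/mkstemp fallback mentioned under the patch (mktemp plus open without O_EXCL) is not touched by these hunks and needs a separate change that opens the file with O_EXCL.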
m4 format string vulnerability [was: Re: SuSe / Debian man package ...]
On Fre, Feb 02, 2001 at 09:36:29 +0100, Tomasz Kuniar wrote:
> The same problem in most (all?) distributions is with m4 - GNU macro
> processor code, when trying use -G option:
>
> mezon@beata:~$ m4 -G %x%x%x%x
> m4: 40012a48380491e00: No such file or directory

confirmed for red hat linux 7.0:

[kerouac:mg:~]m4 -G %x
m4: 80499d9: Datei oder Verzeichnis nicht gefunden
[kerouac:mg:~]cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
[kerouac:mg:~]rpm -q m4
m4-1.4.1-3

--
mike gerber
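
The two call forms from the patches in this thread, side by side, as an added example that is not code from m4 or from any poster. report() is a hypothetical stand-in for error (0, errnum, fmt, ...) that formats into a buffer so the result can be checked; the file names are constructed.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for error (0, errnum, fmt, ...): builds
   "m4: <message>: <strerror>" in out instead of writing to stderr. */
static void report(char *out, size_t n, int errnum, const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    snprintf(out, n, "m4: %s: %s", msg, strerror(errnum));
}

/* Pre-patch form: the file name itself is handed over as the format. */
const char *open_failed_unpatched(const char *name)
{
    static char buf[512];
    report(buf, sizeof buf, ENOENT, name);
    return buf;
}

/* Patched form: the format is the constant "%s", the name is only data. */
const char *open_failed_patched(const char *name)
{
    static char buf[512];
    report(buf, sizeof buf, ENOENT, "%s", name);
    return buf;
}

int main(void)
{
    /* Constructed names. "%%" takes no argument, so it shows the name
       being parsed as a format without reading arguments that were
       never passed (which is what %x, %s and %n do, and why the
       unpatched form is not called with them here). */
    puts(open_failed_unpatched("input.m4"));   /* same as patched      */
    puts(open_failed_patched("input.m4"));
    puts(open_failed_unpatched("100%%.m4"));   /* name altered: 100%.m4 */
    puts(open_failed_patched("100%%.m4"));     /* name kept verbatim    */
    puts(open_failed_patched("%x%x%x%x"));     /* printed as typed      */
    return 0;
}
```

On ordinary file names both forms print the same message, which is how the pre-patch call went unnoticed for so long.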