Bugs item #3603894, was opened at 2013-02-08 18:06
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603894&group_id=95403
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: Yes
Submitted By: https://www.google.com/accounts ()
Assigned to: Nobody/Anonymous (nobody)
Summary: unsafe use of system(3), sprintf(3)

Initial Comment:
Hello,

while performing an audit of vde2 (https://bugs.launchpad.net/ubuntu/+source/vde2/+bug/776818) I found a security bug. If you decide this is a security issue, please contact the linux-distros security list to coordinate a release and request a CVE number. (See http://oss-security.openwall.org/wiki/mailing-lists/distros for details on using the linux-distros list. Note especially that [vs] is required in the Subject: header.)

The system(3) and sprintf(3) library calls are used in an unsafe manner in cryptcab:

    if(!pre_shared){
        vc_printlog(2,"Sending key over ssh channel:");
        if(remoteusr)
            sprintf(command,"scp %s /tmp/.blowfish.key %s@%s:/tmp/.%s.key 2>&1", scp_extra_options?scp_extra_options:"", remoteusr, remotehost, ret->id);
        else
            sprintf(command,"scp %s /tmp/.blowfish.key %s:/tmp/.%s.key 2>&1", scp_extra_options?scp_extra_options:"", remotehost, ret->id);
        //fprintf(stderr,"Contacting host: %s ",remotehost);
        res=system(command);

Every use of %s indicates a place where an attacker may supply shell metacharacters, if the corresponding variable is under control of an attacker. Further, note that command is declared to hold only 255 bytes, but this code does not prevent overwriting the buffer.

Far better would be to build an array of strings for execution directly by execve(2) or one of the related functions, and avoid use of the shell. This will prevent shell metacharacters from being used for evil. This will also prevent the buffer overflow.

This probably requires two separate CVE entries, one for the buffer overflows and one for the unsafe use of system(3).
_______________________________________________
vde-users mailing list
vde-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vde-users
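The fix the report suggests, as an added example written for this page (it is not vde2's code and not part of the report): the scp invocation is rebuilt as an argv array sized from its inputs and run with fork()/execvp() instead of system(3), so no shell ever parses remoteusr, remotehost, ret->id or scp_extra_options, and there is no fixed 255-byte buffer to overrun. The function names build_scp_argv, push_arg, free_argv, run_argv and shell_command_would_overflow, the MAX_ARGS limit, the choice to split scp_extra_options on spaces, and the hostile sample hostname in main() are all this example's own assumptions. shell_command_would_overflow only measures the length the original sprintf() string would have had; it never writes it anywhere.

```c
/* Added example, not vde2 code: the cryptcab command from the report rebuilt
 * as an argv array and run without a shell.  Function names, MAX_ARGS and the
 * hostile sample hostname in main() are this example's own assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 32
#define COMMAND_BUF 255   /* size of cryptcab's command[] per the report */

/* Measures (snprintf with a NULL buffer) how long the report's sprintf()
 * command would be.  Returns 1 if it plus its NUL would not fit in
 * command[255], i.e. the original sprintf() would overflow the buffer. */
int shell_command_would_overflow(const char *extra, const char *remoteusr,
                                 const char *remotehost, const char *id)
{
    int n;
    if (remoteusr)
        n = snprintf(NULL, 0, "scp %s /tmp/.blowfish.key %s@%s:/tmp/.%s.key 2>&1",
                     extra ? extra : "", remoteusr, remotehost, id);
    else
        n = snprintf(NULL, 0, "scp %s /tmp/.blowfish.key %s:/tmp/.%s.key 2>&1",
                     extra ? extra : "", remotehost, id);
    return n < 0 || n + 1 > COMMAND_BUF;
}

void free_argv(char *argv[])
{
    for (int i = 0; argv[i]; i++) free(argv[i]);
    argv[0] = NULL;
}

/* Appends a copy of s to argv, keeping argv NULL-terminated.  0 on failure. */
static int push_arg(char *argv[], int *argc, const char *s)
{
    char *copy;
    if (*argc >= MAX_ARGS - 1 || !(copy = strdup(s))) return 0;
    argv[(*argc)++] = copy;
    argv[*argc] = NULL;
    return 1;
}

/* Builds {"scp", <extra options...>, "/tmp/.blowfish.key", "<target>", NULL}.
 * Each caller-controlled value is one argv element, so ';', '`', '$(' or
 * spaces in remotehost or id reach scp literally, and the target string is
 * sized from its inputs.  `extra` is split on spaces (a simplification: no
 * shell-style quoting).  Returns argc, or -1 on error; free with free_argv(). */
int build_scp_argv(char *argv[], const char *extra, const char *remoteusr,
                   const char *remotehost, const char *id)
{
    int argc = 0;
    char *opts = NULL, *target = NULL;
    size_t tlen;

    argv[0] = NULL;
    if (!remotehost || !id) return -1;
    if (!push_arg(argv, &argc, "scp")) goto fail;
    if (extra && *extra) {
        if (!(opts = strdup(extra))) goto fail;
        for (char *tok = strtok(opts, " "); tok; tok = strtok(NULL, " "))
            if (!push_arg(argv, &argc, tok)) goto fail;
        free(opts); opts = NULL;
    }
    if (!push_arg(argv, &argc, "/tmp/.blowfish.key")) goto fail;
    /* "user@" + host + ":/tmp/." (7) + id + ".key" (4) + NUL */
    tlen = (remoteusr ? strlen(remoteusr) + 1 : 0) + strlen(remotehost)
           + 7 + strlen(id) + 4 + 1;
    if (!(target = malloc(tlen))) goto fail;
    if (remoteusr)
        snprintf(target, tlen, "%s@%s:/tmp/.%s.key", remoteusr, remotehost, id);
    else
        snprintf(target, tlen, "%s:/tmp/.%s.key", remotehost, id);
    if (!push_arg(argv, &argc, target)) goto fail;
    free(target);
    return argc;
fail:
    free(opts); free(target); free_argv(argv);
    return -1;
}

/* Runs argv with fork()/execvp(): no shell, so no metacharacter expansion.
 * Returns the child's exit status, 127 if it could not be executed, or -1
 * if fork/waitpid failed or the child died from a signal. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile input: under system(3) the ';' would end the scp
     * command and the shell would run what follows as a second command. */
    const char *host = "host.example; touch /tmp/pwned";
    char *argv[MAX_ARGS];
    int argc = build_scp_argv(argv, "-P 2222", "alice", host, "peer1");
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = [%s]\n", i, argv[i]);
    printf("original sprintf() would overflow: %d\n",
           shell_command_would_overflow("-P 2222", "alice", host, "peer1"));
    free_argv(argv);   /* run_argv(argv) is what replaces system(command) */
    return 0;
}
```

In the printed argv the hostile hostname appears as one literal element of the scp target, which scp will simply fail to resolve; nothing executes `touch`. Two caveats a reviewer would still raise: execvp() resolves "scp" through PATH, so the caller's environment remains part of the trust picture unless an absolute path is used, and the original's `2>&1` redirection is shell syntax, so capturing scp's stderr now has to be done with dup2() in the child rather than in the command string.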