Bugs item #3603895, was opened at 2013-02-08 18:10 Message generated for change (Tracker Item Submitted) made by You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603895&group_id=95403
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: Yes Submitted By: https://www.google.com/accounts () Assigned to: Nobody/Anonymous (nobody) Summary: unsafe use of syslog(3) Initial Comment: Hello, while performing an audit of vde2 (https://bugs.launchpad.net/ubuntu/+source/vde2/+bug/776818) I found a bug; it may even be a security bug. If you decide this is a security issue, please contact the linux-distros security list to coordinate a release and request a CVE number. (See http://oss-security.openwall.org/wiki/mailing-lists/distros for details on using the linux-distros list. Note especially that [vs] is required in the Subject: header.) if ((pwd=getpwuid(port_user(port))) == NULL) username="(none)"; else username=pwd->pw_name; iov[1].iov_len=snprintf(msg,sizeof(msg),"ipv%d %s mac=%02x:%02x:%02x:%02x:%02x:%02x port=%d vlan=%d user=%s", (len==4)?4:6, hostname, srcmac[0], srcmac[1], srcmac[2], srcmac[3], srcmac[4], srcmac[5], port, vlan, username); for (epn=0; (descr=port_descr(port,epn)) != NULL; epn++) { int len=iov[1].iov_len; int descrlen=snprintf(msg+len,sizeof(msg)-len," \"%s\"",descr); iov[1].iov_len+=descrlen; } if (logfilefd >= 0) { time_t ntime=time(&ntime); ctime_r(&ntime,stime); writev(logfilefd,iov,3); } else if (logfilefd != -1) syslog(LOG_INFO, msg); If the hostname or the username contains format string specifiers, such as %n, this may be a format string vulnerability. The fix should be simple, replace the final line with: syslog(LOG_INFO, "%s", msg); Thanks ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603895&group_id=95403 ------------------------------------------------------------------------------ Free Next-Gen Firewall Hardware Offer Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more. http://p.sf.net/sfu/sophos-d2d-feb _______________________________________________ vde-users mailing list vde-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/vde-users