Bugs item #3603895, was opened at 2013-02-08 18:10
Message generated for change (Settings changed) made by danielel
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603895&group_id=95403

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: Yes
Submitted By: https://www.google.com/accounts ()
>Assigned to: Daniele Lacamera (danielel)
Summary: unsafe use of syslog(3)

Initial Comment:
Hello, while performing an audit of vde2 
(https://bugs.launchpad.net/ubuntu/+source/vde2/+bug/776818) I found a bug; it 
may even be a security bug. If you decide this is a security issue, please 
contact the linux-distros security list to coordinate a release and request a 
CVE number. (See http://oss-security.openwall.org/wiki/mailing-lists/distros 
for details on using the linux-distros list. Note especially that [vs] is 
required in the Subject: header.)

                        if ((pwd=getpwuid(port_user(port))) == NULL)
                                username="(none)";
                        else
                                username=pwd->pw_name;
                        iov[1].iov_len=snprintf(msg,sizeof(msg),"ipv%d %s 
mac=%02x:%02x:%02x:%02x:%02x:%02x port=%d vlan=%d user=%s",
                                        (len==4)?4:6, hostname,
                                        srcmac[0], srcmac[1], srcmac[2], 
srcmac[3], srcmac[4], srcmac[5],
                                        port, vlan, username);
                        for (epn=0; (descr=port_descr(port,epn)) != NULL; 
epn++) {
                                int len=iov[1].iov_len;
                                int descrlen=snprintf(msg+len,sizeof(msg)-len," 
\"%s\"",descr);
                                iov[1].iov_len+=descrlen;
                        }
                        if (logfilefd >= 0) {
                                time_t ntime=time(&ntime);
                                ctime_r(&ntime,stime);
                                writev(logfilefd,iov,3);
                        } else if (logfilefd != -1)
                                syslog(LOG_INFO, msg);

If the hostname or the username contains format string specifiers, such as %n, 
this may be a format string vulnerability.

The fix should be simple, replace the final line with:

syslog(LOG_INFO, "%s", msg);

Thanks

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603895&group_id=95403

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
vde-users mailing list
vde-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vde-users

Reply via email to