Debian Bug report logs -
#347221
smstools: Format string attack in logging code
Reported by: Steve Kemp <skx@debian.org>
Date: Mon, 9 Jan 2006 15:03:08 UTC
Severity: grave
Tags: fixed, security
Found in version smstools/1.16-1+b1
Fixed in version 1.16-1.1
Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>:
Bug#347221; Package smstools.
(full text, mbox, link).
Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Mark Purcell <msp@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: smstools
Version: 1.16-1+b1
Severity: grave
Justification: user security hole
Tags: security
*** Please type your report below this line ***
A DSA has just been released for smstools due to an insecure
usage of syslog in the logging code.
The following patch will correct the issue:
--- smstools-1.14.8.orig/src/logging.c
+++ smstools-1.14.8/src/logging.c
@@ -78,7 +78,7 @@
va_end(argp);
if (Filehandle<0)
{
- syslog(severity,text);
+ syslog(severity,"%s",text);
}
else
{
Steve
--
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6-xen
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages smstools depends on:
ii libc6 2.3.5-11 GNU C Library: Shared libraries an
ii libmm14 1.4.0-1 Shared memory library - runtime
smstools recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>:
Bug#347221; Package smstools.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>.
(full text, mbox, link).
Message #10 received at 347221@bugs.debian.org (full text, mbox, reply):
* Steve Kemp:
> A DSA has just been released for smstools due to an insecure
> usage of syslog in the logging code.
Please mention the CVE name CVE-2006-0083 in the changelog when fixing
this bug.
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>:
Bug#347221; Package smstools.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>.
(full text, mbox, link).
Message #15 received at 347221@bugs.debian.org (full text, mbox, reply):
Here's the actual patch I used for the NMU (Steve's doesn't apply
cleanly).
diff --git a/debian/changelog b/debian/changelog
index a9794e3..c84c65c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+smstools (1.16-1.1) unstable; urgency=high
+
+ * Non-maintainer upload
+ * CVE-2006-0083: Apply patch to fix format string issue
+ in logging code. Closes: #347221.
+
+ -- Florian Weimer <fw@deneb.enyo.de> Mon, 23 Jan 2006 13:49:46 +0100
+
smstools (1.16-1) unstable; urgency=low
* New upstream release
diff --git a/src/logging.c b/src/logging.c
index f33ff8b..5e9974e 100644
--- a/src/logging.c
+++ b/src/logging.c
@@ -83,7 +83,7 @@ void writelogfile(int severity,char* for
if (severity<=Level)
{
if (Filehandle<0)
- syslog(severity,text);
+ syslog(severity,"%s",text);
else
{
time(&now);
Tags added: fixed
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 1.16-1.1, send any further explanations to Steve Kemp <skx@debian.org>
Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
to control@bugs.debian.org.
(full text, mbox, link).
Message #22 received at 347221-submitter@bugs.debian.org (full text, mbox, reply):
Hi,
You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #347221 in the smstools
package, which you reported.
Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.
Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.
Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.
[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:
- the bug was fixed in one version but subsequently found to exist
in a later version
- the bug existed in multiple distributions (for instance, "unstable"
and "stable") and was thus fixed in a separate upload to each
distribution
]
Regards,
Adam
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 20:29:53 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:02:38 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon