[19005] in bugtraq
Re: m4 format string vulnerability
daemon@ATHENA.MIT.EDU (Valentin Nechayev)
Mon Feb 5 13:02:00 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Message-Id: <20010205104036.A3465@lucky.net>
Date: Mon, 5 Feb 2001 10:40:36 +0200
Reply-To: netch@lucky.net
From: Valentin Nechayev <netch@LUCKY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
> > confirmed for red hat linux 7.0:
> > [kerouac:mg:~]m4 -G %x
Everyone tests it with -G, but -G is not really needed.
FreeBSD ports:
netch@iv:~>gm4 -G %x
gm4: bfbffb8c: No such file or directory
netch@iv:~>gm4 %x
gm4: bfbffb8c: No such file or directory
netch@iv:~>gm4 %d
gm4: -1077937268: No such file or directory
netch@iv:~>gm4 %s
gm4: o6Kes{
ex: No such file or directory
(port is m4-1.4)
RH 7.0:
netch@yacc:~>m4 %x
m4: 80499d9: No such file or directory
netch@yacc:~>m4 %d
m4: 134519257: No such file or directory
RH 6.2:
netch@sleipnir:~>m4 %x
m4: 401081cc: No such file or directory
netch@sleipnir:~>rpm -q m4
m4-1.4-12
and so on. Possibly all GNU versions are vulnerable.
Patch against this (tabs are broken by cut-and-paste):
--- src/m4.c.orig Wed Nov 2 05:14:28 1994
+++ src/m4.c Mon Feb 5 10:36:17 2001
@@ -466,7 +466,7 @@
fp = path_search (argv[optind]);
if (fp == NULL)
{
- error (0, errno, argv[optind]);
+ error (0, errno, "%s", argv[optind]);
continue;
}
else
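Review bot: the diff covers only the path_search failure site at src/m4.c:466; the identical pattern in the 'o' option handler (m4.c:372, `error (0, errno, optarg);`, quoted further down in this mail) has no hunk here, so the patch as posted still lets the -o argument reach error() as a format string. Add the matching hunk, `-            error (0, errno, optarg);` / `+            error (0, errno, "%s", optarg);`, and since the mail says its tabs are broken by cut-and-paste, regenerate the diff with `diff -u` from the tree rather than re-typing it, or apply it with `patch -l` so the whitespace damage does not make the hunk fail. Building once with `-Wformat -Wformat-security` is also worthwhile: glibc's error() carries the printf format attribute, so any remaining call whose format is not a literal and has no further arguments is reported.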
The only other bad usage of error():
m4.c:372: error (0, errno, optarg);
the relevant part of the code:
==={{{
case 'o':
  if (!debug_set_output (optarg))
    error (0, errno, optarg);   /* optarg (the -o argument) is used as the format string */
  break;
===}}}
The patch is of the same idea.
> > m4: 80499d9: Datei oder Verzeichnis nicht gefunden
> > [kerouac:mg:~]cat /etc/redhat-release
> > Red Hat Linux release 7.0 (Guinness)
> > [kerouac:mg:~]rpm -q m4
> > m4-1.4.1-3
/netch
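As an added example (it is not code from m4 or from anyone in this thread), here is the bug shape and the fix side by side, with a small stand-in for error() that renders into a buffer instead of stderr so the two outputs can be compared. error_to_buf, vulnerable_message, fixed_message and has_format_directives are names chosen for this demo, the "m4:" prefix and the sample file name are constructed, and ENOENT is used to match the "No such file or directory" seen in the thread.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for glibc/gnulib error(status, errnum, fmt, ...): renders
   "m4: <formatted message>: <strerror(errnum)>" into out instead of
   writing to stderr, so the two call shapes can be compared as strings.
   Like the real error(), it hands fmt straight to a vprintf-family
   function, so every directive in fmt is honoured. (Demo helper.) */
static void error_to_buf(char *out, size_t outsz, int errnum, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    snprintf(out, outsz, "m4: ");
    n = strlen(out);
    va_start(ap, fmt);
    vsnprintf(out + n, outsz - n, fmt, ap);
    va_end(ap);
    n = strlen(out);
    if (errnum != 0)
        snprintf(out + n, outsz - n, ": %s", strerror(errnum));
}

/* The vulnerable shape from m4 1.4 src/m4.c: the file name itself is the
   format string. A name such as "%x" makes vsnprintf read an argument that
   was never passed (undefined behaviour; the thread shows it dumping stack
   words), so this demo is exercised with "%%", the only argument-free
   directive, where the difference is deterministic. */
const char *vulnerable_message(const char *name)
{
    static char buf[256];
    error_to_buf(buf, sizeof buf, ENOENT, name);
    return buf;
}

/* The fixed shape from the patch: constant format, name passed to %s. */
const char *fixed_message(const char *name)
{
    static char buf[256];
    error_to_buf(buf, sizeof buf, ENOENT, "%s", name);
    return buf;
}

/* Audit helper: returns 1 if s contains a conversion directive that would
   consume an argument or write memory (anything after '%' except another
   '%'), 0 otherwise. Useful when checking what a variable string would do
   if it reached a printf-family call as the format. */
int has_format_directives(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign, not a directive */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: a file name containing a literal "%%". */
    const char *name = "100%%.m4";

    printf("vulnerable: %s\n", vulnerable_message(name));
    printf("fixed:      %s\n", fixed_message(name));
    printf("directives in \"%%x\": %d\n", has_format_directives("%x"));
    return 0;
}
```

The vulnerable path prints the name as "100%.m4" because "%%" was interpreted, while the fixed path prints it verbatim; with the real error(), which glibc declares with the printf format attribute, gcc's -Wformat -Wformat-security reports the first call site ("format not a string literal and no format arguments"), which is the quickest way to find the remaining sites the patch does not cover.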