Bug 110467 - gnome-extra/libgda syslog format string attack
|
Bug#:
110467
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: jaervosz@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
|
|
Summary: gnome-extra/libgda syslog format string attack
|
|
Keywords:
|
|
Status Whiteboard: B2? [glsa] jaervosz
|
|
Opened: 2005-10-25 13:26 0000
|
From Steve Kemp:
libgda2 format string attack
----------------------------
The gda2 library contains two format string bugs, both involving the
use of the syslog function.
The relevent code is contained in the file:
libgda2-1.2.1/libgda/gda-log.c
The two functions gda_log_error and gda_log_message both contain
this code:
syslog (LOG_USER | LOG_INFO, msg);
Exploitation
------------
The logging functions are called throughout the code and are
often passed user controllable input. For example:
gda-xml-database.c:
gda_log_error (_("Invalid XML database file '%s'"), uri);
or
gda-select.c:
gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);
Whilst it is not likely that privileges could be gained by the
libary alone there are several routes for exploitation via other
applications which link to the code.
The most obvious is the "gnumeric-plugins-extra" package which
links to and uses the code.
Fix
---
The following patch fixes this:
--- gda-log.c-orig 2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c 2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
#ifdef LIBGDA_WIN32
g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
#else
- syslog (LOG_USER | LOG_INFO, msg);
+ syslog (LOG_USER | LOG_INFO, "%s", msg);
#endif
g_free (msg);
}
@@ -144,7 +144,7 @@
#ifdef LIBGDA_WIN32
g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
#else
- syslog (LOG_USER | LOG_ERR, msg);
+ syslog (LOG_USER | LOG_ERR, "%s", msg);
#endif
g_free (msg);
}
Steve
Gnome please provide an updated ebuild.
I've committed libgda-1.2.2-r1.ebuild, which includes a patch for this.
Thx Leonardo, arches please test and mark stable.
Marked ppc64 stable. Thanks.
1.2.2-r1 fails on amd64 with the following sandbox error:
ACCESS DENIED unlink: /usr/lib64/libgdasql.so.3.0.0
/bin/install: cannot remove `/usr/lib64/libgdasql.so.3.0.0': Permission denied
make[2]: *** [install-libLTLIBRARIES] Error 1
make[2]: Leaving directory
`/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory
`/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
make: *** [install-recursive] Error 1
!!! ERROR: gnome-extra/libgda-1.2.2-r1 failed.
!!! Function einstall, Line 524, Exitcode 2
!!! einstall failed
1.2.2 works fine though
# cat /var/log/sandbox/sandbox-gnome-extra_-_libgda-1.2.2-r1-17475.log
unlink: /usr/lib64/libgdasql.so.3.0.0
#
Simon,
I can't reproduce the problem on pitr, but could you verify if adding
USE_DESTDIR="1" to the ebuild resolves it?
yup, works fine with USE_DESTDIR=1
Thanks, the fix has been committed to the ebuild now.
stable on alpha
Cheers,
Ferdy
GLSA 200511-01
For some unknown reason hppa and ia64 were forgotten along the way. Perhaps the
recent stable-ing of an older version...
hppa and ia64 should mark stable to benefit from GLSA.
Straigth to stable on hppa.
