Bug 91303 - net-proxy/oops: auth() Format String Flaw
Bug#: 91303
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: formula7@gentoo.org
Component: Vulnerabilities
URL:  http://securitytracker.com/alerts/2005/May/1013864.html
Summary: net-proxy/oops: auth() Format String Flaw
Keywords:  
Status Whiteboard: B1? [glsa] jaervosz
Opened: 2005-05-03 06:35 0000
Description:
CVE Reference: CAN-2005-1121
 
Version(s): 1.5.23 and prior versions 
 
Description:  A format string vulnerability was reported in Oops! A remote user may be able to execute arbitrary code. 

The passwd_mysql/passwd_pgsql module auth() function contains a call to the my_xlog() function that does not include a format string specifier. A remote user can supply a specially crafted HTTP request to trigger the vulnerability and cause the service to crash or execute arbitrary code.

A demonstration exploit request is provided:

GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0
Host: ghc.ru
Proxy-Authorization: Basic Z2hjOnJzdA==

The flaw resides in 'passwd_sql.c'.

Edisan from RST/GHC reported this vulnerability. 
 
Impact:  A remote user can cause the service to crash or execute arbitrary code.
 
Solution:  A patch is available at:

http://zipper.paco.net/~igor/oops/diff_from_1.5.23.patch.gz
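As an added illustration of the defect described above (this is not oops' own code nor the advisory's), a hypothetical printf-style logger stands in for my_xlog(); the vulnerable call shape is shown beside the fixed one, together with a small directive counter a defender can run over untrusted request text before it reaches any logger. The request line is the one quoted in the report; the function and buffer names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger like my_xlog(); not the
 * project's code. Output is kept in a buffer so callers can inspect it. */
static char log_buf[512];

void my_xlog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (the CAN-2005-1121 pattern): untrusted request text is
 * the format string, so every "%s" in it reads an argument that was never
 * supplied. Kept only for contrast and never called here; with
 * __attribute__((format(printf, 1, 2))) on my_xlog and -Wformat-security,
 * the compiler reports this call site. */
void log_request_vulnerable(const char *request)
{
    my_xlog(request);
}

/* Fixed shape: constant format, request passed as a "%s" argument, so any
 * directive inside the request is logged verbatim instead of interpreted. */
const char *log_request_fixed(const char *request)
{
    my_xlog("auth: request %s", request);
    return log_buf;
}

/* Detection aid: count printf conversion directives in untrusted text.
 * A non-zero count in a request line is worth alerting on. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal '%' */
        n++;
    }
    return n;
}

/* Constructed sample: the request line quoted in the advisory. */
const char sample_request[] = "GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0";
```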

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-05-03 13:26:25 0000 -------
net-proxy please advise.

------- Comment #2 From Alin Năstac 2005-05-03 15:36:10 0000 -------
Bug confirmed.
I've bumped version to the current 1.5.24 pre-release and marked as stable on x86.

------- Comment #3 From Gustavo Zacarias (RETIRED) 2005-05-04 06:36:52 0000 -------
sparc done.

------- Comment #4 From Luke Macken (RETIRED) 2005-05-05 15:36:16 0000 -------
GLSA 200505-02, thanks everyone!