Bug#: 107849
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>
Attachment: weex.formatstring.txt (patch, 291 bytes), "patch provided by Ulf Harnhammar", created by Tavis Ormandy (RETIRED) 2005-10-02 00:56 0000
Description:   Opened: 2005-10-02 00:53 0000
This was received at security@gentoo.org:

----------------------------------------
Date: Sun, 2 Oct 2005 04:12:49 +0200
From: Ulf Harnhammar <metaur@telia.com>
Subject: weex remote format string bug

Hello all,

weex suffers from a remote format string security bug.

Someone who controls an FTP server that weex will log in to can
set up malicious data in the account that weex will use, and that
will cause a format string bug that will allow remote code
execution. It will only happen when weex is first run or when its
cache files are rebuilt with the -r option, though.

I have verified this behaviour in versions 2.6.1 and 2.6.1.5. I have
attached a patch that corrects this problem, as well as a session
capture that shows it.

I hope that we can co-ordinate our respective updates of weex.

// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

------------------------------------------------
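The defect class the report describes, as an added illustration in C (not weex's code and not the attached patch): a client that records a server-supplied file name while building its cache. The hypothetical `log_cached_name` keeps the format string as a literal and passes the name only as a `%s` argument, and `count_format_directives` is a helper for flagging server-supplied strings that would be interpreted if they ever reached a format argument.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s. "%%" is a literal percent
 * sign and is not counted. A server-supplied name scoring > 0 would be
 * interpreted, not printed, if it were ever used as a format string. */
size_t count_format_directives(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* Hardened form: the format is a compile-time literal and the untrusted
 * name is only ever the argument of %s, so any '%' it contains is copied
 * verbatim. Returns the snprintf byte count. */
int log_cached_name(char *out, size_t outlen, const char *name) {
    return snprintf(out, outlen, "caching remote file: %s", name);
}

/* Vulnerable pattern for comparison (never do this with untrusted data):
 *     snprintf(out, outlen, name);   -- 'name' itself becomes the format.
 */

/* Convenience wrapper returning the formatted line from a static buffer. */
const char *log_cached_name_static(const char *name) {
    static char buf[128];
    log_cached_name(buf, sizeof buf, name);
    return buf;
}

int main(void) {
    /* constructed sample: a name a hostile server could list in the account */
    const char *name = "report-%x-%s.txt";
    printf("%s (%zu directives in name)\n",
           log_cached_name_static(name), count_format_directives(name));
    return 0;
}
```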

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-10-02 00:56:33 0000 -------
Created an attachment (id=69687) [details]
patch provided by Ulf Harnhammar

------- Comment #2 From Thierry Carrez (RETIRED) 2005-10-03 02:13:35 0000 -------
phosphan: please bump in CVS with patch.

------- Comment #3 From Patrick Kursawe 2005-10-04 02:33:43 0000 -------
In CVS, thanks for the hint and patch.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-10-04 06:02:40 0000 -------
Calling specific arch testers (x86, amd64) to test and mark stable. We keep it
low-profile for now.

------- Comment #5 From Patrick Kursawe 2005-10-04 06:39:25 0000 -------
*blush* Ok, that's not what the policy asked me to do, but I just left keywords
the way they were - this patch is just too trivial, sorry.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-10-04 06:42:58 0000 -------
Hehe. Security doesn't take position in maintainer/archteams conflicts :)

blubb and tester can scream at you if needed when they'll test. But I agree it's
a very non-disruptive bugfix.

------- Comment #7 From Simon Stelling (RETIRED) 2005-10-04 06:48:58 0000 -------
it compiles fine here, and the patch is really trivial, so amd64 is happy :)

------- Comment #8 From Thierry Carrez (RETIRED) 2005-10-05 07:35:45 0000 -------
"It will only happen when weex is first run or when its cache files are rebuilt
with the -r option, though."

That quite complicates exploitation...

------- Comment #9 From Olivier Crete 2005-10-05 20:03:21 0000 -------
seems to work ok on x86... 

------- Comment #10 From Sune Kloppenborg Jeppesen 2005-10-05 22:27:22 0000 -------
This one is ready for GLSA. 

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-10-06 12:53:41 0000 -------
Please use CAN-2005-3150 instead. 

------- Comment #12 From Sune Kloppenborg Jeppesen 2005-10-08 09:29:23 0000 -------
GLSA 200510-09 
