Bug#: 110467
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2005-10-25 13:26 0000
From Steve Kemp: 
 
libgda2 format string attack 
---------------------------- 
 
  The gda2 library contains two format string bugs, both involving the 
 use of the syslog function. 
 
  The relevant code is contained in the file: 
 
      libgda2-1.2.1/libgda/gda-log.c 
 
  The two functions gda_log_error and gda_log_message both contain 
 this code: 
 
      syslog (LOG_USER | LOG_INFO, msg); 
 
 
Exploitation 
------------ 
 
  The logging functions are called throughout the code and are 
 often passed user controllable input.  For example: 
 
gda-xml-database.c: 
 gda_log_error (_("Invalid XML database file '%s'"), uri); 
 
  or 
 
gda-select.c: 
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql); 
 
 
  Whilst it is not likely that privileges could be gained by the 
 library alone there are several routes for exploitation via other 
 applications which link to the code. 
 
  The most obvious is the "gnumeric-plugins-extra" package which 
 links to and uses the code. 
 
  
 
Fix 
--- 
 
  The following patch fixes this: 
 
--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100 
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100 
@@ -111,7 +111,7 @@ 
 #ifdef LIBGDA_WIN32 
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg); 
 #else 
-       syslog (LOG_USER | LOG_INFO, msg); 
+       syslog (LOG_USER | LOG_INFO, "%s", msg); 
 #endif 
        g_free (msg); 
 } 
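Review bot: the one-line change is the correct fix for the syslog branch of this function (gda_log_message, the LOG_INFO call named in the description): `msg` is the already-formatted output of the caller's format and varargs, so it must be passed as the argument of a constant `"%s"` format, never as the format itself. The `LIBGDA_WIN32` branch two lines above already does exactly that with `g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);`, so after the patch both branches treat `msg` consistently as data. The trailing context confirms `g_free (msg);` still runs after the call, so ownership of the string is unchanged.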
@@ -144,7 +144,7 @@ 
 #ifdef LIBGDA_WIN32 
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg); 
 #else 
-       syslog (LOG_USER | LOG_ERR, msg); 
+       syslog (LOG_USER | LOG_ERR, "%s", msg); 
 #endif 
        g_free (msg); 
 } 
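Review bot: same fix applied to the LOG_ERR call (gda_log_error), and it is the right one; the callers quoted in the description (gda-xml-database.c, gda-select.c) do not need changing because they already pass a constant format with the user-controlled string as a `%s` argument, so only this final `syslog (..., msg)` consumed attacker text as a format. Since the advisory found the pattern twice in one file, it is worth building the tree once with `-Wformat -Wformat-security` (GCC flags the non-literal-format calls this patch removes) to confirm no third instance exists elsewhere in libgda before the ebuild is marked stable.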
 
Steve
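To make the patched shape concrete, the following is an added example written for this page; it is not code from Steve Kemp's advisory or from libgda. It re-creates the structure of gda_log_error without GLib (vsnprintf stands in for g_strdup_vprintf, and a constructed in-memory sink stands in for syslog, since real syslog output cannot be inspected offline) and shows that user input containing `%n`, `%s` or `%x` reaches the log verbatim once the sink uses the constant `"%s"` format from the patch. The `count_format_directives` helper is an assumed audit aid, not a libgda function: run over a string that an unpatched build would have used as a format, it reports how many conversions that call would have interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for syslog(): captures the final line in a buffer so
 * the result can be inspected instead of going to the system log. */
static char g_last_line[512];

/* The fixed shape from the patch: the already-formatted message is DATA and
 * is handed to the sink through a constant "%s" format, never as the format.
 * Corresponds to: syslog (LOG_USER | LOG_ERR, "%s", msg); */
static void sink_fixed(const char *msg)
{
    snprintf(g_last_line, sizeof g_last_line, "%s", msg);
}

/* Hypothetical re-creation of gda_log_error's structure without GLib:
 * format the caller's format + varargs once, then pass the result on. */
void log_error(const char *format, ...)
{
    char msg[512];
    va_list ap;

    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);   /* stands in for g_strdup_vprintf */
    va_end(ap);

    sink_fixed(msg);
}

/* Returns the most recently logged line (for inspection and tests). */
const char *last_logged(void)
{
    return g_last_line;
}

/* Assumed audit helper: count printf conversion directives in a string.
 * If such a string were used as a format (the unpatched syslog(msg) call),
 * every directive counted here would be interpreted by the formatter.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent sign, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input shaped like the URI / SQL strings the advisory cites,
     * carrying directives an unpatched sink would have consumed. */
    const char *uri = "db.xml%n%s%x";

    log_error("Invalid XML database file '%s'", uri);
    printf("logged: %s\n", last_logged());
    printf("directives in user input: %d\n", count_format_directives(uri));
    return 0;
}
```

The takeaway matches the two hunks above: the string built from the caller's format is data by the time it reaches the logging sink, so the sink's own format must be a compile-time constant; `-Wformat-security` catches the remaining non-literal cases at build time.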

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-10-25 22:23:25 0000 -------
Gnome please provide an updated ebuild. 

------- Comment #2 From Leonardo Boshell (RETIRED) 2005-10-26 11:37:13 0000 -------
I've committed libgda-1.2.2-r1.ebuild, which includes a patch for this.

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-10-26 12:23:54 0000 -------
Thx Leonardo, arches please test and mark stable. 

------- Comment #4 From Brent Baude 2005-10-26 18:59:15 0000 -------
Marked ppc64 stable. Thanks.

------- Comment #5 From Gustavo Zacarias (RETIRED) 2005-10-27 07:20:09 0000 -------
sparc stable.

------- Comment #6 From Simon Stelling (RETIRED) 2005-10-28 08:28:15 0000 -------
1.2.2-r1 fails on amd64 with the following sandbox error:

ACCESS DENIED  unlink:    /usr/lib64/libgdasql.so.3.0.0
/bin/install: cannot remove `/usr/lib64/libgdasql.so.3.0.0': Permission denied
make[2]: *** [install-libLTLIBRARIES] Error 1
make[2]: Leaving directory
`/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory
`/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
make: *** [install-recursive] Error 1

!!! ERROR: gnome-extra/libgda-1.2.2-r1 failed.
!!! Function einstall, Line 524, Exitcode 2
!!! einstall failed

1.2.2 works fine though

 # cat /var/log/sandbox/sandbox-gnome-extra_-_libgda-1.2.2-r1-17475.log
unlink:    /usr/lib64/libgdasql.so.3.0.0
 #

------- Comment #7 From Leonardo Boshell (RETIRED) 2005-10-28 09:10:22 0000 -------
Simon,
I can't reproduce the problem on pitr, but could you verify if adding
USE_DESTDIR="1" to the ebuild resolves it?

------- Comment #8 From Simon Stelling (RETIRED) 2005-10-28 09:38:22 0000 -------
yup, works fine with USE_DESTDIR=1

------- Comment #9 From Leonardo Boshell (RETIRED) 2005-10-28 11:27:02 0000 -------
Thanks, the fix has been committed to the ebuild now.

------- Comment #10 From Fernando J. Pereda (RETIRED) 2005-10-28 13:52:17 0000 -------
stable on alpha

Cheers,
Ferdy

------- Comment #11 From Mark Loeser 2005-10-28 18:23:26 0000 -------
Stable on x86

------- Comment #12 From Michael Hanselmann (hansmi) (RETIRED) 2005-10-29 08:41:03 0000 -------
Stable on ppc.

------- Comment #13 From Simon Stelling (RETIRED) 2005-10-30 02:46:03 0000 -------
amd64 stable

------- Comment #14 From Thierry Carrez (RETIRED) 2005-11-02 09:02:19 0000 -------
GLSA 200511-01
For some unknown reason hppa and ia64 were forgotten along the way. Perhaps the
recent stable-ing of an older version...
hppa and ia64 should mark stable to benefit from GLSA.

------- Comment #15 From Michael Hanselmann (hansmi) (RETIRED) 2005-11-02 10:20:02 0000 -------
Straight to stable on hppa.
