
Bug 107849

Summary: net-ftp/weex: format string error (CAN-2005-3150)
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: phosphan
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
  patch provided by Ulf Harnhammar (flags: none)

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-10-02 00:53:12 UTC
This received at security@gentoo.org:

----------------------------------------
Date: Sun, 2 Oct 2005 04:12:49 +0200
From: Ulf Harnhammar <metaur@telia.com>
Subject: weex remote format string bug

Hello all,

weex suffers from a remote format string security bug.

Someone who controls an FTP server that weex will log in to can
set up malicious data in the account that weex will use, and that
will cause a format string bug that will allow remote code
execution. It will only happen when weex is first run or when its
cache files are rebuilt with the -r option, though.

I have verified this behaviour in versions 2.6.1 and 2.6.1.5. I have
attached a patch that corrects this problem, as well as a session
capture that shows it.

I hope that we can co-ordinate our respective updates of weex.

// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

------------------------------------------------
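The bug class Ulf describes, shown as an added illustration that is not part of the bug report, of weex's source, or of the attached patch: a file name that the remote FTP server controls is handled the vulnerable way (kept in a comment) and the hardened way, together with a simple count of '%' characters that a defender can log when reviewing server-supplied listing data before it reaches a printf-family call. The sample file name, the function names and the "fetching" message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample input (not taken from the bug report): a file name as
 * an FTP server under someone else's control could return it in a directory
 * listing. A client such as weex sees this string when it builds its cache.
 */
static const char *const constructed_remote_name = "notes%s%s.txt";

/*
 * The bug class: the remote-controlled string is used AS the format, so its
 * '%s' directives are interpreted and read whatever happens to be in the
 * argument slots.
 *
 *     printf(remote_name);              // vulnerable: remote data is the format
 *
 * The hardened form below passes the remote data as an argument to a fixed,
 * literal format, so any '%' sequence in it is copied verbatim.
 */
int format_remote_name_safely(char *out, size_t outsz, const char *remote_name)
{
    /* Literal format; the remote string only ever fills the %s slot. */
    return snprintf(out, outsz, "fetching %s", remote_name);
}

/*
 * Defensive check: count '%' characters in a string received from the server.
 * A listing entry containing format directives is not necessarily malicious,
 * but it is worth logging when auditing what a client feeds to printf-family
 * functions.
 */
size_t count_percent_signs(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (*s == '%')
            n++;
    return n;
}

int main(void)
{
    char line[64];

    format_remote_name_safely(line, sizeof line, constructed_remote_name);
    printf("%s\n", line);   /* prints: fetching notes%s%s.txt */
    printf("percent signs in remote name: %zu\n",
           count_percent_signs(constructed_remote_name));
    return 0;
}
```

Compiling with GCC's `-Wformat-security` (or the broader `-Wformat=2`) flags the commented-out vulnerable call at build time, because the format is not a string literal and no arguments follow it; that warning is the cheapest way to find this pattern across a code base before a remote server gets to supply the format.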
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-10-02 00:56:33 UTC
Created attachment 69687 [details, diff]
patch provided by Ulf Harnhammar
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-03 02:13:35 UTC
phosphan: please bump in CVS with patch.
Comment 3 Patrick Kursawe (RETIRED) gentoo-dev 2005-10-04 02:33:43 UTC
In CVS, thanks for the hint and patch.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 06:02:40 UTC
Calling specific arch testers (x86, amd64) to test and mark stable. We keep it
low-profile for now.
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2005-10-04 06:39:25 UTC
*blush* Ok, that's not what the policy asked me to do, but I just left keywords
the way they were - this patch is just too trivial, sorry.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 06:42:58 UTC
Hehe. Security doesn't take position in maintainer/archteams conflicts :)

blubb and tester can scream at you if needed when they'll test. But I agree it's
a very non-disruptive bugfix.
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-10-04 06:48:58 UTC
it compiles fine here, and the patch is really trivial, so amd64 is happy :)
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-10-05 07:35:45 UTC
"It will only happen when weex is first run or when its cache files are rebuilt
with the -r option, though."

That quite complicates exploitation...
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2005-10-05 20:03:21 UTC
seems to work ok on x86... 
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-05 22:27:22 UTC
This one is ready for GLSA. 
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 12:53:41 UTC
Please use CAN-2005-3150 instead. 
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 09:29:23 UTC
GLSA 200510-09