Summary: net-ftp/weex: format string error (CAN-2005-3150)
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Tavis Ormandy (RETIRED) 2005-10-02 00:53:12 UTC
This received at firstname.lastname@example.org:
----------------------------------------
Date: Sun, 2 Oct 2005 04:12:49 +0200
From: Ulf Harnhammar <email@example.com>
Subject: weex remote format string bug

Hello all,

weex suffers from a remote format string security bug. Someone who controls an FTP server that weex will log in to can set up malicious data in the account that weex will use, and that will cause a format string bug that will allow remote code execution. It will only happen when weex is first run or when its cache files are rebuilt with the -r option, though.

I have verified this behaviour in versions 2.6.1 and 18.104.22.168.

I have attached a patch that corrects this problem, as well as a session capture that shows it.

I hope that we can co-ordinate our respective updates of weex.

// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/
------------------------------------------------
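As an added illustration of the bug class the report describes (server-controlled text reaching a printf-family function as its format argument), here is example code written for this page; it is not weex's code and not Ulf's patch. The function names, the constructed sample name `pub/%x%x%x` and the log message text are assumptions for the demonstration. It shows the hardened pattern (constant format, untrusted text passed through `%s`) next to a small check a reviewer or log pipeline can use to flag untrusted input that carries conversion specifications.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: a name an attacker-controlled FTP server could
 * return in a listing. Hypothetical value, not taken from the report. */
static const char SAMPLE_REMOTE_NAME[] = "pub/%x%x%x";

/* Returns 1 if s contains a conversion specification: a '%' that is not
 * the literal escape "%%". Such text must never be used as a format
 * argument; it is what turns untrusted data into a format string bug. */
int has_conversion_spec(const char *s) {
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }  /* "%%" prints a literal '%' */
            return 1;
        }
    }
    return 0;
}

/* Vulnerable pattern, as the advisory describes (deliberately NOT
 * compiled or called here, since executing it is undefined behaviour):
 *     snprintf(out, n, remote_name);   // remote data IS the format
 *
 * Hardened pattern: the format is a compile-time constant and the
 * untrusted text is a %s argument, so any '%' in it is printed
 * literally and never interpreted. Returns snprintf's count. */
int format_log_line(char *out, size_t n, const char *remote_name) {
    return snprintf(out, n, "weex: processing %s", remote_name);
}

/* Returns 1 if the untrusted text appears unchanged (literally) in the
 * rendered log line, i.e. no directive in it was expanded. */
int renders_literally(const char *remote_name) {
    char buf[256];
    format_log_line(buf, sizeof buf, remote_name);
    return strstr(buf, remote_name) != NULL;
}

int main(void) {
    char buf[256];
    if (has_conversion_spec(SAMPLE_REMOTE_NAME))
        fprintf(stderr, "warning: remote name carries format directives\n");
    format_log_line(buf, sizeof buf, SAMPLE_REMOTE_NAME);
    puts(buf);   /* prints: weex: processing pub/%x%x%x */
    return 0;
}
```

Building with `-Wformat-security` (GCC and Clang) warns on the vulnerable form, where the format argument is a non-literal with no further arguments; the hardened form compiles cleanly because its format is a literal.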
Comment 1 Tavis Ormandy (RETIRED) 2005-10-02 00:56:33 UTC
Created attachment 69687 [details, diff] patch provided by Ulf Harnhammar
Comment 2 Thierry Carrez (RETIRED) 2005-10-03 02:13:35 UTC
phosphan: please bump in CVS with patch.
Comment 3 Patrick Kursawe (RETIRED) 2005-10-04 02:33:43 UTC
In CVS, thanks for the hint and patch.
Comment 4 Thierry Carrez (RETIRED) 2005-10-04 06:02:40 UTC
Calling specific arch testers (x86, amd64) to test and mark stable. We keep it low-profile for now.
Comment 5 Patrick Kursawe (RETIRED) 2005-10-04 06:39:25 UTC
*blush* Ok, that's not what the policy asked me to do, but I just left keywords the way they were - this patch is just too trivial, sorry.
Comment 6 Thierry Carrez (RETIRED) 2005-10-04 06:42:58 UTC
Hehe. Security doesn't take position in maintainer/archteams conflicts :) blubb and tester can scream at you if needed when they test. But I agree it's a very non-disruptive bugfix.
Comment 7 Simon Stelling (RETIRED) 2005-10-04 06:48:58 UTC
it compiles fine here, and the patch is really trivial, so amd64 is happy :)
Comment 8 Thierry Carrez (RETIRED) 2005-10-05 07:35:45 UTC
"It will only happen when weex is first run or when its cache files are rebuilt with the -r option, though." That quite complicates exploitation...
Comment 9 Olivier Crete (RETIRED) 2005-10-05 20:03:21 UTC
seems to work ok on x86...
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-05 22:27:22 UTC
This one is ready for GLSA.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-06 12:53:41 UTC
Please use CAN-2005-3150 instead.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-08 09:29:23 UTC