
Bug 110467

Summary: gnome-extra/libgda syslog format string attack
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: gnome
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2? [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-25 13:26:45 UTC
From Steve Kemp: 
libgda2 format string attack 
  The gda2 library contains two format string bugs, both involving the 
 use of the syslog function. 
  The relevant code is contained in the file: 
  The two functions gda_log_error and gda_log_message both contain 
 this code: 
      syslog (LOG_USER | LOG_INFO, msg); 
  The logging functions are called throughout the code and are 
 often passed user controllable input.  For example: 
 gda_log_error (_("Invalid XML database file '%s'"), uri); 
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql); 
  Whilst it is not likely that privileges could be gained by the 
 library alone there are several routes for exploitation via other 
 applications which link to the code. 
  The most obvious is the "gnumeric-plugins-extra" package which 
 links to and uses the code. 
  The following patch fixes this: 
--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100 
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100 
@@ -111,7 +111,7 @@ 
 #ifdef LIBGDA_WIN32 
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg); 
-       syslog (LOG_USER | LOG_INFO, msg); 
+       syslog (LOG_USER | LOG_INFO, "%s", msg); 
        g_free (msg); 
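Review bot: The hunk header declares seven lines on each side (-111,7 +111,7) but only four per side are present, and the "#ifdef LIBGDA_WIN32" context has no visible #else before the syslog call, so as pasted this will not apply cleanly and reads as if syslog sits in the Win32 branch. Please attach the original diff file rather than inline text. The changed line itself, passing msg as an argument to a constant "%s" format, matches what the g_log line directly above it already does.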
@@ -144,7 +144,7 @@ 
 #ifdef LIBGDA_WIN32 
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg); 
-       syslog (LOG_USER | LOG_ERR, msg); 
+       syslog (LOG_USER | LOG_ERR, "%s", msg); 
        g_free (msg); 
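Review bot: The same non-literal format reaches syslog in a second function (around line 144), which suggests nothing in the build catches this pattern. Consider compiling with -Wformat -Wformat-security so a call such as "syslog (LOG_USER | LOG_ERR, msg);" is flagged, and check the rest of the tree for other sinks that receive msg as the format. As in the first hunk, fewer context lines are shown than the 7,7 in the header.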
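The fix pattern from the patch above, as an added example that is not part of the original report or of libgda's code: snprintf into a buffer stands in for syslog so the result can be checked. The names log_error_fixed, live_directives and sink, and the sample file name, are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumption: this buffer stands in for syslog() so the output can be checked. */
static char sink[256];

/* Hypothetical wrapper mirroring gda_log_error after the patch. The format
 * attribute lets GCC/Clang check callers' arguments against fmt. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
const char *log_error_fixed(const char *fmt, ...)
{
    char msg[200];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);   /* caller's format, expanded once */
    va_end(ap);

    /* msg now holds caller data: pass it as an argument, never as the format. */
    snprintf(sink, sizeof sink, "%s", msg);
    return sink;
}

/* Audit helper: how many conversion directives would a sink act on if msg
 * were handed to it as the format string? "%%" is a literal percent sign. */
int live_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *uri = "q3%d%s.xml";   /* constructed sample input */
    const char *out = log_error_fixed("Invalid XML database file '%s'", uri);
    printf("%s\nlive directives if used as a format: %d\n", out, live_directives(out));
    return 0;
}
```

A non-zero count from live_directives on an already-built message is the condition the unpatched syslog call was exposed to; with the "%s" form the same bytes are logged literally.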
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-25 22:23:25 UTC
Gnome please provide an updated ebuild. 
Comment 2 Leonardo Boshell (RETIRED) gentoo-dev 2005-10-26 11:37:13 UTC
I've committed libgda-1.2.2-r1.ebuild, which includes a patch for this.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-26 12:23:54 UTC
Thx Leonardo, arches please test and mark stable. 
Comment 4 Brent Baude (RETIRED) gentoo-dev 2005-10-26 18:59:15 UTC
Marked ppc64 stable. Thanks.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-27 07:20:09 UTC
sparc stable.
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 08:28:15 UTC
1.2.2-r1 fails on amd64 with the following sandbox error:

ACCESS DENIED  unlink:    /usr/lib64/
/bin/install: cannot remove `/usr/lib64/': Permission denied
make[2]: *** [install-libLTLIBRARIES] Error 1
make[2]: Leaving directory
make[1]: *** [install-am] Error 2
make[1]: Leaving directory
make: *** [install-recursive] Error 1

!!! ERROR: gnome-extra/libgda-1.2.2-r1 failed.
!!! Function einstall, Line 524, Exitcode 2
!!! einstall failed

1.2.2 works fine though

 # cat /var/log/sandbox/sandbox-gnome-extra_-_libgda-1.2.2-r1-17475.log
unlink:    /usr/lib64/
Comment 7 Leonardo Boshell (RETIRED) gentoo-dev 2005-10-28 09:10:22 UTC
I can't reproduce the problem on pitr, but could you verify if adding
USE_DESTDIR="1" to the ebuild resolves it?
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 09:38:22 UTC
yup, works fine with USE_DESTDIR=1
Comment 9 Leonardo Boshell (RETIRED) gentoo-dev 2005-10-28 11:27:02 UTC
Thanks, the fix has been committed to the ebuild now.
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-28 13:52:17 UTC
stable on alpha

Comment 11 Mark Loeser (RETIRED) gentoo-dev 2005-10-28 18:23:26 UTC
Stable on x86
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-29 08:41:03 UTC
Stable on ppc.
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2005-10-30 02:46:03 UTC
amd64 stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-11-02 09:02:19 UTC
GLSA 200511-01
For some unknown reason hppa and ia64 were forgotten along the way. Perhaps the
recent stable-ing of an older version...
hppa and ia64 should mark stable to benefit from GLSA.
Comment 15 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-02 10:20:02 UTC
Straight to stable on hppa.