| Summary: | app-admin/{webmin\|usermin} possible miniserv.pl format string vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | eradicator, mcummings |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0976.html | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Sune Kloppenborg Jeppesen (RETIRED)
2005-11-29 03:02:32 UTC

eradicator, please bump with appropriate format string patches. Apparently this is under discussion on FD, we should probably first reproduce rather than blindly patching:

> "Sys::Syslog calls sprintf($format, @_). I tried testing this on perl 5.8.7 and don't see how this can be exploitable. The %n specifier results in the following error message:
>
> `$ perl -e 'sprintf("%n")'`
> `Modification of a read-only value attempted at -e line 1.`
>
> Using a thousand %p's results in the same address (presumably of the temporary char *) over and over again. It is possible to memory starve webmin with a long %9999999999d string, but arbitrary memory writes seem to be out of the question. What version of perl was used by the third-party to exploit this?"

The following versions contain the fix:

- usermin 1.180
- webmin 1.250

Need keywording:

- alpha - webmin, usermin
- hppa - webmin, usermin
- mips - webmin (for about 3 exploits)
- ppc - webmin, usermin
- ppc64 - webmin, usermin
- s390 - webmin
- sh - webmin

Looks like you need a very specific/old/borked version of Perl for this to work... not even sure it's possible to find an affected one with Gentoo. eradicator: did you reproduce the thing?

No, I didn't try reproducing the exploit on my box. I just bumped the versions in portage and tested them to work properly.

OK, this is confirmed. Arches please test and mark stable accordingly. Note: this should probably be fixed Perl-wide through bug 114113...

stable on ppc64

Stable on alpha

Marked ppc stable.

hppa done.

GLSA 200512-02

arm, mips, s390 don't forget to mark stable to benefit from the GLSA.

http://use.perl.org/article.pl?sid=05/12/13/1258222 - Sys::Syslog patch/update is available that would also fix this (since that's the module that exposes *min to the bug as I understand it). Just adding in case it's worthy, ~mcummings
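As an added example (not code from Webmin, Usermin, Sys::Syslog or the bug's participants), the vulnerable shape quoted above, untrusted text used as the sprintf format, beside the hardened form that passes the text only as an argument; the function names and the sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from Webmin, Usermin or Sys::Syslog.
use strict;
use warnings;

# Vulnerable shape, mirroring Sys::Syslog's sprintf($format, @_) when a
# caller hands it attacker-influenced text as $format: every '%' sequence
# in $msg is interpreted as a conversion.
sub log_line_unsafe {
    my ($msg, @args) = @_;
    return sprintf($msg, @args);
}

# Hardened shape: the format is a literal, so '%' sequences in $msg are
# plain characters and are copied through unchanged.
sub log_line_safe {
    my ($msg) = @_;
    return sprintf('%s', $msg);
}

# Constructed inputs standing in for a hostile login name or header value.
my @samples = ('login failed for %s%s %p', 'login failed for %n');

for my $msg (@samples) {
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };

    my $unsafe = eval { log_line_unsafe($msg) };
    my $error  = $@;
    my $safe   = log_line_safe($msg);

    print "input : $msg\n";
    print "safe  : $safe\n";
    if ($error) {
        # On current perls %n dies here, the message quoted in the bug.
        print "unsafe: died: $error";
    } else {
        print "unsafe: $unsafe\n";
    }
    # "Missing argument in sprintf" warnings under 'use warnings' are the
    # tell-tale of this pattern; the hardened logger never produces them.
    print "warn  : $_" for @warnings;
    print "\n";
}
```

The safe variant prints each input verbatim, while the unsafe one emits missing-argument warnings for the first input and dies on the second.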