
Bug 52430

Summary: net-ftp/jftpgw-0.13.4 format string vulnerability
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-05-30 03:24:56 UTC
From Debian Security Advisory DSA 510-1:

jaguar@felinemenace.org discovered a vulnerability in jftpgw, an FTP
proxy program, whereby a remote user could potentially cause arbitrary
code to be executed with the privileges of the jftpgw server process.
By default, the server runs as user "nobody".

CAN-2004-0448: format string vulnerability via syslog(3) in log()
function
Comment 1 SpanKY gentoo-dev 2004-05-30 03:44:22 UTC
maybe it's just me but i don't think 0.13.4 is vuln

if you look at the patch for 0.13.1 that debian provides to fix this exploit, you'll find this:
--- jftpgw-0.13.1.orig/log.c
+++ jftpgw-0.13.1/log.c
@@ -115,7 +115,7 @@
            logtype = LOG_ERR;
        }
        vsnprintf(str, LOGSIZE - 1, fmt, args);
-       syslog(logtype, str);
+       syslog(logtype, "%s", str);
    }
 
    va_end(args);
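
Review bot: The `+` line (log.c line 118) corrects this one call, but nothing in the patch shows that it is the only place where a pre-formatted buffer reaches syslog() as the format argument. By the time syslog() runs, str has already been expanded by vsnprintf(), so any % sequences that remote input left in it would be interpreted a second time at every call site that still looks like the `-` line. Suggest auditing all syslog() calls in the tree for a non-literal second argument and building with -Wformat -Wformat-security so the compiler flags any that remain.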

if you look through log.c in vanilla 0.13.4, you'll see that the calls to syslog are already exactly like this

we haven't had 0.13.1 in our tree for a long time so i say we just close this as INVALID ... unless i missed something ...
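
The manual check described in Comment 1 (reading log.c to confirm every syslog call passes a literal format) can be automated. The following is an added example, not part of the original bug report or of jftpgw: a heuristic scanner that lists syslog()/vsyslog() calls whose format argument is not a string literal. The function names and the `BEFORE`/`AFTER` samples are constructed for illustration, modelled on the hunk quoted above.

```python
import re

# Constructed samples modelled on the hunk quoted in Comment 1; not the real log.c.
BEFORE = 'vsnprintf(str, LOGSIZE - 1, fmt, args);\nsyslog(logtype, str);\n'
AFTER = 'vsnprintf(str, LOGSIZE - 1, fmt, args);\nsyslog(logtype, "%s", str);\n'

# Heuristic: comments and macros are not expanded, so review every hit by hand.
CALL = re.compile(r'\bv?syslog\s*\(')


def call_args(text, pos):
    """Split the argument list that starts at text[pos] (just past the '(')."""
    args, cur, depth, in_str = [], [], 1, False
    while pos < len(text):
        c = text[pos]
        if in_str:
            if c == '\\':                 # keep the escaped character as-is
                cur.append(c)
                pos += 1
                c = text[pos] if pos < len(text) else ''
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:                # end of this call's argument list
                break
        elif c == ',' and depth == 1:     # top-level separator
            args.append(''.join(cur).strip())
            cur = []
            pos += 1
            continue
        cur.append(c)
        pos += 1
    args.append(''.join(cur).strip())
    return args


def unsafe_syslog_calls(source):
    """Return (line, format_argument) for calls whose format is not a literal."""
    hits = []
    for m in CALL.finditer(source):
        args = call_args(source, m.end())
        if len(args) >= 2 and not args[1].startswith('"'):
            hits.append((source.count('\n', 0, m.start()) + 1, args[1]))
    return hits
```

Run `unsafe_syslog_calls(open("log.c").read())` against each version in the tree; an empty list matches the state Comment 1 describes for 0.13.4.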