Summary: | net-ftp/jftpgw-0.13.4 format string vulnerability | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2004-05-30 03:24:56 UTC
maybe it's just me but i dont think 0.13.4 is vuln if you look at the patch for 0.13.1 that debian provides to fix this exploit, you'll find this: --- jftpgw-0.13.1.orig/log.c +++ jftpgw-0.13.1/log.c @@ -115,7 +115,7 @@ logtype = LOG_ERR; } vsnprintf(str, LOGSIZE - 1, fmt, args); - syslog(logtype, str); + syslog(logtype, "%s", str); } va_end(args); if you look through log.c in vanilla 0.13.4, you'll see that the calls to syslog are already exactly like this we havent had 0.13.1 in our tree for a long time so i say we just close this as INVALID ... unless i missed something ... |