| Field | Value |
|---|---|
| Summary | net-misc/bidwatcher format string security vulnerability (CAN-2005-0158) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED DUPLICATE |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | B2 [upstream tomask?] koon / CLASSIFIED |
| Package list | |
| Runtime testing required | --- |
| Attachments | attachment 50983: bidwatcher.formstring.patch |
Description

Sune Kloppenborg Jeppesen (RETIRED), 2005-02-10 21:48:51 UTC

Created attachment 50983: bidwatcher.formstring.patch (Debian patch).
Upstream answer:

> I believe that particular section of the code has been removed from the source during a conversion to libcurl. I don't see it in my CVS tree, so I think it's safe to say it's gone. I do not plan to release a 1.3.16.1 bugfix for this issue because 1.3.16 is fairly broken due to some heavy eBay changes. The CVS code is getting near to a release, so 1.3.17 should just handle the issue. Early access to release tarball may be provided... Let's wait a little :)

Please keep this bug closed forever.

My two cents. This code is pure shit. This program does not appear as if it was coded with security in mind. A simple

    grep intf *.cpp | grep -v \" | grep \;$

shows a few things.

bidwatcher.cpp, line 2955: the user can walk all over himself, but this displays bad coding practices.

    char homePath[200];
    char lockBuffer[200];
    strcpy(homePath,getenv("HOME"));
    strcat(homePath, "/.netscape/lock");

bidwatcher.h:106:

    #define MAX_STATUS_LEN 200

bidwatcher.cpp:

    void showBidStatus(char *arg)
    {
        char msg[MAX_STATUS_LEN];
        sprintf(msg, "[%s] %s", getTimeStamp(), arg);

Line 509:

    void auctioninfo::getkey(float bid, int quantity)
    {
    ... ..

On line 644:

    char lineBuff[8000];
    ... ..
    showBidStatus(lineBuff);

This abuse of sprintf() and strcpy() goes on and on, so I would not be surprised in the slightest if more exploitable holes were uncovered in this pkg in the not too distant future.

Now... This package has no metadata.xml, and from reading the ChangeLog it appears that spider did the original commit but said he was not going to maintain it.

-------------------------------------------------------------------------------
28 May 2002; Spider <spider@gentoo.org> ChangeLog bidwatcher-1.3.3.ebuild :
Initial release from bugzilla bug. modified and updated version
This ebuild is free target, Feel free to take over maintenance
-------------------------------------------------------------------------------

This type of thing needs to stop.

If a dev is going to put a pkg in the tree, he/she needs to maintain it. If he/she is unwilling to maintain it, then it should not be going in the tree in the first place. For the most part it looks like Martin Holzer <mholzer@gentoo.org> (Mr_Bones) has been doing the version bumps.

My vote: from now on, any pkg for which we have to do any sort of security work needs to have an official "active" maintainer, and this needs to be listed in the metadata.xml. If these two conditions cannot be met, then I vote for masking, then the axe.

1.3.17 will be released on Feb 17th, but is it worth it? No maintainer -> punt it.
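The snippets quoted in the report above show two patterns: an 8000-byte `lineBuff` passed into `showBidStatus()`, which `sprintf()`s it into a 200-byte `msg`, and `strcpy(homePath, getenv("HOME"))` into a fixed 200-byte array with no check that HOME exists or fits. The following is an added example, written for this page and not code from bidwatcher or its Debian patch, showing how both call sites would be hardened: `snprintf()` with the destination size, a fixed literal format string so that caller-supplied text can never act as a format string (the bug class named in the summary, CAN-2005-0158), and explicit reporting of truncation or failure instead of silent overflow. The function names `format_bid_status` and `build_lock_path` and the `getTimeStamp()` value `"12:00:00"` are assumptions for the example; `MAX_STATUS_LEN` and the `.netscape/lock` path are taken from the quoted source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STATUS_LEN 200   /* value quoted from bidwatcher.h:106 */

/* Hardened counterpart of showBidStatus(): formats "[timestamp] arg" into a
 * caller-sized buffer. Truncates instead of overflowing, sets *truncated when
 * the input did not fit, and returns the number of bytes stored (excluding
 * the NUL) or -1 on error. Names are assumed for this example. */
int format_bid_status(char *msg, size_t msg_size, const char *timestamp,
                      const char *arg, int *truncated)
{
    if (msg == NULL || msg_size == 0 || timestamp == NULL ||
        arg == NULL || truncated == NULL)
        return -1;

    /* The format string is a literal: any '%' sequences inside arg are
     * printed verbatim rather than interpreted, so the user-controlled
     * text cannot turn into a format string attack. */
    int needed = snprintf(msg, msg_size, "[%s] %s", timestamp, arg);
    if (needed < 0) {
        msg[0] = '\0';
        return -1;
    }
    *truncated = ((size_t)needed >= msg_size);  /* snprintf reports full length */
    return (int)strlen(msg);
}

/* Hardened counterpart of the strcpy/strcat sequence on line 2955 of the
 * quoted bidwatcher.cpp: builds "<home>/.netscape/lock" into out, rejecting a
 * missing HOME and a path that would not fit. Returns 0 on success, -1 on
 * failure (out is left as an empty string). */
int build_lock_path(char *out, size_t out_size, const char *home)
{
    if (out == NULL || out_size == 0)
        return -1;
    if (home == NULL || home[0] == '\0') {   /* getenv("HOME") may be NULL */
        out[0] = '\0';
        return -1;
    }
    int needed = snprintf(out, out_size, "%s/.netscape/lock", home);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';                       /* would have overflowed */
        return -1;
    }
    return 0;
}

int main(void)
{
    char msg[MAX_STATUS_LEN];
    char line_buff[8000];                    /* same size as lineBuff on line 644 */
    int truncated = 0;

    /* Constructed input: a line far larger than MAX_STATUS_LEN. */
    memset(line_buff, 'A', sizeof line_buff - 1);
    line_buff[sizeof line_buff - 1] = '\0';

    int n = format_bid_status(msg, sizeof msg, "12:00:00", line_buff, &truncated);
    printf("stored %d bytes, truncated=%d\n", n, truncated);

    char path[200];
    if (build_lock_path(path, sizeof path, getenv("HOME")) == 0)
        printf("lock path: %s\n", path);
    else
        printf("HOME unset or too long for a %zu-byte buffer\n", sizeof path);
    return 0;
}
```

Both helpers deliberately return an error rather than a best-effort string when the destination is too small, since a silently truncated lock path would point at the wrong file; the status message, by contrast, is display-only and may be cut to fit.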