Bug 91303

Summary: net-proxy/oops: auth() Format String Flaw
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-proxy+disabled
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://securitytracker.com/alerts/2005/May/1013864.html
Whiteboard: B1? [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-05-03 06:35:51 UTC
CVE Reference: CAN-2005-1121
 
Version(s): 1.5.23 and prior versions 
 
Description:  A format string vulnerability was reported in Oops! A remote user may be able to execute arbitrary code. 

The passwd_mysql/passwd_pgsql module auth() function contains a call to the my_xlog() function that does not include a format string specifier. A remote user can supply a specially crafted HTTP request to trigger the vulnerability and cause the service to crash or execute arbitrary code.

A demonstration exploit request is provided:

GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0
Host: ghc.ru
Proxy-Authorization: Basic Z2hjOnJzdA==

The flaw resides in 'passwd_sql.c'.

Edisan from RST/GHC reported this vulnerability. 
 
Impact:  A remote user can cause the service to crash or execute arbitrary code.
 
Solution:  A patch is available at:

http://zipper.paco.net/~igor/oops/diff_from_1.5.23.patch.gz
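
The call pattern described in the report, as an added example that is not part of the original report or of the Oops! source: xlog_demo() is a hypothetical stand-in for my_xlog(), whose real signature is not shown here. It sets the flawed call (request text used as the format string) beside the corrected one (constant format, request text passed as data).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* last formatted log line, kept for inspection */

/* Hypothetical stand-in for a printf-style logger such as my_xlog().
 * The format attribute lets GCC/Clang type-check every call site and,
 * with -Wformat -Wformat-security, warn when a non-literal format is
 * passed with no arguments. */
static int xlog_demo(int level, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static int xlog_demo(int level, const char *fmt, ...)
{
    va_list ap;
    int n;

    (void)level;
    va_start(ap, fmt);
    n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern, shown as a comment only so it is never executed:
 *
 *     xlog_demo(1, url);
 *
 * Request-controlled text is used as the format string, so every
 * conversion in it makes vsnprintf() fetch an argument that the
 * caller never passed.
 */

/* Corrected pattern: constant format string, untrusted text as data. */
static const char *log_request(const char *url)
{
    xlog_demo(1, "auth(): request for %s", url);
    return last_log;
}

int main(void)
{
    /* URL taken from the request quoted in the report above. */
    puts(log_request("http://%s%s%s%s%s%s%s%s/"));
    return 0;
}
```
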

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-03 13:26:25 UTC
net-proxy please advise.

Comment 2 Alin Năstac (RETIRED) gentoo-dev 2005-05-03 15:36:10 UTC
bug confirmed.
I've bumped version to the current 1.5.24 pre-release and marked as stable on x86.

Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-04 06:36:52 UTC
sparc done.

Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-05-05 15:36:16 UTC
GLSA 200505-02, thanks everyone!