From Steve Kemp:
libgda2 format string attack
The gda2 library contains two format string bugs, both involving the
use of the syslog function.
The relevent code is contained in the file:
The two functions gda_log_error and gda_log_message both contain
syslog (LOG_USER | LOG_INFO, msg);
The logging functions are called throughout the code and are
often passed user controllable input. For example:
gda_log_error (_("Invalid XML database file '%s'"), uri);
gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);
Whilst it is not likely that privileges could be gained by the
libary alone there are several routes for exploitation via other
applications which link to the code.
The most obvious is the "gnumeric-plugins-extra" package which
links to and uses the code.
The following patch fixes this:
--- gda-log.c-orig 2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c 2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
- syslog (LOG_USER | LOG_INFO, msg);
+ syslog (LOG_USER | LOG_INFO, "%s", msg);
@@ -144,7 +144,7 @@
g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
- syslog (LOG_USER | LOG_ERR, msg);
+ syslog (LOG_USER | LOG_ERR, "%s", msg);
Gnome please provide an updated ebuild.
I've committed libgda-1.2.2-r1.ebuild, which includes a patch for this.
Thx Leonardo, arches please test and mark stable.
Marked ppc64 stable. Thanks.
1.2.2-r1 fails on amd64 with the following sandbox error:
ACCESS DENIED unlink: /usr/lib64/libgdasql.so.3.0.0
/bin/install: cannot remove `/usr/lib64/libgdasql.so.3.0.0': Permission denied
make: *** [install-libLTLIBRARIES] Error 1
make: Leaving directory
make: *** [install-am] Error 2
make: Leaving directory
make: *** [install-recursive] Error 1
!!! ERROR: gnome-extra/libgda-1.2.2-r1 failed.
!!! Function einstall, Line 524, Exitcode 2
!!! einstall failed
1.2.2 works fine though
# cat /var/log/sandbox/sandbox-gnome-extra_-_libgda-1.2.2-r1-17475.log
I can't reproduce the problem on pitr, but could you verify if adding
USE_DESTDIR="1" to the ebuild resolves it?
yup, works fine with USE_DESTDIR=1
Thanks, the fix has been committed to the ebuild now.
stable on alpha
Stable on x86
Stable on ppc.
For some unknown reason hppa and ia64 were forgotten along the way. Perhaps the
recent stable-ing of an older version...
hppa and ia64 should mark stable to benefit from GLSA.
Straigth to stable on hppa.