Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 110467 - gnome-extra/libgda syslog format string attack
Summary: gnome-extra/libgda syslog format string attack
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-25 13:26 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-03-24 06:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-25 13:26:45 UTC
From Steve Kemp: 
 
libgda2 format string attack 
---------------------------- 
 
  The gda2 library contains two format string bugs, both involving the 
 use of the syslog function. 
 
  The relevent code is contained in the file: 
 
      libgda2-1.2.1/libgda/gda-log.c 
 
  The two functions gda_log_error and gda_log_message both contain 
 this code: 
 
      syslog (LOG_USER | LOG_INFO, msg); 
 
 
Exploitation 
------------ 
 
  The logging functions are called throughout the code and are 
 often passed user controllable input.  For example: 
 
gda-xml-database.c: 
 gda_log_error (_("Invalid XML database file '%s'"), uri); 
 
  or 
 
gda-select.c: 
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql); 
 
 
  Whilst it is not likely that privileges could be gained by the 
 libary alone there are several routes for exploitation via other 
 applications which link to the code. 
 
  The most obvious is the "gnumeric-plugins-extra" package which 
 links to and uses the code. 
 
  
 
Fix 
--- 
 
  The following patch fixes this: 
 
--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100 
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100 
@@ -111,7 +111,7 @@ 
 #ifdef LIBGDA_WIN32 
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg); 
 #else 
-       syslog (LOG_USER | LOG_INFO, msg); 
+       syslog (LOG_USER | LOG_INFO, "%s", msg); 
 #endif 
        g_free (msg); 
 } 
@@ -144,7 +144,7 @@ 
 #ifdef LIBGDA_WIN32 
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg); 
 #else 
-       syslog (LOG_USER | LOG_ERR, msg); 
+       syslog (LOG_USER | LOG_ERR, "%s", msg); 
 #endif 
        g_free (msg); 
 } 
 
Steve
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-25 22:23:25 UTC
Gnome please provide an updated ebuild. 
Comment 2 Leonardo Boshell (RETIRED) gentoo-dev 2005-10-26 11:37:13 UTC
I've committed libgda-1.2.2-r1.ebuild, which includes a patch for this.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-26 12:23:54 UTC
Thx Leonardo, arches please test and mark stable. 
Comment 4 Brent Baude (RETIRED) gentoo-dev 2005-10-26 18:59:15 UTC
Marked ppc64 stable. Thanks.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-27 07:20:09 UTC
sparc stable.
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 08:28:15 UTC
1.2.2-r1 fails on amd64 with the following sandbox error:

ACCESS DENIED  unlink:    /usr/lib64/libgdasql.so.3.0.0
/bin/install: cannot remove `/usr/lib64/libgdasql.so.3.0.0': Permission denied
make[2]: *** [install-libLTLIBRARIES] Error 1
make[2]: Leaving directory
`/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory
`/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
make: *** [install-recursive] Error 1

!!! ERROR: gnome-extra/libgda-1.2.2-r1 failed.
!!! Function einstall, Line 524, Exitcode 2
!!! einstall failed

1.2.2 works fine though

 # cat /var/log/sandbox/sandbox-gnome-extra_-_libgda-1.2.2-r1-17475.log
unlink:    /usr/lib64/libgdasql.so.3.0.0
 #
Comment 7 Leonardo Boshell (RETIRED) gentoo-dev 2005-10-28 09:10:22 UTC
Simon,
I can't reproduce the problem on pitr, but could you verify if adding
USE_DESTDIR="1" to the ebuild resolves it?
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 09:38:22 UTC
yup, works fine with USE_DESTDIR=1
Comment 9 Leonardo Boshell (RETIRED) gentoo-dev 2005-10-28 11:27:02 UTC
Thanks, the fix has been committed to the ebuild now.
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-28 13:52:17 UTC
stable on alpha

Cheers,
Ferdy
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2005-10-28 18:23:26 UTC
Stable on x86
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-29 08:41:03 UTC
Stable on ppc.
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2005-10-30 02:46:03 UTC
amd64 stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-11-02 09:02:19 UTC
GLSA 200511-01
For some unknown reason hppa and ia64 were forgotten along the way. Perhaps the
recent stable-ing of an older version...
hppa and ia64 should mark stable to benefit from GLSA.
Comment 15 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-02 10:20:02 UTC
Straigth to stable on hppa.