From Steve Kemp:

libgda2 format string attack
----------------------------

The gda2 library contains two format string bugs, both involving the use of the syslog function.

The relevant code is contained in the file:

    libgda2-1.2.1/libgda/gda-log.c

The two functions gda_log_error and gda_log_message both contain this code:

    syslog (LOG_USER | LOG_INFO, msg);

Exploitation
------------

The logging functions are called throughout the code and are often passed user controllable input. For example:

    gda-xml-database.c: gda_log_error (_("Invalid XML database file '%s'"), uri);

or

    gda-select.c: gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);

Whilst it is not likely that privileges could be gained by the library alone there are several routes for exploitation via other applications which link to the code.

The most obvious is the "gnumeric-plugins-extra" package which links to and uses the code.

Fix
---

The following patch fixes this:

--- gda-log.c-orig 2005-09-06 13:49:52.792070192 +0100 +++ gda-log.c 2005-09-06 13:50:25.049166368 +0100 @@ -111,7 +111,7 @@ #ifdef LIBGDA_WIN32 g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg); #else - syslog (LOG_USER | LOG_INFO, msg); + syslog (LOG_USER | LOG_INFO, "%s", msg); #endif g_free (msg); } @@ -144,7 +144,7 @@ #ifdef LIBGDA_WIN32 g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg); #else - syslog (LOG_USER | LOG_ERR, msg); + syslog (LOG_USER | LOG_ERR, "%s", msg); #endif g_free (msg); }

Steve
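Review bot: Nothing in the first hunk (the LOG_INFO call at -111,7) keeps this pattern from coming back, since the fix depends on every later edit remembering the "%s" argument. Building this file with -Wformat -Wformat-security makes the compiler flag a call such as "syslog (LOG_USER | LOG_INFO, msg);", where the format is not a literal and no arguments follow, so I would suggest enabling those warnings together with the patch.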
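Review bot: In the second hunk (-144,7) the unchanged LIBGDA_WIN32 branch logs with G_LOG_LEVEL_ERROR, which GLib treats as fatal and aborts on, while the syslog branch being fixed logs at LOG_ERR and carries on to "g_free (msg);". The two branches therefore behave differently for the same error; if aborting is not intended, the Windows branch should use a non-fatal level such as G_LOG_LEVEL_CRITICAL or G_LOG_LEVEL_WARNING, and either way a comment at this #ifdef should state which behaviour is meant.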
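The double formatting described in the advisory, as an added example that is not part of the advisory or of libgda. The names sink, log_error_unfixed and log_error_fixed are hypothetical stand-ins for syslog and for the logging function before and after the patch, and the input is constructed: it contains only "%%", which consumes no argument, so the second parse is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same (priority, format, ...) shape,
 * but the formatted line is captured so the result can be inspected. */
static char captured[256];

static void sink(int priority, const char *format, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, format);
    vsnprintf(captured, sizeof captured, format, ap);
    va_end(ap);
}

/* Pattern before the fix: the finished message is reused as a format
 * string, so any '%' that arrived in the caller's data is parsed again. */
const char *log_error_unfixed(const char *format, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);
    sink(3, msg);            /* msg is interpreted as a format */
    return captured;
}

/* Pattern after the fix: constant "%s" format, the message is data only. */
const char *log_error_fixed(const char *format, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);
    sink(3, "%s", msg);      /* msg is copied through unchanged */
    return captured;
}

int main(void)
{
    const char *uri = "backup%%2005.xml";   /* constructed sample input */
    printf("unfixed: %s\n", log_error_unfixed("Invalid XML database file '%s'", uri));
    printf("fixed:   %s\n", log_error_fixed("Invalid XML database file '%s'", uri));
    return 0;
}
```

A directive that does consume an argument would make the unfixed variant read arguments that were never passed, which is why the patched call keeps the message out of the format position.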
Gnome please provide an updated ebuild.
I've committed libgda-1.2.2-r1.ebuild, which includes a patch for this.
Thx Leonardo, arches please test and mark stable.
Marked ppc64 stable. Thanks.
sparc stable.
1.2.2-r1 fails on amd64 with the following sandbox error:

    ACCESS DENIED unlink: /usr/lib64/libgdasql.so.3.0.0
    /bin/install: cannot remove `/usr/lib64/libgdasql.so.3.0.0': Permission denied
    make[2]: *** [install-libLTLIBRARIES] Error 1
    make[2]: Leaving directory `/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
    make[1]: *** [install-am] Error 2
    make[1]: Leaving directory `/var/tmp/portage/libgda-1.2.2-r1/work/libgda-1.2.2/libsql'
    make: *** [install-recursive] Error 1

    !!! ERROR: gnome-extra/libgda-1.2.2-r1 failed.
    !!! Function einstall, Line 524, Exitcode 2
    !!! einstall failed

1.2.2 works fine though

    # cat /var/log/sandbox/sandbox-gnome-extra_-_libgda-1.2.2-r1-17475.log
    unlink: /usr/lib64/libgdasql.so.3.0.0
    #
Simon, I can't reproduce the problem on pitr, but could you verify if adding USE_DESTDIR="1" to the ebuild resolves it?
yup, works fine with USE_DESTDIR=1
Thanks, the fix has been committed to the ebuild now.
stable on alpha

Cheers,
Ferdy
Stable on x86
Stable on ppc.
amd64 stable
GLSA 200511-01

For some unknown reason hppa and ia64 were forgotten along the way. Perhaps the recent stable-ing of an older version... hppa and ia64 should mark stable to benefit from GLSA.
Straight to stable on hppa.