Bug 81577 - net-misc/bidwatcher format string security vulnerability (CAN-2005-0158)
Summary: net-misc/bidwatcher format string security vulnerability (CAN-2005-0158)
Status: RESOLVED DUPLICATE of bug 82460
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream tomask?] koon / CLASSIFIED
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-10 21:48 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-06-10 18:36 UTC (History)
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
bidwatcher.formstring.patch (409 bytes, patch)
2005-02-10 21:52 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-10 21:48:51 UTC
Ulf Harnhammar from the Debian Security Audit Project reports:

I have found a format string security vulnerability in bidwatcher.
It affects at least the versions 1.3.3 and 1.3.16.
 
The vulnerability occurs when printing an error message with data
sent from the eBay servers. If eBay, or someone pretending to be
eBay, sends certain data to a bidwatcher user, the format string bug
will be executed.
 
I have attached a POC written in PHP (see the comments in the
source code for installation instructions), as well as a patch.
 
I hope that we can coordinate our respective releases of bidwatcher,
so updates for this vulnerability will be published at approximately
the same time.
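An added illustration of the bug class the report describes. It is not bidwatcher's code and not the attached patch; the function names and the "server" text are constructed for the example. It shows the vulnerable shape (text received from the server used directly as the format argument) beside the fixed shape (a constant format with the untrusted text passed only as a %s argument), plus a small check that flags conversion directives in untrusted text, useful when auditing other call sites.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 256

/* Vulnerable shape (constructed for this example): the text received from
   the server is used as the FORMAT argument. vsnprintf interprets any '%'
   directives in it: "%x" reads words off the stack, "%n" writes to memory.
   Wrapped in a plain variadic function so the compiler's format checks
   cannot see that the format is untrusted, which is how such bugs survive. */
static int error_message_vuln(char *out, size_t out_len, const char *server_text, ...)
{
    va_list ap;
    va_start(ap, server_text);
    int n = vsnprintf(out, out_len, server_text, ap);
    va_end(ap);
    return n;
}

/* Fixed shape: the format is a constant, the untrusted text is only ever
   the argument of a %s conversion and is never parsed for directives. */
static int error_message_safe(char *out, size_t out_len, const char *server_text)
{
    return snprintf(out, out_len, "error from server: %s", server_text);
}

/* Audit helper: does untrusted text carry a conversion directive?
   "%%" is a literal percent sign and does not count. */
static bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip the pair */
            p++;
            continue;
        }
        return true;         /* "%x", "%n", "%s", ... */
    }
    return false;
}

int main(void)
{
    /* Constructed "server" text with a benign directive, so the difference
       is visible without triggering undefined behaviour. */
    const char *from_server = "Listing ended at 100%% of reserve";
    char buf[MSG_LEN];

    error_message_vuln(buf, sizeof buf, from_server);
    printf("vulnerable: %s\n", buf);   /* "%%" was interpreted as "%" */
    error_message_safe(buf, sizeof buf, from_server);
    printf("fixed:      %s\n", buf);   /* text passed through verbatim */
    printf("directive present: %d\n", contains_format_directive(from_server));
    return 0;
}
```

The benign "%%" is used on purpose: with "%x" or "%n" the vulnerable function reads or writes memory it was never given, which is exactly what a server pretending to be eBay would send. The fix in the report is the same idea as error_message_safe, a literal format with the data as an argument.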
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-10 21:52:03 UTC
Created attachment 50983
bidwatcher.formstring.patch

Debian patch.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-10 21:52:40 UTC
Upstream answer:

I believe that particular section of the code has been removed from the
source during a conversion to libcurl.  I don't see it in my CVS tree,
so I think it's safe to say it's gone.

I do not plan to release a 1.3.16.1 bugfix for this issue because 1.3.16
is fairly broken due to some heavy eBay changes.  The CVS code is
getting near to a release, so 1.3.17 should just handle the issue.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 07:56:58 UTC
Early access to release tarball may be provided... Let's wait a little :)
Comment 4 solar (RETIRED) gentoo-dev 2005-02-11 13:13:07 UTC
Please keep this bug closed forever.
My two cents. This code is pure shit.

This program does not appear as if it was coded with security in mind.

A simple 
grep intf *.cpp | grep -v \" | grep \;$
shows a few things. 

bidwatcher.cpp: line 2955 
user can walk all over himself but this displays bad coding practices.
        char homePath[200];
        char lockBuffer[200];
        strcpy(homePath,getenv("HOME"));
        strcat(homePath, "/.netscape/lock");


bidwatcher.h:106:
#define MAX_STATUS_LEN 200

bidwatcher.cpp:
void showBidStatus(char *arg) {
        char msg[MAX_STATUS_LEN];
        sprintf(msg, "[%s] %s", getTimeStamp(), arg);

line 509
void auctioninfo::getkey(float bid, int quantity) {
...
..
On line 644
char lineBuff[8000];
...
..
showBidStatus(lineBuff);

This abuse of sprintf(), strcpy() list goes on and on so I would not be 
surprised in the slightest if more exploitable holes would be uncovered in this 
pkg not too far off in the near future.

Now.. This package has no metadata.xml and from reading the ChangeLog it appears that spider did the original commit but said he was not going to maintain it. 
-------------------------------------------------------------------------------
28 May 2002; Spider <spider@gentoo.org> ChangeLog bidwatcher-1.3.3.ebuild :
  Initial release from bugzilla bug. modified and updated version
  This ebuild is free target, Feel free to take over maintainance
-------------------------------------------------------------------------------
This type of thing needs to stop. If a dev is going to put a pkg in the tree he/she needs to maintain it. If he/she is unwilling to maintain it then it should not be going in the tree in the first place.
For the most part it looks like Martin Holzer <mholzer@gentoo.org> (Mr_Bones)
has been doing the version bumps.

My vote.. From now on any pkg which we have to do any sort of security for needs 
to have an official "active" maintainer and this needs to be listed in the 
metadata.xml. If these two conditions can not be met then I vote for masking 
then the axe.
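An added example, not from bidwatcher and not part of solar's comment, of bounded replacements for the two patterns quoted above: strcpy/strcat of $HOME into a 200-byte homePath, and sprintf of a line of up to 8000 bytes into a MAX_STATUS_LEN buffer. The function names are constructed; the HOME value is passed in as a parameter instead of read with getenv so the example runs without depending on the environment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATUS_LEN 200   /* the limit from bidwatcher.h quoted above */
#define PATH_BUF_LEN   200   /* size of homePath in the quoted snippet */

/* Bounded replacement for
 *     strcpy(homePath, getenv("HOME")); strcat(homePath, "/.netscape/lock");
 * The caller passes the HOME value in, so NULL (variable unset) is handled
 * here instead of crashing inside strcpy. Returns false and leaves an
 * empty string when the result would not fit. */
static bool join_home_path(char *out, size_t out_len, const char *home, const char *suffix)
{
    if (out_len == 0)
        return false;
    if (home == NULL) {
        out[0] = '\0';
        return false;
    }
    int n = snprintf(out, out_len, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= out_len) {   /* truncated: never use a partial path */
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Bounded replacement for
 *     char msg[MAX_STATUS_LEN]; sprintf(msg, "[%s] %s", getTimeStamp(), arg);
 * snprintf always NUL-terminates within msg_len; the return value tells the
 * caller whether the status line was cut, so an 8000-byte lineBuff can no
 * longer run past the 200-byte destination. */
static bool format_bid_status(char *msg, size_t msg_len, const char *stamp, const char *arg)
{
    int n = snprintf(msg, msg_len, "[%s] %s", stamp, arg);
    return n >= 0 && (size_t)n < msg_len;
}

int main(void)
{
    char path[PATH_BUF_LEN];
    char msg[MAX_STATUS_LEN];
    char line[8000];                       /* same size as bidwatcher's lineBuff */
    bool ok;

    memset(line, 'B', sizeof line - 1);    /* constructed oversized server line */
    line[sizeof line - 1] = '\0';

    ok = join_home_path(path, sizeof path, "/home/alice", "/.netscape/lock");
    printf("path ok: %d (%s)\n", ok, path);

    ok = format_bid_status(msg, sizeof msg, "12:00:00", "Bid placed");
    printf("short status fits: %d\n", ok);

    ok = format_bid_status(msg, sizeof msg, "12:00:00", line);
    printf("long status fits: %d (kept %zu bytes)\n", ok, strlen(msg));
    return 0;
}
```

Both helpers report truncation rather than silently dropping bytes; for the lock path that matters because a truncated path would point at a different file, and for the status line it lets the caller decide whether a cut message is acceptable.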
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 02:28:41 UTC
1.3.17 will be released on Feb 17th, but is it worth it ?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-15 02:50:15 UTC
No maintainer -> punt it.
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-18 07:26:31 UTC
public as of http://secunia.com/advisories/14324/ and http://sourceforge.net/project/shownotes.php?release_id=305937

public bug #82460
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-18 07:30:50 UTC

*** This bug has been marked as a duplicate of 82460 ***