From owner-freebsd-ports Tue Jan 30 3: 0:25 2001
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2371F37B4EC for ; Tue, 30 Jan 2001 03:00:07 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f0UB07602865; Tue, 30 Jan 2001 03:00:07 -0800 (PST) (envelope-from gnats)
Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18]) by hub.freebsd.org (Postfix) with SMTP id 3F98C37B6CB for ; Tue, 30 Jan 2001 02:50:54 -0800 (PST)
Received: (qmail 38823 invoked from network); 30 Jan 2001 10:52:15 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11) by 0 with SMTP; 30 Jan 2001 10:52:15 -0000
Received: (qmail 17918 invoked from network); 30 Jan 2001 10:49:53 -0000
Received: from unknown (HELO riget.scene.pl) () by 0 with SMTP; 30 Jan 2001 10:49:53 -0000
Received: (qmail 17914 invoked by uid 1001); 30 Jan 2001 10:49:52 -0000
Message-Id: <20010130104952.17913.qmail@riget.scene.pl>
Date: 30 Jan 2001 10:49:52 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/24733: mars_nwe remote format string vulnerability
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 24733
>Category: ports
>Synopsis: mars_nwe remote format string vulnerability
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 30 03:00:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 4.2-STABLE i386
>Organization: ISMEDIA
>Environment:
/usr/ports/net/mars_nwe/ as of 30 Jan 2001
>Description:
mars_nwe contains a remote format string vulnerability, allowing superuser privileges to be gained from a DOS/Windows workstation. The author of Mars was notified, but didn't release any official patches yet.
>How-To-Repeat:
Fully exploitable, but no working exploits yet.
>Fix:
Incorporate the following patch into the ports collection, issue an advisory.

--- mars_nwe/tools.c.orig Fri Jan 26 22:46:34 2001 +++ mars_nwe/tools.c Fri Jan 26 22:46:59 2001 @@ -189,7 +189,7 @@ sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection, act_ncpsequence); openlog(identstr, LOG_CONS, LOG_DAEMON); - syslog(LOG_DEBUG, buf); + syslog(LOG_DEBUG, "%s", buf); closelog(); } else { int l=strlen(buf); @@ -249,7 +249,7 @@ } sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection, act_ncpsequence); openlog(identstr, LOG_CONS, LOG_DAEMON); - syslog(prio, buf); + syslog(prio, "%s", buf); closelog(); if (!mode) return; lologfile=stderr;

>Release-Note:
>Audit-Trail:
>Unformatted:
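
Review bot: The context line `sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection, act_ncpsequence);` at the top of the first hunk (@@ -189) writes into identstr with no length bound, and neither the size of identstr nor the length of what get_debstr(0) returns is visible here. Since this function is already being touched for a string-handling bug, consider bounding that write with snprintf in the same change. The else branch that begins `int l=strlen(buf);` is cut off by the hunk, so it is also worth confirming that buf is not passed as a format string on that path. The `syslog(LOG_DEBUG, "%s", buf);` replacement itself looks correct.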
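
Review bot: In the second hunk (@@ -249) the code after `if (!mode) return;` sets `lologfile=stderr;` and continues past the visible lines, so the patch does not show whether the same buf is later written to that file with a constant format; please check that write and fix it the same way if it is not. The openlog/syslog/closelog sequence is also duplicated between the two hunks, so moving it into one helper would keep the "%s" format in a single place and make a regression at either call site less likely.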
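
An added example, not part of the original report or of mars_nwe: a small scanner that flags `syslog()` calls whose format argument is not a string literal, which is the bug class this report describes and a quick way to audit the rest of a source tree for it. The function names and the sample C source are constructed for illustration.

```python
import re

CALL = re.compile(r'\bsyslog\s*\(')   # start of a syslog() call (not vsyslog)

def split_args(src, i):
    """Split a C argument list starting just after '('; nesting and literals are respected."""
    args, cur, depth, quote = [], [], 0, None
    while i < len(src):
        c = src[i]
        if quote:
            cur.append(c)
            if c == '\\' and i + 1 < len(src):   # copy the escaped character too
                i += 1
                cur.append(src[i])
            elif c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
            cur.append(c)
        elif c in ',)' and depth == 0:           # argument boundary or end of call
            args.append(''.join(cur).strip())
            if c == ')':
                return args
            cur = []
        else:
            depth += (c == '(') - (c == ')')
            cur.append(c)
        i += 1
    return None   # unterminated call

def find_nonliteral_syslog(src):
    """Return (line, format_arg) for syslog() calls whose format is not a string literal."""
    hits = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if args and len(args) >= 2 and not args[1].startswith('"'):
            hits.append((src.count('\n', 0, m.start()) + 1, args[1]))
    return hits

# Constructed sample, not taken from mars_nwe
SAMPLE = r'''void f(int prio, char *buf) {
    syslog(LOG_DEBUG, buf);
    syslog(prio, "%s", buf);
    syslog(LOG_INFO, "conn %d, seq %d", c, s);
    syslog(prio,
           get_msg(a, b));
}'''

if __name__ == "__main__":
    print(find_nonliteral_syslog(SAMPLE))
```

The scanner is textual, so it also matches calls inside comments and cannot tell whether a flagged variable is attacker-influenced; each hit needs a manual look. Building with the `-Wformat-security` warning in gcc or clang gives a compiler-side version of the same check.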