Date:      Sun, 2 Oct 2005 11:23:08 +0200 (CEST)
From:      Emanuel Haupt <ehaupt@critical.ch>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/86825: maintainer-update: ftp/weex - fix a remote format string security bug 
Message-ID:  <200510020923.j929N8fP004863@beaver.critical.ch>
Resent-Message-ID: <200510020930.j929U99g076490@freefall.freebsd.org>


>Number:         86825
>Category:       ports
>Synopsis:       maintainer-update: ftp/weex - fix a remote format string security bug
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 02 09:30:09 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Emanuel Haupt
>Release:        FreeBSD 6.0-BETA5 i386
>Organization:
>Environment:
System: FreeBSD beaver.critical.ch 6.0-BETA5 FreeBSD 6.0-BETA5 #0: Tue Sep 27 19:38:58 CEST 2005 root@beaver.critical.ch:/usr/obj/usr/src/RELENG_6/src/sys/BEAVER i386


	
>Description:
ftp/weex suffers from a remote format string security bug.

Someone who controls an FTP server that weex will log in to can
set up malicious data in the account that weex will use, and that
will cause a format string bug that will allow remote code
execution. It will only happen when weex is first run or when its
cache files are rebuilt with the -r option, though.

The behaviour is verified in versions 2.6.1 and 2.6.1.5.

The following patch will fix the problem.

>How-To-Repeat:
// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/



[weex.capture  text/plain (2319 bytes)]
metaur@metaur:~$ cat ~/.weexrc
[test]
HostName        = my.ip.number.here
LoginName       = weextest
Password        = topsecret;)
SrcDir          = /home/metaur/local
DestDir         = /home/weextest

[default]
metaur@metaur:~$ ls -al ~/local
total 12
drwxr-xr-x   2 metaur metaur 4096 2005-10-02 03:37 .
drwxr-xr-x  59 metaur metaur 8192 2005-10-02 03:45 ..
metaur@metaur:~$
metaur@metaur:~$ ls -al /home/weextest
total 12
drwxr-sr-x  3 weextest weextest 4096 2005-10-02 03:38 .
drwxrwsr-x  6 root     staff    4096 2005-10-02 03:33 ..
drwx------  2 root     root     4096 2005-10-02 03:37 %n%n%n%n
metaur@metaur:~$
metaur@metaur:~$ weex -r test
Created directory `/home/metaur/.weex'.
Connect    : my.ip.number.here
Rebuilding cache file `/home/metaur/.weex/weex.cache.test'.
Entering   : /home/weextest/
Entering   :     /home/weextest/%n%n%n%n/
Cannot change remote current working directory to `/home/weextest/%n%n%n%n/'.
Disconnect : my.ip.number.here

Segmentation fault
metaur@metaur:~$ rm -rf .weex
metaur@metaur:~$ gdb weex
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) r test
Starting program: /usr/bin/weex test
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Created directory `/home/metaur/.weex'.
Connect    : my.ip.number.here
(no debugging symbols found)
Cache file `/home/metaur/.weex/weex.cache.test' does not exist. Creating a new one.
Entering   : /home/weextest/
Entering   :     /home/weextest/%n%n%n%n/
Cannot change remote current working directory to `/home/weextest/%n%n%n%n/'.
Disconnect : my.ip.number.here


Program received signal SIGSEGV, Segmentation fault.
0x400828a3 in vfprintf () from /lib/tls/libc.so.6
(gdb) q
The program is running.  Exit anyway? (y or n) y
metaur@metaur:~$
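The capture above shows the mechanism without spelling it out: the remote directory name `%n%n%n%n` reaches `fprintf()` as the format argument, and each `%n` makes `vfprintf()` store a byte count through a vararg that was never passed, hence the crash in libc. The following C is an added illustration, not code from the PR, from weex or from the Debian audit; the names `scan_format`, `log_line_fixed` and `fixed_logger_is_literal` are made up for this example. It walks a string the way `vfprintf()` would and counts the conversions (and the memory-writing `%n`s) it would act on, then shows the patched logging form, where the remote string is only ever a `%s` argument and is copied byte for byte.

```c
#include <stdio.h>
#include <string.h>

/* Report on what vfprintf() would do if it were handed S as its format
 * string.  A conversion consumes a variadic argument that a call such
 * as fprintf(fp, s) never supplied; "%n" goes further and stores the
 * number of bytes written so far through that bogus pointer, which is
 * why the remote directory name "%n%n%n%n" crashed weex inside vfprintf.
 * (A '*' width or precision consumes an extra argument; it is not
 * counted separately here.) */
struct fmt_report {
    int conversions;   /* %-conversions, excluding the literal "%%" */
    int writes;        /* conversions that store to memory: %n */
};

struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%" prints one '%', consumes nothing */
            continue;
        /* skip flags, field width, precision and length modifier
         * (the C99 conversion-specification grammar, 7.19.6.1) */
        while (*p && strchr("-+ #0", *p))
            p++;
        while (*p && (*p == '*' || (*p >= '0' && *p <= '9')))
            p++;
        if (*p == '.') {
            p++;
            while (*p && (*p == '*' || (*p >= '0' && *p <= '9')))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))
            p++;
        if (!*p)                    /* dangling '%' at end of string */
            break;
        r.conversions++;
        if (*p == 'n')
            r.writes++;
    }
    return r;
}

/* The unpatched weex src/log.c did, in effect,
 *     fprintf(fp, log_str[i]);
 * with log_str[i] built from the remote directory listing.  The fixed
 * form below keeps the remote string strictly as a "%s" argument, so
 * its bytes are copied, never interpreted.  (Assumed helper; snprintf
 * into a buffer stands in for the log file so the result can be checked.) */
int log_line_fixed(char *out, size_t outsz, const char *remote_name)
{
    return snprintf(out, outsz, "%s", remote_name);
}

/* Returns 1 if the fixed logger reproduces REMOTE_NAME byte for byte. */
int fixed_logger_is_literal(const char *remote_name)
{
    char buf[256];
    int n = log_line_fixed(buf, sizeof buf, remote_name);
    return n >= 0 && (size_t)n < sizeof buf
        && (size_t)n == strlen(remote_name)
        && strcmp(buf, remote_name) == 0;
}

int main(void)
{
    /* Constructed sample: the directory name from the Debian capture. */
    const char *name = "/home/weextest/%n%n%n%n/";
    struct fmt_report r = scan_format(name);
    printf("%s: %d conversions, %d of them %%n writes\n",
           name, r.conversions, r.writes);
    printf("fixed logger literal: %d\n", fixed_logger_is_literal(name));
    return 0;
}
```

The scanner is the kind of check to run over any string that crosses a trust boundary (FTP listings, file names, protocol banners) before it is allowed anywhere near a `printf`-family format parameter; in weex's case the answer for the sample name is four conversions, all of them writes, against zero supplied arguments.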

>Fix:

	



--- weex.patch begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/ftp/weex/Makefile,v
retrieving revision 1.2
diff -u -r1.2 Makefile
--- Makefile	13 Sep 2005 18:18:40 -0000	1.2
+++ Makefile	2 Oct 2005 09:15:03 -0000
@@ -7,6 +7,7 @@
 
 PORTNAME=	weex
 PORTVERSION=	2.6.1.5
+PORTREVISION=	1
 CATEGORIES=	ftp
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE_EXTENDED}
 MASTER_SITE_SUBDIR=	${PORTNAME}
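Review bot: the PORTREVISION bump is the right call for a patch that changes the installed binary, but nothing in the PR or this hunk mentions a security/vuxml entry; for a critical/high ports PR fixing remote code execution the committer will want the vulnerability recorded in VuXML so that portaudit flags the unpatched 2.6.1.5 package, so either include the entry or ask for it explicitly in the Description.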
Index: pkg-descr
===================================================================
RCS file: /home/ncvs/ports/ftp/weex/pkg-descr,v
retrieving revision 1.1
diff -u -r1.1 pkg-descr
--- pkg-descr	8 Sep 2005 11:13:30 -0000	1.1
+++ pkg-descr	2 Oct 2005 09:15:03 -0000
@@ -9,6 +9,3 @@
     * caching to speed up the synchronization process
 
 WWW: http://weex.sourceforge.net/
-
-- ehaupt
-ehaupt@critical.ch
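Review bot: the three removed lines (a blank line and the maintainer's name and address) are an unrelated cleanup bundled into a security fix. Carrying it along is fine, but the Description above only talks about the format string bug, so state in the PR that pkg-descr loses the signature, otherwise the committer has to guess whether the deletion is intentional.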
Index: files/patch-src-log.c
===================================================================
RCS file: files/patch-src-log.c
diff -N files/patch-src-log.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-src-log.c	2 Oct 2005 09:15:03 -0000
@@ -0,0 +1,11 @@
+--- src/log.c.orig	Mon Aug 18 11:52:38 2003
++++ src/log.c	Sun Oct  2 11:06:58 2005
+@@ -183,7 +183,7 @@
+ 
+ 	fp=log_open();
+ 	for(i=0;i<max_log;i++){
+-		fprintf(fp,log_str[i]);
++		fprintf(fp,"%s",log_str[i]);
+ 		free(log_str[i]);
+ 	}
+ 	free(log_str);
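Review bot: the change to `fprintf(fp,"%s",log_str[i]);` correctly closes this sink, but the loop at line 183 is only the place where the Debian capture happened to crash; before committing, confirm it is the only spot in weex where a remote-controlled string reaches a format parameter (for instance `grep -n 'printf(' src/*.c | grep -v '"'` over the extracted source) and add further files/patch-src-*.c for anything that turns up. `fputs(log_str[i],fp);` would be the idiomatic replacement and avoids the format machinery entirely, though the `"%s"` form is also fine. Since the `.orig` header carries a 2003 mtime while the port is at 2.6.1.5, verify with `make patch` that the hunk still applies cleanly to the current distfile.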
--- weex.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


