| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030607043626.29775.qmail@www.securityfocus.com>
Date: 7 Jun 2003 04:36:26 -0000
From: Vade 79 <v9@...ehalo.deadpig.org>
To: bugtraq@...urityfocus.com
Subject: man[v1.5l] catalog format strings patch.
forgot to make a patch for the original posting of the exploit. the patch
will keep the functionality, while eliminating exploitation possibilities.
original exploit ref:
http://www.securityfocus.com/archive/1/323821/2003-05-28/2003-06-03/0
bash# tar -zxvf man.src.tgz
bash# patch -p0 <man.fmtbug.patch
--- man.fmtbug.patch --
diff -urP man-1.5l/src/gripes.c man-1.5l/src/gripes.c
--- man-1.5l/src/gripes.c Wed Jul 17 20:17:23 2002
+++ man-1.5l/src/gripes.c Fri Jun 6 14:51:21 2003
@@ -28,0 +28,1 @@
+#include <string.h>
@@ -68,0 +68,2 @@
+ unsigned int i = 0;
+ unsigned short fmt_n = 0;
@@ -78,0 +78,13 @@
+ /* routine to filter format string abuse. will */
+ /* only allow %d, %s, and %o through. no more */
+ /* than two formats needed for any response. */
+ for (i = 0; s[i] != 0x0; i++){
+ if (s[i] == '%' && s[i+1]){
+ if (strchr("dso", s[i+1])) /* %d,%s,%o. */
+ fmt_n++;
+ else
+ fmt_n=3; /* anything else = <limit. */
+ }
+ if (fmt_n > 2) /* failed, default reply. */
+ s = msg[n];
+ }
diff -urP man-1.5l/src/version.h man-1.5l/src/version.h
--- man-1.5l/src/version.h Fri Jun 6 14:36:40 2003
+++ man-1.5l/src/version.h Fri Jun 6 14:51:21 2003
@@ -1,1 +1,1 @@
-static char version[] = "1.5l";
+static char version[] = "1.5l-fmtfix";
Powered by blists - more mailing lists