lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4187C074.8040602@germinus.com>
Date: Tue, 02 Nov 2004 18:14:28 +0100
From: Javier Fernandez-Sanguino <jfernandez@...minus.com>
To: infamous41md@...pop.com
Cc: bugtraq@...urityfocus.com, dhcp@...kages.debian.org
Subject: Re: debian dhcpd, old format string bug


infamous41md@...pop.com wrote:

> On Thu, 28 Oct 2004 10:31:38 +1000
> Tarragon Allen <tarragon@...he.net.au> wrote:
>>On Tuesday 26 October 2004 10:37, infamous41md@...pop.com wrote:
>>Firstly, good etiquette would have been for you to actually report the bug 
>>with Debian. I don't see any bugs raised against any of the appropriate 
>>packages regarding this.
>>
> 
> 
> I've tried contacting the person in charge of the debian security audit project
> numerous times to try and co-ordinate audits, and he doesn't respond.  I have
> better things to do with my time.  I don't provide notice when people disregard
> my emails.  If you don't like, I don't care.  My mother already taught me all
> the etiquette I need, but thanks for the moral support.  Btw, is it salad fork
> left, or dinner fork left?

The Debian audit people are not the same as the official Debian 
security team, which is the one in charge of preparing security 
advisories and fixing security bugs in the stable release.
Please read: http://www.debian.org/security/faq

The first group is an internal project that is reviewing parts of 
Debian and submitting bugs to the stable and unstable release, the 
second group fixes only the former, while the later is fixed by the 
package maintainers themselves.
http://www.debian.org/security/audit/

As to this vulnerability, CA-2002-12 is referenced as CAN-2002-0702 
[1], that, based on the page that lists lists vulnerabilities that do 
not affect the current Debian stable release [2] does not apply to the 
dhcp3-server packages. And, indeed, reviewing the comon/print.c file 
in dhcp3-server's source code you can see:

         if (errorp)
                 log_error ("%s", obuf);
         else
                 log_info ("%s", obuf);

instead of the (vulnerable):

         if (errorp)
                 log_error (obuf);
         else
                 log_info (obuf);

Which fixes the issue (see [3]). The code is _not_ present in the dhcp 
packages (version 2.0pl5-11), so they aren't vulnerable to _this_ 
issue either.

> I'm saying, grep -rn syslog * | grep -v \". Soon after I found that, I googled
> and found the CERT detailing a format string in logging code.  I assumed it was
> the exact same thing I just found.  I spoke with some debian person about this
> yesterday, or day before, and they can release an advisory to clear it up. 

That grep line brings a lot of code, some of it might be vulnerable to 
format string attacks, but it's not related to the CERT advisory at 
all. For those not having the code at hand:

$ grep -B 2 -A 2  -rn syslog * | grep -v \"
(...)
common/errwarn.c-73-#ifndef DEBUG
common/errwarn.c:74:  syslog (log_priority | LOG_ERR, mbuf);
common/errwarn.c-75-#endif

Which could be easily fixed to prevent a format string attack (but is 
not and is indeed vulnerable). Maybe this bug is related to 
CAN-2001-0181 (BID-2215). I don't have access to Caldera's code so I 
can review that...

Regards

Javier



[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
[2] http://www.debian.org/security/nonvulns-wood
[3] http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ