lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri Apr  7 21:49:20 2006
From: metaur at operamail.com (Ulf Harnhammar)
Subject: Re: [SECURITY] [DSA 1024-1] New clamav packages
 fix several vulnerabilities

> Debian Security Advisory DSA 1024-1 security@...ian.org
> Package : clamav

> CVE-2006-1615 
>     Format string vulnerabilities in the logging code have been discovered, 
>     which might lead to the execution of arbitrary code.

Is this about the strange looking syslog calls in shared/output.c? I have found them
too (boast boast), and I believe that they are no vulnerabilities at all, as the
offending data will always pass through this construct:

while((pt = strchr(vbuff, '%')))
    *pt = '_';

(For the non-programmers out there, it changes all instances of "%" in vbuff to "_".)

// Ulf Harnhammar



-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ