
Re: Release-critical Bugreport for August 10, 2001



tags 104394 patch
thanks

On Fri, Aug 10, 2001 at 06:00:02AM -0500, BugScan reporter wrote:

> Package: cfingerd (debian/main)
> Maintainer: Martin Schulze <joey@debian.org>
>   104394 Exploitable to gain local root shell

I've prepared an NMU to fix this bug, applying the relevant portions of the
patch applied to potato (the syslog format string bugs in main.c and the
off-by-one in rfc1413.c appear to have been fixed already in 1.4.3).  The diff
is attached.

Since this is a critical bug that has been open for 30 days, I'll upload in a
few days if there is no maintainer activity.

-- 
 - mdz
diff -ru cfingerd-1.4.3/src/configure.c cfingerd-1.4.3+mdz/src/configure.c
--- cfingerd-1.4.3/src/configure.c	Thu Aug 12 10:16:09 1999
+++ cfingerd-1.4.3+mdz/src/configure.c	Sat Aug 11 02:28:08 2001
@@ -692,7 +692,8 @@
 
     if (file)
 	while(!feof(file)) {
-	    char *line, ch = fgetc(file);
+	    char *line;
+	    int ch = fgetc(file);
 
 	    /* Patch by Kevin Rosenberg 10/21/95 */
 	    if (ch == EOF)
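Review bot: the `while(!feof(file))` kept in the context above the new `int ch = fgetc(file);` only turns false after a read has already failed, so termination of this loop rests entirely on the `ch == EOF` test that follows. With `ch` widened to `int` that test is now reliable (a 0xFF byte no longer aliases EOF), so consider making the read itself the loop condition, e.g. `while ((ch = fgetc(file)) != EOF)`, and dropping the feof call. Any later statement in this loop that stores `ch` into a char buffer lies outside the lines shown and should be checked for an explicit cast.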
diff -ru cfingerd-1.4.3/src/util.c cfingerd-1.4.3+mdz/src/util.c
--- cfingerd-1.4.3/src/util.c	Sat Aug 11 02:29:43 2001
+++ cfingerd-1.4.3+mdz/src/util.c	Sat Aug 11 02:28:41 2001
@@ -178,7 +178,7 @@
 
 	    pos++;
 
-	    while((line[pos] != ' ') && (!done)) {
+	    while((line[pos] != ' ') && (!done) && (newpos<80)) {
 		command[newpos] = line[pos];
 
 		if (line[pos] == ' ')
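Review bot: the bound `(newpos<80)` added to the loop condition is a bare constant whose relation to the size of `command` cannot be seen from this hunk; tie it to the buffer instead, e.g. `newpos < sizeof(command) - 1` if `command` is an array, so the limit cannot drift from the declaration and one byte stays free for the terminating NUL. If `command` is declared with exactly 80 bytes, the loop can now exit with `newpos == 80`, and a terminator written at `command[newpos]` afterwards would land one past the end. Separately, the `if (line[pos] == ' ')` in the trailing context cannot be true inside a loop guarded by `line[pos] != ' '`, and the visible condition has no test for `'\0'`, so on a line with no space the new bound is the only thing shown here that stops the copy.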
@@ -298,7 +298,7 @@
 	    for(x = 0; x < center_dist; x++)
 		printf(" ");
 
-	printf(displine);
+	printf("%s", displine);
 
 	free(displine);
     }
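Review bot: `printf("%s", displine);` could be `fputs(displine, stdout);`, which writes the same bytes without any format parsing and makes it obvious that `displine` is data. Since this is the same class of bug as the syslog calls in main.c mentioned in the cover message, building the tree with `-Wformat -Wformat-security` would confirm that no other call still passes a non-literal format string.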
