
Bug#807258: Logged transaction



#0  fmtmsg (to=0x8de4b0 "testuser", num=num@entry=0x4a1e43 "550", enhsc=0x0, eno=eno@entry=0, fmt=fmt@entry=0x4a2871 "%s", ap=ap@entry=0x7ffde99f8358, eb=0x76be20 <MsgBuf> "")
    at err.c:920
#1  0x0000000000430416 in usrerr (fmt=fmt@entry=0x4a2871 "%s") at err.c:299
#2  0x0000000000476614 in smtp (nullserver=nullserver@entry=0x0, d_flags=d_flags@entry=0x765238 <Daemons+152>, e=e@entry=0x6c8b40 <MainEnvelope>) at srvrsmtp.c:3065
#3  0x000000000040a6b6 in main (argc=6, argv=0x7ffde9a00148, envp=<optimized out>) at main.c:2711

caused by debian/patches/format-security.patch which turns
  usrerr("451 4.7.1 Greylisting in action, please come back in 00:30:00")
into
  usrerr("%s", "451 4.7.1 Greylisting in action, please come back in 00:30:00")
and "%s" does not start with an SMTP status code ... resulting in "550" from the "num"
parameter being used instead.

Help would be welcome for a proper fix. From a hardening POV this patch is needed
- we cannot pass an untrusted string (the status string returned by milter-greylist)
as a format string to printf.



Andreas
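
Added example, not part of the message above and not sendmail or Debian code: a simplified C model of the behaviour described (reply code taken from the start of the format string, otherwise from the default), together with one way to keep the status code without letting the untrusted reply act as a format string, namely doubling every '%'. The names reply_code, model_usrerr and escape_percent, the integer default 550 and the sample reply are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not sendmail's code: the reply code is read from the
 * first three characters of the format string, else the default is used. */
static int reply_code(const char *fmt, int dflt)
{
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)fmt[i]))
            return dflt;
    return (fmt[0] - '0') * 100 + (fmt[1] - '0') * 10 + (fmt[2] - '0');
}

/* Hypothetical stand-in for usrerr(): formats msg, returns the code used. */
static int model_usrerr(char *msg, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, n, fmt, ap);
    va_end(ap);
    return reply_code(fmt, 550);
}

/* Double every '%' so an untrusted reply is printed literally when used as
 * a format string. Returns 0 on success, -1 if `out` may be too small. */
static int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (2 * strlen(in) + 1 > outsz)     /* worst case: every byte is '%' */
        return -1;
    for (; *in != '\0'; in++) {
        if (*in == '%')
            out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed reply standing in for what milter-greylist returns. */
    const char *reply = "451 4.7.1 Greylisting in action (100% sure)";
    char msg[128], esc[128];
    printf("%d\n", model_usrerr(msg, sizeof msg, "%s", reply));   /* 550 */
    if (escape_percent(reply, esc, sizeof esc) == 0)
        printf("%d\n", model_usrerr(msg, sizeof msg, esc));       /* 451 */
}
```

In both calls the formatted message is identical to the reply; only the escaped form keeps the 451 code.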

