This one time, at band camp, Ulf Harnhammar said:
> > Debian Security Advisory DSA 1024-1 security@debian.org
> > Package : clamav
>
> > CVE-2006-1615
> > Format string vulnerabilities in the logging code have been discovered,
> > which might lead to the execution of arbitrary code.
>
> Is this about the strange looking syslog calls in shared/output.c? I have found them
> too (boast boast), and I believe that they are no vulnerabilities at all, as the
> offending data will always pass through this construct:
>
> while((pt = strchr(vbuff, '%')))
>     *pt = '_';
>
> (For the non-programmers out there, it changes all instances of "%" in vbuff to "_".)

Yes, except that the actually safe way to escape random strings is to pass
them as %s, rather than relying on some home brewed solution. What happens
if vbuff contained a system() argument before being passed?
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
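The two approaches discussed in this message, side by side, as an added example that is not part of the original e-mail and is not ClamAV's code. `log_sink()` is a hypothetical stand-in for `syslog()` that formats into a buffer so the logged text can be inspected; `log_scrubbed()` and `log_as_arg()` are illustrative names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(): same printf-style contract, but the
 * formatted result lands in a buffer so it can be compared afterwards. */
static char sink[256];

static void log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(sink, sizeof sink, fmt, ap);
    va_end(ap);
}

/* The construct quoted in the thread: the message is still used AS the
 * format string, and safety depends on every '%' having been rewritten. */
const char *log_scrubbed(const char *msg)
{
    char vbuff[256];
    char *pt;

    snprintf(vbuff, sizeof vbuff, "%s", msg);
    while ((pt = strchr(vbuff, '%')))
        *pt = '_';              /* alters the logged data */
    log_sink(vbuff);            /* data in the format position */
    return sink;
}

/* The approach from the reply: constant format string, message passed as
 * an argument, so no byte of it is ever interpreted as a conversion. */
const char *log_as_arg(const char *msg)
{
    log_sink("%s", msg);
    return sink;
}

int main(void)
{
    /* Constructed sample: a file name that legitimately contains '%'. */
    const char *msg = "found in 100%_off.exe (%s %n)";

    printf("scrubbed: %s\n", log_scrubbed(msg));
    printf("as arg  : %s\n", log_as_arg(msg));
    return 0;
}
```

The scrubbed variant logs a modified string and stays correct only while every code path runs the replacement loop before the call; the `%s` variant logs the bytes unchanged and needs no such invariant.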