SecurityTracker.com
Category:  Application (Generic)  >  libgda2
Vendors:  Gnome Development Team
libgda2 Format String Bugs May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015107
SecurityTracker URL:  http://securitytracker.com/id?1015107
CVE Reference:  CVE-2005-2958
Date:  Oct 26 2005
Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Description:  A vulnerability was reported in libgda2. A user may be able to cause a target application to execute arbitrary code.

The gda2 library contains two format string flaws, one in the gda_log_error() function and the other in the gda_log_message() function. Both functions pass the assembled log message, which can contain user-supplied input, to syslog() as the format string rather than as an argument to a fixed "%s" format.

A user may be able to supply specially crafted input to cause an application that uses the library to execute arbitrary code.

The flaw resides in 'gda-log.c'.

Steve Kemp reported this vulnerability.

Impact:  A user may be able to cause a target application to execute arbitrary code, potentially with elevated privileges (depending on the application that uses the affected library).
Solution:  Various Linux distribution vendors are preparing/issuing fixes.

Debian has issued a fix:

http://www.debian.org/security/2005/dsa-871

Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 26 2005 (Debian Issues Fix) libgda2 Format String Bugs May Let Users Execute Arbitrary Code   (joey@infodrom.org (Martin Schulze))
Debian has issued a fix for Debian Linux.



 Source Message Contents

Date:  Wed, 26 Oct 2005 02:22:24 -0400
Subject:  libgda2 vulnerability

 
 
Steve Kemp reported (via Red Hat):
 
libgda2 format string attack
----------------------------
 
  The gda2 library contains two format string bugs, both involving the
 use of the syslog function.
 
  The relevant code is contained in the file:
 
      libgda2-1.2.1/libgda/gda-log.c
 
  The two functions gda_log_error and gda_log_message both contain
 this code:
 
      syslog (LOG_USER | LOG_INFO, msg);
 
 
Exploitation
------------
 
  The logging functions are called throughout the code and are
 often passed user controllable input.  For example:
 
gda-xml-database.c:
 gda_log_error (_("Invalid XML database file '%s'"), uri);
 
  or
 
gda-select.c:
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);
 
 
  Whilst it is not likely that privileges could be gained by the
 library alone there are several routes for exploitation via other
 applications which link to the code.
 
  The most obvious is the "gnumeric-plugins-extra" package which
 links to and uses the code.
 
Fix
---
 
  The following patch fixes this:
 
--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_INFO, msg);
+       syslog (LOG_USER | LOG_INFO, "%s", msg);
 #endif
        g_free (msg);
 }
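Review bot: the changed syslog() line in the #else branch deserves a one-line comment stating that msg is already-formatted text that can carry caller data, so it must stay an argument and never become the format. The g_log() call two lines above it already used "%s", which is why only the syslog() path was affected; a comment, plus building with -Wformat-security, would keep the two branches from drifting apart again.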
@@ -144,7 +144,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_ERR, msg);
+       syslog (LOG_USER | LOG_ERR, "%s", msg);
 #endif
        g_free (msg);
 }
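Review bot: the unchanged g_log() line in this hunk logs at G_LOG_LEVEL_ERROR, which GLib treats as fatal, while the syslog() branch only records a LOG_ERR entry and returns, so the same call behaves differently under LIBGDA_WIN32 and the g_free (msg) that follows is not reached there. If a non-fatal error log is intended on both platforms, a lower level such as G_LOG_LEVEL_WARNING on that line would match the syslog() behaviour. The "%s" change itself is correct and mirrors the first hunk.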
 
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
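
The double parse that the patch above removes, shown as an added example that is not part of the original message or of libgda. `capture_log`, `log_error_before`, `log_error_after` and `SAMPLE_URI` are hypothetical names with constructed input, and `capture_log` stands in for syslog() so the logged entry can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for syslog(): same contract (priority, printf-style
 * format, arguments), but it writes to a buffer so the entry can be checked. */
static char last_entry[256];

static void capture_log(int priority, const char *format, ...) {
    va_list ap;
    (void)priority;
    va_start(ap, format);
    vsnprintf(last_entry, sizeof last_entry, format, ap);
    va_end(ap);
}

/* Pre-fix shape: the finished message is passed as the format string, so
 * the sink parses caller-supplied text for conversion specifiers again. */
__attribute__((format(printf, 1, 2)))
static const char *log_error_before(const char *format, ...) {
    char msg[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);
    capture_log(LOG_USER | LOG_ERR, msg);
    return last_entry;
}

/* Post-fix shape: constant "%s" format, the message travels as data. */
__attribute__((format(printf, 1, 2)))
static const char *log_error_after(const char *format, ...) {
    char msg[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);
    capture_log(LOG_USER | LOG_ERR, "%s", msg);
    return last_entry;
}

/* Constructed input. "%%" consumes no argument, so the second parse shows
 * up in the output without reading arguments that were never passed. */
static const char SAMPLE_URI[] = "report-100%%.xml";

int main(void) {
    puts(log_error_before("Invalid XML database file '%s'", SAMPLE_URI));
    puts(log_error_after("Invalid XML database file '%s'", SAMPLE_URI));
    return 0;
}
```

The pre-fix wrapper logs a file name that differs from the one supplied, while the post-fix wrapper records it byte for byte.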
 



Copyright 2005, SecurityGlobal.net LLC