Bug 171750

Summary: CVE-2005-2958 libgda format string issue
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: libgda
Assignee: Caolan McNamara <caolanm>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 3
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,source=vendorsec,public=20051025,reported=20051025
Fixed In Version: 1.0.4-3.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-27 08:10:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Josh Bressers 2005-10-25 21:12:26 UTC
Debian reported this issue to vendor-sec

From Steve Kemp:

libgda2 format string attack
----------------------------

  The gda2 library contains two format string bugs, both involving the
 use of the syslog function.

  The relevant code is contained in the file:

      libgda2-1.2.1/libgda/gda-log.c

  The two functions gda_log_error and gda_log_message both contain
 this code:

      syslog (LOG_USER | LOG_INFO, msg);


Exploitation
------------

  The logging functions are called throughout the code and are
 often passed user controllable input.  For example:

gda-xml-database.c:
 gda_log_error (_("Invalid XML database file '%s'"), uri);

  or

gda-select.c:
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);


  Whilst it is not likely that privileges could be gained by the
 library alone there are several routes for exploitation via other
 applications which link to the code.

  The most obvious is the "gnumeric-plugins-extra" package which
 links to and uses the code.

Fix
---

  The following patch fixes this:

--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_INFO, msg);
+       syslog (LOG_USER | LOG_INFO, "%s", msg);
 #endif
        g_free (msg);
 }
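Review bot: The change is the right one: `msg` is the already-expanded result of the caller's format and arguments (it is `g_free`d two lines later), so passing it to `syslog` as the format lets any `%` sequence that arrived in user data, such as a file name or SQL text, be parsed a second time; `"%s", msg` turns it into an argument, matching what the `LIBGDA_WIN32` branch already does with `g_log`. One follow-up worth asking for: build with `-Wformat -Wformat-security` so the compiler reports any remaining non-literal format handed to `syslog` or `g_log` elsewhere in the library.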
@@ -144,7 +144,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_ERR, msg);
+       syslog (LOG_USER | LOG_ERR, "%s", msg);
 #endif
        g_free (msg);
 }
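Review bot: Same fix as the first hunk, applied to the `LOG_ERR` path, and correct for the same reason. One wording point for the advisory rather than the code: the report says both functions contain `syslog (LOG_USER | LOG_INFO, msg);`, while this hunk shows the second call uses `LOG_USER | LOG_ERR`; the patch is what matters, but the description should match it.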

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
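The report above describes the bug in two sentences, but the defect is easy to misread as "the `%s` in the caller's format is the problem". It is not: the caller's format is a literal, and the danger is that the fully expanded message is then used as a second format. The following is an added example, written for this page and not part of libgda or of Steve Kemp's report; `fake_syslog`, `log_message_unsafe`, `log_message_safe` and `has_format_directive` are hypothetical names that mimic the shape of `gda_log_message` before and after the patch, and the file name `db-100%%.xml` is a constructed input. `fake_syslog` writes into a buffer instead of the system log so the two results can be compared side by side; no memory is corrupted, the input merely contains an escaped percent sign, which is enough to show that the unsafe path reinterprets user data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): same printf-style contract, but the formatted
 * result lands in a caller-supplied buffer so a test can inspect it. */
static void fake_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Shape of the pre-patch gda_log_message(): the caller's format and
 * arguments are expanded into msg (libgda does this with g_strdup_vprintf),
 * and msg is then handed to syslog() as its FORMAT string.  Any '%' that
 * came in through an argument, e.g. a user-supplied file name, is parsed
 * a second time with no matching arguments on the stack. */
void log_message_unsafe(char *out, size_t outlen, const char *format, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);
    fake_syslog(out, outlen, msg);          /* BUG: msg is the format */
}

/* Shape of the patched function: the format is the literal "%s" and msg is
 * only ever an argument, so its bytes are copied through untouched. */
void log_message_safe(char *out, size_t outlen, const char *format, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);
    fake_syslog(out, outlen, "%s", msg);    /* FIX: msg is an argument */
}

/* Review/fuzzing aid: returns 1 if a string that is about to reach a
 * printf-family function as its format contains a directive that would
 * consume arguments, i.e. a '%' not immediately followed by another '%'. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] != '%')
            return 1;          /* "%s", "%n", "%08x", or a dangling '%' */
        p += 2;                /* skip the escaped "%%" */
    }
    return 0;
}

int main(void)
{
    /* Constructed input: a file name that happens to contain "%%". */
    const char *uri = "db-100%%.xml";
    char out[256];

    log_message_unsafe(out, sizeof out, "Invalid XML database file '%s'", uri);
    printf("unsafe: %s\n", out);   /* "%%" collapsed: the name was reinterpreted */

    log_message_safe(out, sizeof out, "Invalid XML database file '%s'", uri);
    printf("safe:   %s\n", out);   /* the name is logged byte for byte */

    printf("uri contains a live directive: %d\n", has_format_directive(uri));
    return 0;
}
```

The difference in output is the whole bug: the unsafe path prints `db-100%.xml`, proving the message was parsed as a format, and with a `%n` or `%x` in place of `%%` that same parse would read or write through whatever the stack holds. Two defensive checks follow from this. At compile time, declaring logging wrappers with `__attribute__((format(printf, 3, 4)))` (GCC and Clang) and building with `-Wformat -Wformat-security` makes the compiler flag a call like `fake_syslog(out, outlen, msg)` whose format is not a literal; at review time, `has_format_directive` is the kind of predicate a fuzz harness or log-injection test can apply to any string that reaches a format parameter.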

Comment 1 Fedora Update System 2005-10-26 17:21:33 UTC
From User-Agent: XML-RPC

libgda-1.0.4-3.1 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 2 Fedora Update System 2005-11-07 19:14:17 UTC
From User-Agent: XML-RPC

libgda-1.0.4-3.1 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.