Bug 55455

Summary: syslog missing a parameter in util linux.c
Product: [Retired] Red Hat Linux Reporter: Tim Woodall <tim>
Component: util-linuxAssignee: Elliot Lee <sopwith>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: tim
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-10-31 16:36:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
fixes missing parameter to syslog in login.c none

Description Tim Woodall 2001-10-31 16:35:15 UTC 
Description of Problem:
syslog missing a parameter in util linux.c - parameters do not match 
format string.

Version-Release number of selected component (if applicable):
util-linux-2.11f

How Reproducible:
Compile time problem (in code only reached during error conditions)

Steps to Reproduce:
Compile login.c
Note warnings:
warning: format argument is not a pointer (arg4)
warning: too few arguments for format
 

Actual Results:
N/A

Expected Results:
N/A

Additional Information:
I don't think that this line should ever be reached in normal usage.

However, it can be reached on ENOMEM error from getpwnam() which will 
then result in login coredumping due to passing an integer parameter to a 
%s format.

I don't believe so but this might just be exploitable if an already 
logged in user can consume all the available memory. (I'm not an expert 
on exploiting format string bugs)

I have attached a patch (below)
Comment 1 Tim Woodall 2001-10-31 16:36:16 UTC 
Created attachment 35845 [details]
fixes missing parameter to syslog in login.c
Comment 2 Elliot Lee 2001-11-12 22:46:06 UTC 
Fixed as part of the fix to bug #54741