Bug 16331 - ypserv has possibly insecure yp_msg function
ypserv has possibly insecure yp_msg function
Status: CLOSED DEFERRED
Product: Red Hat Linux
Classification: Retired
Component: ypserv (Show other bugs)
6.2
All Linux
high Severity medium
: ---
: ---
Assigned To: Florian La Roche
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-08-16 09:07 EDT by Jarno Huuskonen
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-08-16 09:07:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jarno Huuskonen 2000-08-16 09:07:19 EDT
Hi !

This yp_msg function in yp_msg.c uses syslog in a quite insecure way:
----> syslog (LOG_NOTICE, msg);

Other functions call yp_msg like:
      yp_msg ("\t\tmapname = \"%s\"\n",
        key->map);

So if the user can somehow put format chars (%x %n etc.) to the input to
yp_msg might be able to exploit this.

NOTE: I haven't investigated this any further to see if it's exploitable !

Anyway this should be easy to patch:

--- yp_msg.c~   Sat Aug 21 10:22:20 1999
+++ yp_msg.c    Wed Aug 16 15:46:23 2000
@@ -54,7 +54,9 @@
     {
 #ifndef HAVE_VSYSLOG
       vsprintf (msg, fmt, ap);
-      syslog (LOG_NOTICE, msg);
+                       /* This looks dangerous ! -Jarno Huuskonen */
+                       /* syslog (LOG_NOTICE, msg); */
+      syslog (LOG_NOTICE, "%s", msg);
 #else
       vsyslog (LOG_NOTICE, fmt, ap);
 #endif

--
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Center   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169
Comment 1 Florian La Roche 2000-08-16 09:55:32 EDT
On Linux, this shouldn't be an issue since vsyslog is used anyway. FYI: Our
current ypserv rpm
also has a patch to fix some other syslog() calls in ypxfrd.

cu,

Florian La Roche

Note You need to log in before you can comment on or make changes to this bug.