Hi !

This yp_msg function in yp_msg.c uses syslog in a quite insecure way:

----> syslog (LOG_NOTICE, msg);

Other functions call yp_msg like:

yp_msg ("\t\tmapname = \"%s\"\n", key->map);

So if the user can somehow put format chars (%x %n etc.) into the input to yp_msg, they might be able to exploit this.

NOTE: I haven't investigated this any further to see if it's exploitable !

Anyway this should be easy to patch:

--- yp_msg.c~ Sat Aug 21 10:22:20 1999
+++ yp_msg.c Wed Aug 16 15:46:23 2000
@@ -54,7 +54,9 @@
{
#ifndef HAVE_VSYSLOG
vsprintf (msg, fmt, ap);
- syslog (LOG_NOTICE, msg);
+ /* This looks dangerous ! -Jarno Huuskonen */
+ /* syslog (LOG_NOTICE, msg); */
+ syslog (LOG_NOTICE, "%s", msg);
#else
vsyslog (LOG_NOTICE, fmt, ap);
#endif

--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen
University of Kuopio - Computer Center | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
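Review bot: the `vsprintf (msg, fmt, ap);` context line directly above the changed line is still unbounded, so in the #ifndef HAVE_VSYSLOG branch a long argument (for example a long map name substituted into a caller's "%s") can overrun msg even once syslog no longer interprets the message as a format; suggest changing it in the same hunk to `vsnprintf (msg, sizeof msg, fmt, ap);` (this assumes msg is a local array, whose declaration is not in the hunk) or otherwise bounding the write. The three added lines could also be trimmed to the single `+ syslog (LOG_NOTICE, "%s", msg);`, dropping the commented-out old call and the signed comment, since the "%s" form documents itself and the dangerous call should not survive in the source.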
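The following is an added example, not code from either message or from ypserv, that shows the two-stage rendering the posted patch relies on: the trusted format is expanded into a bounded buffer first, and the result is then handed to the log sink as the argument of a fixed "%s" format, so any '%' characters in a map name reach the log as data. snprintf stands in for syslog so the outcome can be inspected offline (both interpret formats the same way); the buffer size YP_MSG_BUF, the function names and the sink buffer are constructed for the example, and the caller format is the one quoted in the message. It also uses vsnprintf in the first stage rather than the vsprintf the patch leaves in place, which goes beyond the posted diff.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for this example; the real yp_msg buffer size is not on the page. */
#define YP_MSG_BUF 256

/* What the emulated log sink received last (stands in for the syslog daemon). */
static char g_sink[YP_MSG_BUF];

/* Stage one of a yp_msg-style logger: expand the *trusted* format with its
 * arguments into a bounded buffer. vsnprintf never writes past bufsz bytes;
 * the patch as posted still uses the unbounded vsprintf here. */
static int render_message(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return n;   /* length that would have been written; >= bufsz means truncated */
}

/* Stage two: what the sink does with its own format argument.
 * Passing a fixed "%s" makes the rendered message an argument, so a '%' inside
 * it is copied literally instead of being parsed as a conversion. In the real
 * code this line is syslog(LOG_NOTICE, "%s", msg). */
static void emit_safely(char *out, size_t outsz, const char *msg)
{
    snprintf(out, outsz, "%s", msg);
}

/* Mirrors the caller quoted in the message:
 *     yp_msg ("\t\tmapname = \"%s\"\n", key->map);
 * Returns the text exactly as the sink received it. */
const char *log_mapname(const char *mapname)
{
    char msg[YP_MSG_BUF];

    render_message(msg, sizeof msg, "\t\tmapname = \"%s\"\n", mapname);
    emit_safely(g_sink, sizeof g_sink, msg);
    return g_sink;
}

/* Shows that stage one cannot overflow its buffer however long the map name is:
 * builds a name of name_len 'A's and returns the length actually stored,
 * which is always below YP_MSG_BUF. */
size_t rendered_length(size_t name_len)
{
    char name[1024];
    char msg[YP_MSG_BUF];

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    render_message(msg, sizeof msg, "\t\tmapname = \"%s\"\n", name);
    return strlen(msg);
}

int main(void)
{
    /* A map name containing format characters arrives in the log verbatim. */
    fputs(log_mapname("%x%x%n"), stdout);
    printf("stored length for a 1000-char name: %zu\n", rendered_length(1000));
    return 0;
}
```

The second stage is the whole point of the patch: whatever the map name contains, the sink only ever parses the constant "%s". The first stage is the part the patch does not address; with vsprintf a long map name would write past msg, with vsnprintf it is silently cut at YP_MSG_BUF - 1 bytes.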
On Linux, this shouldn't be an issue since vsyslog is used anyway.

FYI: Our current ypserv rpm also has a patch to fix some other syslog() calls in ypxfrd.

cu,

Florian La Roche