Bug 171750 - CVE-2005-2958 libgda format string issue
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libgda
Version: 3
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Caolan McNamara
impact=moderate,source=vendorsec,publ...
Keywords: Security
Reported: 2005-10-25 17:12 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.0.4-3.1
Doc Type: Bug Fix
Last Closed: 2005-10-27 04:10:08 EDT

Description Josh Bressers 2005-10-25 17:12:26 EDT
Debian reported this issue to vendor-sec

From Steve Kemp:

libgda2 format string attack
----------------------------

  The gda2 library contains two format string bugs, both involving the
 use of the syslog function.

  The relevant code is contained in the file:

      libgda2-1.2.1/libgda/gda-log.c

  The two functions gda_log_error and gda_log_message both contain
 this code:

      syslog (LOG_USER | LOG_INFO, msg);


Exploitation
------------

  The logging functions are called throughout the code and are
 often passed user controllable input.  For example:

gda-xml-database.c:
 gda_log_error (_("Invalid XML database file '%s'"), uri);

  or

gda-select.c:
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);


  Whilst it is not likely that privileges could be gained by the
 library alone there are several routes for exploitation via other
 applications which link to the code.

  The most obvious is the "gnumeric-plugins-extra" package which
 links to and uses the code.

Fix
---

  The following patch fixes this:

--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_INFO, msg);
+       syslog (LOG_USER | LOG_INFO, "%s", msg);
 #endif
        g_free (msg);
 }
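
Review bot: nothing in this hunk keeps the `syslog (LOG_USER | LOG_INFO, msg)` form from coming back at the `#else` branch, which had already drifted from the WIN32 `g_log (..., "%s", msg)` call two lines above it. Building with `-Wformat -Wformat-security` flags a `syslog` call whose format is not a string literal and has no arguments, so enabling it for this file would catch a regression at compile time. A one-line comment above the call saying that `msg` can contain caller-supplied text would help as well.
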
@@ -144,7 +144,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_ERR, msg);
+       syslog (LOG_USER | LOG_ERR, "%s", msg);
 #endif
        g_free (msg);
 }
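
Review bot: the unchanged WIN32 context line `g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg)` does not behave like the `syslog (LOG_USER | LOG_ERR, "%s", msg)` line added below it, because GLib treats `G_LOG_LEVEL_ERROR` as always fatal and aborts the process, so the `g_free (msg)` after `#endif` is never reached on that branch. An input that only produces a log entry on the syslog path would terminate the application on Windows. If the function is meant to record the error and return, `G_LOG_LEVEL_CRITICAL` or `G_LOG_LEVEL_WARNING` matches `LOG_ERR` more closely.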

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
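
The difference between the two `syslog` call forms in the advisory above, as an added C example that is not part of Steve Kemp's report or of libgda. `sink_log` is a hypothetical stand-in for `syslog` that formats into a buffer, `build_msg` assumes the logger expands the caller's template into `msg` before logging, and the input is constructed to contain only `%%` so that no missing argument is ever read.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): same printf-style contract, but it writes to a
 * buffer so the result can be inspected. Hypothetical, not libgda code. */
static char sink[256];
static void sink_log(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(sink, sizeof sink, fmt, ap);
    va_end(ap);
}

/* Assumed shape of the logger: expand the caller's template into msg. */
static void build_msg(char *msg, size_t n, const char *uri) {
    snprintf(msg, n, "Invalid XML database file '%s'", uri);
}

/* Pre-patch pattern: msg, which embeds caller data, is used as the format. */
const char *log_unpatched(const char *uri) {
    char msg[200];
    build_msg(msg, sizeof msg, uri);
    sink_log(msg);
    return sink;
}

/* Patched pattern: constant format, msg travels as a plain argument. */
const char *log_patched(const char *uri) {
    char msg[200];
    build_msg(msg, sizeof msg, uri);
    sink_log("%s", msg);
    return sink;
}

/* Counts '%' directives other than "%%", i.e. ones that make a printf-style
 * function fetch an argument. Nonzero means s must not be used as a format. */
int arg_directives(const char *s) {
    int n = 0;
    for (; s[0]; s++)
        if (s[0] == '%' && s[1]) n += (*++s != '%');
    return n;
}

int main(void) {
    printf("unpatched: %s\n", log_unpatched("a%%b")); /* constructed input */
    printf("patched:   %s\n", log_patched("a%%b"));
    return 0;
}
```

The unpatched path rewrites the caller's `%%` to `%`, which shows the data is being parsed as a format; any directive that `arg_directives` counts would instead make the logger fetch an argument that was never passed.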
Comment 1 Fedora Update System 2005-10-26 13:21:33 EDT
From User-Agent: XML-RPC

libgda-1.0.4-3.1 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 2 Fedora Update System 2005-11-07 14:14:17 EST
From User-Agent: XML-RPC

libgda-1.0.4-3.1 has been pushed for FC3, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
