Red Hat Bugzilla – Bug 171750
CVE-2005-2958 libgda format string issue
Last modified: 2007-11-30 17:11:16 EST
Debian reported this issue to vendor-sec
From Steve Kemp:
libgda2 format string attack
The gda2 library contains two format string bugs, both involving the
use of the syslog function.
The relevant code is contained in the file:
The two functions gda_log_error and gda_log_message both contain
syslog (LOG_USER | LOG_INFO, msg);
The logging functions are called throughout the code and are
often passed user controllable input. For example:
gda_log_error (_("Invalid XML database file '%s'"), uri);
gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);
Whilst it is not likely that privileges could be gained by the
library alone, there are several routes for exploitation via other
applications which link to the code.
The most obvious is the "gnumeric-plugins-extra" package which
links to and uses the code.
The following patch fixes this:
--- gda-log.c-orig 2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c 2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
- syslog (LOG_USER | LOG_INFO, msg);
+ syslog (LOG_USER | LOG_INFO, "%s", msg);
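Review bot: the change is the right one for the `syslog (LOG_USER | LOG_INFO, msg)` call, since `msg` is already a fully formatted string by the time it reaches this line and may carry caller-supplied text such as the URI or SQL quoted in the report; passing it as the argument of a fixed "%s" format matches the `g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg)` call on the preceding context line. One thing to check when applying: the hunk header promises seven lines of context but only one context line survives in the pasted hunk, so `patch` will need fuzz or the hunk must be re-cut against gda-log.c. Building the file with -Wformat-security afterwards is a cheap way to confirm no other non-literal format argument remains.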
@@ -144,7 +144,7 @@
g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
- syslog (LOG_USER | LOG_ERR, msg);
+ syslog (LOG_USER | LOG_ERR, "%s", msg);
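Review bot: same fix as in the first hunk, now for the LOG_ERR path, so both syslog sinks named in the report use a literal format and the error path no longer diverges from the `g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg)` call before it. This hunk has the same truncated context as the first (header says seven lines, one shown), so check that both apply cleanly together. Worth a line in the changelog: a literal "%m" inside a message used to be expanded by syslog(3) to strerror(errno) and will now be logged verbatim, which is the intended behaviour once the message is treated as data.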
# The Debian Security Audit Project.
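The report describes the bug abstractly: a printf-style logging API expands its own arguments into `msg`, and the unpatched code then handed that finished `msg` to `syslog` as a format string, so any `%` directives that arrived inside caller-controlled data (a URI, an SQL string) were interpreted a second time. The program below is an added example and is not libgda code; `model_gda_log_message`, `log_sink_fixed` and `count_format_directives` are hypothetical names. The sink renders into a buffer instead of the system log so the result can be inspected offline, and it uses the fixed "%s" format that the patch introduces. `count_format_directives` shows why the patch matters: it counts the directives still present in the formatted message, i.e. exactly what `syslog(msg)` would have tried to interpret with no matching arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for the syslog(3) call in gda-log.c (hypothetical name).
 * Instead of writing to the system log it renders into a caller-supplied
 * buffer so the outcome can be checked offline. It takes a fixed "%s"
 * format, exactly as the patched code does. */
static void log_sink_fixed(char *out, size_t outsz, int priority, const char *msg)
{
    (void)priority; /* LOG_USER | LOG_INFO etc.; unused by the stand-in */
    snprintf(out, outsz, "%s", msg);
}

/* Minimal model of gda_log_message() (hypothetical name): a printf-style API
 * that expands its own format and arguments first, then hands the finished
 * string to the sink. */
static void model_gda_log_message(char *out, size_t outsz, const char *format, ...)
{
    char msg[512];
    va_list ap;

    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);
    va_end(ap);

    /* Patched form: msg is data, never a format string. The unpatched form,
     * syslog (LOG_USER | LOG_INFO, msg), is the CWE-134 pattern and is what
     * gcc -Wformat-security warns about. */
    log_sink_fixed(out, outsz, LOG_USER | LOG_INFO, msg);
}

/* Counts the conversion directives left in a finished message: every '%'
 * that is not part of a "%%" escape. A non-zero count means that passing
 * msg as the format argument would make syslog consume arguments that were
 * never supplied. */
static int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Runs the scenario from the report: a caller-controlled file name is logged
 * through the printf-style API. Returns how many directives the rendered
 * message still carries. */
static int demo(char *out, size_t outsz, const char *uri)
{
    model_gda_log_message(out, outsz, "Invalid XML database file '%s'", uri);
    return count_format_directives(out);
}

int main(void)
{
    char out[1024];
    /* Constructed sample input: a file name that contains printf directives. */
    int n = demo(out, sizeof out, "evil%x%x.xml");

    printf("rendered message: %s\n", out);
    printf("directives that syslog(msg) would have interpreted: %d\n", n);
    return 0;
}
```

With the patched sink the rendered line is the literal text, directives included; the count of 2 is the number of stack reads the unpatched `syslog(msg)` would have performed. The same check can be run over a project's existing log output to find call sites that are still passing formatted strings as formats.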
From User-Agent: XML-RPC
libgda-1.0.4-3.1 has been pushed for FC3, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.