A stack-based buffer overflow flaw was found in the way Webalizer, a flexible web server log file analysis program, performed import of its cache from certain tab files. A remote attacker could provide a specially-crafted tab file that, when imported would lead to wcmgr executable crash or, potentially, arbitrary code execution with the privileges of the user running the wcmgr binary.
This issue was discovered by Murray McAllister of Red Hat Security Response Team.
This issue did NOT affect the version of the webalizer package, as shipped with Red Hat Enterprise Linux 5. -- This issue affects the version of the webalizer package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the version of the webalizer package, as shipped with Fedora release of 16, 17, and 18.
This was fixed upstream in between webalizer-2.23-05 and webalizer-2.23-08, where relevant sscanf now is: i = sscanf(buffer,"%47s\t%lu\t%d\t%" SMAXHOST "s",
Created webalizer tracking bugs for this issue: Affects: fedora-all [bug 1099872]
webalizer-2.23_08-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.