SILC Client version 1.1.18 was released mentioning a format string flaw fix in its changelog:
Fixed string format vulnerability in client entry handling.
Reported and patch provided by William Cummings.
Affected code is also included in libsilc 1.1.18. Upstream commit:
I have not looked at whether this is remotely exploitable or can only be triggered by a local user setting an odd nick. The upstream commit uses the term "vulnerability", so probably remote.
In Fedora, we usually do not need to worry much about format string flaws any more, as glibc hardening / FORTIFY_SOURCE catches this type of flaw (reduces impact to a controlled abort only). SILC, however, seems to provide its own snprintf implementation, which is likely not to benefit from glibc protections (I've not verified, though):
Affected code was introduced via the following upstream commits in 2007:
It is not part of libsilc as shipped in Red Hat Enterprise Linux 4 and 5.
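The bug class discussed in the comments above, shown as an added example: this is illustrative C written for this report, not SILC's code or the upstream fix. `my_snprintf`, `render_nick_vulnerable`, `render_nick_fixed` and `count_format_conversions` are made-up names, and the nickname inputs are constructed. It shows the attacker-controlled nickname being used as the format string beside the fixed form that passes it as a `%s` argument, and why a project-private snprintf wrapper sidesteps the compiler and glibc checks that would otherwise catch the call site.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NICK_BUF 64

/* Stand-in for a project-private snprintf, like the one SILC ships.
 * The compiler does not know this is a printf-style function, so
 * -Wformat-security says nothing about the call sites below.  This
 * stand-in still ends up in glibc's vsnprintf, so FORTIFY_SOURCE's "%n"
 * check would still fire here; a from-scratch implementation gets
 * neither protection. */
static int my_snprintf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return r;
}

/* BEFORE: the nickname received from the network *is* the format string.
 * Every '%' conversion in it is interpreted: "%x" leaks stack words,
 * "%n" writes memory.  Hypothetical code, not SILC's. */
const char *render_nick_vulnerable(const char *nick)
{
    static char buf[NICK_BUF];
    my_snprintf(buf, sizeof buf, nick);
    return buf;
}

/* AFTER: the format is a literal and the nickname is plain data. */
const char *render_nick_fixed(const char *nick)
{
    static char buf[NICK_BUF];
    my_snprintf(buf, sizeof buf, "%s", nick);
    return buf;
}

/* Audit aid: count conversions in an incoming string that would consume
 * arguments or write memory.  A literal "%%" is harmless and is skipped. */
int count_format_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is an escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a nickname an attacker would choose. */
    const char *evil = "evil%x%x%n";
    printf("conversions in \"%s\": %d\n", evil, count_format_conversions(evil));
    printf("fixed: %s\n", render_nick_fixed(evil));

    /* The vulnerable path is only exercised with "%%", which consumes no
     * arguments and is defined behaviour; it still shows the nickname
     * being interpreted rather than copied. */
    printf("vuln:  %s\n", render_nick_vulnerable("100%%safe"));
    return 0;
}
```

Replacing `my_snprintf` with a direct `snprintf` call makes gcc warn at `render_nick_vulnerable` with `-Wformat-security`, which is the cheapest way to find this pattern in a code base; with a private snprintf the warning (and Fedora's `-Werror=format-security`) never sees the call, so the wrapper has to be annotated with `__attribute__((format(printf, 3, 4)))` or the call sites grepped by hand.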
libsilc-1.1.8-5.fc10 has been submitted as an update for Fedora 10.
libsilc-1.1.8-5.fc11 has been submitted as an update for Fedora 11.
More format string issues got fixed in SILC Toolkit 1.1.10:
More string format fixes in silcd and client library
As libsilc shipped in Fedora / Red Hat Enterprise Linux only contains the SILC libraries and not the client and server, the first part of the commit, fixing the issue in silcd, does not apply. The second part, lib/silcclient/command.c, is applicable to the libsilc-1.1.8 packages in Fedora.
As with one of the previous issues, this problem was introduced in 2007 via the following commit:
and hence this does not affect libsilc packages in Red Hat Enterprise Linux 4 and 5.
libsilc updates currently in F10 and F11 testing seem to need a respin.
libsilc-1.1.8-7.fc11 has been submitted as an update for Fedora 11.
libsilc-1.1.8-7.fc10 has been submitted as an update for Fedora 10.
libsilc-1.1.8-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libsilc-1.1.8-7.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Despite initial indication, this got two CVEs after all:
Multiple format string vulnerabilities in
lib/silcclient/client_entry.c in Secure Internet Live Conferencing
(SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
remote attackers to execute arbitrary code via format string
specifiers in a nickname field, related to the (1)
silc_client_add_client, (2) silc_client_update_client, and (3)
-> this is for comment #0 issues
Multiple format string vulnerabilities in lib/silcclient/command.c in
Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
SILC Client 1.1.8 and earlier, allow remote attackers to execute
arbitrary code via format string specifiers in a channel name, related
to (1) silc_client_command_topic, (2) silc_client_command_kick, (3)
silc_client_command_leave, and (4) silc_client_command_users.
-> this is for (client part of the) comment #3 issues