Re: debian dhcpd, old format string bug

From: Javier Fernandez-Sanguino (jfernandez_at_germinus.com)
Date: 11/02/04

    Date: Tue, 02 Nov 2004 18:14:28 +0100
    To: infamous41md@hotpop.com
    
    

    infamous41md@hotpop.com wrote:

    > On Thu, 28 Oct 2004 10:31:38 +1000
    > Tarragon Allen <tarragon@onthe.net.au> wrote:
    >>On Tuesday 26 October 2004 10:37, infamous41md@hotpop.com wrote:
    >>Firstly, good etiquette would have been for you to actually report the bug
    >>with Debian. I don't see any bugs raised against any of the appropriate
    >>packages regarding this.
    >>
    >
    >
    > I've tried contacting the person in charge of the debian security audit project
    > numerous times to try and co-ordinate audits, and he doesn't respond. I have
    > better things to do with my time. I don't provide notice when people disregard
    > my emails. If you don't like, I don't care. My mother already taught me all
    > the etiquette I need, but thanks for the moral support. Btw, is it salad fork
    > left, or dinner fork left?

    The Debian audit people are not the same as the official Debian
    security team, which is the one in charge of preparing security
    advisories and fixing security bugs in the stable release.
    Please read: http://www.debian.org/security/faq

    The first group is an internal project that is reviewing parts of
    Debian and submitting bugs to the stable and unstable release, the
    second group fixes only the former, while the latter is fixed by the
    package maintainers themselves.
    http://www.debian.org/security/audit/

    As to this vulnerability, CA-2002-12 is referenced as CAN-2002-0702
    [1], that, based on the page that lists vulnerabilities that do
    not affect the current Debian stable release [2] does not apply to the
    dhcp3-server packages. And, indeed, reviewing the common/print.c file
    in dhcp3-server's source code you can see:

             if (errorp)
                     log_error ("%s", obuf);
             else
                     log_info ("%s", obuf);

    instead of the (vulnerable):

             if (errorp)
                     log_error (obuf);
             else
                     log_info (obuf);

    Which fixes the issue (see [3]). The code is _not_ present in the dhcp
    packages (version 2.0pl5-11), so they aren't vulnerable to _this_
    issue either.

    > I'm saying, grep -rn syslog * | grep -v \". Soon after I found that, I googled
    > and found the CERT detailing a format string in logging code. I assumed it was
    > the exact same thing I just found. I spoke with some debian person about this
    > yesterday, or day before, and they can release an advisory to clear it up.

    That grep line brings a lot of code, some of it might be vulnerable to
    format string attacks, but it's not related to the CERT advisory at
    all. For those not having the code at hand:

    $ grep -B 2 -A 2 -rn syslog * | grep -v \"
    (...)
    common/errwarn.c-73-#ifndef DEBUG
    common/errwarn.c:74: syslog (log_priority | LOG_ERR, mbuf);
    common/errwarn.c-75-#endif

    Which could be easily fixed to prevent a format string attack (but is
    not and is indeed vulnerable). Maybe this bug is related to
    CAN-2001-0181 (BID-2215). I don't have access to Caldera's code so I
    can review that...

    Regards

    Javier

    [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
    [2] http://www.debian.org/security/nonvulns-wood
    [3] http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html
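As an added illustration (not code from the post or from the ISC dhcp source), the two functions below show the defensive side of the `log_error ("%s", obuf)` fix discussed above: a fixed-format wrapper that preserves '%' characters in the message verbatim, and a small counter of conversion specifiers that a log pipeline or audit script could use to flag untrusted text (hostnames, lease fields) before it reaches an unvetted logging path. Names and the sample hostname are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened equivalent of the dhcpd log_error()/log_info() call site:
 * the caller's text is always passed as an argument to a fixed "%s"
 * format, so any '%' sequences in obuf are copied, never interpreted.
 * Returns the number of characters snprintf would have written. */
int safe_log_format(char *out, size_t outlen, const char *obuf)
{
    return snprintf(out, outlen, "%s", obuf);
}

/* Count printf-style conversion specifiers in untrusted text.
 * "%%" is a literal percent sign and is not counted. A non-zero result
 * in a field that should never contain '%' is a useful audit signal. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;                 /* '%' followed by anything else (or end) */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a client-supplied hostname carrying directives. */
    const char *hostname = "host-%x%n";
    char line[128];

    safe_log_format(line, sizeof line, hostname);
    printf("logged verbatim : %s\n", line);
    printf("directives found: %d\n", count_directives(hostname));
    return 0;
}
```

The unsafe pattern `syslog (log_priority | LOG_ERR, mbuf)` from the grep output would instead hand `hostname` to the formatter as the format string; the fixed form is simply `syslog (log_priority | LOG_ERR, "%s", mbuf)`.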

