Debian Bug report logs - #278577
syslog format string vulnerability in gnats logging


Package: gnats; Maintainer for gnats is Debian QA Group <packages@qa.debian.org>; Source for gnats is src:gnats.

Reported by: Joey Hess <joeyh@debian.org>

Date: Wed, 27 Oct 2004 23:03:02 UTC

Severity: serious

Tags: sarge

Found in version 4.0-2

Done: Frank Lichtenheld <djpig@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#278577; Package gnats.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Chad Walstrom <chewie@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: syslog format string vulnerability in gnats logging
Date: Wed, 27 Oct 2004 18:54:37 -0400
[Message part 1 (text/plain, inline)]
Package: gnats
Version: 4.0-2
Severity: serious

CAN-2004-0623 describes a security hole in gnats:

  Phase: Assigned (20040629)
  Reference: BUGTRAQ:20040625 format string vulnerability in Gnats
  Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108820000823191&w=2
  Reference: BID:10609
  Reference: URL:http://www.securityfocus.com/bid/10609
  Reference: XF:gnats-format-string(16517)
  Reference: URL:http://xforce.iss.net/xforce/xfdb/16517

  Description:
  Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog. 

Our gnats package is apparently vulnerable, as it contains this code:

#ifdef HAVE_SYSLOG_H
        case SYSLOG:
          syslog (severity, buf);
          break;
#endif

This is a classic format string bug[1]: since the entire buf is used as
a format string, if an attacker can control what is logged, they can exploit
the syslog function to overflow memory. However, there seems to be no known
exploit at this time.

This simple change would close the hole:

	syslog (severity, "%s", buf);

-- 
see shy jo

[1] http://www.linuxfocus.org/English/July2001/article191.meta.shtml
    http://www.chinaunix.net/jh/29/18275.html
[signature.asc (application/pgp-signature, inline)]
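The pattern Joey describes above, reproduced as an added example that is not GNATS code and not part of the original report. Since the real call goes to syslogd, the example uses a small variadic stand-in, emit(), which formats into a caller-supplied buffer exactly as syslog(3) formats its message; the names log_vulnerable(), log_fixed(), count_directives() and the tainted input string are all constructed for this example. log_vulnerable() has the shape of the original syslog(severity, buf) call and log_fixed() the shape of the patched syslog(severity, "%s", buf). The input deliberately uses only "%%" so that the vulnerable path stays within defined behaviour; a real attack would use %x or %s to read the stack and %n to write to memory, which is undefined behaviour and is what makes the bug exploitable. count_directives() is the kind of check a detection rule or an input filter can apply to untrusted text: it counts printf conversions other than the escaped "%%".

```c
/* Added example (not GNATS code): the logging pattern from misc.c,
 * reproduced in a form that runs without syslogd.  emit() stands in for
 * syslog(3): a variadic function that treats its string argument as a
 * printf format.  log_vulnerable() passes attacker-controlled text as that
 * format; log_fixed() passes it as the argument of a fixed "%s" format,
 * which is the one-line change in the Debian patch. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Stand-in for syslog(3): formats into out[] instead of sending to syslogd.
 * Like syslog it has no format attribute, so the compiler cannot see the
 * misuse in log_vulnerable() unless -Wformat-security is applied to the
 * real syslog prototype. */
static void emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* The vulnerable shape: syslog (severity, buf). */
void log_vulnerable(char *out, size_t outsz, const char *buf)
{
    emit(out, outsz, buf);        /* buf is interpreted as a format string */
}

/* The fixed shape: syslog (severity, "%s", buf). */
void log_fixed(char *out, size_t outsz, const char *buf)
{
    emit(out, outsz, "%s", buf);  /* buf is data, never a format */
}

/* Count printf conversion directives in untrusted text.  "%%" is an
 * escaped percent and is not counted.  Any %n, %x, %s and so on in a field
 * that was never meant to be a format is a strong signal of a format
 * string attack attempt. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent */
        s++;                                  /* step past the '%' */
        /* skip flags, width, precision and length modifiers */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s))
            s++;
        if (*s && strchr("diouxXeEfFgGaAcspn", *s))
            n++;
        else if (!*s)
            break;                            /* dangling '%' at the end */
    }
    return n;
}

int main(void)
{
    /* Constructed input: text an attacker could place in a field that gets
     * logged.  Only "%%" is used so the vulnerable call stays defined. */
    const char *tainted = "Subject: 100%% sure %%n is bad";
    char v[LOGBUF], f[LOGBUF];

    log_vulnerable(v, sizeof v, tainted);
    log_fixed(f, sizeof f, tainted);
    printf("vulnerable: %s\n", v);   /* the %% are consumed as directives */
    printf("fixed:      %s\n", f);   /* the text is logged verbatim */
    printf("directives in \"%%08x.%%08x.%%n\": %d\n",
           count_directives("%08x.%08x.%n"));
    return 0;
}
```

The difference between the two outputs is the whole bug: in the vulnerable path the logger consumed the attacker's "%%" as directives, so it would equally consume "%x" or "%n" and act on them. Build with `-Wformat-security` (gcc) to have the compiler flag the vulnerable shape wherever syslog or another printf-family function is called with a non-literal format and no arguments.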

Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#278577; Package gnats.

Acknowledgement sent to "Chad C. Walstrom" <chewie@wookimus.net>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.

Message #10 received at 278577@bugs.debian.org:

From: "Chad C. Walstrom" <chewie@wookimus.net>
To: Joey Hess <joeyh@debian.org>, 278577@bugs.debian.org
Subject: Re: Bug#278577: syslog format string vulnerability in gnats logging
Date: Wed, 27 Oct 2004 18:10:36 -0500
I'll get to it right away.

-- 
Chad Walstrom <chewie@wookimus.net>                 | a.k.a. ^chewie
http://www.wookimus.net/                            | s.k.a. gunnarr



Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#278577; Package gnats.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.

Message #15 received at 278577@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: "Chad C. Walstrom" <chewie@wookimus.net>, 278577@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#278577: syslog format string vulnerability in gnats logging
Date: Sat, 30 Oct 2004 01:29:12 +0200
NMU patch:

diff -Naur gnats-4.0.bak/debian/changelog gnats-4.0/debian/changelog
--- gnats-4.0.bak/debian/changelog	2004-10-30 00:30:35.000000000 +0200
+++ gnats-4.0/debian/changelog	2004-10-30 00:42:19.000000000 +0200
@@ -1,3 +1,13 @@
+gnats (4.0-6.1) unstable; urgency=high
+
+  * Non-maintainer upload as requested by maintainer.
+  * CAN-2004-0623: Fix format string vulnerability in misc.c
+    (Closes: #278577) Report and patch by Joey Hess
+  * Include French translation of debconf templates by
+    Michel Grentzinger (Closes: #267572)
+
+ -- Frank Lichtenheld <djpig@debian.org>  Sat, 30 Oct 2004 00:33:09 +0200
+
 gnats (4.0-6) unstable; urgency=low
 
   * debian/gnats-user.install, debian/rules: Builds were failing because the
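Review bot: this changelog entry folds an unrelated change (the French debconf translation for #267572) into a security NMU at urgency=high. For a fix that is one line in misc.c it is safer to upload the security change alone, so that any regression seen after the upload can be attributed to that one change, and to carry the translation in a separate low-urgency upload. The CAN-2004-0623 reference, the Closes line and the credit to the reporter are fine as written.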
diff -Naur gnats-4.0.bak/debian/po/fr.po gnats-4.0/debian/po/fr.po
--- gnats-4.0.bak/debian/po/fr.po	1970-01-01 01:00:00.000000000 +0100
+++ gnats-4.0/debian/po/fr.po	2004-10-30 00:41:08.000000000 +0200
@@ -0,0 +1,226 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gnats_4.0-6\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-07-14 17:39-0500\n"
+"PO-Revision-Date: 2004-08-09 22:47+0200\n"
+"Last-Translator: Michel Grentzinger <mic.grentz@online.fr>\n"
+"Language-Team: French <debian-l10n-french@lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../templates:3
+msgid "What is the name of the GNATS site?"
+msgstr "Nom du site GNATS :"
+
+#. Type: string
+#. Description
+#: ../templates:3
+msgid ""
+"This name should be a single word, it is used as a part of the e-mail alias "
+"for delivering problem reports."
+msgstr ""
+"Le nom de site GNATS devrait être un mot simple ; il est utilisé comme un alias d'adresse "
+"pour les rapports sur les incidents de livraison de courrier."
+
+#. Type: note
+#. Description
+#: ../templates:9
+msgid "Database moved to ${GNATSDBDIR}."
+msgstr "Base de données déplacée vers ${GNATSDBDIR}"
+
+#. Type: note
+#. Description
+#: ../templates:9
+msgid ""
+"A previous package version put the GNATS database under ${BADDIR}. It has "
+"now been moved to the right location."
+msgstr ""
+"Une ancienne version du paquet avait placé la base de données sous "
+"${BADDIR}. Elle vient d'être déplacée vers l'emplacement correct."
+
+#. Type: note
+#. Description
+#: ../templates:15
+msgid "You must move the database to ${GNATSDBDIR}."
+msgstr "Déplacement nécessaire de la base de données vers ${GNATSDBDIR}"
+
+#. Type: note
+#. Description
+#: ../templates:15
+msgid ""
+"A previous package version put the GNATS database under ${BADDIR}. I could "
+"not move it to the right location, so you have to do so manually."
+msgstr ""
+"Une ancienne version du paquet avait placé la base de données GNATS sous "
+"${BADDIR}. Il n'est pas possible de la déplacer vers son emplacement correct "
+"de façon automatique : vous devez le faire vous-même."
+
+#. Type: note
+#. Description
+#: ../templates:21
+msgid ""
+"It seems you have installed Exim, with script handling disabled in its "
+"configuration.  If this is so, GNATS will not be able to receive bug reports "
+"via e-mail.  I would suggest you to uncomment one of the lines"
+msgstr ""
+"Exim semble être installé mais le traitement des scripts semble "
+"désactivé dans sa configuration. Si c'est bien le cas, GNATS ne sera pas "
+"capable de recevoir les rapports de bogues par messagerie. Il est conseillé "
+"de décommenter l'une des lignes suivantes :"
+
+#. Type: note
+#. Description
+#: ../templates:21
+msgid "${LINES}"
+msgstr "${LINES}"
+
+#. Type: note
+#. Description
+#: ../templates:21
+msgid "in your file ${EXIMCONF}, in the section \"system_aliases\"."
+msgstr "Cette modification doit se faire dans le fichier ${EXIMCONF}, à la section \"system_aliases\"."
+
+#. Type: note
+#. Description
+#: ../templates:32
+msgid "You should enable scripts in the Exim configuration."
+msgstr ""
+"Activation nécessaire du traitement des scripts dans la configuration d'Exim"
+
+#. Type: note
+#. Description
+#: ../templates:32
+msgid ""
+"It seems you have installed Exim, with no script handling enabled in its "
+"configuration.  If this is so, GNATS will not be able to receive bug reports "
+"via e-mail.  I would suggest you to add the line"
+msgstr ""
+"Exim semble installé mais le traitement des scripts est "
+"désactivé dans sa configuration. Si c'est bien le cas, GNATS ne sera pas "
+"capable de recevoir les rapports de bogues par messagerie. Il est conseillé "
+"d'ajouter la ligne suivante :"
+
+#. Type: note
+#. Description
+#: ../templates:32
+msgid "user = gnats"
+msgstr "user = gnats"
+
+#. Type: note
+#. Description
+#: ../templates:32
+msgid "to your file ${EXIMCONF}, in the section \"system_aliases\"."
+msgstr "Ce changement doit se faire dans le fichier ${EXIMCONF}, à la section \"system_aliases\"."
+
+#. Type: note
+#. Description
+#: ../templates:43
+msgid "You should set up qmail aliases for GNATS."
+msgstr "Définition des alias qmail pour GNATS"
+
+#. Type: note
+#. Description
+#: ../templates:43
+msgid ""
+"It seems you use qmail as your mail transfer program.  It is recommended to "
+"add the following lines into your qmail users/assign file:"
+msgstr ""
+"Vous semblez utiliser qmail comme agent de transport de courrier. "
+"Il est recommandé d'ajouter les lignes suivantes à votre fichier users/"
+"assign de qmail :"
+
+#. Type: note
+#. Description
+#: ../templates:43
+msgid ""
+"=gnats:gnats:41:41:/var/lib/gnats/gnats-adm::: =gnats-admin:gnats:41:41:/var/"
+"lib/gnats/gnats-adm::: =bugs:gnats:41:41:/var/lib/gnats/gnats-adm:-:bugs: "
+"=query-pr:gnats:41:41:/var/lib/gnats/gnats-adm:-:query: =${SITE}-gnats:"
+"gnats:41:41:/var/lib/gnats/gnats-adm:-:bugs:"
+msgstr ""
+"=gnats:gnats:41:41:/var/lib/gnats/gnats-adm::: =gnats-admin:gnats:41:41:/var/"
+"lib/gnats/gnats-adm::: =bugs:gnats:41:41:/var/lib/gnats/gnats-adm:-:bugs: "
+"=query-pr:gnats:41:41:/var/lib/gnats/gnats-adm:-:query: =${SITE}-gnats:"
+"gnats:41:41:/var/lib/gnats/gnats-adm:-:bugs:"
+
+#. Type: note
+#. Description
+#: ../templates:55
+msgid "You should set up GNATS mail aliases."
+msgstr "Définition des alias d'adresse GNATS"
+
+#. Type: note
+#. Description
+#: ../templates:55
+msgid ""
+"GNATS can be set to receive bug reports and database queries through mail. "
+"However, it seems you are using a mailer I am not able to setup myself, so "
+"you must do it by hand. The following addresses on localhost and appropriate "
+"actions for them should be set up:"
+msgstr ""
+"GNATS peut être paramétré pour recevoir des rapports de bogues et des "
+"requêtes de base de données à travers la messagerie. Cependant, vous semblez "
+"utiliser un client de courrier dont le paramétrage automatique est "
+"impossible. Vous devez donc le faire vous-même. L'adresse suivante sur "
+"l'hôte local et les actions appropriées pour le faire doivent être définis."
+
+#. Type: note
+#. Description
+#: ../templates:55
+msgid ""
+"gnats: redirect this to GNATS administrator\"s address gnats-admin: alias "
+"for \"gnats\" bugs: pipe it to the command \"| /usr/lib/gnats/queue-pr -q\" "
+"query-pr: pipe it to the command \"| /usr/lib/gnats/mail-query\" ${SITE}-"
+"gnats: alias for \"bugs\""
+msgstr ""
+"gnats: redirige ceci vers l'administrateur GNATS \"s adresse gnats-admin: "
+"alias pour les bogues \"gnats\": il faut le lier \"| /usr/lib/gnats/mail-"
+"query\" ${SITE}-gnats: alias pour \"bugs\""
+
+#. Type: note
+#. Description
+#: ../templates:68
+msgid "Multiple listings of the \"gnats\" userid were found in ${PASSWDFILE}."
+msgstr ""
+"Définitions multiples de l'identifiant gnats dans ${PASSWDFILE}"
+
+#. Type: note
+#. Description
+#: ../templates:68
+msgid "You should have only one \"gnats\" userid in your password file."
+msgstr ""
+"Vous ne devriez posséder qu'un seul identifiant « gnats » dans votre fichier "
+"de mots de passe."
+
+#. Type: note
+#. Description
+#: ../templates:73
+msgid "GNATS configuration needs change."
+msgstr "Modifications nécessaires de la configuration de GNATS"
+
+#. Type: note
+#. Description
+#: ../templates:73
+msgid ""
+" Please note that some GNATS configuration files have changed in the\n"
+" version 4.  You can find examples of the new configuration files in the\n"
+" directory \"/etc/gnats/defaults\"."
+msgstr ""
+"Veuillez noter que certains fichiers de configuration de GNATS ont changé "
+"dans la version 4. Vous trouverez des exemples de nouveaux fichiers de "
+"configuration dans le répertoire « /etc/gnats/defaults »."
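Review bot: two msgstr entries in this translation change the meaning of the English and should be corrected before the file ships. The entry for "This name should be a single word, it is used as a part of the e-mail alias for delivering problem reports." is rendered as an alias "pour les rapports sur les incidents de livraison de courrier", i.e. an alias for reports about mail delivery incidents, rather than the alias through which problem reports are delivered. More seriously, the entry for the manual alias list drops the whole "bugs: pipe it to the command "| /usr/lib/gnats/queue-pr -q"" item and runs the gnats-admin line into the gnats line, so an administrator following the French note would never set up the address that actually feeds reports into GNATS; the msgstr should list all five aliases (gnats, gnats-admin, bugs, query-pr, ${SITE}-gnats) with their actions, as the msgid does. Minor: the msgstr for "The following addresses on localhost and appropriate actions for them should be set up:" uses the singular "L'adresse suivante" for a list of several addresses.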
diff -Naur gnats-4.0.bak/gnats/misc.c gnats-4.0/gnats/misc.c
--- gnats-4.0.bak/gnats/misc.c	2002-12-01 04:14:58.000000000 +0100
+++ gnats-4.0/gnats/misc.c	2004-10-30 00:32:48.000000000 +0200
@@ -93,7 +93,7 @@
 	{
 #ifdef HAVE_SYSLOG_H
 	case SYSLOG:
-	  syslog (severity, buf);
+	  syslog (severity, "%s", buf);
 	  break;
 #endif
 	case MAIL:
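Review bot: the change is the correct minimal fix: buf now reaches syslog(3) as the argument of a fixed "%s" format, so any %-directives in a logged string are printed literally instead of being interpreted. Two follow-ups are worth doing while in this function: check that the MAIL branch that starts right below, and any other consumer of buf, does not hand buf to another printf-family call as its format; and build with -Wformat-security (gcc), which flags a printf-family call whose format is not a string literal and has no arguments, so that any remaining instance of the same pattern in the tree is reported.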

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Tags added: fixed. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Tags removed: fixed. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Tags added: sarge. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Reply sent to Frank Lichtenheld <djpig@debian.org>:
You have taken responsibility.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.

Message #26 received at 278577-done@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: 278577-done@bugs.debian.org
Subject: fixed version reached testing
Date: Wed, 3 Nov 2004 01:32:54 +0100
The fixed version of gnats reached testing today.

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#278577; Package gnats.

Acknowledgement sent to Chad Walstrom <chewie@wookimus.net>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.

Message #31 received at 278577@bugs.debian.org:

From: Chad Walstrom <chewie@wookimus.net>
To: 278577@bugs.debian.org
Cc: Frank Lichtenheld <djpig@debian.org>
Subject: gnats_4.0-6.1 is segfaulting
Date: Thu, 4 Nov 2004 11:45:07 -0600
[Message part 1 (text/plain, inline)]
This patch seems to have made gnatsd unstable.  gnatsd segfaults upon
starting.  I'll have to take a closer look at this one.

-- 
Chad Walstrom <chewie@wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chad Walstrom <chewie@debian.org>:
Bug#278577; Package gnats.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Chad Walstrom <chewie@debian.org>.

Message #36 received at 278577@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: Chad Walstrom <chewie@wookimus.net>
Cc: 278577@bugs.debian.org
Subject: Re: gnats_4.0-6.1 is segfaulting
Date: Fri, 5 Nov 2004 05:55:28 +0100
On Thu, Nov 04, 2004 at 11:45:07AM -0600, Chad Walstrom wrote:
> This patch seems to have made gnatsd unstable.  gnatsd segfaults upon
> starting.  I'll have to take a closer look at this one.

Huh, that would surprise me very much :/ However, if I can assist you in any way,
please let me know.

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:16:44 2014; Machine Name: buxtehude.debian.org
