Bug#287851: asterisk: format string vulnerabilities

Steve Langasek Steve Langasek <vorlon@debian.org>, 287851@bugs.debian.org
Sat, 8 Jan 2005 03:59:39 -0800


--3lcZGd9BuhuYXNfi
Content-Type: multipart/mixed; boundary="ikeVEW9yuYc//A+q"
Content-Disposition: inline


--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Confirmed using the command

  grep -rE 'ast_log\([^,]+,[^,"]+\)' .

over the sources (the pattern matches ast_log calls whose second argument
contains neither a quote nor a comma) that the cases fixed in the provided
patch are the only instances in the source where ast_log passes a variable
name instead of a format string as the second argument.

I've prepared a 0-day NMU for this bug, which will be uploaded shortly.  The
complete changeset for this NMU is attached.

Thanks,
--=20
Steve Langasek
postmodern programmer

--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="asterisk-287851.diff"
Content-Transfer-Encoding: quoted-printable

diff -u asterisk-1.0.2/debian/changelog asterisk-1.0.2/debian/changelog
--- asterisk-1.0.2/debian/changelog
+++ asterisk-1.0.2/debian/changelog
@@ -1,3 +1,12 @@
+asterisk (1:1.0.2-3.1) unstable; urgency=3Dhigh
+
+  * Non-maintainer upload.
+  * High-urgency upload for sarge-targetted RC bugfix
+  * Fix multiple format string vulnerabilities, reported by Jan
+    Niehusmann.  Closes: #287851.
+
+ -- Steve Langasek <vorlon@debian.org>  Sat,  8 Jan 2005 02:54:45 -0800
+
 asterisk (1:1.0.2-3) unstable; urgency=3Dlow
=20
   * Closes: #281524: running asterisk with realtime priority
only in patch2:
unchanged:
--- asterisk-1.0.2.orig/apps/app_voicemail.c
+++ asterisk-1.0.2/apps/app_voicemail.c
@@ -2333,7 +2333,7 @@
 				snprintf(todir, sizeof(todir), "%s/voicemail/%s/%s/INBOX",  (char *)as=
t_config_AST_SPOOL_DIR, vmtmp->context, vmtmp->mailbox);
 				snprintf(sys, sizeof(sys), "mkdir -p %s\n", todir);
 				snprintf(ext_context, sizeof(ext_context), "%s@%s", vmtmp->mailbox, vm=
tmp->context);
-				ast_log(LOG_DEBUG, sys);
+				ast_log(LOG_DEBUG, "%s", sys);
 				ast_safe_system(sys);
 	=09
 				todircount =3D count_messages(todir);
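Review bot: The `"%s"` on the ast_log line is the right fix, but the `snprintf` calls above it are still unchecked before `sys` is handed to `ast_safe_system`; if `todir` plus the `mkdir -p ` prefix exceeds `sizeof(sys)`, a silently truncated command is both logged and executed. Guard the call: `int n = snprintf(sys, sizeof(sys), "mkdir -p %s\n", todir);` then `if (n < 0 || (size_t)n >= sizeof(sys)) { ast_log(LOG_WARNING, "Command truncated, not executing\n"); } else { ast_safe_system(sys); }`. The two `cp` commands in the following `@@ -2344` hunk build `sys` the same way and need the same check. Since `todir` is only a directory path, calling `mkdir()` on it directly would avoid routing the context and mailbox fields through a shell command at all. The enclosing function starts and ends outside this hunk.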
@@ -2344,11 +2344,11 @@
 					if (!strcasecmp(s, "wav49"))
 						s =3D "WAV";
 					snprintf(sys, sizeof(sys), "cp %s/msg%04d.%s %s/msg%04d.%s\n", dir, c=
urmsg, s, todir, todircount, s);
-					ast_log(LOG_DEBUG, sys);
+					ast_log(LOG_DEBUG, "%s", sys);
 					ast_safe_system(sys);
 				}
 				snprintf(sys, sizeof(sys), "cp %s/msg%04d.txt %s/msg%04d.txt\n", dir, =
curmsg, todir, todircount);
-				ast_log(LOG_DEBUG, sys);
+				ast_log(LOG_DEBUG, "%s", sys);
 				ast_safe_system(sys);
 				snprintf(fn, sizeof(fn), "%s/msg%04d", todir,todircount);
 =09
only in patch2:
unchanged:
--- asterisk-1.0.2.orig/loader.c
+++ asterisk-1.0.2/loader.c
@@ -67,7 +67,7 @@
 		strcat(buf, buf2);
 	}
 	strcat(buf, "\n");
-	ast_log(LOG_DEBUG, buf);
+	ast_log(LOG_DEBUG, "%s", buf);
 	return 0;
 }
=20
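Review bot: The `"%s"` on the ast_log line closes the format-string hole, but the `strcat(buf, buf2)` and `strcat(buf, "\n")` immediately above still append to `buf` with no bound, so the same log line can overrun `buf` if the concatenated text is longer than its storage; `buf` is declared outside the hunk, so whether it is a fixed-size array cannot be confirmed from here. If it is, append with a size instead, e.g. `size_t len = strlen(buf); snprintf(buf + len, sizeof(buf) - len, "%s", buf2);` and likewise for the newline, or drop the trailing `"\n"` from `buf` and let the format supply it with `ast_log(LOG_DEBUG, "%s\n", buf);`. The enclosing function starts before this hunk.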
only in patch2:
unchanged:
--- asterisk-1.0.2.orig/logger.c
+++ asterisk-1.0.2/logger.c
@@ -642,7 +642,7 @@
 	} /* else
 		fprintf(stdout, stuff + opos); */
=20
-	ast_log(LOG_VERBOSE, stuff);
+	ast_log(LOG_VERBOSE, "%s", stuff);
=20
 	if (fmt[strlen(fmt)-1] !=3D '\n')=20
 		replacelast =3D 1;
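Review bot: Two lines below the fixed ast_log call, `fmt[strlen(fmt)-1]` indexes out of bounds (effectively `fmt[-1]`) when `fmt` is the empty string, because `strlen(fmt)-1` wraps to `SIZE_MAX`; the commit leaves this in place. Guard it with `if (*fmt && fmt[strlen(fmt)-1] != '\n')`, or cache `size_t fmtlen = strlen(fmt);` once and test `fmtlen > 0` before indexing. The commented-out `fprintf(stdout, stuff + opos)` branch just above the call is dead code and would be clearer deleted than carried as a comment. The enclosing function starts and ends outside this hunk.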

--ikeVEW9yuYc//A+q--

--3lcZGd9BuhuYXNfi
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB38soKN6ufymYLloRAnjSAJ0cLvC/psjVd+y75mCIHRaSKG3K9ACgqgT8
XoCbShOEr0K48DdSK//GVao=
=4jPO
-----END PGP SIGNATURE-----

--3lcZGd9BuhuYXNfi--