Bug#287851: asterisk: format string vulnerabilities
Steve Langasek
Steve Langasek <vorlon@debian.org>, 287851@bugs.debian.org
Sat, 8 Jan 2005 03:59:39 -0800
--3lcZGd9BuhuYXNfi
Content-Type: multipart/mixed; boundary="ikeVEW9yuYc//A+q"
Content-Disposition: inline
--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Confirmed using the command
grep -rE 'ast_log\([^,]+,[^,"]+\)' .
over the sources that the cases fixed in the provided patch are the only
instances where ast_log is passed a variable instead of a format string as
its second argument.
I've prepared a 0-day NMU for this bug, which will be uploaded shortly. The
complete changeset for this NMU is attached.
Thanks,
--=20
Steve Langasek
postmodern programmer
--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="asterisk-287851.diff"
Content-Transfer-Encoding: quoted-printable
diff -u asterisk-1.0.2/debian/changelog asterisk-1.0.2/debian/changelog
--- asterisk-1.0.2/debian/changelog
+++ asterisk-1.0.2/debian/changelog
@@ -1,3 +1,12 @@
+asterisk (1:1.0.2-3.1) unstable; urgency=3Dhigh
+
+ * Non-maintainer upload.
+ * High-urgency upload for sarge-targetted RC bugfix
+ * Fix multiple format string vulnerabilities, reported by Jan
+ Niehusmann. Closes: #287851.
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 8 Jan 2005 02:54:45 -0800
+
asterisk (1:1.0.2-3) unstable; urgency=3Dlow
=20
* Closes: #281524: running asterisk with realtime priority
only in patch2:
unchanged:
--- asterisk-1.0.2.orig/apps/app_voicemail.c
+++ asterisk-1.0.2/apps/app_voicemail.c
@@ -2333,7 +2333,7 @@
snprintf(todir, sizeof(todir), "%s/voicemail/%s/%s/INBOX", (char *)as=
t_config_AST_SPOOL_DIR, vmtmp->context, vmtmp->mailbox);
snprintf(sys, sizeof(sys), "mkdir -p %s\n", todir);
snprintf(ext_context, sizeof(ext_context), "%s@%s", vmtmp->mailbox, vm=
tmp->context);
- ast_log(LOG_DEBUG, sys);
+ ast_log(LOG_DEBUG, "%s", sys);
ast_safe_system(sys);
=09
todircount =3D count_messages(todir);
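Review bot: The string logged here is also handed to `ast_safe_system(sys)`, and it is built by `snprintf` from `vmtmp->context` and `vmtmp->mailbox` with no quoting, so the format-string fix leaves a shell-interpretation risk in place if either value can contain shell metacharacters (whether they are validated upstream is not visible in the hunk). The same pattern applies to the two `cp %s/msg%04d...` commands in the following hunk at -2344. Creating the directory with `mkdir()` and copying the files with plain file I/O would avoid the shell entirely; failing that, the names should be restricted to a safe character set before the commands are built. The `snprintf` results are also unchecked, so a truncated command could still be executed. The enclosing function starts and ends outside both hunks.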
@@ -2344,11 +2344,11 @@
if (!strcasecmp(s, "wav49"))
s =3D "WAV";
snprintf(sys, sizeof(sys), "cp %s/msg%04d.%s %s/msg%04d.%s\n", dir, c=
urmsg, s, todir, todircount, s);
- ast_log(LOG_DEBUG, sys);
+ ast_log(LOG_DEBUG, "%s", sys);
ast_safe_system(sys);
}
snprintf(sys, sizeof(sys), "cp %s/msg%04d.txt %s/msg%04d.txt\n", dir, =
curmsg, todir, todircount);
- ast_log(LOG_DEBUG, sys);
+ ast_log(LOG_DEBUG, "%s", sys);
ast_safe_system(sys);
snprintf(fn, sizeof(fn), "%s/msg%04d", todir,todircount);
=09
only in patch2:
unchanged:
--- asterisk-1.0.2.orig/loader.c
+++ asterisk-1.0.2/loader.c
@@ -67,7 +67,7 @@
strcat(buf, buf2);
}
strcat(buf, "\n");
- ast_log(LOG_DEBUG, buf);
+ ast_log(LOG_DEBUG, "%s", buf);
return 0;
}
=20
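Review bot: The `strcat(buf, buf2)` and `strcat(buf, "\n")` calls that build the logged string are unbounded, so the buffer can overflow before `ast_log` is reached unless its size is guaranteed elsewhere; the declaration of `buf` and the loop that fills it are outside the hunk. A bounded append such as `strncat(buf, buf2, sizeof(buf) - strlen(buf) - 1);` would keep the debug dump within the buffer, assuming `buf` is an array in this scope. The function starts outside the hunk.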
only in patch2:
unchanged:
--- asterisk-1.0.2.orig/logger.c
+++ asterisk-1.0.2/logger.c
@@ -642,7 +642,7 @@
} /* else
fprintf(stdout, stuff + opos); */
=20
- ast_log(LOG_VERBOSE, stuff);
+ ast_log(LOG_VERBOSE, "%s", stuff);
=20
if (fmt[strlen(fmt)-1] !=3D '\n')=20
replacelast =3D 1;
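Review bot: The context line `if (fmt[strlen(fmt)-1] != '\n')` reads one byte before the string when `fmt` is empty, because `strlen(fmt)-1` wraps around. A guard such as `if (fmt[0] != '\0' && fmt[strlen(fmt)-1] != '\n')` avoids the out-of-bounds read; whether an empty format should set `replacelast` is a decision for the maintainer. The commented-out `fprintf(stdout, stuff + opos);` above has the same non-literal format shape this patch removes and should be written as `fputs(stuff + opos, stdout);` if it is ever re-enabled. The function begins and ends outside the hunk.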
--ikeVEW9yuYc//A+q--