Bugtraq mailing list archives
Format strings: bug #1: BSD-lpr
From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Tue, 26 Sep 2000 00:57:04 +0100
Hi,

INTRO
-----

Welcome to a short series of security bugs, all involving mistakes with "user supplied format strings". This class of bug is very popular on Bugtraq at the moment, so what an ideal time for a few examples.

BSD-lpr
-------

If we look into lpr/lpd/printjob.c, we can find the following two lines of code

    if ((s = checkremote()))
        syslog(LOG_WARNING, s);

This is a classic format string mistake. It may not be exploitable, because the failure strings returned by checkremote() in lpr/common_source/common.c, do not contain much data that a user could control.

However, it illustrates that format string bugs creep in everywhere, even in code that gets syslog() calls correct the majority of the time, as is the case with BSD-lpr.

Fix
---

OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS, but they also offer web indexed CVS. They caught it independently as part of their "format strings" audit.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20

Conclusion
----------

The next format string bug in the series will be much more interesting.

Cheers
Chris
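An added example, not part of the original post or of BSD-lpr: the call shape quoted above next to the usual remediation of a constant "%s" format, using snprintf() so the difference shows up in the returned string. The function names and the sample message are constructed for illustration; the input contains only "%%", which consumes no argument, so both calls are well defined.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Pattern from the post: the message itself is the format argument.
 * gcc/clang flag this line with -Wformat-security; the pragma only keeps
 * the demo building where warnings are treated as errors. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_as_format(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);       /* msg is parsed for % directives */
}
#pragma GCC diagnostic pop

/* Usual remediation: constant format, message passed as data. */
static int render_as_data(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Same remediation applied to the syslog() call shape quoted in the post. */
static void log_warning(const char *msg)
{
    syslog(LOG_WARNING, "%s", msg);
}

/* Constructed sample message (not taken from checkremote()). */
static const char SAMPLE[] = "queue 100%% full";

int main(void)
{
    char a[64], b[64];

    render_as_format(a, sizeof a, SAMPLE);
    render_as_data(b, sizeof b, SAMPLE);
    printf("as format: %s\nas data:   %s\n", a, b);
    log_warning(SAMPLE);
    return 0;
}
```

Building without the pragma and with -Wformat -Wformat-security makes the compiler point at the snprintf(out, n, msg) line, which is the same check that finds syslog(LOG_WARNING, s) during an audit.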