Vulnerability Development mailing list archives

Re: [Helios Security and Administration::another bug in m4]


From: Colin Phipps <cph () NETCRAFT COM>
Date: Fri, 23 Feb 2001 11:09:48 +0000

On Thu, Feb 22, 2001 at 06:12:18PM +0100, honoriak wrote:
> [Helios Security and Administration]

> - Program: m4-1.4.0

It would be better to say "GNU m4"; there are other implementations around.

> - Vulnerability: format string bug
>
> - Details: Another format string bug in m4 1.4.0.
>
> This time it is with the -d option; another exists in the -G option.
>
> - Risk: Low (Nothing). It's not setuid. It's useless, but it's a vulnerability of course.

Debatable. If you're allowing untrusted users to specify parameters to
an interpreter like m4, you're already in trouble.

> - Example:
>
> $ m4 -d "`perl -e 'print " %n"x3'`"
> m4: Segmentation fault (core dumped)

The space after the -d means you aren't supplying arguments to the -d option;
m4 is interpreting the argument as a filename.

On a RedHat 6.2 box:
% rpm -q m4
m4-1.4-12
% m4 -d"`perl -e 'print " %n"x4'`"
m4: bad debug flags: ` %n %n %n'
% m4 -d "`perl -e 'print " %n"x3'`"
m4: zsh: segmentation fault  m4 -d  %n %n %n
% m4 -d "`perl -e 'print " %p"x4'`"
m4:  0x4010b1cc 0x4000aea0 0xbffffd64 0xbffffd38: No such file or directory

On Debian with the latest updates, the bug is fixed:
% cat /etc/debian_version
testing/unstable
% m4 --version
GNU m4 1.4
% dpkg -l m4
ii  m4             1.4-12         a macro processing language
% m4 -d "`perl -e 'print " %n"x3'`"
m4:  %n %n %n: No such file or directory
% m4 -d"`perl -e 'print " %n"x3'`"
m4: bad debug flags: ` %n %n %n'

> $ m4 -G "`perl -e 'print " %p"x4'`"
> m4:  0x4010848c 0x4000a610 0xbffffc14 0xbffffbe8: No such file or directory

-G doesn't take a parameter in GNU m4; it's an alias for --traditional.
You're just seeing the bug in the filename handling again.

Current Debian again not affected:
nausea% m4 -G "`perl -e 'print " %p"x4'`"
m4:  %p %p %p %p: No such file or directory

--
Colin Phipps                            http://www.netcraft.com/
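An added illustration, not code from this thread or from GNU m4, of the defect Colin points at in both transcripts: the non-existent "filename" reaching the error printer as the format string, beside the corrected call that passes it as a "%s" argument. The `emit_error` wrapper and the function names are constructed for the example.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Generic printf-style error printer (constructed for this example).
 * Whatever arrives as `fmt` is handed to vsnprintf, so the caller alone
 * decides whether untrusted text ever becomes the format string. */
static int emit_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the message is assembled first, including the
 * user-supplied name, and the finished text is passed as the format.
 * Any %p or %n inside the name is then interpreted by vsnprintf, which
 * is the behaviour the m4 1.4 transcripts above show.  Kept only for
 * comparison on benign input. */
int report_missing_file_unsafe(char *out, size_t outlen, const char *name)
{
    char msg[512];
    snprintf(msg, sizeof msg, "m4: %s: %s", name, strerror(ENOENT));
    return emit_error(out, outlen, msg);   /* BUG: msg is now the format */
}

/* Fixed pattern: the format is a literal; the name is only an argument,
 * so " %n %n %n" is printed back verbatim, as the fixed Debian m4 does. */
int report_missing_file_safe(char *out, size_t outlen, const char *name)
{
    return emit_error(out, outlen, "m4: %s: %s", name, strerror(ENOENT));
}

/* Review/test helper: does an argv-derived string carry a conversion
 * directive?  "%%" is a literal percent and does not count. */
int has_format_directive(const char *s)
{
    for (; (s = strchr(s, '%')) != NULL; s++) {
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}
```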