Re: debian dhcpd, old format string bug
infamous41md@xxxxxxxxxx wrote:
On Thu, 28 Oct 2004 10:31:38 +1000
Tarragon Allen <tarragon@xxxxxxxxxxxx> wrote:
On Tuesday 26 October 2004 10:37, infamous41md@xxxxxxxxxx wrote:
Firstly, good etiquette would have been for you to actually report the bug
with Debian. I don't see any bugs raised against any of the appropriate
packages regarding this.
I've tried contacting the person in charge of the debian security audit project
numerous times to try and co-ordinate audits, and he doesn't respond. I have
better things to do with my time. I don't provide notice when people disregard
my emails. If you don't like, I don't care. My mother already taught me all
the etiquette I need, but thanks for the moral support. Btw, is it salad fork
left, or dinner fork left?
The Debian audit people are not the same as the official Debian
security team, which is the one in charge of preparing security
advisories and fixing security bugs in the stable release.
Please read: http://www.debian.org/security/faq
The first group is an internal project that is reviewing parts of
Debian and submitting bugs to the stable and unstable release, the
second group fixes only the former, while the later is fixed by the
package maintainers themselves.
http://www.debian.org/security/audit/
As to this vulnerability, CA-2002-12 is referenced as CAN-2002-0702
[1], that, based on the page that lists lists vulnerabilities that do
not affect the current Debian stable release [2] does not apply to the
dhcp3-server packages. And, indeed, reviewing the comon/print.c file
in dhcp3-server's source code you can see:
if (errorp)
log_error ("%s", obuf);
else
log_info ("%s", obuf);
instead of the (vulnerable):
if (errorp)
log_error (obuf);
else
log_info (obuf);
Which fixes the issue (see [3]). The code is _not_ present in the dhcp
packages (version 2.0pl5-11), so they aren't vulnerable to _this_
issue either.
I'm saying, grep -rn syslog * | grep -v \". Soon after I found that, I googled
and found the CERT detailing a format string in logging code. I assumed it was
the exact same thing I just found. I spoke with some debian person about this
yesterday, or day before, and they can release an advisory to clear it up.
That grep line brings a lot of code, some of it might be vulnerable to
format string attacks, but it's not related to the CERT advisory at
all. For those not having the code at hand:
$ grep -B 2 -A 2 -rn syslog * | grep -v \"
(...)
common/errwarn.c-73-#ifndef DEBUG
common/errwarn.c:74: syslog (log_priority | LOG_ERR, mbuf);
common/errwarn.c-75-#endif
Which could be easily fixed to prevent a format string attack (but is
not and is indeed vulnerable). Maybe this bug is related to
CAN-2001-0181 (BID-2215). I don't have access to Caldera's code so I
can review that...
Regards
Javier
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
[2] http://www.debian.org/security/nonvulns-wood
[3] http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html