unsafe use of syslog(3)

Bug #1119983 reported by Seth Arnold
Affects | Status | Importance | Assigned to | Milestone
vde2 (Ubuntu) | Triaged | Undecided | Unassigned |

Bug Description

if ((pwd=getpwuid(port_user(port))) == NULL)
        username="(none)";
else
        username=pwd->pw_name;
iov[1].iov_len=snprintf(msg,sizeof(msg),"ipv%d %s mac=%02x:%02x:%02x:%02x:%02x:%02x port=%d vlan=%d user=%s",
                (len==4)?4:6, hostname,
                srcmac[0], srcmac[1], srcmac[2], srcmac[3], srcmac[4], srcmac[5],
                port, vlan, username);
for (epn=0; (descr=port_descr(port,epn)) != NULL; epn++) {
        int len=iov[1].iov_len;
        int descrlen=snprintf(msg+len,sizeof(msg)-len," \"%s\"",descr);
        iov[1].iov_len+=descrlen;
}
if (logfilefd >= 0) {
        time_t ntime=time(&ntime);
        ctime_r(&ntime,stime);
        writev(logfilefd,iov,3);
} else if (logfilefd != -1)
        syslog(LOG_INFO, msg);

If the hostname or the username contains format string specifiers, such as %n, this may be a format string vulnerability.

The fix should be simple; replace the final line with:

syslog(LOG_INFO, "%s", msg);

Seth Arnold (seth-arnold) wrote :
Changed in vde2 (Ubuntu):
status: New → Triaged
information type: Private Security → Public Security
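
An added example, not part of the original report or of the vde2 source: it shows that snprintf copies '%' characters from hostname and username into msg unchanged, so they are still live directives if msg is later used as a format, and that the constant "%s" format from the proposed fix emits msg verbatim. The helper names and the sample field values are constructed for illustration, and the message format is trimmed from the one in the report.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build the line the way the reported code does (fields trimmed for brevity).
 * snprintf copies hostname and username byte for byte, so any '%' they
 * contain is still present in msg afterwards. */
static int build_msg(char *msg, size_t sz, const char *hostname,
                     const char *username)
{
    return snprintf(msg, sz, "ipv%d %s port=%d vlan=%d user=%s",
                    4, hostname, 1, 0, username);
}

/* Count the directives a printf-style function would act on if `s` were
 * passed as its format argument ("%%" is a literal percent sign). */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                /* escaped percent, skip its second byte */
        else
            n++;
    }
    return n;
}

/* Directives left in msg after building it from the given untrusted fields. */
int directives_in_msg(const char *hostname, const char *username)
{
    char msg[256];
    build_msg(msg, sizeof msg, hostname, username);
    return count_directives(msg);
}

/* Format msg as data through a constant "%s", as the fixed call does, and
 * report whether the output equals msg byte for byte. */
int verbatim_as_data(const char *msg)
{
    char out[256];
    int n = snprintf(out, sizeof out, "%s", msg);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, msg) == 0;
}

/* The fixed call from the report: msg is only ever an argument. */
void log_info(const char *msg) { syslog(LOG_INFO, "%s", msg); }
```

Compiling with GCC or Clang and `-Wformat -Wformat-security` flags calls of the original form, where a non-literal string is the only argument after the priority.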