6032185 2001-01-31 14:22 +0000 /28 lines/ Joao Gouveia <tharbad@KAOTIK.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-31 19:55 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tharbad@kaotik.org
Recipient: Bugtraq (import) <15114>
Subject: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Joao Gouveia <tharbad@KAOTIK.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <008301c08b91$2df28080$501fb00a@cerc.dgaccp.pt>
Hi,
This issue has been discussed in vuln-dev (2001-01-26), see:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
Posted also on suse security list, and apparently overlooked.
The man package that ships with SuSe Linux (at least versions 6.1
through 7.0) has a format string vulnerability. Also debian 2.2r2 (at
least) is confirmed to have the same problem.
<quote>
jroberto@spike:~ > man -l %x%x%x%x
man: 4000bc7438049af00: No such file or directory
</quote>
Regards,
Joao Gouveia
------------
tharbad@kaotik.org
(6032185) --------------------------------(Rewrapped)
Comment in text 6032897 by Roman Drahtmueller <draht@SUSE.DE>
Comment in text 6041962 by Tomasz Kuźniar <mezon@PROFNET.PL>
Comment in text 6044760 by StyX <styx@MAILBOX.AS>
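The call pattern behind every report in this thread, as an added example in C (not code from man, m4 or any poster): a user-supplied file name handed to an error() routine that takes a printf-style format, in the vulnerable form and in the fixed form, plus a directive check an auditor can run on untrusted strings. The report() stand-in and the function names are assumptions made here; the message shape mimics GNU error(3).

```c
/* Added example: why "error (0, errno, name)" is a format string bug and
 * why "error (0, errno, "%s", name)" is not. Not code from man or m4. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for GNU error(3): "m4: <message>: <strerror>".
 * Writes into a caller buffer instead of stderr so results can be checked. */
static void report(char *out, size_t outlen, int errnum, const char *fmt, ...)
{
    va_list ap;
    size_t n = (size_t)snprintf(out, outlen, "m4: ");
    va_start(ap, fmt);
    if (n < outlen)
        n += (size_t)vsnprintf(out + n, outlen - n, fmt, ap);
    va_end(ap);
    if (n < outlen)
        snprintf(out + n, outlen - n, ": %s", strerror(errnum));
}

/* Vulnerable: the file name *is* the format string. Never call this with
 * untrusted input; "%x" reads whatever is on the stack and "%n" writes. */
void missing_file_unsafe(char *out, size_t outlen, const char *name)
{
    report(out, outlen, ENOENT, name);
}

/* Fixed: literal format, the name is a plain argument and is copied verbatim. */
void missing_file_safe(char *out, size_t outlen, const char *name)
{
    report(out, outlen, ENOENT, "%s", name);
}

/* Audit helper: does a string carry any conversion directive that would be
 * interpreted if it were (mis)used as a format? "%%" is a literal percent. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    missing_file_unsafe(buf, sizeof buf, "foo.m4");   /* same output as the fix for plain names */
    puts(buf);
    missing_file_safe(buf, sizeof buf, "%x%x%x%x");   /* printed verbatim, nothing interpreted */
    puts(buf);
    return 0;
}
```

Both forms print identical text for ordinary file names, which is why the defect goes unnoticed until a name containing '%' arrives.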
6032897 2001-01-31 20:43 +0100 /49 lines/ Roman Drahtmueller <draht@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-01-31 23:48 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: draht@SUSE.DE
Recipient: Bugtraq (import) <15119>
Comment on text 6032185 by Joao Gouveia <tharbad@KAOTIK.ORG>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0101312039510.830-100000@dent.suse.de>
>
> Hi,
>
> This issue has been discussed in vuln-dev (2001-01-26), see:
> http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
>
> Posted also on suse security list, and apparently overlooked.
Yes, it was overread on suse-security@suse.com, the discussion list.
SuSE's security contact is security@suse.de.
There is no guarantee that all of the interesting postings on
suse-security@suse.com can be read. :-(
> The man package that ships with SuSe Linux (at least versions 6.1 through
> 7.0) has a format string vulnerability. Also debian 2.2r2 (at least) is
> confirmed to have the same problem.
We'll fix it. As soon as we can.
Thanks for the note.
>
> <quote>
> jroberto@spike:~ > man -l %x%x%x%x
> man: 4000bc7438049af00: No such file or directory
> </quote>
>
> Regards,
>
> Joao Gouveia
> ------------
> tharbad@kaotik.org
>
Roman.
--
Roman Drahtmüller <draht@suse.de>       // "Caution: Cape does
SuSE GmbH - Security   Phone:           // not enable user to fly."
Nürnberg, Germany  +49-911-740530       // (Batman Costume warning label)
(6032897) ------------------------------------------
6041962 2001-02-02 09:36 +0100 /27 lines/ Tomasz Kuźniar <mezon@PROFNET.PL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-02 21:45 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mezon@PROFNET.PL
Recipient: Bugtraq (import) <15177>
Comment on text 6032185 by Joao Gouveia <tharbad@KAOTIK.ORG>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Tomasz Kuźniar <mezon@PROFNET.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010202093629.A23686@ania.profnet.pl>
On Wed, Jan 31, 2001 at 02:22:01PM -0000, Joao Gouveia wrote:
: The man package that ships with SuSe Linux (at least versions 6.1 through
: 7.0) has a format string vulnerability. Also debian 2.2r2 (at least) is
: confirmed to have the same problem.
:
: <quote>
: jroberto@spike:~ > man -l %x%x%x%x
: man: 4000bc7438049af00: No such file or directory
: </quote>
The same problem in most (all?) distributions is with m4 - GNU macro
processor code, when trying to use the -G option:
mezon@beata:~$ m4 -G %x%x%x%x
m4: 40012a48380491e00: No such file or directory
--
Tomasz Kuzniar <mezon@profnet.pl>
* Polska Platforma Internetowa *
~ ~ ~
"Wyjsc na ludzi - Go out on people"
(6041962) ------------------------------------------
Comment in text 6044747 by Mike Gerber <bluehell@GMX.NET>
6044747 2001-02-03 15:54 +0100 /25 lines/ Mike Gerber <bluehell@GMX.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-03 23:36 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bluehell@GMX.NET
Recipient: Bugtraq (import) <15197>
Comment on text 6041962 by Tomasz Kuźniar <mezon@PROFNET.PL>
Subject: m4 format string vulnerability [was: Re: SuSe / Debian man package ...]
------------------------------------------------------------
From: Mike Gerber <bluehell@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010203155430.A3312@kerouac.mg.de>
On Fri, Feb 02, 2001 at 09:36:29 +0100, Tomasz Kuźniar wrote:
> The same problem in most (all?) distributions is with m4 - GNU macro
> processor code, when trying use -G option:
>
> mezon@beata:~$ m4 -G %x%x%x%x
> m4: 40012a48380491e00: No such file or directory
confirmed for red hat linux 7.0:
[kerouac:mg:~]m4 -G %x
m4: 80499d9: Datei oder Verzeichnis nicht gefunden
[kerouac:mg:~]cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
[kerouac:mg:~]rpm -q m4
m4-1.4.1-3
--
mike gerber
(6044747) ------------------------------------------
Comment in text 6048043 by Jarno Huuskonen <Jarno.Huuskonen@UKU.FI>
Comment in text 6048058 by Ivo van Poorten <ipoorten@CS.VU.NL>
6048043 2001-02-04 10:27 +0200 /44 lines/ Jarno Huuskonen <Jarno.Huuskonen@UKU.FI>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 05:25 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Jarno.Huuskonen@UKU.FI
Recipient: Bugtraq (import) <15209>
Comment on text 6044747 by Mike Gerber <bluehell@GMX.NET>
Subject: Re: m4 format string vulnerability
------------------------------------------------------------
From: Jarno Huuskonen <Jarno.Huuskonen@UKU.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010204102731.A100390@messi.uku.fi>
On Sat, Feb 03, Mike Gerber wrote:
> confirmed for red hat linux 7.0:
>
> [kerouac:mg:~]m4 -G %x
> m4: 80499d9: Datei oder Verzeichnis nicht gefunden
> [kerouac:mg:~]cat /etc/redhat-release
> Red Hat Linux release 7.0 (Guinness)
> [kerouac:mg:~]rpm -q m4
> m4-1.4.1-3
I don't see this as a big problem, but here's a patch:
--- m4-1.4/src/m4.c.orig Sat Feb 3 23:06:37 2001
+++ m4-1.4/src/m4.c Sat Feb 3 23:07:26 2001
@@ -369,7 +369,7 @@
case 'o':
if (!debug_set_output (optarg))
- error (0, errno, optarg);
+ error (0, errno, "%s", optarg);
break;
case 's':
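Review bot: The replacement `error (0, errno, "%s", optarg);` is the right fix for the `-o` case, but the patch only covers the two call sites it touches; suggest grepping src/m4.c (and the rest of the tree) for every `error (` call whose third argument is a variable rather than a string literal, and building with a compiler format check such as gcc's -Wformat-security where available, so a reintroduced `error (0, errno, <variable>)` fails review instead of shipping. With the literal format, an optarg containing `%` directives is copied into the message verbatim rather than interpreted.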
@@ -466,7 +466,7 @@
fp = path_search (argv[optind]);
if (fp == NULL)
{
- error (0, errno, argv[optind]);
+ error (0, errno, "%s", argv[optind]);
continue;
}
else
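Review bot: This is the call site behind the `m4 -G %x` output quoted earlier in the thread, and the fix is correct: `-G` (--traditional) takes no argument in m4 1.4, so `%x` lands in argv[optind], path_search() fails with ENOENT, and the name reaches error() as its format, which is also why every report ends in a "No such file or directory" message. Since the `continue` keeps m4 processing its remaining arguments after the error, a regression test that runs m4 on a nonexistent name containing `%s` and checks that the name appears literally in stderr would pin the behaviour without touching anything else.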
One thing I noticed: if your system doesn't have mkstemp/tmpfile
m4 comes with its own implementation of tmpfile/mkstemp.
This uses mktemp and open (w/out O_EXCL).
-Jarno
(6048043) ------------------------------------------
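The fallback Jarno describes, as an added example in C (not m4's code): a mktemp() name followed by an open() without O_EXCL, beside the mkstemp() form that creates the file atomically, plus an fstat() check an auditor can apply to the resulting descriptor. Function names, the TMPDIR/"/tmp" template and the 0600 expectation are assumptions made here.

```c
/* Added example: racy temp-file creation vs. the mkstemp() replacement.
 * Not m4's code; written to illustrate the note about mktemp + open(). */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a name is picked first, the file is opened later, and
 * O_EXCL is missing. Anything placed under that name in between (a file or
 * a symlink) is silently opened and truncated. Shown for contrast only. */
int tmp_open_racy(char *tmpl)
{
    if (mktemp(tmpl) == NULL || tmpl[0] == '\0')
        return -1;
    return open(tmpl, O_RDWR | O_CREAT | O_TRUNC, 0600);   /* no O_EXCL */
}

/* Fixed: mkstemp() generates the name and opens it with O_CREAT|O_EXCL and
 * mode 0600 in one step, so there is no window in which the name can be
 * hijacked. The file is unlinked at once, giving tmpfile()-like semantics. */
FILE *tmp_open_secure(void)
{
    char tmpl[256];
    const char *dir = getenv("TMPDIR");          /* assumption: TMPDIR or /tmp is writable */
    int fd, len;
    FILE *fp;

    len = snprintf(tmpl, sizeof tmpl, "%s/m4XXXXXX", (dir && *dir) ? dir : "/tmp");
    if (len < 0 || (size_t)len >= sizeof tmpl)
        return NULL;
    fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    unlink(tmpl);                                /* anonymous: gone when closed */
    fp = fdopen(fd, "w+");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Audit check on an open descriptor: regular file, owned by the caller,
 * no group/other permission bits. Returns 1 if it passes, 0 otherwise. */
int tmp_fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    FILE *fp = tmp_open_secure();
    if (fp == NULL) { perror("mkstemp"); return 1; }
    fputs("dnl scratch data\n", fp);
    printf("secure temp file is private: %d\n", tmp_fd_is_private(fileno(fp)));
    fclose(fp);
    return 0;
}
```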
6048058 2001-02-04 04:05 +0000 /32 lines/ Ivo van Poorten <ipoorten@CS.VU.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 05:45 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: ivop@euronet.nl
Recipient: Bugtraq (import) <15213>
Comment on text 6044747 by Mike Gerber <bluehell@GMX.NET>
Subject: Re: m4 format string vulnerability [was: Re: SuSe / Debian man package ...]
------------------------------------------------------------
From: Ivo van Poorten <ipoorten@CS.VU.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <01020404055500.18404@morris.paisley.park>
On Saturday 03 February 2001 14:54, Mike Gerber wrote:
> confirmed for red hat linux 7.0:
>
> [kerouac:mg:~]m4 -G %x
> m4: 80499d9: Datei oder Verzeichnis nicht gefunden
> [kerouac:mg:~]cat /etc/redhat-release
> Red Hat Linux release 7.0 (Guinness)
> [kerouac:mg:~]rpm -q m4
> m4-1.4.1-3
Same here:
[ivo@vanity ~]$ m4 -G %x
m4: 80497fb: No such file or directory
[ivo@vanity ~]$ rpm -q m4
m4-1.4-17mdk
[ivo@vanity ~]$ cat /etc/mandrake-release
Linux Mandrake release 7.2 (Odyssey) for i586
--Ivo
--
If the Windows desktop starts to topple, it's like a redwood tree.
It takes a long time for it to fall, but it's really hard to stop once
it starts. -- Carl Howe.
(6048058) ------------------------------------------
6044760 2001-02-03 16:30 +0100 /50 lines/ StyX <styx@MAILBOX.AS>
Sent by: joel@lysator.liu.se
Imported: 2001-02-03 23:41 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: styx@MAILBOX.AS
Recipient: Bugtraq (import) <15198>
Comment on text 6032185 by Joao Gouveia <tharbad@KAOTIK.ORG>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: StyX <styx@MAILBOX.AS>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A7C2431.35F9FD10@mailbox.as>
Joao Gouveia wrote:
>
> Hi,
>
> This issue has been discussed in vuln-dev (2001-01-26), see:
> http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
>
> Posted also on suse security list, and apparently overlooked.
>
> The man package that ships with SuSe Linux (at least versions 6.1 through
> 7.0) has a format string vulnerability. Also debian 2.2r2 (at least) is
> confirmed to have the same problem.
>
> <quote>
> jroberto@spike:~ > man -l %x%x%x%x
> man: 4000bc7438049af00: No such file or directory
> </quote>
>
> Regards,
>
> Joao Gouveia
> ------------
> tharbad@kaotik.org
Hmm... What about this?
styx@SuxOS-devel:~$ man -l %n%n%n%n
man: Segmentation fault
styx@SuxOS-devel:~$
This was on my Debian 2.2 potato system (It doesn't dump core though).
--
StyX
styx@mailbox.as
(6044760) ------------------------------------------
Comment in text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Comment in text 6048048 by Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
6048039 2001-02-04 01:48 +0100 /24 lines/ Robert van der Meulen <rvdm@CISTRON.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 05:21 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rvdm@CISTRON.NL
Recipient: Bugtraq (import) <15208>
Comment on text 6044760 by StyX <styx@MAILBOX.AS>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Robert van der Meulen <rvdm@CISTRON.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010204014834.A1351@lin-gen.com>
Hi,
Quoting StyX (styx@MAILBOX.AS):
> styx@SuxOS-devel:~$ man -l %n%n%n%n
> man: Segmentation fault
> styx@SuxOS-devel:~$
>
> This was on my Debian 2.2 potato system (It doesn't dump core though).
Just for the record:
on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
this doesn't impose a security problem.
I don't know about Suse/Redhat/others.
Greets,
Robert
--
Linux Generation
(6048039) ------------------------------------------
Comment in text 6048120 by Ethan Benson <erbenson@ALASKA.NET>
Comment in text 6048136 by Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
6048120 2001-02-04 21:06 -0900 /34 lines/ Ethan Benson <erbenson@ALASKA.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 07:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: erbenson@ALASKA.NET
Recipient: Bugtraq (import) <15216>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> Hi,
>
> Quoting StyX (styx@MAILBOX.AS):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
> I don't know about Suse/Redhat/others.
This is not correct, on debian man is suid man and /var/cache/man
(cached preformatted man pages) is owned by user man. It is suid
rather than setgid so users do not end up owning more files in /var.
on debian /usr/bin/man is really a wrapper program which when run as
root does a setuid man before execing /usr/lib/man-db/man. The idea
is to prevent a user man compromise from turning into a root
compromise. (compromise user man, replace man binaries, wait for root
or cron to run man/mandb)
$ ls -l /usr/lib/man-db/man*
-rwsr-xr-x 1 man root 94676 Apr 6 2000 /usr/lib/man-db/man
-rwsr-xr-x 1 man root 74168 Apr 6 2000 /usr/lib/man-db/mandb
$
--
Ethan Benson
http://www.alaska.net/~erbenson/
(6048120) ------------------------------------------
Attachment (application/pgp-signature) in text 6048121
6048121 2001-02-04 21:06 -0900 /10 lines/ Ethan Benson <erbenson@ALASKA.NET>
Imported: 2001-02-05 07:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: erbenson@ALASKA.NET
Recipient: Bugtraq (import) <15217>
Attachment (text/plain) to text 6048120
Subject: Attachment to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
(6048121) ------------------------------------------
6048136 2001-02-05 00:12 -0500 /22 lines/ Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 07:51 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Valdis.Kletnieks@VT.EDU
Recipient: Bugtraq (import) <15219>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102050512.f155CVV19060@foo-bar-baz.cc.vt.edu>
On Sun, 04 Feb 2001 01:48:34 +0100, Robert van der Meulen <rvdm@CISTRON.NL> said:
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
Although it may not apply to *this* *particular* issue, let's all not
forget that just because something is not suid/sgid it's not a
security issue. I'm sure that both 'man' and 'm4' get run a *lot* as
root, and have we forgotten the .sy nroff command and trojan
manpages? ;)
It will be a security problem as soon as somebody finds a way to get
root to run 'man -l %n' or 'm4 -G %n'.... ;)
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
(6048136) --------------------------------(Rewrapped)
6048048 2001-02-04 11:05 +0100 /52 lines/ Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 05:34 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: joey@infodrom.north.de
Recipient: Bugtraq (import) <15211>
Comment on text 6044760 by StyX <styx@MAILBOX.AS>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010204110554.V15483@finlandia.infodrom.north.de>
StyX wrote:
> Joao Gouveia wrote:
> >
> > Hi,
> >
> > This issue has been discussed in vuln-dev (2001-01-26), see:
> > http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
> >
> > Posted also on suse security list, and apparently overlooked.
> >
> > The man package that ships with SuSe Linux (at least versions 6.1 through
> > 7.0) has a format string vulnerability. Also debian 2.2r2 (at least) is
> > confirmed to have the same problem.
> >
> > <quote>
> > jroberto@spike:~ > man -l %x%x%x%x
> > man: 4000bc7438049af00: No such file or directory
> > </quote>
> >
> > Regards,
> >
> > Joao Gouveia
> > ------------
> > tharbad@kaotik.org
>
> Hmm... What about this?
>
> styx@SuxOS-devel:~$ man -l %n%n%n%n
> man: Segmentation fault
> styx@SuxOS-devel:~$
>
> This was on my Debian 2.2 potato system (It doesn't dump core though).
Please tell me what you gain from this. man does not run setuid
root/man but only setgid man. So all you can exploit this to is a
shell running under your own user id.
Please correct me if I'm mistaken.
Regards,
Joey
--
GNU GPL: "The source will be with you... always."
(6048048) --------------------------------(Rewrapped)
Comment in text 6048133 by Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
6048133 2001-02-04 23:29 -0500 /19 lines/ Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 07:49 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jose@BIOCSERVER.BIOC.CWRU.EDU
Recipient: Bugtraq (import) <15218>
Comment on text 6048048 by Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0102042328410.23404-100000@biocserver.BIOC.CWRU.Edu>
On Sun, 4 Feb 2001, Martin Schulze wrote:
> Please tell me what you gain from this. man does not run setuid
> root/man but only setgid man. So all you can exploit this to is a
> shell running under your own user id.
sucker admins who m4 their sendmail.mc's as root, chiefly if you trick
them into processing an untrusted and untrustworthy .mc file.
____________________________
jose nazario jose@cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
(6048133) ------------------------------------------
6041677 2001-02-02 11:10 +0100 /14 lines/ Manuel Martinez Herraiz <maherma@JAZZFREE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-02 19:48 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: maherma@JAZZFREE.COM
Recipient: Bugtraq (import) <15173>
Subject: Re: String vuln. in m4 macro processor (same as in man)
------------------------------------------------------------
Hi,
RedHat 6.1/6.2 also have this problem:
REDHAT 6.2
[root@haendel mmh]# m4 -G %p
m4: 0x401091ec: No existe el fichero o el directorio
REDHAT 6.1
[root@mandanga mmh]# m4 -G %p
m4: 0x4010548c: No existe el fichero o el directorio
Manuel Martinez.
(6041677) ------------------------------------------