man[v1.5l] catalog format strings patch.
From: Vade 79 (v9
fakehalo.deadpig.org)
Date: Fri Jun 06 2003 - 23:36:26 CDT
forgot to make a patch for the original posting of the exploit. the patch
will keep the functionality, while eliminating exploitation possibilities.
original exploit ref:
http://www.securityfocus.com/archive/1/323821/2003-05-28/2003-06-03/0
bash# tar -zxvf man.src.tgz
bash# patch -p0 <man.fmtbug.patch
--- man.fmtbug.patch --
diff -urP man-1.5l/src/gripes.c man-1.5l/src/gripes.c
--- man-1.5l/src/gripes.c Wed Jul 17 20:17:23 2002
+++ man-1.5l/src/gripes.c Fri Jun 6 14:51:21 2003

-28,0 +28,1 
+#include <string.h>

-68,0 +68,2 
+ unsigned int i = 0;
+ unsigned short fmt_n = 0;

-78,0 +78,13 
+ /* routine to filter format string abuse. will */
+ /* only allow %d, %s, and %o through. no more */
+ /* than two formats needed for any response. */
+ for (i = 0; s[i] != 0x0; i++){
+ if (s[i] == '%' && s[i+1]){
+ if (strchr("dso", s[i+1])) /* %d,%s,%o. */
+ fmt_n++;
+ else
+ fmt_n=3; /* anything else = <limit. */
+ }
+ if (fmt_n > 2) /* failed, default reply. */
+ s = msg[n];
+ }
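Review bot: The fallback `s = msg[n];` sits inside the `for` loop, so once the catalog string is rejected the loop keeps advancing `i` over the default message from wherever it was; if `msg[n]` is shorter than the rejected string the condition `s[i] != 0x0` reads past the default message's terminator. Close the loop after the inner `if` block and place `if (fmt_n > 2) s = msg[n];` after it, or `break` as soon as `fmt_n` exceeds 2. Note as well that the check only bounds the number and type of directives to d/s/o; it does not compare them with the directives actually present in `msg[n]`, so a catalog entry whose directive count or order differs from the built-in message for the same `n` still passes, and a comparison against `msg[n]` would close that gap. The filter also rejects a literal `%%`, which the comment above the loop should say. The enclosing function starts and ends outside the hunk.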
diff -urP man-1.5l/src/version.h man-1.5l/src/version.h
--- man-1.5l/src/version.h Fri Jun 6 14:36:40 2003
+++ man-1.5l/src/version.h Fri Jun 6 14:51:21 2003

-1,1 +1,1 
-static char version[] = "1.5l";
+static char version[] = "1.5l-fmtfix";