[Secure-testing-team] Bug#693657: Error logging on Linux is dangerous
Ben Hutchings
ben at decadent.org.uk
Mon Nov 19 01:44:57 UTC 2012
Source: oss4
Version: 4.2-build2006-2
Severity: normal
Tags: security patch
The Linux implementation of oss_cmn_err() uses a fixed-size temporary
buffer and does not protect against overflow. Although this is not
obviously exploitable, it could well become exploitable in future.
The argument counting and copying is also unportable and generally
incorrect.
Ben.
-- System Information:
Debian Release: wheezy/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-error-logging-fixes.patch
Type: text/x-diff
Size: 1723 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20121119/e1f8414d/attachment.patch>
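
An added illustration, not code from the oss4 source or from the attached patch: one way to format a variadic log message into a fixed-size buffer without overflow is to forward the `va_list` to `vsnprintf` instead of counting and copying the arguments by hand. The names `bounded_log`, `bounded_log_v` and `LOG_BUF_SIZE` are hypothetical, and the code is userspace C.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64 /* hypothetical size of the temporary buffer */

/* Hypothetical stand-in for an error logger; not the oss4 function.
 * Writes "prefix: message" into out and never writes past out_size bytes.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
static int bounded_log_v(char *out, size_t out_size, const char *prefix,
                         const char *fmt, va_list ap)
{
    int n, m;

    if (out_size == 0)
        return -1;
    n = snprintf(out, out_size, "%s: ", prefix);
    if (n < 0) { out[0] = '\0'; return -1; }
    if ((size_t)n >= out_size)
        return 1; /* the prefix alone filled the buffer */
    /* The va_list is passed through untouched: no argument counting. */
    m = vsnprintf(out + n, out_size - (size_t)n, fmt, ap);
    if (m < 0) { out[n] = '\0'; return -1; }
    return (size_t)m >= out_size - (size_t)n ? 1 : 0;
}

/* Variadic front end: the only place that touches va_start/va_end. */
static int bounded_log(char *out, size_t out_size, const char *prefix,
                       const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = bounded_log_v(out, out_size, prefix, fmt, ap);
    va_end(ap);
    return rc;
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    /* Constructed sample message. */
    int rc = bounded_log(buf, sizeof buf, "oss", "device %d: %s", 3, "DMA timeout");

    printf("rc=%d len=%zu msg=\"%s\"\n", rc, strlen(buf), buf);
    return 0;
}
```

The return value lets the caller notice truncation, which a silent fixed-size copy would hide.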