> Date: Mon, 1 Jul 2013 12:31:46 +0200
> From: [email protected]
> To: [email protected]; [email protected]
> CC: [email protected]
> Subject: Re: Bug#714612: yardradius: Multiple Format String Vulnerabilities
>
> Hi, thanks for your report. While the next issue can be easily exploited,
> the previous one is not evident for me: it depends on the args use
> at every single call. Are you suggesting checking each call to see
> if it is exploitable?
No, I almost checked all calls, but at the use of functions like
syslog, vsyslog, snprintf, vfprintf, since you have used buffer in log_msg() and
we don't know its content (maybe %x, %n) and it is then used by vsnprintf, it is
highly recommended to use a "format string" to block the way of exploiting by
an attacker.
So, for example, instead of:
#if defined(HAVE_SYSLOG)
syslog(priority, buffer);
I should use:
#if defined(HAVE_SYSLOG)
syslog(priority, "%s", buffer);
Also, in the other functions that I mentioned above, using an exact format string is
recommended.
Thanks for your response,
Hamid Zamani
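
The fix recommended in the message above, as an added example that is not part of the original e-mail and is not yardradius code: a logging wrapper that passes its formatted buffer as data ("%s"), plus a helper showing how many directives the same buffer would trigger if it were used as the format. The names log_msg_safe and count_directives are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for a log_msg()-style wrapper; not yardradius code.
 * The attribute lets gcc/clang check callers (-Wformat -Wformat-security). */
int log_msg_safe(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

int log_msg_safe(char *out, size_t outlen, const char *fmt, ...)
{
    char buffer[256];
    va_list ap;
    va_start(ap, fmt);                 /* fmt is a literal chosen by the caller */
    vsnprintf(buffer, sizeof buffer, fmt, ap);
    va_end(ap);
    /* buffer may now hold '%' sequences that came from untrusted input, so it
     * is passed as data. syslog(priority, buffer) would re-parse it instead. */
    syslog(LOG_INFO, "%s", buffer);
    return snprintf(out, outlen, "%s", buffer);
}

/* Counts the conversion directives a printf-family function would act on if
 * s were passed as its format argument ("%%" is a literal percent sign). */
int count_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%')
            i++;                       /* skip the escaped pair */
        else
            n++;
    }
    return n;
}

int main(void)
{
    char out[256];
    const char *user = "%x%x%n";       /* constructed sample input */
    log_msg_safe(out, sizeof out, "login failed for %s", user);
    printf("logged text: %s\n", out);
    printf("directives an unsafe call would act on: %d\n", count_directives(out));
    return 0;
}
```

Building callers with -Wformat -Wformat-security makes the compiler report any remaining call that passes a non-literal string as the format argument.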