
Format poisoning in argp-parse.c.

From: Mats Erik Andersson
Subject: Format poisoning in argp-parse.c.
Date: Fri, 6 Jan 2012 21:40:21 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

Dear all,

there is a potential, and easily avoidable, attack vector
in "lib/argp-parser.c" of GNUlib. This came to my attention
through the modifications Guillem Jover [1] makes to GNU Inetutils'
source archives. The relevant change is reproduced below.
(Yes, I will act myself on all those changes that only
concern our own source!)

The problem is that the result of dgettext() is fed directly
as the format string into __argp_error(). A benevolent translator
would produce a constant string without format escapes, but
I know from practice that the deprecated format "%q" will
cause OpenSolaris to segfault, so a malevolent attacker
could in fact cause some damage.

Best regards,
  Mats Erik Andersson


diff --git a/lib/argp-parse.c b/lib/argp-parse.c
index 39b8336..d9f08b6 100644
--- a/lib/argp-parse.c
+++ b/lib/argp-parse.c
@@ -154,7 +154,7 @@ argp_version_parser (int key, char *arg, struct argp_state 
       else if (argp_program_version)
         fprintf (state->out_stream, "%s\n", argp_program_version);
-        __argp_error (state, dgettext (state->root_argp->argp_domain,
+        __argp_error (state, "%s", dgettext (state->root_argp->argp_domain,
                                        "(PROGRAM ERROR) No version known!?"));
       if (! (state->flags & ARGP_NO_EXIT))
         exit (0);
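Review bot: the hunk as reproduced does not match its own header: "@@ -154,7 +154,7 @@" announces seven lines of old context, but only six are shown, so the line between "fprintf (state->out_stream, "%s\n", argp_program_version);" and the removed "__argp_error (state, dgettext (..." has been lost in the paste; as pasted, the patch will not apply cleanly and should be regenerated from the tree. The substance of the change is the right fix: passing "%s" as the literal format makes any "%" sequence in a translated catalogue string print verbatim instead of being interpreted by the printf-style __argp_error. Two follow-ups: the continuation line "(PROGRAM ERROR) No version known!?"));" is now no longer aligned under the opening parenthesis of the dgettext call, so reindent it; and the same dgettext()-as-format pattern should be checked at the other __argp_error and __argp_failure call sites in the file, since the patch touches only this one.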

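As an added illustration of the defect and the fix described in the mail (this is example code, not GNUlib's or Inetutils' own source), the block below models __argp_error() with a printf-style stand-in and dgettext() with a constructed in-memory catalogue. The "vulnerable" shape hands the translation to the formatter as its format string; the "hardened" shape passes a fixed "%s" and the translation as an argument. A small scanner counts conversion specifications so a catalogue can be checked before it is trusted. The names mock_argp_error, mock_dgettext, report_vulnerable, report_hardened, count_format_directives and translation_is_unsafe, and the catalogue contents, are all assumptions made for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for argp's __argp_error(): a printf-style varargs function.
 * It formats into a caller-supplied buffer rather than writing to stderr
 * so that the result can be inspected.
 */
static void mock_argp_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/*
 * Stand-in for dgettext(): looks a msgid up in a constructed catalogue.
 * A real .mo file written by a hostile translator can carry exactly the
 * kind of string stored under "hostile" here.
 */
static const char *mock_dgettext(const char *msgid)
{
    static const struct { const char *id; const char *str; } catalogue[] = {
        /* benign translation that wants a literal percent sign */
        { "(PROGRAM ERROR) No version known!?",
          "(PROGRAM ERROR) version unknown, 100%% sure" },
        /* hostile translation: reads three pointers, then writes via %n */
        { "hostile", "%s%s%s%n" },
    };
    for (size_t i = 0; i < sizeof catalogue / sizeof catalogue[0]; i++)
        if (strcmp(catalogue[i].id, msgid) == 0)
            return catalogue[i].str;
    return msgid;  /* untranslated: gettext returns the msgid itself */
}

/* Count printf conversion specifications, treating "%%" as an escape. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" is a literal percent, not a conversion */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/*
 * Shape of the code before the patch: the translated text *is* the format.
 * Calling this with the "hostile" msgid is undefined behaviour; the benign
 * translation merely has its "%%" collapsed to "%".
 */
void report_vulnerable(char *out, size_t outlen, const char *msgid)
{
    const char *translated = mock_dgettext(msgid);
    mock_argp_error(out, outlen, translated);
}

/* Shape of the code after the patch: a fixed "%s" format, text as argument. */
void report_hardened(char *out, size_t outlen, const char *msgid)
{
    mock_argp_error(out, outlen, "%s", mock_dgettext(msgid));
}

/* Returns 1 if handing this msgid's translation to printf would interpret
 * at least one conversion, i.e. the vulnerable shape is not safe for it. */
int translation_is_unsafe(const char *msgid)
{
    return count_format_directives(mock_dgettext(msgid)) > 0;
}

int main(void)
{
    char buf[128];
    const char *id = "(PROGRAM ERROR) No version known!?";

    report_vulnerable(buf, sizeof buf, id);
    printf("vulnerable shape : %s\n", buf);
    report_hardened(buf, sizeof buf, id);
    printf("hardened shape   : %s\n", buf);
    printf("directives in hostile translation: %d\n",
           count_format_directives(mock_dgettext("hostile")));
    return 0;
}
```

The hostile entry is deliberately never formatted through report_vulnerable; the scanner is how a practitioner would audit a catalogue (or a msgid/msgstr pair in a .po file) for exactly that case before shipping it.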