bug-texinfo

Re: texinfo vulnerability still working in 4.11


From: Cody Rester
Subject: Re: texinfo vulnerability still working in 4.11
Date: Sun, 18 Nov 2007 10:15:27 -0600

I think a better solution would be to specify a format string for
stderr. I believe that's the proper way of handling it, and not
including a format string specifier opens you up to a vulnerability.

Cody

On Nov 16, 2007 5:46 PM, Karl Berry <address@hidden> wrote:
>     info --file="%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x."
>
> Thanks for the report.  I'll fix it as soon as I can, unless someone
> else here can provide a patch.  One expedient fix (worked for me anyway)
> is included below and is in Texinfo CVS now.  I think a better fix would
> be to double any % characters in filename in the filesys_error_string
> function, which I'll try to get to soon.  (The best fix would be to
> implement error handling completely differently, but I can't undertake
> that.)
>
> I'm just as happy you didn't send a fully-working exploit to make things
> easy for the crackers.
>
> Best,
> Karl
>
> --- info.c.~1.21.~      2007-09-21 15:49:26.000000000 -0700
> +++ info.c      2007-11-16 15:37:54.000000000 -0800
> @@ -570,3 +570,6 @@
>        fprintf (stderr, "%s: ", program_name);
> -      fprintf (stderr, format, arg1, arg2);
> +      if (arg1)
> +        fprintf (stderr, format, arg1, arg2);
> +      else
> +        fputs (format, stderr);
>        fprintf (stderr, "\n");
>
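Review bot: the `if (arg1)` branch still passes `format` to fprintf as the format string, so a call with a non-null arg1 and a `format` that already contains the file name is interpreted exactly as before. The new `fputs` branch also changes output for any caller that passes a real format with no arguments: a literal `%%` in it is now printed as two characters. Suggest neutralizing `%` where the file name is inserted into the message (the filesys_error_string change mentioned above), or having callers pass a constant format such as "%s" with the message as arg1, and adding a comment on this function stating which of the two contracts `format` follows.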

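The two fixes discussed in this thread, side by side, as an added example that is not Texinfo's code: a constant format with the message passed as data (Cody's suggestion), and doubling `%` in the text before it reaches a format position (Karl's suggestion). The function names and the sample file name are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constant format, message passed as data: '%' in msg is never parsed. */
int render_error (char *buf, size_t size, const char *program, const char *msg)
{
  return snprintf (buf, size, "%s: %s", program, msg);
}

/* malloc'd copy of s with every '%' doubled, so it is inert if later used
   as a format.  Caller frees; NULL on allocation failure. */
char *double_percents (const char *s)
{
  size_t extra = 0;
  const char *p;
  char *out, *q;
  for (p = s; *p; p++)
    if (*p == '%')
      extra++;
  out = malloc (strlen (s) + extra + 1);
  if (!out)
    return NULL;
  /* Body emits the extra '%'; the increment step copies the character. */
  for (p = s, q = out; *p; *q++ = *p++)
    if (*p == '%')
      *q++ = '%';
  *q = '\0';
  return out;
}

/* Hypothetical legacy printer that treats its first argument as a format. */
int legacy_render (char *buf, size_t size, const char *format, ...)
{
  va_list ap;
  int n;
  va_start (ap, format);
  n = vsnprintf (buf, size, format, ap);
  va_end (ap);
  return n;
}

int main (void)
{
  char buf[128];
  char *safe = double_percents ("%x.%x: No such file"); /* constructed sample */
  if (safe) { legacy_render (buf, sizeof buf, safe); puts (buf); free (safe); }
  return 0;
}
```

The doubled string is safe only in a format position; printed through `fputs` or `"%s"` it would show the doubled `%%`, so each message path has to use one approach consistently.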


