('binary' encoding is not supported, stored as-is) forgot to make a patch for the original posting of the exploit. the patch will keep the functionality, while eliminating exploitation possibilities. original exploit ref: http://www.securityfocus.com/archive/1/323821/2003-05-28/2003-06-03/0 bash# tar -zxvf man.src.tgz bash# patch -p0 <man.fmtbug.patch --- man.fmtbug.patch -- diff -urP man-1.5l/src/gripes.c man-1.5l/src/gripes.c --- man-1.5l/src/gripes.c Wed Jul 17 20:17:23 2002 +++ man-1.5l/src/gripes.c Fri Jun 6 14:51:21 2003 @@ -28,0 +28,1 @@ +#include <string.h> @@ -68,0 +68,2 @@ + unsigned int i = 0; + unsigned short fmt_n = 0; @@ -78,0 +78,13 @@ + /* routine to filter format string abuse. will */ + /* only allow %d, %s, and %o through. no more */ + /* than two formats needed for any response. */ + for (i = 0; s[i] != 0x0; i++){ + if (s[i] == '%' && s[i+1]){ + if (strchr("dso", s[i+1])) /* %d,%s,%o. */ + fmt_n++; + else + fmt_n=3; /* anything else = <limit. */ + } + if (fmt_n > 2) /* failed, default reply. */ + s = msg[n]; + } diff -urP man-1.5l/src/version.h man-1.5l/src/version.h --- man-1.5l/src/version.h Fri Jun 6 14:36:40 2003 +++ man-1.5l/src/version.h Fri Jun 6 14:51:21 2003 @@ -1,1 +1,1 @@ -static char version[] = "1.5l"; +static char version[] = "1.5l-fmtfix";
This archive was generated by hypermail 2b30 : Sat Jun 07 2003 - 12:33:36 PDT