Bug 32555

Summary: Formatting string bug in cyrus sasl lib
Product: Ports & Packages
Reporter: Alexey Rodin <alx>
Component: Individual Port(s)
Assignee: freebsd-ports (Nobody) <ports>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments: patch-cyrus-sasl (flags: none)

Description Alexey Rodin 2001-12-06 15:10:01 UTC
The Cyrus SASL library provides an authentication API for mail clients
    and servers.
    A format bug was found in one of the logging functions, that could be
    used by an attacker to gain access to a machine or to acquire higher
    privileges.

This issue may already have been on the list. I assume
that the moderator in this case rejects this mail.

The last non-beta version of the cyrus-sasl library has a
format string bug in the default logging callback.

The default cyrus sasl logging callback is

static int _sasl_syslog(void *context __attribute__((unused)),
                        int priority,
                        const char *message)

At the end of that function there is

    /* do the syslog call. do not need to call openlog */
    syslog(syslog_priority | LOG_AUTH, message);

    return SASL_OK;
}

syslog takes a format string as its argument.

That is cyrus-sasl-1.5.24. That is the latest non-beta version on
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

I have been told that this is fixed in the beta version.
================================================
From: Lawrence Greenfield
Date: Sun, 30 Sep 2001 10:12:19 -0400

If you take a look at
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/cyrus-sasl-1.5.27.tar.gz

you'll notice that it has bug #326 fixed.

Fix: 

--- lib/common.c.orig	Maanantai Heina"kuu 17 20:21:02 2000
+++ lib/common.c	Tiistai Lokakuu  2 12:31:13 2001
@@ -596,7 +596,9 @@
     }
     
     /* do the syslog call. do not need to call openlog */
-    syslog(syslog_priority | LOG_AUTH, message);
+
+    /* Patched by Kari Hurtta -- 2001-10-02   */
+    syslog(syslog_priority | LOG_AUTH, "%s", message);
     
     return SASL_OK;
 }
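Review bot: the two lines added between the existing "do the syslog call" comment and the syslog() call (a blank line and "Patched by Kari Hurtta -- 2001-10-02") detach that comment from the call it documents and record who touched the line rather than why. A comment saying that message is passed as an argument to a constant "%s" format, so it is never interpreted as a format string, would serve the next reader better, with the attribution kept in the commit log. The hunk shows only this one syslog() call in lib/common.c, so it is worth confirming before commit that no other logging call in the port passes a non-literal format.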
How-To-Repeat: 
cd /usr/ports/security/cyrus-sasl && make
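
Added example, not part of the original report or of the Cyrus SASL source: what "syslog takes a format string as its argument" means for the callback above, shown with a hypothetical capture_log() stand-in for syslog() that formats into a buffer. The function names and the sample message are constructed; the sample contains only "%%", which consumes no argument, so both paths stay well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same (priority, format, ...) contract,
 * but it formats into a buffer so the resulting entry can be inspected. */
static char last_entry[256];

static void capture_log(int priority, const char *fmt, ...)
{
    va_list ap;

    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_entry, sizeof last_entry, fmt, ap);
    va_end(ap);
}

/* Pre-patch shape: the caller-supplied message is the format string, so any
 * '%' directive in it is interpreted by the formatter. */
const char *log_message_as_format(int priority, const char *message)
{
    capture_log(priority, message);
    return last_entry;
}

/* Patched shape: the format is a constant "%s" and the message is only data. */
const char *log_message_as_data(int priority, const char *message)
{
    capture_log(priority, "%s", message);
    return last_entry;
}

/* Constructed sample. "%%" is the one directive that consumes no argument,
 * so both functions stay well defined when given it. */
static const char SAMPLE[] = "auth failed, quota at 100%% for user";

int main(void)
{
    printf("as format: %s\n", log_message_as_format(3, SAMPLE));
    printf("as data:   %s\n", log_message_as_data(3, SAMPLE));
    return 0;
}
```

On glibc and FreeBSD the real syslog() is declared as a printf-like function, so building the pre-patch call with GCC or Clang and -Wformat -Wformat-security reports it at compile time.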
Comment 1 Scot W. Hetzel 2001-12-06 17:54:15 UTC
From: "Alexey Rodin" <alx@cii.sumy.ua>

>     A format bug was found in one of the logging functions, that could be
>     used by an attacker to gain access to a machine or to acquire higher
>     privileges.
> 

I am working on the upgrade to 1.5.27, but if someone could commit this to
the current cyrus-sasl port as patch-lib::common.c.

Thanks,

Scot W. Hetzel
Cyrus-SASL Maintainer
Comment 2 osa 2001-12-07 09:56:21 UTC
On Thu, Dec 06, 2001 at 10:00:04AM -0800, Scot W. Hetzel wrote:
> 
>  From: "Alexey Rodin" <alx@cii.sumy.ua>
>  >     A format bug was found in one of the logging functions, that could be
>  >     used by an attacker to gain access to a machine or to acquire higher
>  >     privileges.
>  
>  I am working on the upgrade to 1.5.27, but if someone could commit this to
>  the current cyrus-sasl port as patch-lib::common.c.

Please review and commit attached patch for port.
Thanks.

-- 

Rgdz,                                /"\ 
Sergey Osokin aka oZZ,               \ /  ASCII RIBBON CAMPAIGN
osa@freebsd.org.ru                    X     AGAINST HTML MAIL
http://freebsd.org.ru/~osa/          / \
Comment 3 dwcjr freebsd_committer freebsd_triage 2001-12-09 03:07:40 UTC
State Changed
From-To: open->closed

Committed, thanks!