http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1719

Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name.

----

Didn't see any bug reports or responses from FreeBSD, thought I'd check if this was known, and if a fix is in place.

How-To-Repeat:
Exploit: http://milw0rm.com/exploits/3578
Responsible Changed From-To: freebsd-bugs->freebsd-ports-bugs Ports PR
Responsible Changed From-To: freebsd-ports-bugs->stefan Take.
stefan 2007-04-08 19:45:58 UTC

FreeBSD ports repository

Modified files:
  security/vuxml  vuln.xml

Log:
  Add entry for exploitable buffer overflow in mcweject.

  PR:           111365
  Submitted by: Jeff Forsythe <tornandfilthy2006@yahoo.com>

  Revision  Changes  Path
  1.1307    +31 -1   ports/security/vuxml/vuln.xml
[Cc'd Jason Bacon, the author of the software and maintainer of the port.]

Hi Jeff,

thanks for your report; the portaudit database didn't have an entry yet. I have added one and marked sysutils/mcweject FORBIDDEN to prevent installation without knowing about the vulnerability.

I cannot say anything about a fix. - Jason? ;)

Regards,
Stefan
I'll look into it and submit a patch asap. Thanks for the tip...

Jason
Well, I must have been half-asleep when I wrote that segment (which is, unfortunately, not that uncommon). The code contained 2 calls to sprintf(), a function I've been harping on people not to use since the late 80s (and specifically flagged on p. 470 of my book). I even wrote my own strlcat(), strlcpy(), etc. functions way back when, before they became part of the standard dist. One more anecdote to support the "do as I say, not as I do" philosophy...

I've replaced the calls with snprintf() and updated the distfile on MASTER_SITES. Anyone with the v0.9 port in their tree should run the following to reinstall the port from the patched source code:

    cd /usr/ports/sysutils/mcweject
    make distclean makesum deinstall reinstall

I've been testing v1.0 for some time, and have patched that source as well. I'll submit a diff to update the official port to v1.0 shortly.

I've also added

    egrep "strcpy|strcat|sprintf|gets| yada yada" *.c *.h

to my pre-commit checklist to help filter out mistakes like this one in the future.

Thanks to all the hackers out there searching for bugs like this one. Apologies for the inconvenience.

Jason
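An added illustration, not mcweject's own code, of the fix pattern Jason describes: a device path is built from a command-line argument with snprintf() instead of sprintf(), and the return value is checked so an over-long name is rejected rather than silently truncated. The buffer size DEV_PATH_MAX and the functions build_device_path() and device_path_equals() are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real limit in eject.c is not given in the thread. */
#define DEV_PATH_MAX 64

/* Build "/dev/<name>" (or pass an absolute path through) into OUT.
 * Returns 0 on success, -1 if the result would not fit.  snprintf() alone
 * stops the overflow; checking its return value also catches the silent
 * truncation that would otherwise point the tool at the wrong device node. */
int build_device_path(char *out, size_t outlen, const char *name)
{
    int n;
    if (out == NULL || name == NULL || outlen == 0)
        return -1;
    if (name[0] == '/')
        n = snprintf(out, outlen, "%s", name);
    else
        n = snprintf(out, outlen, "/dev/%s", name);
    /* snprintf() returns the length it wanted to write; n >= outlen is
     * exactly the input that made the old sprintf() call overrun its buffer. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 if NAME resolves to exactly EXPECTED, 0 otherwise (including when the
 * path does not fit in DEV_PATH_MAX). */
int device_path_equals(const char *name, const char *expected)
{
    char buf[DEV_PATH_MAX];
    if (build_device_path(buf, sizeof buf, name) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    char dev[DEV_PATH_MAX];
    const char *name = argc > 1 ? argv[1] : "cd0";   /* constructed default */
    if (build_device_path(dev, sizeof dev, name) != 0) {
        fprintf(stderr, "device name too long (max %d bytes)\n", DEV_PATH_MAX - 1);
        return 1;
    }
    printf("would eject %s\n", dev);
    return 0;
}
```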
Please see PR 111421 regarding the port update to v1.0. The v0.9 distfile has also been patched on MASTER_SITES to address the buffer overflow. Packages regenerated from either version should eliminate the vulnerability for "pkg_add -r" users.

Regards,
Jason
State Changed From-To: open->closed Vulnerability of old version was registered, new version is in the tree.