Vulnerability Update [VU#825121]
mark at kingant.net
Wed Feb 28 19:03:42 EST 2007
On Wed, 28 Feb 2007 18:00:32 -0500, Luke Schierer wrote
> On Feb 28, 2007, at 17:37 EST, Daniel Atallah wrote:
> > On 2/28/07, Luke Schierer <lschiere at pidgin.im> wrote:
> >> - --- Begin report - Not for public distribution ----------
> >> There is a function whose prototype is :
> >> void gaim_debug(GaimDebugLevel level, const char *category, const
> >> char *format, ...);
> >> declared in my /usr/include/gaim/debug.h header.
> >> Now, if you look at the source file in <somepath>/gaim-1.5.0/
> >> plugins/perl/common/Gaim.c
> >> you'll find this function missused in 3 places :
> >> line 204: gaim_debug(level, category, string);
> >> line 220:Â gaim_debug(GAIM_DEBUG_MISC, category, string);
> >> line 237:Â gaim_debug(GAIM_DEBUG_INFO, category, string);
> >> In those 3 places, the "string" variable can allow an attacker to
> >> inject its own format string, and therefore,
> >> read or write anywhere in the process's memory, potentially
> >> allowing
> >> arbitrary execution.
> >> - --- End Report - Not for public distribution -----------
> > Has anyone actually verified that this is actually exploitable
> > remotely?
> > These are just in the Perl bindings - a malicious perl plugin could
> > certainly do bad things with them, but the ability of a plugin to do
> > bad things is hardly a vulnerability.
> > -D
> my reply at the time was:
> We received a report of these potential problems yesterday. We have
> investigated them and found none to be remotely exploitable. A
> couple of them could be exploited if you load a malicious plugin
> into gaim, but we consider this very low risk because the same care
> should be exercised in choosing plugins as goes into deciding what
> software to run, a plugin does not need for such weak points to
> exist to do all sorts of potentially malicious things.
> That being said, we have checked in fixes to these issues for the
> 2.0.0 beta6 release, which should be this month, unfortunately I do
> not have exact timing on this release at this time.
That's a fantastic response. For the vendor statement thing, I dunno, you can
stress that this isn't really a security problem and that users should not use
perl scripts that they don't trust. It seems kinda dumb to me that they would
even announce this...
More information about the Cabal