Multiple Format String Vulnerabilities in yardradius
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| yardradius (Debian) |
Fix Released
|
Unknown
|
|||
| yardradius (Ubuntu) |
Confirmed
|
Medium
|
Unassigned | ||
Bug Description
Hello
Several Format String vulnerabilities was found in the latest `yardradius` version as
explained further below :
src/log.c :
void
log_msg(int priority,char *fmt, va_list args)
{
...
char buffer[1024];
...
vfprintf(msgfd, fmt, args); // !
...
#if defined(
...
...
}
So an attacker can fill fmt by for ex. "%x" and see the addressess.
############
src/version.c :
#define STRVER "%s : YARD Radius Server %s ... $ "
void
version(void)
{
char buffer[1024];
exit(-1);
}
...
void
build_version(char *bp,size_t sizeofbp)
{
..
$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...
It seems more of this type vulnerability exists in the source
if i find any other bug i will file them ...
Thank you
Hamid Zamani
CVE References
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in yardradius (Ubuntu): | |
| status: | New → Incomplete |
| Changed in yardradius (Debian): | |
| status: | Unknown → Incomplete |
| information type: | Private Security → Public Security |
| Changed in yardradius (Debian): | |
| status: | Incomplete → New |
| Changed in yardradius (Debian): | |
| status: | New → Fix Released |
| Changed in yardradius (Ubuntu): | |
| status: | Incomplete → Confirmed |
| importance: | Undecided → Medium |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/