Date: 2 Nov 2000 07:08:27 -0000
From: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/22496: [SECURITY] Yet another top(1) format string vulnerability
Message-ID: <20001102070827.16162.qmail@riget.scene.pl>
>Number: 22496
>Category: bin
>Synopsis: [SECURITY] Yet another top(1) format string vulnerability
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 01 23:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 4.1.1-STABLE i386
>Organization: ISMEDIA
>Environment: FreeBSD 4.1.1-STABLE as of 2 November 2000.
>Description: Vulnerability very similar to FreeBSD-SA-00:62, just a few lines below in top.c, but still not fixed.
>How-To-Repeat:
1. Run top
2. Press 'r'
3. Type '20 %n'
4. Segfault
>Fix:
--- top.c.old Thu Nov 2 08:07:29 2000 +++ top.c Thu Nov 2 08:08:17 2000 @@ -826,7 +826,7 @@ { if ((errmsg = renice_procs(tempbuf2)) != NULL) { - new_message(MT_standout, errmsg); + new_message(MT_standout, "%s", errmsg); putchar('\r'); no_command = Yes; }
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
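Review bot: the "%s" fix at the new_message(MT_standout, errmsg) call is right, but it closes only this one call site, and the report itself says the same defect was already fixed once a few lines above (FreeBSD-SA-00:62). Before closing, check every other new_message call in top.c for a non-literal second argument, and consider declaring new_message with a printf-style format attribute (__printflike on FreeBSD) so the compiler flags any remaining or future call that passes a variable as the format. It would also help to note in the fix that errmsg comes from renice_procs(tempbuf2), which evidently can echo back the text typed at the 'r' prompt, since that is why the '20 %n' input in How-To-Repeat reaches the format parser.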