Date: Fri, 7 Dec 2001 12:56:21 +0300
From: "Sergey A. Osokin" <osa@freebsd.org.ru>
To: ports@FreeBSD.org
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/32555: Formatting string bug in cyrus sasl lib
Message-ID: <20011207125621.A42962@freebsd.org.ru>
In-Reply-To: <200112061800.fB6I04c49839@freefall.freebsd.org>; from hetzels@westbend.net on Thu, Dec 06, 2001 at 10:00:04AM -0800
References: <200112061800.fB6I04c49839@freefall.freebsd.org>
--OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Dec 06, 2001 at 10:00:04AM -0800, Scot W. Hetzel wrote: > > From: "Alexey Rodin" <alx@cii.sumy.ua> > > A format bug was found in one of the logging functions, that could be > > used by an attacker to gain access to a machine or to acquire higher > > privileges. > > I am working on the upgrade to 1.5.27, but if someone could commit this to > the current cyrus-sasl port as patch-lib::common.c. Please review and commit attached patch for port. Thanks. -- Rgdz, /"\ Sergey Osokin aka oZZ, \ / ASCII RIBBON CAMPAIGN osa@freebsd.org.ru X AGAINST HTML MAIL http://freebsd.org.ru/~osa/ / \ --OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=patch-cyrus-sasl diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile --- cyrus-sasl.orig/Makefile Thu Dec 6 18:36:51 2001 +++ cyrus-sasl/Makefile Fri Dec 7 12:53:05 2001 @@ -7,7 +7,7 @@ PORTNAME= cyrus-sasl PORTVERSION= 1.5.24 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= security MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \ ${MASTER_SITE_LOCAL} \ diff -ruN cyrus-sasl.orig/files/patch-lib::common.c cyrus-sasl/files/patch-lib::common.c --- cyrus-sasl.orig/files/patch-lib::common.c Thu Jan 1 03:00:00 1970 +++ cyrus-sasl/files/patch-lib::common.c Thu Dec 6 18:35:55 2001 @@ -0,0 +1,11 @@ +--- lib/common.c.orig Thu Dec 6 18:34:09 2001 ++++ lib/common.c Thu Dec 6 18:34:24 2001 +@@ -596,7 +596,7 @@ + } + + /* do the syslog call. do not need to call openlog */ +- syslog(syslog_priority | LOG_AUTH, message); ++ syslog(syslog_priority | LOG_AUTH, "%s", message); + + return SASL_OK; + } --OXfL5xGRrasGEqWY-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
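Review bot: in the lib/common.c hunk carried by files/patch-lib::common.c, only the one syslog() call at line 596 gets the constant "%s" format, and nothing in the diff shows that the library's other logging calls were checked for the same pattern of passing a caller-built string as the format argument. Before committing, search the source for syslog and printf-family calls whose format argument is not a string literal and fold any further hits into this patch file. Compiling with -Wformat -Wformat-security flags such calls, which also makes the check repeatable for the 1.5.27 upgrade mentioned in the thread.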