Potentially insecure format string handling in PAM support
Aaron Hopkins
aaron at die.net
Sat Jul 8 08:05:48 EST 2000
With the recent remote root Wu-ftpd exploit based upon incorrect format
string handling (processing user-supplied data as format strings), I've
taken to scanning any code with elevated permissions for similar problems.
I found one in the portable version of OpenSSH. It's only outputting
messages passed back by PAM, I think, so I don't think it's exploitable. But
the format string processing isn't needed here, so it should be painless to
remove.
Here's the patch.
-- Aaron
- --- auth-pam.c~ Thu Jun 22 04:44:54 2000
+++ auth-pam.c Fri Jul 7 14:57:16 2000
@@ -277,7 +277,7 @@
void print_pam_messages(void)
{
if (pam_msg != NULL)
- - fprintf(stderr, pam_msg);
+ fputs(pam_msg, stderr);
}
/* Append a message to the PAM message buffer */
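Review bot: the `+ fputs(pam_msg, stderr);` line carries no comment saying why a format-taking call must not return here. A one-line comment above it, stating that pam_msg holds text passed back by PAM and is written verbatim, would guard against a later revert to fprintf(stderr, pam_msg). fputs, like the call it replaces, appends no newline, so output for messages without directives is unchanged. The trailing context shows a separate routine that appends to the PAM message buffer; it is worth confirming in the same pass that it also treats incoming text as data and never as a format string.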
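The check below is an added example, not part of the original post or of OpenSSH: it writes a message through the `fputs` form from the patch and confirms the bytes come out unchanged, and it counts the directives that `printf` would have acted on had the same text been used as the format. The names `count_directives`, `print_message`, `emitted_verbatim` and the sample message are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a PAM-style message carrying printf directives. */
static const char SAMPLE_MSG[] = "Your password %x%x%n will expire soon\n";

/* Count directives printf() would act on if s were the format string. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                /* "%%": literal percent, no argument */
        else if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Hardened form from the patch: the message is data, never a format.
 * The pre-patch call was fprintf(out, msg), which lets msg drive printf. */
int print_message(FILE *out, const char *msg)
{
    if (msg == NULL)
        return 0;
    return fputs(msg, out) == EOF ? -1 : 0;
}

/* 1 if msg (up to 255 bytes) comes out of print_message() byte for byte. */
int emitted_verbatim(const char *msg)
{
    char buf[256] = {0};
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    int rc = print_message(f, msg);
    rewind(f);
    size_t got = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    return rc == 0 && got == strlen(msg) && memcmp(buf, msg, got) == 0;
}

int main(void)
{
    printf("%zu %d\n", count_directives(SAMPLE_MSG), emitted_verbatim(SAMPLE_MSG));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag the pre-patch pattern, a non-literal format string with no arguments, at compile time.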