Bug 130698 (CVE-2005-2958)

Summary: VUL-0: CVE-2005-2958: libgda2 syslog format string attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P1 - Urgent
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-2958: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Patch for 1.9.x and 1.2.x series

Description Ludwig Nussel 2005-10-26 07:43:05 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Tue, 25 Oct 2005 18:20:47 +0200
From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
Subject: [vendor-sec] CAN-2005-2958: libgda2 syslog format string attack

Hmm, it seems this issue has never made it to vendor sec.  Sorry
for that.


From Steve Kemp:

libgda2 format string attack
----------------------------

  The gda2 library contains two format string bugs, both involving the
 use of the syslog function.

  The relevant code is contained in the file:

      libgda2-1.2.1/libgda/gda-log.c

  The two functions gda_log_error and gda_log_message both contain
 this code:

      syslog (LOG_USER | LOG_INFO, msg);


Exploitation
------------

  The logging functions are called throughout the code and are
 often passed user controllable input.  For example:

gda-xml-database.c:
 gda_log_error (_("Invalid XML database file '%s'"), uri);

  or

gda-select.c:
 gda_log_error (_("Could not parse SQL string '%s'"), sel->priv->sql);


  Whilst it is not likely that privileges could be gained by the
 library alone, there are several routes for exploitation via other
 applications which link to the code.

  The most obvious is the "gnumeric-plugins-extra" package which
 links to and uses the code.

 

Fix
---

  The following patch fixes this:

--- gda-log.c-orig      2005-09-06 13:49:52.792070192 +0100
+++ gda-log.c   2005-09-06 13:50:25.049166368 +0100
@@ -111,7 +111,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_INFO, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_INFO, msg);
+       syslog (LOG_USER | LOG_INFO, "%s", msg);
 #endif
        g_free (msg);
 }
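Review bot: the fix is correct and brings the syslog branch in line with the LIBGDA_WIN32 branch two lines above, which already passes msg to g_log as a "%s" argument; this was the only line in the function where msg reached a format-parsing function as the format itself. Because msg is a fully expanded string (it is g_free'd right after), the compiler can enforce this shape for every call site: building with -Wformat -Wformat-security warns on a non-literal format that has no further arguments, which is exactly the pattern on the removed line.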
@@ -144,7 +144,7 @@
 #ifdef LIBGDA_WIN32
        g_log ("Gda", G_LOG_LEVEL_ERROR, "%s", msg);
 #else
-       syslog (LOG_USER | LOG_ERR, msg);
+       syslog (LOG_USER | LOG_ERR, "%s", msg);
 #endif
        g_free (msg);
 }
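Review bot: same one-line fix for the LOG_ERR path. The two functions now differ only in the log level, so a single static helper taking the priority and the message, with the one `syslog (LOG_USER | prio, "%s", msg);` call inside, would leave exactly one syslog call site to audit for this bug class instead of two. With both sites patched, it is worth a quick grep of the tree for any other syslog or g_log call whose format argument is a variable rather than a literal.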

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

Regards,

	Joey


-- 
MIME - broken solution for a broken design.  -- Ralf Baechle
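The pattern the advisory describes, as an added C example (not code from libgda or from the reporter): a variadic logger shaped like the patched gda_log_error(), which expands the caller's format once and hands the result to a syslog-like sink only as a "%s" argument, plus a helper that counts how many directives a user-supplied message would otherwise have fed to the format parser. The sink, log_error, count_directives, demo and the sample SQL string are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Sink standing in for syslog(): records the last message it was handed.
 * Constructed so the example runs offline without touching the system log. */
static char last_logged[256];

static void sink(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static void sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_logged, sizeof last_logged, fmt, ap);
    va_end(ap);
}

/* Hardened logger in the shape of the patched gda_log_error(): the caller's
 * format is expanded once, then the result travels as data ("%s"), never as
 * a format. The attribute lets -Wformat-security flag a non-literal fmt. */
static void log_error(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static void log_error(const char *fmt, ...)
{
    char msg[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    sink("%s", msg);            /* the one-line fix from the patch */
}

/* Count printf directives in a string: the number of places that would be
 * interpreted if this text were passed as the format instead of as data. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Returns the text that reached the sink for a constructed SQL string that
 * carries a '%' directive, as user input to gda_log_error() realistically can. */
static const char *demo(void)
{
    const char *sql = "SELECT * FROM t WHERE name LIKE '100%d'";  /* constructed */
    log_error("Could not parse SQL string '%s'", sql);
    return last_logged;
}
```

With the original `syslog (LOG_USER | LOG_ERR, msg)` the single `%d` inside the SQL text would have been consumed as a directive; routed through "%s" it arrives unchanged.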
Comment 1 JP Rosevear 2005-10-26 12:05:13 UTC
Security issue, Rodrigo please look at this immediately.
Comment 2 Rodrigo Moya 2005-10-26 13:40:13 UTC
Created attachment 55526 [details]
Patch for 1.9.x and 1.2.x series
Comment 3 Rodrigo Moya 2005-10-26 13:40:53 UTC
Andreas, do we need a swamp ID to submit this fix?
Comment 4 Ludwig Nussel 2005-10-26 13:59:12 UTC
A swampid is needed in general but you don't need it to be able to submit fixed packages.
http://w3d.suse.de/Dev/Components/Packages/PackMan/pm_pr_fixing_bug.html#pm_pr_fb_bt_security_bugs
Comment 5 Ludwig Nussel 2005-10-26 14:03:17 UTC
Maintenance-Tracker-2681
Comment 6 Rodrigo Moya 2005-10-26 14:11:10 UTC
So, should I submit the fixed package to all distributions?

I've just submitted it to STABLE and PLUS only.
Comment 7 Ludwig Nussel 2005-10-26 14:21:09 UTC
Yes, please backport the fix to all affected libgda versions and submit packages.
Comment 8 Rodrigo Moya 2005-10-26 15:15:33 UTC
Package submitted to:

INFO: libgda present in /work/src/done/9.0/libgda
INFO: libgda present in /work/src/done/9.1/libgda
INFO: libgda present in /work/src/done/9.2/libgda
INFO: libgda present in /work/src/done/9.3/libgda
INFO: libgda present in /work/src/done/10.0/libgda
INFO: libgda present in /work/src/done/PLUS/libgda
INFO: libgda present in /work/src/done/STABLE/libgda
Comment 9 Ludwig Nussel 2005-11-15 11:54:18 UTC
updates released
Comment 10 Thomas Biege 2009-10-13 21:44:41 UTC
CVE-2005-2958: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)