Security patch for 1.17.0

Denys Vlasenko vda.linux at googlemail.com
Fri Jul 9 22:51:49 UTC 2010


On Friday 09 July 2010 21:12, Amr Ali wrote:
> I've noticed that there is an abundance of format string vulnerabilities all
> across busybox 1.17.0 source code. I understand that most of them are not
> practically exploitable or very hard to exploit, but I also noticed a couple of
> format string vulnerabilities that can be directly exploited.
> 
> Attached is a patch to fix the found bugs.

+               char *res;
                char line_old[80];
                char line_new[80];
@@ -136,5 +137,5 @@
                fp = fopen(argv[2], "r");
                if (fp) {
-                       fgets(line_old, sizeof(line_old), fp);
+                       res = fgets(line_old, sizeof(line_old), fp);
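Review bot: `res` receives the return value of fgets() but is never tested, so this hunk (and the `char *res;` declaration above it) changes nothing. If the intent is to handle EOF or a read error, check the result instead of storing it: fgets() returns NULL in that case and leaves `line_old`, which is declared without an initializer, indeterminate. Something like `if (!fgets(line_old, sizeof(line_old), fp)) line_old[0] = '\0';` fixes that; otherwise drop the hunk and the unused variable.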

What exactly do you fix here? gcc will even generate the same code
with and without this patch. Yes, I did check that.

-               printf(usage_array[i].aname);
+               /*
+                * Vulnerable to arbitrary format strings.
+                * printf(usage_array[i].aname);
+                */
+               printf("%s", usage_array[i].aname);
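Review bot: remove the commented-out `printf(usage_array[i].aname);` and the "Vulnerable to arbitrary format strings" note; the diff already records the old line, and the comment claims an exploitability the hunk does not show, since `aname` is indexed out of `usage_array` rather than taken from user input. Keep `printf("%s", usage_array[i].aname);` as a defensive change (passing non-literal strings as data rather than as the format is the right idiom), or use the equivalent `fputs(usage_array[i].aname, stdout);` which avoids the format engine entirely, and describe it in the changelog as hardening, not as a fix for a demonstrated bug.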

But applet names are not arbitrary format strings. They never contain
percent character.


In all, I see only two remotely-possible places in the whole patch
where it _might_ be a bug.

-- 
vda
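The two points argued in this message, that `printf(s)` treats `%` in `s` as conversions while `printf("%s", s)` prints it verbatim, and that a stored but unchecked `fgets()` result buys nothing, are shown below in an added example. This is not BusyBox code and not the patch under review; `render_as_format`, `render_as_data`, `has_conversion_spec` and `read_line_checked` are names chosen here, the inputs are constructed, and only the well-defined `%%` escape is pushed through the format engine so the demonstration itself stays free of undefined behaviour.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* The pattern the patch flags: the string *is* the format.  Any '%'
   conversion in s that expects an argument is undefined behaviour
   (a classic format-string bug); only "%%" is used here. */
static int render_as_format(char *out, size_t n, const char *s)
{
    return snprintf(out, n, s);      /* gcc -Wformat-security warns here */
}

/* Hardened form: s is an argument to a literal format, never a format. */
static int render_as_data(char *out, size_t n, const char *s)
{
    return snprintf(out, n, "%s", s);
}

/* Audit helper for the "applet names never contain '%'" argument:
   returns 1 if s holds a '%' that is not the "%%" escape, else 0. */
static int has_conversion_spec(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {           /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* fgets() done properly: the caller always gets a terminated buffer.
   Returns 1 when a line was read (newline stripped), 0 on EOF/error,
   in which case buf is the empty string rather than stale bytes. */
static int read_line_checked(char *buf, size_t n, FILE *fp)
{
    buf[0] = '\0';
    if (fgets(buf, (int)n, fp) == NULL)
        return 0;
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

int main(void)
{
    char out[64];
    const char *name = "100%%";      /* constructed input containing '%' */

    render_as_format(out, sizeof out, name);
    printf("as format: %s\n", out);  /* 100%  : "%%" was interpreted */
    render_as_data(out, sizeof out, name);
    printf("as data:   %s\n", out);  /* 100%% : printed verbatim */
    printf("has_conversion_spec: \"ls\"=%d \"%%n\"=%d\n",
           has_conversion_spec("ls"), has_conversion_spec("%n"));

    char src[] = "first\n";          /* constructed one-line stream */
    FILE *fp = fmemopen(src, strlen(src), "r");
    char line[80];
    while (read_line_checked(line, sizeof line, fp))
        printf("line: %s\n", line);
    printf("after EOF the buffer is %s\n", line[0] ? "stale" : "empty");
    fclose(fp);
    return 0;
}
```

`has_conversion_spec` is the check a reviewer would run over the applet-name table before accepting either the "vulnerable" claim or the "never contains a percent sign" reply; `read_line_checked` is the form the first hunk would need to take to make a difference.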


More information about the busybox mailing list