Security patch for 1.17.0
Denys Vlasenko
vda.linux at googlemail.com
Fri Jul 9 22:51:49 UTC 2010
On Friday 09 July 2010 21:12, Amr Ali wrote:
> I've noticed that there is an abundance of format string vulnerabilities all
> across busybox 1.17.0 source code. I understand that most of them are not
> practically exploitable or very hard to exploit, but I also noticed a couple of
> format string vulnerabilities that can be directly exploited.
>
> Attached is a patch to fix the found bugs.
+ char *res;
char line_old[80];
char line_new[80];
@@ -136,5 +137,5 @@
fp = fopen(argv[2], "r");
if (fp) {
- fgets(line_old, sizeof(line_old), fp);
+ res = fgets(line_old, sizeof(line_old), fp);
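Review bot: assigning the fgets return value to res changes nothing unless res is tested, and none of the shown lines tests it, so the compiler can drop the store and emit identical code. If the intent is to handle a short or missing line, the check itself is what is needed, e.g. `if (!res) { /* handle EOF or read error */ }` (or simply `if (fgets(line_old, sizeof(line_old), fp) == NULL)` with no extra variable); otherwise this hunk and the `char *res;` declaration above should be dropped.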
What exactly do you fix here? gcc will even generate the same code
with and without this patch. Yes, I did check that.
- printf(usage_array[i].aname);
+ /*
+ * Vulnerable to arbitrary format strings.
+ * printf(usage_array[i].aname);
+ */
+ printf("%s", usage_array[i].aname);
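Review bot: the commented-out original call should be deleted rather than kept in the source; the `printf("%s", usage_array[i].aname);` form already documents the intent, and a four-line comment reproducing dead code is noise. If the aim is to keep the string away from the format engine entirely, `fputs(usage_array[i].aname, stdout);` is the more direct form. Whether this is a real defect depends on whether aname can ever contain a '%'; for a fixed table of applet names it is a hardening no-op, so the patch description should not label it as directly exploitable.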
But applet names are not arbitrary format strings. They never contain
a percent character.
In all, I see only two remotely-possible places in the whole patch
where it _might_ be a bug.
--
vda