Re: security fix for 'm4 -F'


From: Eric Blake
Subject: Re: security fix for 'm4 -F'
Date: Thu, 22 Nov 2007 08:06:40 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071031 Thunderbird/2.0.0.9 Mnenhy/0.7.5.666

According to Eric Blake on 11/22/2007 7:39 AM:
> $ m4 -F /nosuch/%x </dev/null
> m4: /nosuch/0: No such file or directory
> 
> If that doesn't scare you, consider a file name that contains %n.  This
> security hole has been present since M4 1.3.
> 

It helps if I save the buffer before attaching the file; sorry about the
empty file in the last mail.

--
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
From 031a71a80442ed2ad3c2ee14d5811c786a12c51b Mon Sep 17 00:00:00 2001
From: Eric Blake <address@hidden>
Date: Thu, 22 Nov 2007 07:34:32 -0700
Subject: [PATCH] Security fix: avoid arbitrary code execution with 'm4 -F'.

* src/freeze.c (produce_frozen_state): Never pass raw file name as
printf format.
* NEWS: Document this fix.

Signed-off-by: Eric Blake <address@hidden>
---
 ChangeLog    |    7 +++++++
 NEWS         |    5 +++--
 src/freeze.c |    2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4179e81..4d8ec23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-11-22  Eric Blake  <address@hidden>
+
+       Security fix: avoid arbitrary code execution with 'm4 -F'.
+       * src/freeze.c (produce_frozen_state): Never pass raw file name as
+       printf format.
+       * NEWS: Document this fix.
+
 2007-11-21  Eric Blake  <address@hidden>
 
        Consistently report macro name first in messages.
diff --git a/NEWS b/NEWS
index d988adf..1762571 100644
--- a/NEWS
+++ b/NEWS
@@ -4,8 +4,9 @@ Foundation, Inc.
 
 Version 1.4.11 - ?? ??? 2007, by ????  (git version 1.4.10a-*)
 
-* Fix core dump in 'm4 -F file -t undefined', present since -F was
-  introduced in 1.3.
+* Security fixes for the -F option, for bugs present since -F was
+  introduced in 1.3: Avoid core dump with 'm4 -F file -t undefined', and
+  avoid arbitrary code execution with certain file names.
 * Fix regression introduced in 1.4.9b in the `divert' builtin when more
   than 512 kibibytes are saved in diversions on platforms like NetBSD where
   fopen(name,"a+") seeks to the end of the file.
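Review bot: The new NEWS wording "arbitrary code execution with certain file names" does not tell a packager which names are affected; since the ChangeLog entry already says the file name was passed as a printf format, the NEWS line could say the same and name the trigger class, e.g. "file names containing printf conversions such as %n", so downstream users can judge their exposure from the release notes alone.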
diff --git a/src/freeze.c b/src/freeze.c
index 2858e64..df68f3a 100644
--- a/src/freeze.c
+++ b/src/freeze.c
@@ -58,7 +58,7 @@ produce_frozen_state (const char *name)
 
   if (file = fopen (name, O_BINARY ? "wb" : "w"), !file)
     {
-      M4ERROR ((warning_status, errno, name));
+      M4ERROR ((warning_status, errno, "%s", name));
       return;
     }
 
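Review bot: Using the constant "%s" format with name as its argument in the M4ERROR call is the right fix, but the hunk only covers this one call site; the same mistake is possible anywhere M4ERROR or error() receives a variable in the format position, so it is worth building with -Wformat -Wformat-security (GCC reports non-literal formats with no arguments) and grepping the other M4ERROR calls for a bare variable where the format belongs, so this class of bug cannot come back silently.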
-- 
1.5.3.5
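As an added example (not GNU m4's code), the scanner below walks a file name the way printf walks a format string, which is what the pre-patch M4ERROR call did with the frozen-file name, and puts it next to the patched call shape where the name is passed as a "%s" argument. scan_format and report_open_failure are constructed names; the sample names in the test are constructed too.

```c
/* Added example, not GNU m4 code: a scanner that walks a file name the way
 * printf walks a format, showing what the pre-patch M4ERROR call exposed,
 * next to the patched call shape ("%s", name). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct fmt_report {
    int args;    /* arguments the string would consume as a format */
    bool writes; /* contains %n, which writes through a pointer argument */
};

/* "%%" is a literal percent; every other '%' starts a conversion that pulls
 * an argument the caller never supplied (C99: flags, width, precision,
 * length modifier, conversion character). */
static struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;              /* "%%" */
        while (*p && strchr("-+ #0", *p)) p++;  /* flags */
        for (int part = 0; part < 2; part++) {  /* width, then precision */
            if (part == 1) { if (*p != '.') break; p++; }
            if (*p == '*') { r.args++; p++; }   /* '*' takes an int argument */
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */
        if (!*p) break;                         /* name ends inside a spec */
        r.args++;
        if (*p == 'n') r.writes = true;
    }
    return r;
}

/* Patched shape: name is an argument, so its '%' bytes are copied verbatim. */
static const char *report_open_failure(const char *name)
{
    static char msg[256];
    snprintf(msg, sizeof msg, "%s: No such file or directory", name);
    return msg;
}
```

With the constructed name "/nosuch/%x" the scanner reports one consumed argument, which is why the quoted session printed "/nosuch/0" instead of the name, while the patched shape reproduces the name byte for byte.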