Bugtraq mailing list archives
Re: Format string bug in startinnfeed
From: Russ Allbery <rra () STANFORD EDU>
Date: Mon, 12 Feb 2001 14:55:40 -0800
Paul Starzetz <paul () STARZETZ DE> writes:

I love the notification that you gave to the INN developers about this problem (namely, absolutely none at all). If you'd mailed us first, I could have pointed out to you that innfeed does no argument parsing of its own and just execs innfeed with the passed arguments, which at the least would have made your notice more accurate. So far as I can tell, all of the below:

> paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -a "%x%x%n%n%n%n%n%n%n"
> segmentation fault
> paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -b "%x%x%n%n%n%n%n%n%n"
> Mon Feb 12 15:37:01 2001 innfeed: Not a directory: %x%x%n%n%n%n%n%n%n
> segmentation fault
> paul@ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed -c "%x%x%n%n%n%n%n%n%n"
> segmentation fault
are actually segfaults in innfeed itself. While that's definitely sloppy code, it doesn't pose a security risk that I can see; innfeed runs as the news user and only the news user should be capable of running startinnfeed in the first place. (If this is not the case, please report this to your distribution packager as a packaging error; startinnfeed should be owned by root:news, mode 4550, and the only member of the news group should be the news user.) If you see a security vulnerability here, I would very much appreciate enlightenment. It's always possible that I've missed something.
> The vulnerable package is
> Name    : inn
> Version : 2.2.2
INN 2.2.2 is no longer supported (the current release is INN 2.3.1, which has among other things a rewrite of startinnfeed), but after reviewing the code in startinnfeed in INN 2.2.2 after seeing your message I don't see anywhere where that version is passing user data to syslog as a format string. There is only one occurrence of *printf in startinnfeed.c in INN 2.2.2 and it uses inn.conf data and a compile-time constant. If I've overlooked something, I'd quite certainly welcome a more complete bug report.

Note that the sole utility of startinnfeed is to increase system file descriptor and data limits for innfeed. If you've already taken care of this via other means, you can safely change newsfeeds to run innfeed directly and remove startinnfeed from your system. If startinnfeed makes you nervous for whatever reason, removing the setuid bit is completely harmless for most configurations (probably all small or hobby servers).

-- 
Russ Allbery (rra () stanford edu) <http://www.eyrie.org/~eagle/>
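The packaging check Russ describes (startinnfeed owned root:news, mode 4550, and a news group whose only member is the news user) can be scripted; the following is an added example and not code from the thread or from INN, and the function names and the use of GNU `stat -c` are my assumptions.

```sh
#!/bin/sh
# Audit a startinnfeed install against the layout described in the post:
# owner root, group news, mode 4550, and no member of the news group other
# than the news user itself.

# check_perms OWNER GROUP MODE -> 0 if they match the expected layout, else 1.
# MODE is the octal string that stat prints, e.g. 4550.
check_perms() {
    [ "$1" = root ] || { echo "owner is $1, expected root"; return 1; }
    [ "$2" = news ] || { echo "group is $2, expected news"; return 1; }
    [ "$3" = 4550 ] || { echo "mode is $3, expected 4550"; return 1; }
    return 0
}

# check_group_line LINE -> 0 if the /etc/group entry for "news" lists no
# member besides the news user (an empty member list is acceptable too).
check_group_line() {
    [ -n "$1" ] || { echo "no news group entry found"; return 1; }
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case "$members" in
        ''|news) return 0 ;;
    esac
    echo "unexpected members of the news group: $members"
    return 1
}

# audit_startinnfeed PATH [GROUP_FILE]: run both checks on a live system.
# Assumes GNU stat; on BSD use: stat -f '%Su %Sg %Lp' "$path" instead.
audit_startinnfeed() {
    path=$1
    group_file=${2:-/etc/group}
    [ -e "$path" ] || { echo "$path not present (startinnfeed removed?)"; return 2; }
    set -- $(stat -c '%U %G %a' "$path")
    check_perms "$1" "$2" "$3" || return 1
    check_group_line "$(grep '^news:' "$group_file")" || return 1
    echo "$path: ok"
    return 0
}
```

On a system where startinnfeed is installed, run `audit_startinnfeed /usr/lib/news/bin/startinnfeed` (adjust the path to your distribution's layout).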