Re: m4 and format strings

[Jarno Huuskonen <Jarno.Huuskonen () uku fi>]

On Tue, Jun 26, KF wrote:
> I noticed on NT my m4 binary had format strings issues... 
[cut cut]

> [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
> m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file
> or directory
>
> can anyone think of a situation where this could cause root 
> to be exploitated... m4 is not suid to my understanding. 

The m4 format string issue did come up a few months ago (either on
vuln-dev or bugtraq...). I think there was some discussion if it can be
exploited. Anyway if somebody is interested here's a patch:

--- m4-1.4/src/m4.c.orig        Sat Feb  3 23:06:37 2001
+++ m4-1.4/src/m4.c     Sat Feb  3 23:07:26 2001
@@ -369,7 +369,7 @@
 
       case 'o':
        if (!debug_set_output (optarg))
-         error (0, errno, optarg);
+         error (0, errno, "%s", optarg);
        break;
 
       case 's':
@@ -466,7 +466,7 @@
            fp = path_search (argv[optind]);
            if (fp == NULL)
              {
-               error (0, errno, argv[optind]);
+               error (0, errno, "%s", argv[optind]);
                continue;
              }
            else

-Jarno

-- 
Jarno Huuskonen <Jarno.Huuskonen () removeme uku fi>