Tcl Source Code

View Ticket
Login
Bounty program for improvements to Tcl and certain Tcl packages.
2021-07-01
06:22 Ticket [bad6cc213d] A format string vulnerability in Tcl nmakehelp.c allows code execution via a crated file. status still Closed with 4 other changes artifact: 686a2ddb91 user: jan.nijtmans
2021-06-22
09:11 Closed ticket [bad6cc213d]. artifact: b905b3d21a user: jan.nijtmans
09:02
Fix [bad6cc213d]: A format string vulnerability in Tcl nmakehelp.c allows code execution via a crate... check-in: 28ef6c0c74 user: jan.nijtmans tags: core-8-5-branch
07:33 New ticket [bad6cc213d] A format string vulnerability in Tcl nmakehelp.c allows code execution via a crated file.. artifact: 813cbff8b7 user: salmonx

Ticket UUID: bad6cc213dfe8280c25b3bfe3e5830e9e2481f91
Title: A format string vulnerability in Tcl nmakehelp.c allows code execution via a crated file.
Type: Bug Version: ALL
Submitter: salmonx Created on: 2021-06-22 07:33:42
Subsystem: 69. Other Assigned To: jan.nijtmans
Priority: 5 Medium Severity: Cosmetic
Status: Closed Last Modified: 2021-07-01 06:22:34
Resolution: Fixed Closed By: jan.nijtmans
    Closed on: 2021-07-01 06:22:34
Description:

Description: The 'printf' in 'SubstituteFile' accepts a format string as an argument, but the format string originates from the argv[3] which is controlled by user.

Fix: printf("%s", szBuffer);


static int
SubstituteFile(
    const char *substitutions,
    const char *filename)
{
    ...

	/*
	 * Run the substitutions over each line of the input
	 */

	while (fgets(szBuffer, cbBuffer, fp) != NULL) {
	    list_item_t *p = NULL;
	    for (p = substPtr; p != NULL; p = p->nextPtr) {
		char *m = strstr(szBuffer, p->key);
		if (m) {
		    char *cp, *op, *sp;
		    cp = szCopy;
		    op = szBuffer;
		    while (op != m) *cp++ = *op++;
		    sp = p->value;
		    while (sp && *sp) *cp++ = *sp++;
		    op += strlen(p->key);
		    while (*op) *cp++ = *op++;
		    *cp = 0;
		    memcpy(szBuffer, szCopy, sizeof(szCopy));
		}
	    }
	    printf(szBuffer); // Bug is here, szBuffer can be controlled
	}

	list_free(&substPtr);
    }
    fclose(fp);
    return 0;
}

User Comments: jan.nijtmans added on 2021-07-01 06:22:34:

This issue has been assigned a CVE number: CVE-2021-35331


jan.nijtmans added on 2021-06-22 09:11:53:

See also https://sqlite.org/forum/forumpost/47c7eb6802. Let's repeat the conclusion here: "This Is Not A Tcl Vulnerability"! Same arguments as DRH wrote in the SQLite forum post.

That said, it's fixed here: [28ef6c0c741408a2]