Ticket UUID: bad6cc213dfe8280c25b3bfe3e5830e9e2481f91
Title: A format string vulnerability in Tcl nmakehelp.c allows code execution via a crafted file.
Type: Bug
Version: ALL
Submitter: salmonx
Created on: 2021-06-22 07:33:42
Subsystem: 69. Other
Assigned To: jan.nijtmans
Priority: 5 Medium
Severity: Cosmetic
Status: Closed
Last Modified: 2021-07-01 06:22:34
Resolution: Fixed
Closed By: jan.nijtmans
Closed on: 2021-07-01 06:22:34
Description:

The 'printf' in 'SubstituteFile' accepts a format string as an argument, but the format string originates from argv[3], which is controlled by the user.

Fix: printf("%s", szBuffer);

```c
static int
SubstituteFile(
    const char *substitutions,
    const char *filename)
{
    ...
    /*
     * Run the substitutions over each line of the input
     */
    while (fgets(szBuffer, cbBuffer, fp) != NULL) {
        list_item_t *p = NULL;
        for (p = substPtr; p != NULL; p = p->nextPtr) {
            char *m = strstr(szBuffer, p->key);
            if (m) {
                char *cp, *op, *sp;
                cp = szCopy;
                op = szBuffer;
                while (op != m) *cp++ = *op++;
                sp = p->value;
                while (sp && *sp) *cp++ = *sp++;
                op += strlen(p->key);
                while (*op) *cp++ = *op++;
                *cp = 0;
                memcpy(szBuffer, szCopy, sizeof(szCopy));
            }
        }
        printf(szBuffer); // Bug is here, szBuffer can be controlled
    }
    list_free(&substPtr);
    } /* closes the block opened in the elided code above */
    fclose(fp);
    return 0;
}
```
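Added example, not code from the Tcl project: the per-line substitution step from the loop above rewritten with bounded copies, a check that counts the printf directives an input line would carry into a printf(szBuffer) sink, and the constant-format sink from the ticket's fix. The input line, the @MACHINE@ key and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Replace the first occurrence of key in line with value (the per-entry
 * step of the SubstituteFile loop). out is always NUL-terminated and
 * truncated to outsz. Returns 1 if key was found, else 0 (line copied). */
static int substitute_once(const char *line, const char *key,
                           const char *value, char *out, size_t outsz)
{
    const char *m = strstr(line, key);
    if (m == NULL) {
        snprintf(out, outsz, "%s", line);
        return 0;
    }
    /* prefix before the key, then value, then the remainder after the key */
    snprintf(out, outsz, "%.*s%s%s", (int)(m - line), line, value,
             m + strlen(key));
    return 1;
}

/* Count the conversion directives printf would interpret if the line were
 * used as the format argument, as printf(szBuffer) does. "%%" is a literal
 * percent and is not counted; non-zero here is the ticket's condition. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Hardened sink from the ticket's fix: the line is data, so it goes
 * through a constant format string. Returns printf's character count. */
static int emit_line(const char *line)
{
    return printf("%s", line);
}

int main(void)
{
    /* constructed input line standing in for one line of a .in file */
    const char *line = "MACHINE=@MACHINE@ (100%% %d)\n";
    char out[128];
    substitute_once(line, "@MACHINE@", "AMD64", out, sizeof out);
    printf("directives in line: %d\n", count_directives(out));
    return emit_line(out) > 0 ? 0 : 1; /* printf(out) would parse the %d */
}
```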
User Comments:

jan.nijtmans added on 2021-07-01 06:22:34:

This issue has been assigned a CVE number: CVE-2021-35331

jan.nijtmans added on 2021-06-22 09:11:53:

See also https://sqlite.org/forum/forumpost/47c7eb6802. Let's repeat the conclusion here: "This Is Not A Tcl Vulnerability"! Same arguments as DRH wrote in the SQLite forum post. That said, it's fixed here: [28ef6c0c741408a2]