| Ticket UUID: | bad6cc213dfe8280c25b3bfe3e5830e9e2481f91 | |||
| Title: | A format string vulnerability in Tcl nmakehelp.c allows code execution via a crated file. | |||
| Type: | Bug | Version: | ALL | |
| Submitter: | salmonx | Created on: | 2021-06-22 07:33:42 | |
| Subsystem: | 69. Other | Assigned To: | jan.nijtmans | |
| Priority: | 5 Medium | Severity: | Cosmetic | |
| Status: | Closed | Last Modified: | 2021-07-01 06:22:34 | |
| Resolution: | Fixed | Closed By: | jan.nijtmans | |
| Closed on: | 2021-07-01 06:22:34 | |||
| Description: |
(text/html)
<p>Description: The 'printf' in 'SubstituteFile' accepts a format string as an argument, but the format string originates from the argv[3] which is controlled by user.
</p>
<p>Fix: printf("%s", szBuffer);</p>
<hr>
<pre>
static int
SubstituteFile(
const char *substitutions,
const char *filename)
{
...
/*
* Run the substitutions over each line of the input
*/
while (fgets(szBuffer, cbBuffer, fp) != NULL) {
list_item_t *p = NULL;
for (p = substPtr; p != NULL; p = p->nextPtr) {
char *m = strstr(szBuffer, p->key);
if (m) {
char *cp, *op, *sp;
cp = szCopy;
op = szBuffer;
while (op != m) *cp++ = *op++;
sp = p->value;
while (sp && *sp) *cp++ = *sp++;
op += strlen(p->key);
while (*op) *cp++ = *op++;
*cp = 0;
memcpy(szBuffer, szCopy, sizeof(szCopy));
}
}
printf(szBuffer); // Bug is here, szBuffer can be controlled
}
list_free(&substPtr);
}
fclose(fp);
return 0;
}
</pre>
| |||
| User Comments: |
jan.nijtmans added on 2021-07-01 06:22:34:
(text/x-fossil-wiki)
This issue has been assigned a CVE number: CVE-2021-35331 jan.nijtmans added on 2021-06-22 09:11:53: (text/x-fossil-wiki) See also [https://sqlite.org/forum/forumpost/47c7eb6802]. Let's repeat the conclusion here: "This Is Not A Tcl Vulnerability"! Same arguments as DRH wrote in the SQLite forum post. That said, it's fixed here: [28ef6c0c741408a2] | |||
Home
Timeline
Branches
Tags
Tickets
Download
Wiki