On 9/10/2012 12:36 PM, Michael Conrad wrote:
On 9/10/2012 11:46 AM, Michael Tokarev wrote:
On 10.09.2012 19:31, Manuel Zerpies wrote:
Hey guys,

what about this patch? Is there anyone who can have a look at it?

[]
-            bb_perror_msg(filename);
+            bb_perror_msg("%s", filename);
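Review bot: this half of the change is a real format-string fix, not a warning-silencing one, and the patch description should say so: `bb_perror_msg(filename)` passes a string that comes straight from the `stat` command line as the format, so any `%` sequences in it are interpreted, while `bb_perror_msg("%s", filename)` prints it literally. Stating that in the commit message would avoid it being read as the same cosmetic patch that was rejected before.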
Please stop fixing a non-issue.  This GCC warning is wrong.
This has been discussed several times, and exactly the same
patch has been proposed several times too.

Actually, that half of his patch *is* legitimate.  It's a bug.

  $ ./busybox stat -f "%s"
  stat: (null): No such file or directory

Furthermore, it could potentially be used in an exploit. Suppose someone has a CGI script that runs "stat -f" on a requested file, and an attacker can see the error output.

The attacker can inspect the stack using "%d %d %d %d %d %d..." and then maybe find a suitable pair of integers in the stack for "%.*s", which could be used to dump out the memory of the busybox process, either to prepare a different exploit, or to possibly dump environment variables containing passwords or configuration settings.

Luckily, it only affects SELINUX platforms.
(oh the irony)
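As an added example, not code from the thread or from busybox: a small Python check that flags the pattern the patch fixes, a printf-like call whose format argument is not a string literal (what GCC's -Wformat-security warns about), run over constructed sample lines that include the two lines of the patch. The function-to-format-position table is an assumption for the example.

```python
import re

# 0-based position of the format argument for printf-like functions; the bb_*
# entries are busybox's error helpers from the thread (set assumed for the example).
FORMAT_ARG_INDEX = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1,
    "bb_error_msg": 0, "bb_perror_msg": 0, "bb_error_msg_and_die": 0,
}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")

def split_args(text):
    """Arguments of a call (text starts right after its '('), split on depth-0
    commas; string literals and nested parentheses are kept whole."""
    args, cur, depth = [], [], 0
    for tok in re.finditer(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+', text):
        t = tok.group()
        if t == "(":
            depth += 1
        elif t == ")" and depth:
            depth -= 1
        elif t == ")":                      # closing paren of the call itself
            args.append("".join(cur).strip())
            return args
        elif t == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(t)
    return None                             # call not closed on this line

def find_nonliteral_formats(source):
    """(line_no, function, format_arg) for every call whose format argument is
    not a string literal, i.e. user data could reach the format parser."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[m.group(1)]
            if args and len(args) > idx and not args[idx].startswith('"'):
                findings.append((lineno, m.group(1), args[idx]))
    return findings

# Constructed sample: the two lines from the patch plus three more cases.
SAMPLE = "\n".join([
    '    bb_perror_msg(filename);            /* removed by the patch */',
    '    bb_perror_msg("%s", filename);      /* added by the patch */',
    '    fprintf(stderr, "%s: %s\\n", applet, msg);',
    '    syslog(LOG_ERR, buf);',
    '    snprintf(out, sizeof(out), fmt, a);',
])

if __name__ == "__main__":
    for lineno, func, arg in find_nonliteral_formats(SAMPLE):
        print(f"line {lineno}: {func}() format argument '{arg}' is not a literal")
```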

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
