forwarded 335996 [email protected]
thanks

I got this bug report.

I think you can determine if this is an error better than I can.

Regards,

// Ola

----- Forwarded message from Nicolas François <[EMAIL PROTECTED]> -----

Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 27 Oct 2005 11:19:45 +0200
Subject: Bug#335996: ntop: call to fprintf without a format string
Reply-To: Nicolas François <[EMAIL PROTECTED]>,
        [EMAIL PROTECTED]
Resent-From: Nicolas François <[EMAIL PROTECTED]>
Resent-To: [email protected]
Resent-CC: Debian Security Team <[EMAIL PROTECTED]>, Ola Lundqvist <[EMAIL PROTECTED]>
Resent-Date: Thu, 27 Oct 2005 09:18:04 UTC
Resent-Message-ID: <[EMAIL PROTECTED]>
X-Debian-PR-Message: report 335996
X-Debian-PR-Package: ntop
X-Debian-PR-Keywords: security
From: Nicolas François <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
X-Reportbug-Version: 3.17

Package: ntop
Version: 3.2rc1
Severity: normal
Tags: security

Hello,

There is a missing format string in emitter.c:sendEmitterString(fDescr,
theString):

  if(fDescr == NULL)
     sendString(theString);
  else
     fprintf(fDescr, theString);

I don't think it is exploitable (because IMO, this line can't be
called[1]), but I would prefer another pair of eyes to check this. Also
fixing this could avoid future issues[2].

So I recommend using:
     fprintf(fDescr, "%s", theString);

[1] The emitter.c entry points seem to be the dumpNtop* functions, which
    are all called with a NULL fDescr, and thus the sendString line is
    always used instead of the fprintf line.

[2] initWriteArray calls:
    sendEmitterString(fDescr, "%ntopHash =(\n");
    which contains a format string.

Kind Regards,
-- 
Nekral



----- End forwarded message -----

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
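
The fix recommended in the report, as an added example (not code from ntop or from the thread): emit_fixed() is the else-branch with the "%s" format, and count_directives() and roundtrip_ok() are hypothetical helpers that show why the string in footnote [2] matters when it is used as a format. The sample string is the one quoted in the report; everything else is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the else-branch quoted in the report: theString is
 * passed as data, never as the format. The NULL branch (ntop's
 * sendString()) is left out so the example is self-contained. */
static int emit_fixed(FILE *fDescr, const char *theString) {
  return fprintf(fDescr, "%s", theString);
}

/* Hypothetical audit helper: count the conversion directives printf would
 * see if `s` were used as a format; "%%" is a literal percent sign.
 * *has_n is set when a "%n" (memory-writing) directive is present. */
static int count_directives(const char *s, int *has_n) {
  int count = 0;
  *has_n = 0;
  for (; *s; s++) {
    if (*s != '%') continue;
    s++;
    if (*s == '%') continue;                   /* escaped percent */
    s += strspn(s, "-+ #0123456789.*hlLqjzt"); /* flags, width, length */
    if (*s == '\0') break;                     /* truncated directive */
    count++;
    if (*s == 'n') *has_n = 1;
  }
  return count;
}

/* Write the string through emit_fixed() into a temporary file and
 * return 1 if the bytes read back are identical to the input. */
static int roundtrip_ok(const char *theString) {
  char buf[128] = {0};
  FILE *f = tmpfile();
  if (f == NULL) return 0;
  emit_fixed(f, theString);
  rewind(f);
  size_t n = fread(buf, 1, sizeof buf - 1, f);
  fclose(f);
  return n == strlen(theString) && memcmp(buf, theString, n) == 0;
}

int main(void) {
  const char *sample = "%ntopHash =(\n"; /* string quoted in footnote [2] */
  int has_n;
  int d = count_directives(sample, &has_n);
  printf("directives=%d has_%%n=%d roundtrip=%d\n", d, has_n, roundtrip_ok(sample));
  return 0;
}
```

GCC and Clang report the original call form, a non-literal format with no arguments, when built with -Wformat -Wformat-security.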
