tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37322] New: - format bug: sprintf() twice on top of each other
Date Tue, 01 Nov 2005 16:51:01 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37322>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37322

           Summary: format bug: sprintf() twice on top of each other
           Product: Tomcat 5
           Version: 5.5.9
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P4
         Component: Native:JK
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: Joerg-Cyril.Hoehle@t-systems.com


Hi,

mod_jk, more precisely
jakarta-tomcat-connectors-1.2.14.1-src/jk/native/apache-2.0/mod_jk.c
jakarta-tomcat-5.5.9-src/jakarta-tomcat-connectors/jk/native/apache-2.0/mod_jk.c
contain the following format security bug.

The good news is that it currently cannot be easily misused, because
the function involved is so far only used with the format string
"Memory Error" -- not a single "%" therein.
However it's just sitting there, waiting to be put to other uses.

jk_error_exit() calls apr_pvsprintf() to create a formatted string
(possibly using varargs) that is itself passed to ap_log_error().
Sadly, the latter function again uses sprintf-style formatting, so
that if a %-sign were obtained as a result of the first round of
formatting (e.g. as part of the output of some %s directive),
undefined behaviour could occur in the second pass.

Proposed solution:
"inline" the jk_error_code(), i.e. turn
  jk_error_exit(APLOG_MARK, APLOG_EMERG, s, p, "Memory error");
into:
 // use ap_log_[p/r/c]error(...) depending on availability of
 // either p (pool), s (server_rec *) or r (conn_rec *) at the call site.
 {
   ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, p, "Memory error");
   exit(1);
 }

I found this bug while performing a code inspection on behalf of BSI,
the German Federal Office for Information Security.
 -- Bundesamt für Sicherheit in der Informationstechnik.
http://www.bsi.de

BSI endorses the use of Open Source Software. A report of our
activities covering installation, code and penetration tests of Tomcat
will be published by BSI in the internet at the end of our review
project.

Regards,
 Jörg Höhle.
T-Systems International, Solution Center Testing & Security
http://www.t-systems.com
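The double-formatting pattern described in the report, as an added example that is not mod_jk's code: `render()` stands in for the apr_pvsprintf() first pass, `log_stub()` stands in for ap_log_error() but only scans its format instead of formatting it, and the function names, the 256-byte buffer and the inputs in the comments are assumptions chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
/* Count the conversion directives a printf-family pass would act on in
   `fmt`; "%%" is a literal percent sign and counts as none. */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}
/* Stand-in for ap_log_error(): how many directives in `fmt` have no
   matching argument (stray reads in a real vsprintf-style logger).
   It only scans, so a hostile buffer is never actually formatted. */
int log_stub(const char *fmt, int nargs)
{
    int unmatched = count_directives(fmt) - nargs;
    return unmatched > 0 ? unmatched : 0;
}

/* First pass, mirroring the apr_pvsprintf() call in jk_error_exit(). */
static void render(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, len, fmt, ap);
    va_end(ap);
}

/* Shape reported in the bug: the rendered text becomes the logger's
   format, so any '%' that `arg` contributed is parsed a second time. */
int vulnerable_exit_path(const char *fmt, const char *arg)
{
    char buf[256];
    render(buf, sizeof buf, fmt, arg);
    return log_stub(buf, 0);     /* ap_log_error(..., buf) */
}

/* Hardened shape: the text travels as the argument of a fixed "%s"
   format, so the logger's pass never interprets its contents. */
int hardened_exit_path(const char *fmt, const char *arg)
{
    char buf[256];
    render(buf, sizeof buf, fmt, arg);
    return log_stub("%s", 1);    /* ap_log_error(..., "%s", buf) */
}
```

With the literal "Memory error" both paths report zero, which is the "good news" in the report; the difference only appears once a %s argument carries a percent sign.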


