From venglin@freebsd.lublin.pl  Tue Jan 30 02:50:58 2001
Return-Path: <venglin@freebsd.lublin.pl>
Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18])
	by hub.freebsd.org (Postfix) with SMTP id 3F98C37B6CB
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 30 Jan 2001 02:50:54 -0800 (PST)
Received: (qmail 38823 invoked from network); 30 Jan 2001 10:52:15 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11)
  by 0 with SMTP; 30 Jan 2001 10:52:15 -0000
Received: (qmail 17918 invoked from network); 30 Jan 2001 10:49:53 -0000
Received: from unknown (HELO riget.scene.pl) ()
  by 0 with SMTP; 30 Jan 2001 10:49:53 -0000
Received: (qmail 17914 invoked by uid 1001); 30 Jan 2001 10:49:52 -0000
Message-Id: <20010130104952.17913.qmail@riget.scene.pl>
Date: 30 Jan 2001 10:49:52 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: mars_nwe remote format string vulnerability
X-Send-Pr-Version: 3.2

>Number:         24733
>Category:       ports
>Synopsis:       mars_nwe remote format string vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 30 03:00:01 PST 2001
>Closed-Date:    Tue Jan 30 04:22:01 PST 2001
>Last-Modified:  Tue Jan 30 04:23:50 PST 2001
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
ISMEDIA
>Environment:

	/usr/ports/net/mars_nwe/ as of 30 Jan 2001

>Description:

	mars_nwe contains a remote format string vulnerability, allowing
	an attacker to gain superuser privileges from a DOS/Windows workstation.

	The author of Mars was notified, but hasn't released any official
	patches yet.

>How-To-Repeat:

	Fully exploitable, but no working exploits yet.

>Fix:

	Incorporate the following patch into the ports collection and issue an
	advisory.

--- mars_nwe/tools.c.orig	Fri Jan 26 22:46:34 2001
+++ mars_nwe/tools.c	Fri Jan 26 22:46:59 2001
@@ -189,7 +189,7 @@
         sprintf(identstr, "%s %d %3d", get_debstr(0),
                            act_connection, act_ncpsequence);
         openlog(identstr, LOG_CONS, LOG_DAEMON);
-        syslog(LOG_DEBUG, buf);
+        syslog(LOG_DEBUG, "%s", buf);
         closelog();
       } else {
         int l=strlen(buf);
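Review bot: the change at `syslog(LOG_DEBUG, buf)` is the right correction, since `buf` carries the message text and passing it as the format argument lets any `%x`/`%n` sequences in the message be interpreted; `syslog(LOG_DEBUG, "%s", buf)` makes it plain data. The `else` branch that follows (`int l=strlen(buf);`) writes the same buffer through a different path, which this hunk does not touch; whoever applies it should check that the file-logging path does not hand `buf` to `fprintf`/`printf` as a format string as well. Building with `-Wformat -Wformat-security` will flag any remaining call sites of this shape.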
@@ -249,7 +249,7 @@
     }
     sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection, act_ncpsequence);
     openlog(identstr, LOG_CONS, LOG_DAEMON);
-    syslog(prio, buf);
+    syslog(prio, "%s", buf);
     closelog();
     if (!mode) return;
     lologfile=stderr;
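Review bot: same correction at the second call site, here with a caller-chosen `prio`, which is fine. Note that the function continues past `closelog()` when `mode` is set and switches `lologfile` to `stderr`, so the subsequent write of `buf` to `lologfile` should be inspected for the same mistake; this hunk only fixes the syslog branch, and a message that is rejected as a format string on one path should not be accepted on the other.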

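The two hunks above fix the same pattern twice: a message buffer is passed to syslog() as the format argument instead of as data. The following is an added example, not code from the PR or from mars_nwe, that models that call pattern with snprintf() into a buffer so the difference is observable offline. It assumes (as the PR states) that the message text originates from a remote client; the message strings, buffer size and function names are constructed for the demo. It uses only the defined `%%` directive to show that the unsafe path reinterprets the message, since feeding `%x` or `%n` through the unsafe call reads or writes through arguments that were never passed and is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Size of the modelled log sink (assumption for this demo). */
#define LOGSZ 256

/* Vulnerable pattern, as in the pre-patch tools.c: syslog(prio, buf).
 * The message itself becomes the format string, so every '%' directive
 * in it is interpreted by the formatter. A real attacker would use %x to
 * read the stack and %n to write to it; here we only use %% so the demo
 * stays within defined behaviour. */
int log_unsafe(char *sink, size_t n, const char *buf)
{
    return snprintf(sink, n, buf);      /* -Wformat-security warns here */
}

/* Hardened pattern, as in the patched tools.c: syslog(prio, "%s", buf).
 * The format string is a literal and the message is plain data. */
int log_safe(char *sink, size_t n, const char *buf)
{
    return snprintf(sink, n, "%s", buf);
}

/* Count the conversion specifications that would be interpreted if msg
 * were used as a format string ("%%" is an escaped percent, not one). */
size_t count_directives(const char *msg)
{
    size_t count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* literal percent, skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 if logging msg through the unsafe path changes its text. */
int unsafe_rewrites(const char *msg)
{
    char sink[LOGSZ];
    log_unsafe(sink, sizeof sink, msg);
    return strcmp(sink, msg) != 0;
}

/* Returns 1 if logging msg through the hardened path preserves it exactly. */
int safe_preserves(const char *msg)
{
    char sink[LOGSZ];
    log_safe(sink, sizeof sink, msg);
    return strcmp(sink, msg) == 0;
}

int main(void)
{
    /* Constructed "client-supplied" message containing a format directive. */
    const char *msg = "client sent 100%% CPU";
    char sink[LOGSZ];

    log_unsafe(sink, sizeof sink, msg);
    printf("unsafe : %s\n", sink);      /* text is rewritten */
    log_safe(sink, sizeof sink, msg);
    printf("safe   : %s\n", sink);      /* text is preserved */
    printf("directives that %s would interpret: %zu\n",
           "syslog(prio, buf)", count_directives("%x %x %n"));
    return 0;
}
```

count_directives() is the kind of oracle worth keeping in a test suite for a daemon like this: feed each log call site a message with a known number of directives and assert that the logged text still contains all of them, which catches any call site the patch missed.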

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->bp 
Responsible-Changed-By: jedgar 
Responsible-Changed-When: Tue Jan 30 03:25:43 PST 2001 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24733 
State-Changed-From-To: open->closed 
State-Changed-By: bp 
State-Changed-When: Tue Jan 30 04:22:01 PST 2001 
State-Changed-Why:  
Thanks! Patch added. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24733 
>Unformatted:
