[Bug 793694] Re: Format string bug in parselog.pl
Kees Cook
kees at ubuntu.com
Wed Jun 8 21:41:58 UTC 2011
This looks like a regular bug to me. I don't think Perl will deal with
the %n in an unsafe way.
** This bug is no longer flagged as a security vulnerability
--
https://bugs.launchpad.net/bugs/793694
Title:
Format string bug in parselog.pl
Status in "samba" package in Ubuntu:
Confirmed
Bug description:
Binary package hint: samba-doc
samba-doc/examples/scripts/eventlog/parselog.pl has a format string bug.
Test case:
emanuel at amd64 /tmp>>echo '1 1 1 %n' | perl /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl
Modification of a read-only value attempted at /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl line 30, <> line 1.
emanuel at amd64 /tmp>>echo '1 1 1 1 %n' | perl /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl
Modification of a read-only value attempted at /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl line 30, <> line 1.
The bug can be found at:
$outstr = sprintf "TMG: %d\nTMW: %d\nEID: 1000\nETP: INFO\nECT: 0\nRS2: 0\nCRN: 0\nUSL: 0\nSRC: Syslog\nSRN: $cname\nSTR: $ln\nDAT:\n\n",time(),time();
Fix: use %s for $cname and $ln.
$outstr = sprintf "TMG: %d\nTMW: %d\nEID: 1000\nETP: INFO\nECT: 0\nRS2: 0\nCRN: 0\nUSL: 0\nSRC: Syslog\nSRN: %s\nSTR: %s\nDAT:\n\n",time(),time(),$cname,$ln;
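Added example, not part of the original report or of parselog.pl: it shortens the sprintf call to three fields and runs the reported pattern and the proposed %s fix over constructed log lines, recording whether each line survives formatting unchanged, triggers warnings, or aborts the script. The helper names, the host name and the sample lines (other than the '%n' test case) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the report: log text is interpolated into the format string,
# so any % sequence in it is parsed as a conversion.
sub format_unsafe {
    my ($cname, $ln) = @_;
    return sprintf "TMG: %d\nSRN: $cname\nSTR: $ln\n", time();
}

# Fix from the report: log text is passed only as arguments to %s.
sub format_safe {
    my ($cname, $ln) = @_;
    return sprintf "TMG: %d\nSRN: %s\nSTR: %s\n", time(), $cname, $ln;
}

# Run a formatter, collecting warnings and any fatal error instead of dying.
sub try_format {
    my ($fn, @args) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $out = eval { $fn->(@args) };
    my $err = $@;
    return ($out, $err, scalar @warnings);
}

# Constructed sample log lines; '1 1 1 %n' is the test case from the report.
my @samples = ('link up', 'disk at 100% done', 'got %s from %d peers', '1 1 1 %n');

for my $ln (@samples) {
    for my $case (['unsafe', \&format_unsafe], ['safe', \&format_safe]) {
        my ($name, $fn) = @$case;
        my ($out, $err, $nwarn) = try_format($fn, 'host1', $ln);
        my $state = $err                          ? 'died'
                  : index($out, "STR: $ln\n") < 0 ? 'line altered'
                  :                                 'line intact';
        printf "%-6s %-24s %s (warnings: %d)\n", $name, "'$ln'", $state, $nwarn;
    }
}
```

The exact message produced for '%n' depends on the Perl version, which is why the example only records that the call died rather than matching the error text.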