Vulnerability Update [VU#825121]

Daniel Atallah daniel.atallah at gmail.com
Wed Feb 28 17:37:47 EST 2007


On 2/28/07, Luke Schierer <lschiere at pidgin.im> wrote:
> - --- Begin report - Not for public distribution ----------
>
> There is a function whose prototype is :
>
> void gaim_debug(GaimDebugLevel level, const char *category, const
> char *format, ...);
>
> declared in my /usr/include/gaim/debug.h header.
>
>   Now, if you look at the source file in  <somepath>/gaim-1.5.0/
> plugins/perl/common/Gaim.c
>
>   you'll find this function misused in 3 places :
>
>   line 204: gaim_debug(level, category, string);
>   line 220: gaim_debug(GAIM_DEBUG_MISC, category, string);
>   line 237: gaim_debug(GAIM_DEBUG_INFO, category, string);
>
>   In those 3 places, the "string" variable can allow an attacker to
>   inject its own format string, and therefore,
>   read or write anywhere in the process's memory, potentially allowing
>   arbitrary execution.
>
> - --- End Report - Not for public distribution -----------

Has anyone actually verified that this is actually exploitable remotely?

These are just in the Perl bindings - a malicious perl plugin could
certainly do bad things with them, but the ability of a plugin to do
bad things is hardly a vulnerability.

-D
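
Added example, not part of the original message or of Gaim's source: the call shape the quoted report describes, next to the usual remediation of passing a constant "%s" format so caller-supplied text is treated as data. `debug_log`, `debug_log_text` and `count_conversions` are hypothetical stand-ins; only the parameter shape is taken from the prototype quoted above, and the sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_msg[256]; /* captures the formatted line for inspection */

/* Hypothetical stand-in with the same parameter shape as the quoted
 * gaim_debug() prototype: (level, category, printf-style format, ...). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4))) /* lets the compiler check callers, e.g. -Wformat-security */
#endif
static void debug_log(int level, const char *category, const char *format, ...)
{
    va_list ap;
    (void)level; (void)category;
    va_start(ap, format);
    vsnprintf(last_msg, sizeof last_msg, format, ap);
    va_end(ap);
}

/* Reported call shape (left as a comment, never executed here):
 *     debug_log(level, category, string);
 * Any conversion in `string` is interpreted against varargs that do not exist. */

/* Remediated shape: constant format, caller text passed purely as data. */
static const char *debug_log_text(int level, const char *category, const char *string)
{
    debug_log(level, category, "%s", string);
    return last_msg;
}

/* Audit helper: how many conversions would `s` trigger if used as a format? */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; } /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    const char *string = "%x.%x.%n"; /* constructed sample input */
    printf("conversions if used as format: %d\n", count_conversions(string));
    printf("logged via \"%%s\": %s\n", debug_log_text(0, "perl", string));
    return 0;
}
```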


More information about the Cabal mailing list