Vulnerability Development mailing list archives
Re: procmail
From: Timo Sirainen <tss () iki fi>
Date: Sun, 12 Oct 2003 20:16:40 +0300
On Sun, 2003-10-12 at 01:41, aaa aaa wrote:
> Here is a simple advisory
>
>   if(rename(name,buf2))                /* try and move it out of the way */
>    { syslog(LOG_ALERT,renfbogus,name,buf2);      /* danger! danger! */
>      return 1;
>    }
>   syslog(LOG_CRIT,renbogus,name,buf2);
>   return 0;
>
> And we probably don't have control over buf ;( but we have, in theory, all the control needed to do a format string bug using the function rnmbogus(). Maybe it is a bug?

No. The format parameters are renfbogus and renbogus, not name. They are both static strings. No bugs there.

> Btw. Procmail has really FUCKED UP source ;(

Yea, it really is. Once it took me half an hour just to figure out the code execution path to a certain location in the code.
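
Added example, not part of the original thread or of procmail's source: it contrasts the pattern in the quoted code (static format string, file name passed as an argument) with the pattern that would be a format string bug (file name passed as the format). `capture_log()` is a hypothetical stand-in for `syslog()` that keeps the formatted message in a buffer, and `renbogus_demo` is a constructed format string, since the thread does not show the text of `renbogus`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for procmail's static format string; the real
   text of renbogus is not shown in the thread. */
static const char renbogus_demo[] = "Renamed bogus \"%s\" into \"%s\"";

static char last_msg[256];

/* Hypothetical stand-in for syslog(): same printf-style contract, but
   the formatted message is captured in last_msg so it can be inspected. */
static const char *capture_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
    return last_msg;
}

/* Pattern from the quoted code: static format, file name as argument. */
const char *log_name_as_argument(const char *name, const char *newname)
{
    return capture_log(renbogus_demo, name, newname);
}

/* The pattern that would be a format string bug: name is the format. */
const char *log_name_as_format(const char *name)
{
    return capture_log(name);
}

int main(void)
{
    /* Constructed file name. "%%" is the only directive used, because it
       consumes no arguments and so is well defined even in the bad call. */
    const char *name = "msg.100%%";

    printf("argument: %s\n", log_name_as_argument(name, "BOGUS.x"));
    printf("format:   %s\n", log_name_as_format(name));
    /* 0 here means the name was interpreted rather than copied. */
    printf("unchanged as format: %d\n",
           strcmp(name, log_name_as_format(name)) == 0);
    return 0;
}
```

In argument position the name is copied byte for byte; in format position its directives are interpreted, which is the condition the quoted `syslog()` calls do not meet.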
