OSSP CVS Repository

ossp - Check-in [2349]

Check-in Number: 2349
Date: 2002-Jul-25 12:14:03 (local)
2002-Jul-25 10:14:03 (UTC)
User:rse
Branch:
Comment: Fix a big security hole: l2_spec() is a varargs function which takes a format string and variable arguments. When only a fixed string is passed, we have to use "%s" as the format string, or else a "%x" in the string is treated as a formatter (and hence causes a segfault or whatever else when it tries to fetch args from the stack). In particular, this also means the formatters no longer have to be written %%X...
Tickets:
Inspections:
Files:
ossp-pkg/fsl/fsl.c      1.21 -> 1.22     2 inserted, 2 deleted
ossp-pkg/fsl/fsl.pod      1.9 -> 1.10     2 inserted, 2 deleted
ossp-pkg/fsl/fsl.sample.cfg      1.1 -> 1.2     12 inserted, 20 deleted

ossp-pkg/fsl/fsl.c 1.21 -> 1.22

--- fsl.c        2002/07/24 15:29:01     1.21
+++ fsl.c        2002/07/25 10:14:03     1.22
@@ -338,7 +338,7 @@
             cp = l2_env_strerror(ctx.l2_fslenv, l2rv); fsldebug(L2_LEVEL_ERROR, "logging failed to register errno formatter %s(%d) for fsl\n", cp, l2rv); CU(1); }
         if ((l2rv = l2_channel_create(&ctx.l2_fslnch, ctx.l2_fslenv, "noop")) != L2_OK) {
             cp = l2_env_strerror(ctx.l2_fslenv, l2rv); fsldebug(L2_LEVEL_ERROR, "logging failed to create noop channel; %s(%d)\n for fsl", cp, l2rv); CU(1); }
-        if ((l2rv = l2_spec(&ch, ctx.l2_fslenv, argl2spec)) != L2_OK) {
+        if ((l2rv = l2_spec(&ch, ctx.l2_fslenv, "%s", argl2spec)) != L2_OK) {
             cp = l2_env_strerror(ctx.l2_fslenv, l2rv); fsldebug(L2_LEVEL_ERROR, "logging failed to create stream from spec %s(%d) for fsl\n", cp, l2rv); CU(1); }
         if ((l2rv = l2_channel_link(ctx.l2_fslnch, L2_LINK_CHILD, ch, NULL)) != L2_OK) {
             cp = l2_env_strerror(ctx.l2_fslenv, l2rv); fsldebug(L2_LEVEL_ERROR, "logging failed to link child channel %s(%d) for fsl\n", cp, l2rv); CU(1); }
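Review bot: Passing the spec through `"%s"` is enforced only by convention at the two `l2_spec()` call sites (this one and the one in the `@@ -510` hunk), so a later caller that hands a non-literal string in as the format would reintroduce the same bug unnoticed. I would add a comment above each call, e.g. `/* argl2spec is data, not a format: always pass it via "%s" */`. If L2's formatter is printf-compatible (its declaration is not visible here), the `l2_spec` prototype could also carry `__attribute__((format(printf, 3, 4)))` so the compiler can warn on non-literal formats. It is also worth checking the rest of the tree for other varargs L2 calls that receive a variable as their format argument. The enclosing function starts and ends outside both hunks.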
@@ -510,7 +510,7 @@
                     fsldebug(L2_LEVEL_DEBUG, "argident=%s, argmatch=%s, argl2spec=%s\n", argident, argmatch, argl2spec);
 
                     /* create L2 channel throuh spec and link into root channel */
-                    if ((l2rv = l2_spec(&ch, ctx.l2_env, argl2spec)) != L2_OK) {
+                    if ((l2rv = l2_spec(&ch, ctx.l2_env, "%s", argl2spec)) != L2_OK) {
                         cp = l2_env_strerror(ctx.l2_env, l2rv); fsldebug(L2_LEVEL_ERROR, "logging failed to create stream from spec %s(%d)\n", cp, l2rv); CU(1); }
                     if ((l2rv = l2_channel_link(ctx.l2_nch, L2_LINK_CHILD, ch, NULL)) != L2_OK) {
                         cp = l2_env_strerror(ctx.l2_env, l2rv); fsldebug(L2_LEVEL_ERROR, "logging failed to link child channel %s(%d)\n", cp, l2rv); CU(1); }


ossp-pkg/fsl/fsl.pod 1.9 -> 1.10

--- fsl.pod      2002/07/25 09:42:44     1.9
+++ fsl.pod      2002/07/25 10:14:03     1.10
@@ -284,9 +284,9 @@
 
  ident sendmail/.* {
    debug:
-     prefix(prefix="%%b %%d %%H:%%M:%%S <%%L> $1 [%%P]: ",
+     prefix(prefix="%b %d %H:%M:%S <%L> $1 [%P]: ",
             timezone=local)
-     -> file(path="sendmail.debug.log", append=0,perm=432)
+     -> file(path="sendmail.debug.log", append=0, perm=432)
  };
 
 =head1 FILES


ossp-pkg/fsl/fsl.sample.cfg 1.1 -> 1.2

--- fsl.sample.cfg       2002/07/24 07:57:04     1.1
+++ fsl.sample.cfg       2002/07/25 10:14:03     1.2
@@ -1,27 +1,19 @@
-
-    #
-    # SAMPLE FAKESYSLOG CONFIGURATION FILE
-    #
+#
+# SAMPLE FSL CONFIGURATION FILE
+#
 
 ident (.*)a(.*)/(.*)p q{
-    debug:
-        prefix(prefix="%%b %%d %%H:%%M:%%S <%%L> $1 [%%P]: ",
-        timezone=local)
-        -> file(path="sendmail.debug.log", append=0,perm=432)
-    };
+    debug: prefix(prefix="%b %d %H:%M:%S <%L> $1[%P]: ", timezone=local)
+    -> file(path="sendmail.debug.log", append=0, perm=432)
+};
 
 ident mail/.* q{
-    error:
-        prefix(prefix="%%b %%d %%H:%%M:%%S <%%L> $1 [%%P]: ",
-        timezone=local)
-        -> file(path="mail.error.log", append=0,perm=432)
-    };
+    error: prefix(prefix="%b %d %H:%M:%S <%L> $1[%P]: ", timezone=local)
+    -> file(path="mail.error.log", append=0, perm=432)
+};
 
 ident news/.* q{
-    warning:
-        prefix(prefix="%%b %%d %%H:%%M:%%S <%%L> $1 [%%P]: ",
-        timezone=local)
-        -> file(path="news.warning.log", append=0,perm=432)
-    };
+    warning: prefix(prefix="%b %d %H:%M:%S <%L> $1[%P]: ", timezone=local)
+    -> file(path="news.warning.log", append=0, perm=432)
+};
 
-# have a nice day
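Review bot: The sample now writes the prefix formatters as `%b %d ...` with no hint that the syntax changed, so an administrator who carries over a configuration written with `%%b %%d ...` gets no warning. Whether the old doubled form still produces the same timestamps after this change is not visible here and should be checked. A header comment such as `# NOTE: since fsl.c 1.22 formatters are written %X, not %%X` would make the upgrade explicit. The same example in fsl.pod keeps `$1 [%P]` with a space while this file now uses `$1[%P]`; the two should agree.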
