File silc-toolkit-1.1.10-security.patch of Package silc-toolkit

Overview Repositories Revisions Requests Users Attributes Meta

File silc-toolkit-1.1.10-security.patch of Package silc-toolkit

commit 25a6a61ecf6561bdb00e289175989e28d0fb26bb
Author: kp@valhallalegends.com <kp@valhallalegends.com>
Date:   Sat May 31 16:37:45 2008 -0500

ASN1: Fix stack variable overwrite when encoding OID.

The call to sscanf specifies a format string of "%lu", a long unsigned
    int.  The pointer argument was cast to unsigned long *, but this is
    wrong for 64 bit systems.  On 64 bit systems, unsigned long is 64 bits,
    but the oid value is a SilcUInt32 on all systems.  As a result, sscanf
    will overwrite a neighboring variable on the stack.  Fix this by
    changing the format string to "%u" and removing the cast.

commit 9c93e2c6df752c32bcb64335b418523aae331715
Author: Pekka Riikonen <priikone@silcnet.org>
Date:   Fri Jul 31 22:32:57 2009 +0300

Fixed string format vulnerability in client entry handling.

Reported and patch provided by William Cummings.

commit a785cba501a940921d215c18bc410a53bf1b12e8
Author: Pekka Riikonen <priikone@silcnet.org>
Date:   Fri Aug 7 14:48:46 2009 +0300

More string format fixes in silcd and client libary

commit f9acb085b819a7d0c6b3e9f40bc78f26bc2d429b
Author: kp@valhallalegends.com <kp@valhallalegends.com>
Date:   Fri Dec 12 21:38:54 2008 -0600

HTTP: fix stack overwrite due to format string error.

On AMD64, %lu refers to a 64-bit unsigned value, but the address passed
    to sscanf points to a 32-bit unsigned value.  This causes an adjoining
    value on the stack to be overwritten with data from the converted
    integer.  Fix the format string to match the size of the supplied value,
    and remove the pointer cast.

================================================================================
--- silc-toolkit-1.1.7/lib/silcasn1/silcasn1_encode.c
+++ silc-toolkit-1.1.7/lib/silcasn1/silcasn1_encode.c
@@ -351,7 +351,7 @@
 	/* Get OID words from the string */
 	cp = strchr(oidstr, '.');
 	while (cp) {
-	  if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) {
+	  if (sscanf(oidstr, "%u", &oid) != 1) {
 	    SILC_LOG_DEBUG(("Malformed OID string"));
 	    goto fail;
 	  }
@@ -362,7 +362,7 @@
 	  cp = strchr(oidstr, '.');
 
 	  if (!cp) {
-	    if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) {
+	    if (sscanf(oidstr, "%u", &oid) != 1) {
 	      SILC_LOG_DEBUG(("Malformed OID string"));
 	      goto fail;
 	    }
--- silc-toolkit-1.1.7/lib/silcclient/client_entry.c
+++ silc-toolkit-1.1.7/lib/silcclient/client_entry.c
@@ -800,10 +800,10 @@
 		      client_entry->server, sizeof(client_entry->server));
   if (nickname && client->internal->params->full_nicknames)
     silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		  nickname);
+		  "%s", nickname);
   else if (nickname)
     silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		  parsed);
+		  "%s", parsed);
 
   silc_parse_userfqdn(username, client_entry->username,
 		      sizeof(client_entry->username),
@@ -890,10 +890,10 @@
 			client_entry->server, sizeof(client_entry->server));
     if (client->internal->params->full_nicknames)
       silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		    nickname);
+		    "%s", nickname);
     else
       silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		    parsed);
+		    "%s", parsed);
 
     /* Normalize nickname */
     nick = silc_identifier_check(parsed, strlen(parsed),
@@ -1186,7 +1186,7 @@
         return NULL;
 
       silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		    cp);
+		    "%s", cp);
       silc_free(cp);
     }
 
--- silc-toolkit-1.1.7/lib/silcclient/command.c
+++ silc-toolkit-1.1.7/lib/silcclient/command.c
@@ -955,7 +955,7 @@
     }
 
     if (client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
@@ -2143,7 +2143,7 @@
     }
 
     if (client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
@@ -2553,7 +2553,7 @@
     }
 
     if (client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
@@ -2620,7 +2620,7 @@
     }
 
     if (conn->client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
--- silc-toolkit-1.1.7/lib/silchttp/silchttpserver.c
+++ silc-toolkit-1.1.7/lib/silchttp/silchttpserver.c
@@ -194,7 +194,7 @@
 
     /* Check we have received all data */
     cl = silc_mime_get_field(conn->curheaders, "Content-Length");
-    if (cl && sscanf(cl, "%lu", (unsigned long *)&cll) == 1) {
+    if (cl && sscanf(cl, "%u", &cll) == 1) {
       if (data_len < cll) {
 	/* More data to come */
 	silc_mime_free(conn->curheaders);

Places

File silc-toolkit-1.1.10-security.patch of Package silc-toolkit

Places