forgot to make a patch for the original posting of the exploit. the patch

will keep the functionality, while eliminating exploitation possibilities.

original exploit ref:

http://www.securityfocus.com/archive/1/323821/2003-05-28/2003-06-03/0

bash# tar -zxvf man.src.tgz

bash# patch -p0 <man.fmtbug.patch

--- man.fmtbug.patch --

diff -urP man-1.5l/src/gripes.c man-1.5l/src/gripes.c

--- man-1.5l/src/gripes.c Wed Jul 17 20:17:23 2002

+++ man-1.5l/src/gripes.c Fri Jun 6 14:51:21 2003

@@ -28,0 +28,1 @@

+#include <string.h>

@@ -68,0 +68,2 @@

+ unsigned int i = 0;

+ unsigned short fmt_n = 0;

@@ -78,0 +78,13 @@

+ /* routine to filter format string abuse. will */

+ /* only allow %d, %s, and %o through. no more */

+ /* than two formats needed for any response. */

+ for (i = 0; s[i] != 0x0; i++){

+ if (s[i] == '%' && s[i+1]){

+ if (strchr("dso", s[i+1])) /* %d,%s,%o. */

+ fmt_n++;

+ else

+ fmt_n=3; /* anything else = <limit. */

+ }

+ if (fmt_n > 2) /* failed, default reply. */

+ s = msg[n];

+ }

diff -urP man-1.5l/src/version.h man-1.5l/src/version.h

--- man-1.5l/src/version.h Fri Jun 6 14:36:40 2003

+++ man-1.5l/src/version.h Fri Jun 6 14:51:21 2003

@@ -1,1 +1,1 @@

-static char version[] = "1.5l";

+static char version[] = "1.5l-fmtfix";

[ reply ]