Bug 15295 - format string vulnerability in password input
Summary: format string vulnerability in password input
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon
Version: unspecified
Hardware: Other All
Importance: high critical
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
Reported: 2008-03-31 16:23 UTC by Kees Cook
Modified: 2008-04-04 00:01 UTC (History)

fixes for format string vulnerabilities (2.88 KB, patch)
2008-03-31 16:39 UTC, Kees Cook
Patch for 0.6 (792 bytes, patch)
2008-04-04 00:01 UTC, David Zeuthen (not reading bugmail)

Description Kees Cook 2008-03-31 16:23:48 UTC
If a user types a carefully crafted series of format strings, they can trick polkit-grant-helper into thinking the password was successful.


src/polkit-grant/polkit-grant-helper.c line 231:

                /* send to parent */
                fprintf (stdout, buf);

This should be fprintf(stdout, "%s", buf);

I also recommend adding "-Wformat -Wformat-security" to the gcc CFLAGS.
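
The difference between the two calls quoted in the description, as an added example that is not part of the original report and not PolicyKit code. The function names and the sample input are hypothetical, and the output goes to a buffer rather than stdout so the result can be compared with what was typed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the helper's "send to parent" write. They format
 * into a caller-supplied buffer so the bytes the parent would read can be
 * inspected. */

/* The warnings the report recommends enabling are silenced for this one
 * function only, because it reproduces the reported pattern on purpose. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Reported pattern: the data itself is used as the format string. */
static int send_unsafe(char *out, size_t n, const char *buf)
{
    return snprintf(out, n, buf);
}
#pragma GCC diagnostic pop

/* Corrected pattern: constant format, data passed as an argument. */
static int send_safe(char *out, size_t n, const char *buf)
{
    return snprintf(out, n, "%s", buf);
}

/* Returns 1 when what the parent would read differs from what was typed. */
static int altered_in_transit(int (*send)(char *, size_t, const char *),
                              const char *typed)
{
    char wire[128];
    send(wire, sizeof wire, typed);
    return strcmp(wire, typed) != 0;
}

int main(void)
{
    /* Constructed sample input. "%%" is the only conversion used because it
     * consumes no argument, so the unsafe call stays well-defined here. */
    const char *typed = "pa%%ss";

    printf("unsafe altered: %d\n", altered_in_transit(send_unsafe, typed));
    printf("safe altered:   %d\n", altered_in_transit(send_safe, typed));
    return 0;
}
```

Building the same file without the pragmas and with "-Wformat -Wformat-security" produces the "format not a string literal and no format arguments" warning on the `send_unsafe` call.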
Comment 1 Kees Cook 2008-03-31 16:25:11 UTC
$ grep 'format not a string literal' /scratch/ubuntu/logs/policykit_0.7-2ubuntu6_20080331-1621
polkit-policy-cache.c:150: warning: format not a string literal and no format arguments
polkit-grant-helper.c:231: warning: format not a string literal and no format arguments
polkit-grant-helper.c:242: warning: format not a string literal and no format arguments

There appear to be other cases of this too.
Comment 2 Kees Cook 2008-03-31 16:39:38 UTC
Created attachment 15591
fixes for format string vulnerabilities
Comment 3 Kees Cook 2008-04-02 11:26:09 UTC
Comment 4 David Zeuthen (not reading bugmail) 2008-04-03 23:30:30 UTC

Thanks for noticing this. I've committed this to HEAD


with one change: the hunk in src/polkit/polkit-policy-cache.c didn't apply and isn't needed anymore.

Comment 5 David Zeuthen (not reading bugmail) 2008-04-04 00:01:39 UTC
Created attachment 15671
Patch for 0.6

Had to backport this for Fedora 8 so sharing the patch against 0.6.
