bug-gnu-utils
Patch:Found m4 (GUN) Bug! [was: m4 (GNU) Buffer Overflow, Slackware Conf


From: Derek Kwan
Subject: Patch:Found m4 (GUN) Bug! [was: m4 (GNU) Buffer Overflow, Slackware Confirmed] (fwd)
Date: Thu, 8 Feb 2001 23:58:47 -0500 (EST)

I have included a quick patch to the source code.... I just changed the call
from error to fprintf (to stderr).

Derek Kwan

 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is send with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       address@hidden


---------- Forwarded message ----------
Date: Thu, 8 Feb 2001 23:04:16 -0500 (EST)
From: Derek Kwan <address@hidden>
To: address@hidden, address@hidden
Subject: Found m4 (GUN) Bug! [was: m4 (GNU) Buffer Overflow,
     Slackware Confirmed] (fwd)


More specifically.. it is in src/m4.c line 469 when it tries to call error
(lib/error.c) line 104 and passed along w/ the %x.


 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is send with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       address@hidden

---------- Forwarded message ----------
Date: Thu, 8 Feb 2001 22:38:04 -0500 (EST)
From: Derek Kwan <address@hidden>
To: Avro Nelson <address@hidden>, address@hidden
Cc: address@hidden
Subject: Found m4 (GUN) Bug! [was: m4 (GNU) Buffer Overflow,
     Slackware Confirmed]


hello world,

 I just tried to locate the problem of this 'bug'. Well, first of all, it
may look like it is a Buffer Overflow bug. But after I spent some time doing
some debugging on the m4 1.4 source code... I found the problem...

 It is in /lib/error.c line 104.

 What is happening is that vfprintf gets confused. When you use %x, it expects
to have an arg with some kind of value.. and %x just happens to print out the
HEX value of an undefined variable.

 If you try 'm4 %%x' it will "fix" the problem because you have an extra
percentage sign to act as an escape char.

 In theory if you try 'm4 %c', 'm4 %s', 'm4 %d' etc... you might also get
some weird results.

 Harmful? Hmm.... I can't say right now, but correct me if I am wrong,
you can't really write stuff (i.e. buffer overflow) into memory w/ this
bug.


 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is send with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       address@hidden


On Wed, 7 Feb 2001, Avro Nelson wrote:

> The problem exists in the Slackware x86 7.1.0 Distro as well.
>  >On Fre, Feb 02, 2001 at 09:36:29 +0100, Tomasz Ku?niar wrote:
>  >> The same problem in most (all?) distributions is with m4 - GNU macro
>  >> processor code, when trying use -G option:
>  >>
>  >> address@hidden:~$ m4 -G %x%x%x%x
>  >> m4: 40012a48380491e00: No such file or directory
> Confirmed for Slackware Linux 7.1.0
> address@hidden:/etc$ m4 -G %x
> m4: 400fe9b4: No such file or directory
> address@hidden:/etc$ m4 -G %qx
> m4: 4000aa70400fe9b4: No such file or directory
> address@hidden:/etc$ m4 %x
> m4: 400fe9b4: No such file or directory
> address@hidden:/# m4 --version
> GNU m4 1.4
> 
> 
> _________________________
> www.estec.com
> _________________________
> 



Attachment: m4.c.diff
Description: Text document
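
An added example, not taken from the thread or from the attached m4.c.diff, of the format-string pattern discussed above: a file name from the command line handed to a printf-style reporter as the format, beside the form that passes it only as data. `report`, `report_bad`, `report_good` and `count_conversions` are hypothetical names, and `report` is a stand-in for an `error()`-style function, not m4's code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an error()-style reporter: the format string
   and arguments go straight to the printf family (here vsnprintf). */
static int report(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Count the conversions printf would perform on s. "%%" is a literal
   percent sign and fetches no argument, so it is not counted. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%')
            s++;                /* escaped percent: skip the pair */
        else if (*s == '%' && s[1] != '\0')
            count++;            /* printf would fetch an argument here */
    }
    return count;
}

/* Flawed pattern: the untrusted name is the format string itself. */
static int report_bad(char *buf, size_t n, const char *name)
{
    return report(buf, n, name);
}

/* Corrected pattern: constant format, name passed only as data. */
static int report_good(char *buf, size_t n, const char *name)
{
    return report(buf, n, "%s: No such file or directory", name);
}

int main(void)
{
    char out[128];
    report_good(out, sizeof out, "%x%x%x%x");   /* constructed input */
    printf("%s (%d conversions)\n", out, count_conversions("%x%x%x%x"));
    report_bad(out, sizeof out, "%%x");         /* defined only because of %% */
    puts(out);
    return 0;
}
```

With the constant format, the `%x` sequences in the name come out verbatim in the message; `count_conversions` can also serve as a quick review check for strings that reach a format parameter.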