View Issue Details

IDProjectCategoryView StatusLast Update
0004200unrealircdpublic2013-05-19 16:47
Reporterfalconkirtaran Assigned Tonenolod 
PriorityimmediateSeveritytweakReproducibilityN/A
Status resolvedResolutionfixed 
Product Version3.4-alpha1 
Fixed in Version3.4-alpha1 
Summary0004200: Fix possible format string injection in ping code in ircd.c
DescriptionThe REPORT_FAIL_DNS and REPORT_FAIL_ID strings, which are dynamic, are used as format string parameters in ircd.c. They contain no format specifiers. Added a format string wrapper to prevent format string injection.
TagsNo tags attached.
Attached Files
3rd party modules

Relationships

related to 0004188 closed Unreal 3.4 alpha1 blockers 

Activities

nenolod

2013-05-19 12:32

reporter   ~0017595

http://hg.unrealircd.org/hg/unreal/rev/2d06381e6935

syzop

2013-05-19 16:47

administrator   ~0017599

Just for the record, there's no risk of format string injection here (just trace it upstream if you don't believe me). Patch perfectly fine, nonetheless :p.

Issue History

Date Modified Username Field Change
2013-05-19 11:00 falconkirtaran New Issue
2013-05-19 11:00 falconkirtaran File Added: 4200_format_string_vuln.diff
2013-05-19 12:32 nenolod Note Added: 0017595
2013-05-19 12:32 nenolod Status new => resolved
2013-05-19 12:32 nenolod Fixed in Version => 3.4-alpha1
2013-05-19 12:32 nenolod Resolution open => fixed
2013-05-19 12:32 nenolod Assigned To => nenolod
2013-05-19 12:32 nenolod Relationship added related to 0004188
2013-05-19 16:47 syzop Note Added: 0017599
2013-05-19 16:47 syzop Severity major => tweak