Format string bug in startinnfeed

Russ Allbery rra at stanford.edu
Mon Feb 12 22:55:40 UTC 2001


I love the notification that you gave to the INN developers about this
problem (namely, absolutely none at all).  If you'd mailed us first, I
could have pointed out to you that startinnfeed does no argument parsing of
its own and just execs innfeed with the passed arguments, which at the least
would have made your notice more accurate.

So far as I can tell, all of the below:

Paul Starzetz <paul at STARZETZ.DE> writes:

> paul at ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -a
> "%x%x%n%n%n%n%n%n%n"
> segmentation fault
> paul at ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -b
> "%x%x%n%n%n%n%n%n%n"
> Mon Feb 12 15:37:01 2001 innfeed: Not a directory: %x%x%n%n%n%n%n%n%n
>
> segmentation fault
> paul at ps:/usr/home/paul > /usr/lib/news/bin/startinnfeed  -c
> "%x%x%n%n%n%n%n%n%n"
> segmentation fault

are actually segfaults in innfeed itself.  While that's definitely sloppy
code, it doesn't pose a security risk that I can see; innfeed runs as the
news user and only the news user should be capable of running startinnfeed
in the first place.  (If this is not the case, please report this to your
distribution packager as a packaging error; startinnfeed should be owned
by root:news, mode 4550, and the only member of the news group should be
the news user.)

If you see a security vulnerability here, I would very much appreciate
enlightenment.  It's always possible that I've missed something.

> The vulnerable package is
>
> Name        : inn
> Version     : 2.2.2

INN 2.2.2 is no longer supported (the current release is INN 2.3.1, which
has among other things a rewrite of startinnfeed), but after reviewing the
code in startinnfeed in INN 2.2.2 after seeing your message I don't see
anywhere where that version is passing user data to syslog as a format
string.  There is only one occurrence of *printf in startinnfeed.c in INN
2.2.2 and it uses inn.conf data and a compile-time constant.

If I've overlooked something, I'd quite certainly welcome a more complete
bug report.

Note that the sole utility of startinnfeed is to increase system file
descriptor and data limits for innfeed.  If you've already taken care of
this via other means, you can safely change newsfeeds to run innfeed
directly and remove startinnfeed from your system.  If startinnfeed makes
you nervous for whatever reason, removing the setuid bit is completely
harmless for most configurations (probably all small or hobby servers).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
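As an added illustration of the pattern this reply is distinguishing (user data reaching a printf-style function as the format string itself versus as a `%s` argument), not code from INN or from either poster; the wrapper, function names and sample input are all hypothetical:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical daemon logging wrapper; a real one would hand the
 * formatted text to syslog(3) instead of a caller-supplied buffer. */
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: untrusted text (an argv value, a path, a peer name)
 * becomes the format string, so every % sequence in it is interpreted. */
int report_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return log_fmt(out, outsz, untrusted);
}

/* Fixed pattern: compile-time constant format, untrusted text as a %s
 * argument, so it is copied verbatim regardless of its contents. */
int report_safe(char *out, size_t outsz, const char *untrusted)
{
    return log_fmt(out, outsz, "innfeed: Not a directory: %s", untrusted);
}

/* Audit aid: true if a string would be interpreted differently when used as
 * a format (any % not forming the literal "%%").  Handy for a regression
 * test that pushes argv-like input through every message path. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is just a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}
```

Feeding the constructed input `"100%% done"` through both paths shows the difference without undefined behaviour: the unsafe path collapses it to `100% done`, the safe path keeps it verbatim.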