GNU bug report logs - #77129
Upgrade security in who.c


Package: coreutils

Reported by: Alex PWN <pwnaleks <at> gmail.com>

Date: Thu, 20 Mar 2025 08:18:01 UTC

Severity: normal

To reply to this bug, email your comments to 77129 AT debbugs.gnu.org.



Report forwarded to bug-coreutils <at> gnu.org:
bug#77129; Package coreutils. (Thu, 20 Mar 2025 08:18:02 GMT)

Acknowledgement sent to Alex PWN <pwnaleks <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Thu, 20 Mar 2025 08:18:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Alex PWN <pwnaleks <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: Upgrade security in who.c
Date: Thu, 20 Mar 2025 12:42:18 +0500
Hi, my name is Alex Feklin (PwnToday).
In coreutils I found an interesting vulnerability in who.c

"
err = asprintf (&buf,
    "%-8s"
    "%s"
    " %-12s"
    " %-*s"
    "%s"
    "%s"
    " %-8s"
    "%s"
    ,
    user ? user : " .",
    include_mesg ? mesg : "",
    line,
    time_format_width,
    time_str,
    x_idle,
    x_pid,
    comment,
    x_exitstr
);
"

The "comment" argument is taken from user input and passed unsafely to
asprintf, which opens the possibility of a format string attack.

Use the safe option: quote(comment)

Write back
Thanks

Information forwarded to bug-coreutils <at> gnu.org:
bug#77129; Package coreutils. (Thu, 20 Mar 2025 13:28:01 GMT)

Message #8 received at 77129 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: Alex PWN <pwnaleks <at> gmail.com>, 77129 <at> debbugs.gnu.org
Subject: Re: bug#77129: Upgrade security in who.c
Date: Thu, 20 Mar 2025 13:27:14 +0000
On 20/03/2025 07:42, Alex PWN wrote:
> Hi, my name is Alex Feklin (PwnToday).
> In coreutils I found an interesting vulnerability in who.c
> 
> "
> err = asprintf (&buf,
>      "%-8s"
>      "%s"
>      " %-12s"
>      " %-*s"
>      "%s"
>      "%s"
>      " %-8s"
>      "%s"
>      ,
>      user ? user : " .",
>      include_mesg ? mesg : "",
>      line,
>      time_format_width,
>      time_str,
>      x_idle,
>      x_pid,
>      comment,
>      x_exitstr
> );
> "
> 
> The "comment" argument is taken from user input and passed unsafely to
> asprintf, which opens the possibility of a format string attack.
> 
> Use the safe option: quote(comment)
> 
> Write back
> Thanks

Sorry I don't see the vulnerability,
as "comment" is interpreted with "%-8s".
What am I missing?
Did a tool flag this?

thank you,
Pádraig
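
Added example, not part of either message and not coreutils code: the format string quoted in the report, rendered with a comment that itself contains conversion directives, next to the pattern that would actually be a format string bug. It uses snprintf instead of asprintf to stay in standard C; the function names, the sample comment and the other field values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a comment field carrying printf directives.
   Only "%%" is used so that both calls below have defined behaviour. */
static const char SAMPLE_COMMENT[] = "50%% %%s";

/* Pattern from the report: comment is an ARGUMENT consumed by " %-8s".
   The other field values are constructed placeholders. */
int render_who_line(char *out, size_t n, const char *comment)
{
    return snprintf(out, n,
                    "%-8s" "%s" " %-12s" " %-*s" "%s" "%s" " %-8s" "%s",
                    "alice", "", "pts/0", 16, "2025-03-20 08:18",
                    "", "", comment, "");
}

/* What a format string bug looks like: comment IS the format argument.
   -Wformat-security normally flags this call; it is silenced here only
   because the unsafe form is shown on purpose. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_comment_as_format(char *out, size_t n, const char *comment)
{
    return snprintf(out, n, comment);
}
#pragma GCC diagnostic pop

int main(void)
{
    char safe[128], unsafe[128];

    render_who_line(safe, sizeof safe, SAMPLE_COMMENT);
    render_comment_as_format(unsafe, sizeof unsafe, SAMPLE_COMMENT);

    /* Argument position: directives are copied byte for byte. */
    printf("as argument: [%s]\n", safe);
    /* Format position: printf parses the directives ("%%" becomes "%"). */
    printf("as format:   [%s]\n", unsafe);
    return 0;
}
```

A non-literal format argument is what `-Wformat-security` reports; a string passed to a `%s` conversion is never parsed for directives.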




This bug report was last modified 15 days ago.
