Date: Sun, 06 Apr 2008 19:24:25 -0500
From: "Patrick J. Volkerding" <security@...ckware.com>
To: oss-security@...ts.openwall.com
Subject: Security fixes in m4-1.4.11

Hello all,

GNU m4-1.4.11 was released on 2008-04-02.  While browsing the ChangeLog
(and then NEWS) I noticed these security-related items.  I'm not sure
how severe the impact is of these issues, but since I have not seen them 
mentioned on any security lists yet a heads-up seemed to be in order.

From the ChangeLog:

Minor security fix: Quote output of mkstemp.
* src/builtin.c (mkstemp_helper): Produce quoted output.
* doc/m4.texinfo (Mkstemp): Update the documentation and tests.
* NEWS: Document this change.

Security fix: avoid arbitrary code execution with 'm4 -F'.
* src/freeze.c (produce_frozen_state): Never pass raw file name
as printf format.
* NEWS: Document this fix.

From the NEWS file:

** Security fixes for the -F option, for bugs present since -F was 
introduced in 1.3: Avoid core dump with 'm4 -F file -t undefined', and 
avoid arbitrary code execution with certain file names.

** The output of the `maketemp' and `mkstemp' builtins is now quoted if
a file was created. This is a minor security fix, because it was 
possible (although rather unlikely) that an unquoted string could match 
an existing macro name, such that use of the `mkstemp' output would 
trigger inadvertent macro expansion and operate on the wrong file name.


Cheers,

Pat
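
The src/freeze.c entry quoted above ("Never pass raw file name as printf format") names a general defect class. The following C sketch is an added illustration, not m4's code and not part of the original message; `emit`, `report_name_flawed`, `report_name_fixed` and the sample file name are hypothetical. It uses only the `%%` directive, which consumes no argument, so the difference is observable with defined behaviour.

```c
/* Added illustration of the defect class; hypothetical names, not m4 source. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style helper, standing in for any routine that
 * forwards a format string and arguments to the printf family. */
static int emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the caller-supplied name IS the format string, so any
 * '%' directive inside it is interpreted. Directives that expect an
 * argument would then read arguments that were never passed, which is
 * undefined behaviour. */
int report_name_flawed(char *out, size_t n, const char *name)
{
    return emit(out, n, name);
}

/* Fixed pattern: the format is a constant and the name is only data. */
int report_name_fixed(char *out, size_t n, const char *name)
{
    return emit(out, n, "%s", name);
}

int main(void)
{
    /* Constructed sample name: two literal percent characters. */
    const char *name = "state-100%%.m4f";
    char flawed[64], fixed[64];

    report_name_flawed(flawed, sizeof flawed, name);
    report_name_fixed(fixed, sizeof fixed, name);

    /* The flawed call collapses "%%" to "%"; the fixed call is verbatim. */
    printf("flawed: %s\nfixed:  %s\n", flawed, fixed);
    return strcmp(fixed, name) != 0;
}
```

Compiling callers of the real printf family with `-Wformat -Wformat-security` flags the flawed pattern when the format is not a string literal and no arguments follow it.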
