Bug 5338 - rpcclient command has format string bug.
Summary: rpcclient command has format string bug.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.0.28a
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-19 05:00 UTC by Yuya Katayama
Modified: 2008-03-19 09:09 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yuya Katayama 2008-03-19 05:00:46 UTC 
rpcclient command has format string bug.

$ grep % /etc/hosts                     127.0.0.1       test%n%n%n%n
$ rpcclient -c "printercmp a b" "test%n%n%n%n"
Password:
Segmentation fault

In cmd_spoolss_printercmp()
rpcclient/cmd_spoolss.c:2619
         fstr_sprintf( servername1, cli->cli->desthost );

Should use fstrcpy().

I think this is not security issue. This command is not setuid.
Comment 1 Volker Lendecke 2008-03-19 09:09:18 UTC 
Pushed, thanks!

Volker