Bug 5338 - rpcclient command has format string bug.
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
Version: 3.0.28a
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2008-03-19 05:00 UTC by Yuya Katayama
Modified: 2008-03-19 09:09 UTC
Description Yuya Katayama 2008-03-19 05:00:46 UTC
rpcclient command has format string bug.

$ grep % /etc/hosts
127.0.0.1       test%n%n%n%n
$ rpcclient -c "printercmp a b" "test%n%n%n%n"
Password:
Segmentation fault

In cmd_spoolss_printercmp()
rpcclient/cmd_spoolss.c:2619
         fstr_sprintf( servername1, cli->cli->desthost );

Should use fstrcpy().

I think this is not a security issue. This command is not setuid.
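Added example, not code from the bug report or from Samba, contrasting the pattern the report describes (the hostname taken from the command line is passed as the printf format) with the fstrcpy() style copy it recommends. The helpers demo_fstr_sprintf, demo_fstrcpy, servername_vulnerable and servername_fixed, and the 256-byte fstring size, are assumptions made for this demo; the vulnerable path is only fed "%%", whose interpretation is well defined, to show the difference without triggering the crash.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Samba's fstring: a fixed 256-byte buffer (size assumed for this demo). */
#define FSTRING_LEN 256
typedef char fstring[FSTRING_LEN];

/* Stand-in for fstr_sprintf(): the string argument is a printf format,
 * so any '%' directive in it is interpreted rather than copied. */
static int demo_fstr_sprintf(fstring dst, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, FSTRING_LEN, fmt, ap);
    va_end(ap);
    return n;
}

/* Stand-in for fstrcpy(): the fix the report asks for. The input is data,
 * the buffer is always NUL-terminated and overlong input is truncated. */
static void demo_fstrcpy(fstring dst, const char *src)
{
    snprintf(dst, FSTRING_LEN, "%s", src);
}

/* Vulnerable pattern from the report: the untrusted hostname is the format.
 * This demo only feeds it "%%", whose interpretation is well defined. */
const char *servername_vulnerable(fstring dst, const char *desthost)
{
    demo_fstr_sprintf(dst, desthost);   /* BUG: desthost used as format */
    return dst;
}

/* Fixed pattern: the hostname is copied verbatim and '%' stays inert. */
const char *servername_fixed(fstring dst, const char *desthost)
{
    demo_fstrcpy(dst, desthost);
    return dst;
}

int main(void)
{
    fstring a, b;
    printf("vulnerable: %s\n", servername_vulnerable(a, "100%%")); /* 100% */
    printf("fixed:      %s\n", servername_fixed(b, "100%%"));      /* 100%% */
    return 0;
}
```

The fixed form also bounds the copy to the buffer, so a hostname longer than 255 bytes is truncated instead of overrunning it.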
Comment 1 Volker Lendecke 2008-03-19 09:09:18 UTC
Pushed, thanks!

Volker