21st Mar 2002 [SBWID-5198]
COMMAND
libsafe protection against format string overflows can be bypassed
SYSTEMS AFFECTED
libsafe up to 2.0-11
PROBLEM
Wojciech Purczyński <cliph@isec.pl> of iSEC Security Research
[http://isec.pl/] reports:
1.
Libsafe protection against format string exploits may be easily
bypassed using flag characters that are implemented in glibc but are
not implemented in libsafe.
These flags, defined in SUSv2, are not defined in the C standard (quoting
from the printf(3) manpage):
'   For decimal conversion (i, d, u, f, F, g, G) the
    output is to be grouped with thousands' grouping
    characters if the locale information indicates any.
    Note that many versions of gcc cannot parse this
    option and will issue a warning. SUSv2 does not
    include %'F.
I   For decimal integer conversion (i, d, u) the output
    uses the locale's alternative output digits, if any
    (for example, Arabic digits). However, it does not
    include any locale definitions with such outdigits
    defined. (glibc 2.2 only)
Example exploit:
int target;
printf("%'n", &target);   /* ' flag: accepted by glibc, not parsed by libsafe */
printf("%In", &target);   /* I flag: accepted by glibc 2.2, not parsed by libsafe */
2.
Libsafe *printf function wrappers incorrectly parse argument indexing
in format strings. They always assume that the n-th conversion
specification uses the n-th argument and do not properly count the real
number of arguments used. Thus, arguments whose index numbers are
above the total number of conversion specifications are not verified
at all.
Example exploit:
int target;
printf("%2$n", "unused argument", &target);   /* libsafe counts one spec, but two arguments are consumed */
Total number of % format strings used: 1 ("%2$n")
Number of arguments used: 2
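Both findings come down to the same parser gap: a wrapper must accept every flag glibc accepts and must track the highest argument slot a format string really consumes, not the number of conversion specifications. The scanner below is an added example (not libsafe's code) showing that stricter parse for both cases in the report; the flag and length-modifier sets are assumed from glibc's printf(3).

```c
#include <ctype.h>
#include <string.h>

/* Constructed scanner, not libsafe's code: reports the highest argument slot a
 * glibc-style format string really consumes and whether it contains %n. */
struct fmt_scan {
    int max_arg; /* highest 1-based argument slot referenced, 0 if none */
    int has_n;   /* non-zero if any %n conversion is present */
};

/* Optional "N$" at *p: advance past it and return N, otherwise return 0. */
static int parse_pos(const char **p) {
    const char *q = *p;
    int n = 0;
    while (isdigit((unsigned char)*q)) n = n * 10 + (*q++ - '0');
    if (n > 0 && *q == '$') { *p = q + 1; return n; }
    return 0;
}

/* Skip a width or precision field; a '*' (or "*N$") consumes an argument slot. */
static void skip_field(const char **p, struct fmt_scan *r, int *next) {
    if (**p != '*') { while (isdigit((unsigned char)**p)) (*p)++; return; }
    (*p)++;
    int pos = parse_pos(p);
    if (!pos) pos = ++*next;
    if (pos > r->max_arg) r->max_arg = pos;
}

struct fmt_scan scan_format(const char *fmt) {
    struct fmt_scan r = {0, 0};
    int next = 0;                                  /* next sequential slot */
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        if (*++p == '%') { p++; continue; }        /* literal "%%" */
        int pos = parse_pos(&p);                   /* explicit "%N$" index */
        while (*p && strchr("-+ #0'I", *p)) p++;   /* flags, including ' and I */
        skip_field(&p, &r, &next);                 /* width */
        if (*p == '.') { p++; skip_field(&p, &r, &next); }  /* precision */
        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0') break;                     /* truncated specification */
        if (!pos) pos = ++next;                    /* sequential argument */
        if (pos > r.max_arg) r.max_arg = pos;
        if (*p == 'n') r.has_n = 1;                /* %n writes to memory */
        p++;
    }
    return r;
}
int fmt_max_arg(const char *fmt) { return scan_format(fmt).max_arg; }
int fmt_has_n(const char *fmt)   { return scan_format(fmt).has_n; }
```

A wrapper that compares fmt_max_arg() against the number of arguments actually present, and rejects or logs any format with has_n set, catches both of the report's strings where the libsafe 2.0-11 parser did not.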
SOLUTION
On March 18, 2002, a new version of libsafe, 2.0-12, was released
fixing the above security issues.