0 Replies Latest reply on Sep 12, 2012 10:07 AM by mpatton_ir

    BUG: unterminated string in printf arguments

    mpatton_ir Lurker

      The printf code has a notable bug where it will run off the end of the argument and access whatever memory happens to be behind it if the argument has an escape sequence. This might lead to a stack smash and arbitrary code execution. Everything after the first character is not supposed to be there.

       

      printf "%b\n" '\x40'
      @SSH_CLIENT=10.2.3.7 61477 22

       

      printf "%b\n" '\051'
      )SSH_CLIENT=10.2.3.7 61477 22

       

      It also doesn't handle further escape sequences in the argument.
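
An added illustration, not part of the original post and not the affected product's code (the page does not show the printf source): a bounds-checked decoder for %b escapes that never reads past the argument's own length and keeps decoding when further escapes follow. The names decode_b and hexval and the sample buffer are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>
static int hexval(int c) {                        /* -1 if not a hex digit */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                    /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: decode %b-style escapes from arg[0..len) into out
 * (capacity cap). Every read is checked against len, so an escape at the
 * end of the argument cannot step over its terminator. Returns bytes written. */
size_t decode_b(const char *arg, size_t len, char *out, size_t cap) {
    static const char names[] = "abfnrtv\\", vals[] = "\a\b\f\n\r\t\v\\";
    size_t i = 0, n = 0;
    while (i < len && n < cap) {
        const char *p;
        unsigned v = 0, d = 0;
        if (arg[i] != '\\' || i + 1 >= len) {     /* literal, or lone '\' at end */
            out[n++] = arg[i++];
            continue;
        }
        char e = arg[i + 1];
        i += 2;                                   /* consume '\' and selector */
        if (e == 'x' && i < len && hexval((unsigned char)arg[i]) >= 0) {
            for (; d < 2 && i < len && hexval((unsigned char)arg[i]) >= 0; d++)
                v = v * 16 + (unsigned)hexval((unsigned char)arg[i++]);
        } else if (e >= '0' && e <= '7') {        /* \NNN or \0NNN octal */
            unsigned max = (e == '0') ? 3 : 2;
            for (v = (unsigned)(e - '0'); d < max && i < len && arg[i] >= '0' && arg[i] <= '7'; d++)
                v = v * 8 + (unsigned)(arg[i++] - '0');
        } else if (e != '\0' && (p = strchr(names, e)) != NULL) {
            v = (unsigned char)vals[p - names];   /* \n, \t, \\ and friends */
        } else {                                  /* unknown escape: keep as-is */
            out[n++] = '\\';
            if (n < cap) out[n++] = e;
            continue;
        }
        out[n++] = (char)(v & 0xFF);
    }
    return n;
}

int main(void) {
    /* Constructed layout: the argument, its NUL, then unrelated data. */
    static const char mem[] = "\\x40\0SSH_CLIENT=10.2.3.7 61477 22";
    char out[64];
    size_t n = decode_b(mem, strlen(mem), out, sizeof out);
    printf("%zu byte(s): %.*s\n", n, (int)n, out);
}
```

The caller passes strlen(arg) as len; the loop and every digit scan compare against it before touching arg[i], which is the check whose absence the reported output suggests.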