Hi, my name is Alex Feklin (PwnToday). In coreutils I found interesting vulnerability in who.c
"
err = asprintf (&buf,
"%-8s"
"%s"
" %-12s"
" %-*s"
"%s"
"%s"
" %-8s"
"%s"
,
user ? user : " .",
include_mesg ? mesg : "",
line,
time_format_width,
time_str,
x_idle,
x_pid,
comment,
x_exitstr
);
"
The "comment" argument is taken from user input and passed unsafely to
asprintf, which opens the possibility of a format string attack.
Use the safe option: quote(comment)
Write back
Thanks
