On 20/03/2025 07:42, Alex PWN wrote:
Hi, my name is Alex Feklin (PwnToday).
In coreutils I found an interesting vulnerability in who.c:

    err = asprintf (&buf,
                    "%-8s"
                    "%s"
                    " %-12s"
                    " %-*s"
                    "%s"
                    "%s"
                    " %-8s"
                    "%s"
                    ,
                    user ? user : " .",
                    include_mesg ? mesg : "",
                    line,
                    time_format_width,
                    time_str,
                    x_idle,
                    x_pid,
                    comment,
                    x_exitstr
                    );

The "comment" argument is taken from user input and passed unsafely to asprintf, which opens the possibility of a format string attack.
Use the safe option: quote(comment)

Write back.
Thanks

Sorry I don't see the vulnerability, as "comment" is interpreted with "%-8s".
What am I missing? Did a tool flag this?

thank you,
Pádraig
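
Added example, not part of the thread and not coreutils code: a small C program showing what the printf family does with a string that is passed as an argument to "%-8s", as in the quoted call, and how many conversions the same bytes would trigger only if they were used as the format string itself. The helper names and the sample input are hypothetical, and snprintf stands in for asprintf so the program builds without GNU extensions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from who.c: the untrusted string is an ARGUMENT
   consumed by "%-8s"; the format itself is a compile-time literal. */
int format_entry(char *dst, size_t cap, const char *user, const char *comment)
{
    return snprintf(dst, cap, "%-8s" " %-8s", user, comment);
}

/* Count the conversion specifications printf would act on if `s` were
   (incorrectly) used as the format string, e.g. printf(s). */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        if (s[1] == '\0')
            break;                            /* lone trailing '%' */
        n++;
    }
    return n;
}

/* Return 1 when the comment is copied byte-for-byte into the entry,
   padded with spaces to at least 8 columns and nothing else. */
int copied_verbatim(const char *comment)
{
    char buf[256];
    int len = format_entry(buf, sizeof buf, "alex", comment);
    size_t clen = strlen(comment), want = 9 + (clen > 8 ? clen : 8);
    if (len < 0 || (size_t)len != want || want >= sizeof buf)
        return 0;
    return strncmp(buf + 9, comment, clen) == 0;
}

int main(void)
{
    const char *comment = "(%x.%x.%n)";       /* constructed sample input */
    char buf[256];
    format_entry(buf, sizeof buf, "alex", comment);
    printf("[%s]\n", buf);
    printf("verbatim=%d, conversions if misused as format=%zu\n",
           copied_verbatim(comment), count_conversions(comment));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn when a format string is not a literal, which is the pattern to look for when triaging a report like this one.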
