Generation of Error Message Containing Sensitive Information in clasp-developers/clasp


Reported on

Feb 6th 2022


Clasp uses printf() to log errors and useful information. In one instance of this logging, the printf() call specifies format operators but lacks the appropriate arguments, leading to unrelated bytes being included in the output.


This vulnerability is capable of allowing an attacker to receive bytes from the memory of the clang process. It should be noted that printf() only logs to the local console so exploiting this would require a very unlikely configuration.


printf("%s:%d:%s Handle allocation in MPS\n");
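The reported call beside a compiler-checked form, as an added example that is not clasp's own code. It assumes the three conversions are meant to carry the source file, line and function name; `log_fmt`, `LOG_HERE` and `handle_allocation_log` are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of clasp. The format attribute tells GCC and
   Clang that argument 3 is a printf-style format whose values start at
   argument 4, so -Wformat (part of -Wall) diagnoses a call that has
   conversions but no matching arguments. -Werror=format makes it fatal. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap); /* always NUL-terminates when cap > 0 */
    va_end(ap);
    return n;
}

/* Supplies the three values that the "%s:%d:%s" prefix consumes, so a call
   site cannot forget them. Assumed meaning: file, line, function. */
#define LOG_HERE(out, cap, msg) \
    log_fmt((out), (cap), "%s:%d:%s " msg "\n", __FILE__, __LINE__, __func__)

static int handle_allocation_log(char *out, size_t cap)
{
    /* Reported form: three conversions, zero arguments. This is undefined
       behaviour; printf reads whatever sits in the argument registers or
       on the stack and treats two of those values as char pointers:
           printf("%s:%d:%s Handle allocation in MPS\n");               */
    return LOG_HERE(out, cap, "Handle allocation in MPS");
}

int main(void)
{
    char line[256];
    int n = handle_allocation_log(line, sizeof line);
    if (n < 0 || (size_t)n >= sizeof line)
        return 1; /* encoding error or truncated output */
    printf("%zu bytes: %s", strlen(line), line);
    return 0;
}
```

The reported line is itself flagged by `-Wformat` because printf() already carries the format attribute in libc headers; the attribute on `log_fmt` extends the same check to project-local wrappers.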
We are processing your report and will contact the clasp-developers/clasp team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
Неточка Незванова validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs

added the arguments in

Michael Rowley
a year ago


That's great, thanks for fixing this so quickly!

We have sent a fix follow up to the clasp-developers/clasp team. We will try again in 7 days. a year ago
Неточка Незванова marked this as fixed in main branch with commit fceb68 a year ago
Неточка Незванова has been awarded the fix bounty
This vulnerability will not receive a CVE
gcalloc.h#L1217 has been validated