Generation of Error Message Containing Sensitive Information in clasp-developers/clasp

Valid

Reported on

Feb 6th 2022


Description

Clasp uses printf() to log errors and other useful information. In one instance of this logging, the printf() call specifies format operators but lacks the appropriate arguments, leading to unrelated bytes being included in the output.

Impact

This vulnerability can allow an attacker to receive bytes from the memory of the clang process. Note that printf() only logs to the local console, so exploiting this would require a very unlikely configuration.

Occurrences

printf("%s:%d:%s Handle allocation in MPS\n");
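An added example, not code from the report or from Clasp: a checker that counts the arguments a printf-style format string consumes, and a guarded logger that refuses to format on a mismatch, applied to the reported call. The function names, the `example_fn` value and the choice of file, line and function as the three arguments are assumptions; GCC and Clang report the same mismatch at compile time through `-Wformat`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of variadic arguments a printf-style format string consumes.
   Positional forms such as %1$s are out of scope here. */
int format_arg_count(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* "%%" is a literal percent */
        while (*p && strchr("-+ #0", *p)) p++;     /* flags */
        if (*p == '*') { n++; p++; }               /* width read from an int argument */
        else { while (*p >= '0' && *p <= '9') p++; }
        if (*p == '.') {                           /* precision */
            p++;
            if (*p == '*') { n++; p++; }
            else { while (*p >= '0' && *p <= '9') p++; }
        }
        while (*p && strchr("hlLjzt", *p)) p++;    /* length modifiers */
        if (!*p) break;                            /* truncated specifier at end of string */
        n++;                                       /* the conversion itself */
    }
    return n;
}

/* Hypothetical guarded logger: the caller declares how many arguments it
   passes; on a mismatch nothing is formatted and -1 is returned. */
int log_checked(char *out, size_t cap, int nargs, const char *fmt, ...) {
    if (format_arg_count(fmt) != nargs) return -1;
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return r;
}

int main(void) {
    const char *fmt = "%s:%d:%s Handle allocation in MPS\n";  /* format string from the report */
    char buf[128];
    /* Shape of the reported call: three conversions, zero arguments. */
    printf("needs %d args, call with 0 returns %d\n", format_arg_count(fmt), log_checked(buf, sizeof buf, 0, fmt));
    /* Corrected shape; the argument values are constructed for this example. */
    if (log_checked(buf, sizeof buf, 3, fmt, "gcalloc.h", 1217, "example_fn") > 0)
        fputs(buf, stdout);
    return 0;
}
```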
We are processing your report and will contact the clasp-developers/clasp team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
Неточка Незванова validated this vulnerability 4 months ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Неточка
4 months ago

Maintainer


added the arguments in https://github.com/clasp-developers/clasp/commit/fceb6827725e538fe15fab83bfc4fd26a6eb69d7

Michael Rowley
4 months ago

Researcher


That's great, thanks for fixing this so quickly!

We have sent a fix follow up to the clasp-developers/clasp team. We will try again in 7 days. 4 months ago
Неточка Незванова confirmed that a fix has been merged on fceb68 4 months ago
Неточка Незванова has been awarded the fix bounty
gcalloc.h#L1217 has been validated