Generation of Error Message Containing Sensitive Information in clasp-developers/clasp


Reported on

Feb 6th 2022


Clasp uses printf() to log errors and useful information, in one instance of this logging - the printf() call specifies format operators but lacks the appropriate arguments - leading to unrelated bytes being included in the output.


This vulnerability is capable of allowing an attacker to receive bytes from the memory of the clang process. It should be noted that printf() only logs to the local console so exploiting this would require a very unlikely configuration.


printf("%s:%d:%s Handle allocation in MPS\n");
We are processing your report and will contact the clasp-developers/clasp team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a 4 months ago
Неточка Незванова validated this vulnerability 4 months ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
4 months ago


added the arguments in

Michael Rowley
4 months ago


That's great, thanks for fixing this so quickly!

We have sent a fix follow up to the clasp-developers/clasp team. We will try again in 7 days. 4 months ago
Неточка Незванова confirmed that a fix has been merged on fceb68 4 months ago
Неточка Незванова has been awarded the fix bounty
gcalloc.h#L1217 has been validated
to join this conversation