Generation of Error Message Containing Sensitive Information in clasp-developers/clasp

Valid

Reported on

Feb 6th 2022

Description

Clasp uses printf() to log errors and useful information, in one instance of this logging - the printf() call specifies format operators but lacks the appropriate arguments - leading to unrelated bytes being included in the output.

Impact

This vulnerability is capable of allowing an attacker to receive bytes from the memory of the clang process. It should be noted that printf() only logs to the local console so exploiting this would require a very unlikely configuration.

Occurrences

printf("%s:%d:%s Handle allocation in MPS\n");
We are processing your report and will contact the clasp-developers/clasp team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Неточка Незванова validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Неточка
a year ago

Maintainer

added the arguments in https://github.com/clasp-developers/clasp/commit/fceb6827725e538fe15fab83bfc4fd26a6eb69d7

Michael Rowley
a year ago

Researcher

That's great, thanks for fixing this so quickly!

We have sent a fix follow up to the clasp-developers/clasp team. We will try again in 7 days. a year ago
Неточка Незванова marked this as fixed in main branch with commit fceb68 a year ago
Неточка Незванова has been awarded the fix bounty
This vulnerability will not receive a CVE
gcalloc.h#L1217 has been validated
to join this conversation