[VIM] Re: Iron Bars SHell format string - two, not one

security curmudgeon jericho at attrition.org
Wed May 25 01:20:58 EDT 2005

: What happens when the mistake-finders make their own mistakes?
: While there is a fix in log_attempt() in misc.c that's relevant to 
: format strings and syslog, there's only one usage of log_attempt, with a 
: username that's obtained from the password file, so there's no real 
: vulnerable code path.

So two format string issues. One is not used anywhere? The other is used 
in a single place but offers no way for a user to inject their own 
content, as it comes from the password file?

If so, those are programming bugs but not vulnerabilities it sounds like..
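The bug-versus-vulnerability distinction discussed in this message, as an added example that is not part of the original post and is not ibsh's code: a username passed as the format string is a defect regardless of caller, but it only matters when the string can carry conversions the caller did not intend. The names `fake_syslog`, `log_attempt_unfixed`, `log_attempt_fixed` and `has_conversion` are hypothetical, and `fake_syslog` writes to a buffer in place of `syslog()` so the result can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): formats into a buffer so the output can be compared. */
static int fake_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Bug pattern: the username is handed over as the format string itself. */
int log_attempt_unfixed(char *out, size_t n, const char *user)
{
    return fake_syslog(out, n, user);
}

/* Fixed pattern: constant format; the username is only ever data. */
int log_attempt_fixed(char *out, size_t n, const char *user)
{
    return fake_syslog(out, n, "%s", user);
}

/* Audit helper: 1 if s holds any '%' that is not part of a literal "%%". */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char a[64], b[64];
    /* Constructed sample; it contains only "%%", which is defined to format. */
    const char *user = "100%%real";
    log_attempt_unfixed(a, sizeof a, user);
    log_attempt_fixed(b, sizeof b, user);
    printf("unfixed: %s\nfixed:   %s\n", a, b);
    printf("conversion in \"%%x\": %d\n", has_conversion("%x"));
    return 0;
}
```

Whether the unfixed form is exploitable depends on who controls the string reaching it, which is the reachability question raised above; the fixed form removes the question.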

