* ez-ipupdate format string bug * "ez-ipupdate is a quite complete client for the dynamic DNS service offered by http://www.ez-ip.net/ and many more. Currently supported are: ez-ip [..] , Penguinpowered [..] , DHS [..] , dynDNS [..] , ODS [..] , TZO [..] , EasyDNS [..] , Justlinux [..] , Dyns [..] , HN [..] , ZoneEdit [..] and Hurricane Electric's IPv6 Tunnel Broker [..]. All services using GNUDip are also supported." (from packages.debian.org) I have found a format string bug in ez-ipupdate. It affects at least the versions 3.0.11b8, 3.0.11b7, 3.0.11b6, 3.0.11b5 and 3.0.10. It doesn't affect 2.9.6. The vulnerability has the identifier CAN-2004-0980. The format string bug allows a malicious remote server to execute arbitrary code on the machine running ez-ipupdate, if and only if daemon mode is on (very common) and certain service types are used. I have attached a trivial patch (against 3.0.11b8) that corrects this problem. It proved to be impossible to contact upstream, as all his e-mail addresses bounced. The Linux and *BSD vendors that distribute ez-ipupdate have been contacted, but so far only Mandrakelinux and SUSE Linux have published patched versions. // Ulf Harnhammar http://www.advogato.org/person/metaur/ for the Debian Security Audit Project http://www.debian.org/security/audit/