New version (0.22.0) of pen can't be built due to cc option
[-Werror=format-security]: format not a string literal and no format
arguments
Relevant lines:
penctl.c:80
pen.c:2158
Patch:
diff -uN pen-0.22.0.orig/pen.c pen-0.22.0/pen.c
--- pen-0.22.0.orig/pen.c 2014-04-02 16:31:37.190717955 +0800
Sorry the previous one is a mess, fixed with below:
diff -uN pen-0.22.0.orig/pen.c pen-0.22.0/pen.c
--- pen-0.22.0.orig/pen.c 2014-04-02 16:31:37.190717955 +0800
+++ pen-0.22.0/pen.c2014-04-02 17:14:49.591585697 +0800
@@ -2155,7 +2155,7 @@
remove(a);
memset(serv_addr, 0,
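Review bot: the hunk body stops after the `memset(serv_addr, 0,` context line, so the `-`/`+` lines that change pen.c:2158 for the format-security warning are not visible and the fix cannot be checked from this mail; also the `+++` header runs path and timestamp together (`+++ pen-0.22.0/pen.c2014-04-02 17:14:49.591585697 +0800`), which `patch` will not parse as a filename, so separate them with a tab when resending.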
Yes, this looks better. :) 0.22.1 with these fixed available at
http://siag.nu/pub/pen/
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
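The warning this build fails on, as an added example written for this thread (not pen's code; `logmsg`, `log_unsafe`, `log_safe` and `safe_roundtrip` are invented names). The `format` attribute is what makes the compiler apply printf's format checks to a wrapper, so the non-literal call is flagged with exactly the message quoted above:

```c
/* Added example, not from pen: the pattern behind
 * "format not a string literal and no format arguments". */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging wrapper annotated so GCC/Clang check callers' format
 * strings as they do for printf (fmt is arg 3, varargs start at 4). */
__attribute__((format(printf, 3, 4)))
static int logmsg(char *out, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Risky form: the message itself becomes the format string. With
 * -Wformat-security (or -Werror=format-security) this is the line the
 * compiler flags; any '%' in msg is interpreted as a directive. */
static int log_unsafe(char *out, size_t size, const char *msg)
{
    return logmsg(out, size, msg);
}

/* Fixed form: a literal format, the message passed as an argument. */
static int log_safe(char *out, size_t size, const char *msg)
{
    return logmsg(out, size, "%s", msg);
}

/* Returns 1 when msg comes through the safe path unchanged, else 0.
 * A message such as "50% done" (constructed input) only survives here. */
static int safe_roundtrip(const char *msg)
{
    char out[256];
    return log_safe(out, sizeof out, msg) >= 0 && strcmp(out, msg) == 0;
}

int main(void)
{
    char out[256];
    log_safe(out, sizeof out, "50% done");
    puts(out);
    return 0;
}
```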
I just released 0.22.0, hoping no one will think it is a joke.
This release has one new feature, the Unix domain listening sockets
suggested above.
The hard-coded path for the web stats has been removed, so the status
command now simply fails unless a path has been explicitly specified.
CVE-2014-2387 has been allocated for the two hardcoded/insecure
uses of temporary files.
(/tmp/webfile.html, and /tmp/penctl.cgi.)
Steve
On 03/12/2014 09:25 PM, Vincent Bernat wrote:
I will add the user and provide a proper init script in the next
upload. However, I don't think that this fixes the core issues
reported. A user can still choose to run pen in another way and should
be protected by such issues.
The core issue
[Apologies for bouncing your mails. Fixed now.]
The core issue being that it is possible to run pen with remote
control from untrusted hosts (or any host), should the administrator so
desire.
Agreed. I did think of limiting the control-socket to 127.0.0.1:XX
but that a) reduces
The control socket and the configuration file use the exact same syntax
by design. If it is impossible or impractical to limit access to the
socket, the same level of control over a running Pen can be accomplished
from localhost by editing the config and an old-fashioned HUP.
A password would
On Thu Mar 13, 2014 at 14:46:37 +0100, Ulric Eriksson wrote:
The control socket and the configuration file use the exact same
syntax by design.
I see that is currently the case, yes..
If it is impossible or impractical to limit
access to the socket, the same level of control over a
Here’s what needs to be done to create a chroot jail for Pen and run it
there as a non-root user. Start/stop script added.
useradd pen
mkdir -p /var/lib/pen/etc /var/lib/pen/tmp
chown pen /var/lib/pen/tmp
grep ^pen: /etc/passwd > /var/lib/pen/etc/passwd
cat <<EOF > /var/lib/pen/etc/pen.cfg
acl 0
❦ 12 March 2014 19:30 CET, Ulric Eriksson ul...@siag.nu :
Here’s what needs to be done to create a chroot jail for Pen and run
it there as a non-root user. Start/stop script added.
I will add the user and provide a proper init script in the next
upload. However, I don't think that this fixes
Package: pen
Version: 0.18.0-1
Severity: minor
Tags: security
There are four issues to report here:
1. Predictable filename in pen itself.
2. Insecure temporary filename in the contributed CGI script.
3. File overwrite / disclosure issues in pen.
4. Information disclosure.
Predictable