On 2003-06-04(Wed) 11:30:28 +0200, Frederic Crozat wrote:

> >> Fred, probably you will want to release libgtop 1.0.14 too? 2.0.2 is
> >> released because of security problem, and 1.0.14 is the same.
> >
> > Well, 1.0.14 has still not been released !!
> > How come... it has been tagged as 1.0.14 in CVS but no tarball uploaded to GNOME CVS...
> >
> > Anyway, I'll grab the security fix from our security updates..
>
> Just checked, all security fixes are already in 1.0.13-4mdk...

I checked again, that particular fix is not in 1.0.13-4mdk. The fix was applied on May 12th. Attached with this mail.

Abel

> --
> Frederic Crozat
> MandrakeSoft

--
Abel Cheung
Linux counter #256983 | http://counter.li.org
GPG Key: (0xC67186FF) | http://deaddog.org/gpg.asc
Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
diff -ur --exclude=CVS --exclude=po libgtop.0509/ChangeLog libgtop/ChangeLog
--- libgtop.0509/ChangeLog 2002-12-11 21:07:50.000000000 +0800
+++ libgtop/ChangeLog 2003-05-12 06:23:47.000000000 +0800
@@ -1,3 +1,7 @@
+2003-05-11 Andrew Sobala <[EMAIL PROTECTED]>
+
+ * up version to 1.0.14
+
2002-12-11 Stanislav Brabec <[EMAIL PROTECTED]>
* sysdeps/guile/Makefile.am, sysdeps/guile/names/Makefile.am:
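Review bot: the top-level ChangeLog entry records only "up version to 1.0.14" and gives no reason for the release; since the daemon ChangeLog in the same patch records a buffer overflow fix in gnuserv.c, consider referencing that fix here so that anyone reading the release entry can see 1.0.14 is a security release.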
diff -ur --exclude=CVS --exclude=po libgtop.0509/LIBGTOP-VERSION
libgtop/LIBGTOP-VERSION
--- libgtop.0509/LIBGTOP-VERSION 2001-11-27 06:36:18.000000000 +0800
+++ libgtop/LIBGTOP-VERSION 2003-05-12 06:23:47.000000000 +0800
@@ -8,7 +8,7 @@
#
LIBGTOP_MAJOR_VERSION=1
LIBGTOP_MINOR_VERSION=0
-LIBGTOP_MICRO_VERSION=13
+LIBGTOP_MICRO_VERSION=14
LIBGTOP_INTERFACE_AGE=12
LIBGTOP_BINARY_AGE=12
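Review bot: the hunk bumps LIBGTOP_MICRO_VERSION from 13 to 14 but leaves LIBGTOP_INTERFACE_AGE and LIBGTOP_BINARY_AGE at 12; under the GTK-style versioning scheme these variable names suggest, a release that adds or removes no interface increments both ages along with the micro version, so check whether keeping them at 12 is intended or whether the version bump is incomplete.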
diff -ur --exclude=CVS --exclude=po libgtop.0509/src/daemon/ChangeLog
libgtop/src/daemon/ChangeLog
--- libgtop.0509/src/daemon/ChangeLog 2001-11-27 06:12:02.000000000 +0800
+++ libgtop/src/daemon/ChangeLog 2003-05-12 06:23:52.000000000 +0800
@@ -1,3 +1,7 @@
+2003-05-11 Andrew Sobala <[EMAIL PROTECTED]>
+
+ * gnuserv.c: (permitted): fix buffer overflow vulnerability
+
2001-11-26 Kevin Vandersloot <[EMAIL PROTECTED]>
* gnuserv.c: Apply patch fixing security issue from
diff -ur --exclude=CVS --exclude=po libgtop.0509/src/daemon/gnuserv.c
libgtop/src/daemon/gnuserv.c
--- libgtop.0509/src/daemon/gnuserv.c 2001-11-27 06:12:02.000000000 +0800
+++ libgtop/src/daemon/gnuserv.c 2003-05-12 06:23:52.000000000 +0800
@@ -200,6 +200,11 @@
auth_data_len = atoi (buf);
+ if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+ syslog_message(LOG_WARNING, "Invalid data length supplied by client");
+ return FALSE;
+ }
+
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
return FALSE;
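Review bot: the new bound in `if (auth_data_len < 1 || auth_data_len > sizeof(buf))` still allows the following `timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0)` to fill all of buf, leaving no room for a terminating NUL if buf is afterwards handled as a C string; if it is, the test should be `auth_data_len >= sizeof(buf)`. The order of the two tests is right: `< 1` rejects zero and negative values (including the 0 that atoi returns for non-numeric input) before the signed int is compared against the size_t result of sizeof, so the comparison is not affected by sign conversion. Also confirm that buf is declared as an array in this scope; if it is a pointer, sizeof(buf) is the pointer width rather than the buffer length and the check would not bound the read.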