Your message dated Tue, 18 Jan 2005 04:47:54 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#253079: fixed in tripwire 2.3.1.2.0-3 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Fri, 9 Jul 2004 13:00:47 +0200
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Tripwire: Format string vulnerability in pipedmailmessage.cpp (CAN-2004-0536)

Package: tripwire
Version: 2.3.1.2-6.1
Severity: normal
Tags: security sarge sid patch

(for the Security Team: tripwire is not present in woody so a DSA is not
necessary)

From http://www.securityfocus.com/archive/1/365036:

Paul Herman [0] found a local vulnerability in tripwire. If a local user
were to create a file with a carefully crafted filename on the local
system it may be included in mail reports and might execute arbitrary
code with the rights of the user running the file check.

The Debian package installs a cron job to daily run tripwire and e-mail
changes and the source code matches the vulnerable code, in
pipedmailmessage.cpp:

    fprintf(mpFile, s.c_str() );

However, the vendor says [1] that it seems that the vulnerability is only
possible if MAILMETHOD is 'sendmail'. The current packages provide a
default configuration which uses as MAILMETHOD 'SMTP'. That's why I'm
flagging this bug only as 'normal' and not of higher priority.

Even if the vulnerability does not apply to the default configuration it
should be fixed (I believe that using as MAILMETHOD 'SMTP' per default is
not correct, since normal systems do not need to have a local MTA
installed listening on port 25, YMMV)

The patch (from the advisory) to fix this issue is:

Index: src/tripwire/pipedmailmessage.cpp =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- src/tripwire/pipedmailmessage.cpp 21 Jan 2001 00:46:48 -0000 1.1 +++ src/tripwire/pipedmailmessage.cpp 26 May 2004 20:59:15 -0000 1.2 
@@ -180,7 +180,7 @@ void cPipedMailMessage::SendString( const TSTRING& s ) { - if( _ftprintf( mpFile, s.c_str() ) < 0 ) + if( _ftprintf( mpFile, "%s", s.c_str() ) < 0 ) { TOSTRINGSTREAM estr; estr << TSS_GetString( cTripwire,=20 tripwire::STR_ERR2_MAIL_MESSAGE_COMMAND )

Further information also available in Gentoo's Bugtracking system [2], the
vulnerability is confirmed by the vendor [3] but it is not yet fixed
in CVS upstream. [4]

Regards

Javier

[0] Message-Id: <[EMAIL PROTECTED]>
[1] Message-ID: <[EMAIL PROTECTED]>
[2] http://bugs.gentoo.org/show_bug.cgi?id=52945
[3] Message-ID: <[EMAIL PROTECTED]>
[4] http://cvs.sourceforge.net/viewcvs.py/tripwire/tripwire/src/tripwire/pipedmailmessage.cpp
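Review bot: In the changed `_ftprintf` call the new format literal "%s" is a plain narrow string, while the function takes a TSTRING and goes through the TCHAR-style `_ftprintf` wrapper; if this file is ever built with a wide character type the literal no longer matches the call, so it should be written with whatever text-literal macro pairs with TSTRING in this code base. Since no formatting is wanted here at all, writing the string with the matching fputs-style call would drop the format argument entirely and still leave the `< 0` error check meaningful.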
---------------------------------------
From: Luk Claes <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#253079: fixed in tripwire 2.3.1.2.0-3
Date: Tue, 18 Jan 2005 04:47:54 -0500

Source: tripwire
Source-Version: 2.3.1.2.0-3

We believe that the bug you reported is fixed in the latest version of
tripwire, which is due to be installed in the Debian FTP archive:

tripwire_2.3.1.2.0-3.diff.gz
  to pool/main/t/tripwire/tripwire_2.3.1.2.0-3.diff.gz
tripwire_2.3.1.2.0-3.dsc
  to pool/main/t/tripwire/tripwire_2.3.1.2.0-3.dsc
tripwire_2.3.1.2.0-3_i386.deb
  to pool/main/t/tripwire/tripwire_2.3.1.2.0-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <[EMAIL PROTECTED]> (supplier of updated tripwire package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Tue, 18 Jan 2005 08:54:40 +0100
Source: tripwire
Binary: tripwire
Architecture: source i386
Version: 2.3.1.2.0-3
Distribution: unstable
Urgency: low
Maintainer: Luk Claes <[EMAIL PROTECTED]>
Changed-By: Luk Claes <[EMAIL PROTECTED]>
Description:
 tripwire - file and directory integrity checker
Closes: 230650 240982 244299 249304 251652 253078 253079 255365 258391 267324 279814
Changes:
 tripwire (2.3.1.2.0-3) unstable; urgency=low
 .
   * New maintainer (Closes: #279814)
   * Acknowledge NMUs
     Closes: #249304, #253079, #258391, #240982, #244299, #230650, #253078
   * man/*: Use \- instead of \(hy or - (Closes: #251652)
   * debian/control: Depend on exim4 instead of exim (Closes: #255365)
   * debian/po/pt_BR.po: Update pt_BR translation of the debconf templates
     (Closes: #267324)
   * debian/watch: added
Files:
 e62754e45ee67516e61335833d7e3747 588 utils optional tripwire_2.3.1.2.0-3.dsc
 ba577528645bd27d0a7cca970b01cedb 115192 utils optional tripwire_2.3.1.2.0-3.diff.gz
 8a127fe87d65da4364bf7469fbc51988 1739972 utils optional tripwire_2.3.1.2.0-3_i386.deb
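
The behaviour behind Bug#253079, as an added example that is not part of the original thread or of the tripwire source: a file name passed as the format argument is interpreted, while the same name passed through a constant "%s" is written verbatim. The function names, the capture helper and the sample file name are assumptions constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* BEFORE: the pattern quoted in the report, where the data is the format.
 * Compilers flag it under -Wformat-security; silenced only for this demo. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int send_string_unsafe(FILE *out, const char *s)
{
    return fprintf(out, s);
}
#pragma GCC diagnostic pop

/* AFTER: the shape of the patch, constant format with the data as argument. */
static int send_string_safe(FILE *out, const char *s)
{
    return fprintf(out, "%s", s);
}

/* Run one sender into a temporary file and read back what was written.
 * Returns the number of bytes captured, or -1 on failure. */
static int capture(int (*send)(FILE *, const char *), const char *s,
                   char *buf, size_t len)
{
    FILE *f;
    size_t n;
    if (len == 0 || (f = tmpfile()) == NULL)
        return -1;
    if (send(f, s) < 0) { fclose(f); return -1; }
    rewind(f);
    n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

/* Constructed sample name. "%%" is a directive that consumes no argument,
 * so even the unsafe call is well defined here. */
static const char SAMPLE_NAME[] = "/tmp/backup-100%%-done.tar";

int main(void)
{
    char a[64], b[64];
    capture(send_string_unsafe, SAMPLE_NAME, a, sizeof a);
    capture(send_string_safe, SAMPLE_NAME, b, sizeof b);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return strcmp(b, SAMPLE_NAME) != 0;
}
```

The unsafe sender reports a name that no longer matches the one on disk, which is the visible symptom of the data having been parsed as a format.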