tags 457781 + patch
thanks

Hi,
in case you have no time to fix this, attached is a patch for an NMU proposal which contains a fix.

It will also be archived on:
http://people.debian.org/~nion/nmu-diff/tcpreen-1.4.3-0.1_1.4.3-0.2.patch

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u tcpreen-1.4.3/debian/changelog tcpreen-1.4.3/debian/changelog
--- tcpreen-1.4.3/debian/changelog
+++ tcpreen-1.4.3/debian/changelog
@@ -1,3 +1,13 @@
+tcpreen (1.4.3-0.2) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following security issue:
+ - remote buffer-overflow vulnerability in bridge.cpp because
+ tcpreen fails to check user supplied data passed to
+ the monitor_bridge function (Closes: #457781).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Tue, 25 Dec 2007 17:32:38 +0100
+
tcpreen (1.4.3-0.1) unstable; urgency=low
* NMU, with permission from maintainer.
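Review bot: The new changelog entry describes the problem as unchecked "user supplied data passed to the monitor_bridge function", while the only code change in this upload is a comparison of fds[0] and fds[1] against FD_SETSIZE. Consider wording the entry to say that descriptor numbers at or above FD_SETSIZE are now rejected, so that someone reading the changelog later can match it to the check in src/bridge.cpp without opening the diff.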
--- tcpreen-1.4.3.orig/src/bridge.cpp
+++ tcpreen-1.4.3/src/bridge.cpp
@@ -23,6 +23,7 @@
# include <config.h>
#endif
+#include <errno.h>
#include <string.h> // memmove()
#include <limits.h> // LONG_MAX
#include <sys/types.h>
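Review bot: Style point on the added `#include <errno.h>`: the neighbouring includes each carry a comment naming what they are pulled in for (`// memmove()`, `// LONG_MAX`), and this one does not. Adding something like `// errno, EINVAL` would keep the block consistent and show that the header is needed only for the new error path.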
@@ -115,6 +116,14 @@
long totalcount = 0;
bridge b[2];
+#ifndef WIN32
+ if ((fds[0] >= FD_SETSIZE) || (fds[1] >= FD_SETSIZE))
+ {
+ errno = EINVAL;
+ return -1;
+ }
+#endif
+
b[0].outfd = b[1].infd = fds[0];
b[0].infd = b[1].outfd = fds[1];
b[0].buflen = b[1].buflen = 0;
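Review bot: The new guard at the top of this hunk tests only the upper bound, `fds[0] >= FD_SETSIZE` and `fds[1] >= FD_SETSIZE`; a negative descriptor passes it and is then copied into b[0] and b[1]. Assuming the descriptors are signed integers that later go into an fd_set, which the FD_SETSIZE comparison implies but this hunk does not show, a negative value indexes outside the set just as an oversized one does, so the condition should also reject `fds[0] < 0` and `fds[1] < 0`. Two smaller points: the check is compiled out under WIN32 with no comment explaining why it is unnecessary there, and the function now has a new `return -1` path with errno set to EINVAL, so callers should be checked to confirm they treat that as a failure rather than continuing with the bridge.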

