Bug#349528: various unfixed security bugs

2006-01-24 Thread Florian Weimer
* Recai Oktaş:

 I'm not sure if it is worth the effort, until we have all other issues
 sorted out.

 Agreed.  I would be glad if you add yourself in Uploaders field.
 You're totally free to make any upload.

Uhm, I don't use elog myself and have zero interest in that package
beyond that there are several unfixed high-severity security bugs in
it.



Bug#349528: various unfixed security bugs

2006-01-23 Thread Florian Weimer
Package: elog
Version: 2.6.0beta2+r1716-1
Tags: security upstream fixed-upstream
Severity: grave

First a little version cross-reference, based on the src/elog{,d}.c
files.

  Debian              CVS (elogd.c)  Subversion
  2.6.0beta2+r1716-1  1.717*         r1445
  2.5.7+r1558-3       1.558 + 1.648  r1202 + r1347

* Part of the upstream are contained in the .diff.gz file, so the
  embedded version number is not quite correct.

The following issues are unfixed upstream:

  - CVE-2005-4439: buffer overflow through long URL parameters
http://marc.theaimsgroup.com/?m=113498708213563

  - If host names are resolved, no forward lookup is performed to
verify the PTR RR.  (This does not affect the sarge version
because it unconditionally uses addresses, not host names.)

  - There are still some format string issues when things are written
to the logfile.

Apparently, upstream is not aware of those three issues.

The following potential security issues have been fixed upstream, but
not in the sid version (there are some more issues apparently, but
those bugs were introduced past the sid version AFAICS):


r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
Changed paths:
   M /trunk/src/elogd.c

Fixed bug with fprintf and buffer containing %


r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
Changed paths:
   M /trunk/src/elog.c
   M /trunk/src/elogd.c

Do not distinguish between invalid user name and invalid password for security 
reasons



On top of that, the following issues affect the sarge version only:


r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Applied patch from Emiliano to fix possible buffer overflow


r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed crashes with very long (revisions) attributes


I've back-ported all four issues to the sarge version, but they
haven't received any testing yet.  If anybody has got a sarge elog
installation, please speak up.

I'm going to ask upstream about the following issue:


r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed infinite redirection with ?fail=1


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
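The three unfixed classes listed in the report (unbounded copies of URL parameters, attacker-influenced text reaching a printf-style format, and PTR names trusted without a forward lookup) each have a standard defensive pattern. The block below is an added example written for this thread; it is not elog code, and every function name in it is hypothetical. The resolver for the reverse-DNS check is injected and backed by constructed data so the logic runs offline; in a real daemon it would wrap getaddrinfo(3).

```c
/* Added example, not part of elog: defensive patterns for the three
 * issue classes named in the bug report. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PARAM_MAX 256

/* (1) Bounded copy of a URL parameter value. Returns 1 on success and 0
 * when the value would not fit; dst is always NUL-terminated, so the
 * caller can reject the request instead of silently truncating it. */
int copy_param(char *dst, size_t dstsz, const char *value)
{
    size_t n = strlen(value);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {          /* no room for the value plus terminator */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, value, n + 1);
    return 1;
}

/* (2) Format-string-safe log line: text that may come from a request is
 * always passed as an argument to a fixed "%s" format, never used as the
 * format itself, so a literal '%' in it is written verbatim. Formats into
 * a caller buffer and returns snprintf's would-be length. */
int format_log_line(char *out, size_t outsz, const char *who, const char *msg)
{
    return snprintf(out, outsz, "[%s] %s\n", who, msg);
}

/* (3) Forward-confirmed reverse DNS: the PTR name obtained for an address
 * is accepted only if a forward lookup of that name yields the same
 * address. lookup() fills addrs with up to max dotted-quad strings and
 * returns how many it found. */
typedef int (*forward_lookup_fn)(const char *name, const char **addrs, int max);

int ptr_is_confirmed(const char *addr, const char *ptr_name,
                     forward_lookup_fn lookup)
{
    const char *addrs[8];
    int n = lookup(ptr_name, addrs, 8);
    for (int i = 0; i < n; i++)
        if (strcmp(addrs[i], addr) == 0)
            return 1;
    return 0;
}

/* Constructed fake resolver for the example: two hosts with honest forward
 * records; any address whose PTR claims one of these names but is not the
 * listed address fails the check. */
static int fake_lookup(const char *name, const char **addrs, int max)
{
    if (max < 1)
        return 0;
    if (strcmp(name, "host.example.com") == 0) {
        addrs[0] = "192.0.2.10";
        return 1;
    }
    if (strcmp(name, "trusted.example.com") == 0) {
        addrs[0] = "192.0.2.20";
        return 1;
    }
    return 0;
}

int main(void)
{
    char p[PARAM_MAX], line[128];
    printf("short param accepted: %d\n", copy_param(p, sizeof p, "id=42"));
    format_log_line(line, sizeof line, "192.0.2.10", "100%s%n");
    printf("log line: %s", line);
    printf("honest PTR confirmed: %d\n",
           ptr_is_confirmed("192.0.2.10", "host.example.com", fake_lookup));
    printf("spoofed PTR confirmed: %d\n",
           ptr_is_confirmed("192.0.2.30", "trusted.example.com", fake_lookup));
    return 0;
}
```

The reverse-DNS check matters for the logfile as well: a host whose PTR record contains format directives or an overlong name would otherwise reach both the unbounded copy and the format string, so the three checks are normally applied together.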



Bug#349528: various unfixed security bugs

2006-01-23 Thread Recai Oktaş
First of all thanks for the detailed analysis!  I haven't been able to work
on elog much, due to heavy work load these days.

* Florian Weimer [2006-01-23 16:42:16+0100]
 Package: elog
 Version: 2.6.0beta2+r1716-1
 Tags: security upstream fixed-upstream
 Severity: grave
 
 First a little version cross-reference, based on the src/elog{,d}.c
 files.
 
   Debian              CVS (elogd.c)  Subversion
   2.6.0beta2+r1716-1  1.717*         r1445
   2.5.7+r1558-3       1.558 + 1.648  r1202 + r1347
 
 * Part of the upstream are contained in the .diff.gz file, so the
   embedded version number is not quite correct.
 
 The following issues are unfixed upstream:
 
   - CVE-2005-4439: buffer overflow through long URL parameters
 http://marc.theaimsgroup.com/?m=113498708213563
 
   - If host names are resolved, no forward lookup is performed to
 verify the PTR RR.  (This does not affect the sarge version
 because it unconditionally uses addresses, not host names.)
 
   - There are still some format string issues when things are written
 to the logfile.
 
 Apparently, upstream is not aware of those three issues.
 
 The following potential security issues have been fixed upstream, but
 not in the sid version (there are some more issues apparently, but
 those bugs were introduced past the sid version AFAICS):

I'm going to prepare an urgent sid upload for those bugs.


 
 r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
 Changed paths:
M /trunk/src/elogd.c
 
 Fixed bug with fprintf and buffer containing %
 
 
 r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
 Changed paths:
M /trunk/src/elog.c
M /trunk/src/elogd.c
 
 Do not distinguish between invalid user name and invalid password for 
 security reasons
 
 
 
 On top of that, the following issues affect the sarge version only:
 
 
 r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
 Changed paths:
M /trunk/src/elogd.c
 
 Applied patch from Emiliano to fix possible buffer overflow
 
 
 r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
 Changed paths:
M /trunk/src/elogd.c
 
 Fixed crashes with very long (revisions) attributes
 
 
 I've back-ported all four issues to the sarge version, but they
 haven't received any testing yet.  If anybody has got a sarge elog
 installation, please speak up.

Thanks for the backport, unfortunately I don't have a Sarge box at the
moment, but will try to find one.  Could you please supply the url of
backported patch so that I can also work on it?

 I'm going to ask upstream about the following issue:
 
 
 r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
 Changed paths:
M /trunk/src/elogd.c
 
 Fixed infinite redirection with ?fail=1

CCing to Stefan.

[Stefan: Please keep the discussion CCed to the bug report]

Regards,

-- 
roktas




Bug#349528: various unfixed security bugs

2006-01-23 Thread Florian Weimer
* Recai Oktaş:

 Thanks for the backport, unfortunately I don't have a Sarge box at the
 moment, but will try to find one.

A sarge chroot is probably good enough for this kind of package.

 The following potential security issues have been fixed upstream, but
 not in the sid version (there are some more issues apparently, but
 those bugs were introduced past the sid version AFAICS):

 I'm going to prepare an urgent sid upload for those bugs.

I'm not sure if it is worth the effort, until we have all other issues
sorted out.

 Thanks for the backport, unfortunately I don't have a Sarge box at the
 moment, but will try to find one.  Could you please supply the url of
 backported patch so that I can also work on it?

Okay, the four patches for sarge I've got so far are included below.
Patches five and six address a few issues I spotted while backporting.
Everything is completely untested.

Subject: [PATCH] r1333: Fixed crashes with very long (revisions) attributes

---

 debian/changelog |8 +
 src/elogd.c  |   85 ++
 2 files changed, 56 insertions(+), 37 deletions(-)

6bb233bc624fcb196935dc069238777f06a90cca
diff --git a/debian/changelog b/debian/changelog
index 6f8e6a7..9f49646 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+elog (2.5.7+r1558-4+sarge1) unstable; urgency=low
+
+  * Security update
+  * Backport r1333 from upstream's Subversion repository:
+Fixed crashes with very long (revisions) attributes
+
+ -- Florian Weimer [EMAIL PROTECTED]  Mon, 23 Jan 2006 15:56:37 +0100
+
 elog (2.5.7+r1558-3) testing-proposed-updates; urgency=high
 
   * Security update.  Backport the fix (r1.648) for a buffer overflow:
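Review bot: the new changelog entry targets `unstable` although the patch is a sarge backport and the previous entry went to `testing-proposed-updates`; a security fix for the stable release would normally be uploaded with `stable-security` as the distribution, and `urgency=low` is unusual for a security update (the entry below it uses `urgency=high`). Suggest fixing the distribution and urgency in the `elog (2.5.7+r1558-4+sarge1) unstable; urgency=low` line before building.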
diff --git a/src/elogd.c b/src/elogd.c
index 5a5da40..802e1dd 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -1648,17 +1648,19 @@ size_t strlcat(char *dst, const char *sr
 
 /*---*/
 
-void strsubst(char *string, char name[][NAME_LENGTH], char 
value[][NAME_LENGTH], int n)
-  /* subsitute $name 
with value corresponding to name */
+void strsubst(char *string, int size, char name[][NAME_LENGTH], char 
value[][NAME_LENGTH], int n)
+/* subsitute $name with value corresponding to name */
 {
int i, j;
-   char tmp[1000], str[NAME_LENGTH], uattr[NAME_LENGTH], *ps, *pt, *p;
+   char tmp[2*NAME_LENGTH], str[2*NAME_LENGTH], uattr[2*NAME_LENGTH], *ps, 
*pt, *p;
 
pt = tmp;
ps = string;
for (p = strchr(ps, '$'); p != NULL; p = strchr(ps, '$')) {
   /* copy leading characters */
   j = (int) (p - ps);
+  if (j = sizeof(tmp))
+ return;
   memcpy(pt, ps, j);
   pt += j;
   p++;
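Review bot: the new guard `if (j = sizeof(tmp))` is an assignment as it appears here, which clobbers `j` and never rejects an overlong prefix; the intended test is presumably `if (j >= sizeof(tmp))` and the `>` may simply have been lost in the mail, so please verify the applied copy. The early `return` also leaves `string` untouched without telling the caller that substitution was skipped; either return a status or fall through to the bounded `strlcpy` path used later in the function so the failure is visible. The pre-existing `subsitute` typo in the comment could be fixed while the line is being rewritten.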
@@ -1680,7 +1682,7 @@ void strsubst(char *string, char name[][
 
   /* copy value */
   if (i  n) {
- strcpy(pt, value[i]);
+ strlcpy(pt, value[i], sizeof(tmp)-((int)pt-(int)tmp));
  pt += strlen(pt);
  ps = p + strlen(uattr);
   } else {
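Review bot: `sizeof(tmp)-((int)pt-(int)tmp)` casts both pointers to `int`, which truncates on 64-bit platforms (sarge shipped an amd64 port); the difference of two pointers into the same array is already a `ptrdiff_t`, so `sizeof(tmp) - (size_t)(pt - tmp)` is the portable form. The comparison `if (i  n)` has also lost its operator in transit and should read `i < n` in the applied patch.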
@@ -1690,10 +1692,10 @@ void strsubst(char *string, char name[][
}
 
/* copy remainder */
-   strcpy(pt, ps);
+   strlcpy(pt, ps, sizeof(tmp)-((int)pt-(int)tmp));
 
/* return result */
-   strcpy(string, tmp);
+   strlcpy(string, tmp, size);
 }
 
 /*--*/
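Review bot: the same `(int)pt-(int)tmp` pointer-to-int arithmetic as in the previous hunk appears in `strlcpy(pt, ps, sizeof(tmp)-((int)pt-(int)tmp))`; use `pt - tmp`. The final `strlcpy(string, tmp, size)` silently truncates when the substituted result is longer than `size`; since every caller now passes `size`, returning the `strlcpy` result (the length it wanted to write) would let callers detect truncation instead of proceeding with a cut-off value.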
@@ -3534,7 +3536,7 @@ void retrieve_email_from(LOGBOOK * lbs, 
 
if (attrib) {
   i = build_subst_list(lbs, slist, svalue, attrib, TRUE);
-  strsubst(str, slist, svalue, i);
+  strsubst(str, sizeof(str), slist, svalue, i);
 
   /* remove possible 'mailto:' */
   if ((p = strstr(str, mailto:;)) != NULL)
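Review bot: `strsubst(str, sizeof(str), ...)` is only correct if `str` is declared as an array in `retrieve_email_from`; its declaration is outside this hunk, so confirm it is not a `char *` parameter, in which case `sizeof` yields the pointer size rather than the buffer size. The `strstr(str, mailto:;)` context line has evidently lost its quotation marks in transit and should read `strstr(str, "mailto:")`.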
@@ -7446,7 +7448,7 @@ auto-increment tags */
 
 BOOL is_author(LOGBOOK * lbs, char attrib[MAX_N_ATTR][NAME_LENGTH], char 
*owner)
 {
-   char str[1000], preset[1000];
+   char str[NAME_LENGTH], preset[NAME_LENGTH];
int i;
 
/* check if current user is admin */
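Review bot: shrinking `str` and `preset` in `is_author` from 1000 bytes to `NAME_LENGTH` is only safe if every write into them is bounded by `NAME_LENGTH`; the copies happen further down the function, outside this hunk, so each `strcpy`/`sprintf` into these buffers should be checked (or switched to `strlcpy`/`snprintf` with `sizeof`) as part of this change, otherwise the resize moves the overflow rather than removing it.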
@@ -7553,7 +7555,7 @@ void show_date_selector(int day, int mon
 void attrib_from_param(int n_attr, char attrib[MAX_N_ATTR][NAME_LENGTH])
 {
int i, j, first, year, month, day;
-   char str[1000], ua[NAME_LENGTH];
+   char str[NAME_LENGTH], ua[NAME_LENGTH];
time_t ltime;
struct tm ts;
 
@@ -7616,7 +7618,7 @@ void show_edit_form(LOGBOOK * lbs, int m
 {
int i, j, n, index, aindex, size, width, height, fh, length, input_size, 
input_maxlen,
format_flags[MAX_N_ATTR], year, month, day, n_attr, n_disp_attr, 
attr_index[MAX_N_ATTR];
-   char str[1000], preset[1000], *p, *pend, star[80], comment[1], 
reply_string[256],
+   char str[2*NAME_LENGTH], preset[2*NAME_LENGTH], *p, *pend, star[80], 
comment[1], reply_string[256],
list[MAX_N_ATTR][NAME_LENGTH], file_name[256], *buffer, format[256], 
date[80],
attrib[MAX_N_ATTR][NAME_LENGTH], *text, orig_tag[80],
reply_tag[MAX_REPLY_TO * 10], att[MAX_ATTACHMENTS][256], encoding[80],
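Review bot: `str` and `preset` grow to `2*NAME_LENGTH` in `show_edit_form` while the two preceding hunks shrink the same-named buffers to `NAME_LENGTH`; a short comment on why this function needs the double size (it appears to receive substituted values, which `strsubst` also buffers at `2*NAME_LENGTH`) would help whoever backports the next revision. The pre-existing `comment[1]` one-byte array in the same declaration deserves a look while this function is being touched.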
@@ -7692,7 +7694,7 @@ void 
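Review bot: the hunk header `@@ -7692,7 +7694,7 @@ void` is cut off here, and the rest of this hunk together with patches two to six announced above is missing from the archived message, so they cannot be reviewed from this thread; please repost or attach the complete series.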

Bug#349528: various unfixed security bugs

2006-01-23 Thread Stefan Ritt

Dear all,

thanks for reporting these issues. I was completely unaware of them 
until today. I will fix all things in the next days and let you know.


Best regards,

  Stefan

Recai Oktaş wrote:

First of all thanks for the detailed analysis!  I haven't been able to work
on elog much, due to heavy work load these days.

* Florian Weimer [2006-01-23 16:42:16+0100]

Package: elog
Version: 2.6.0beta2+r1716-1
Tags: security upstream fixed-upstream
Severity: grave

First a little version cross-reference, based on the src/elog{,d}.c
files.

  Debian              CVS (elogd.c)  Subversion
  2.6.0beta2+r1716-1  1.717*         r1445
  2.5.7+r1558-3       1.558 + 1.648  r1202 + r1347

* Part of the upstream are contained in the .diff.gz file, so the
  embedded version number is not quite correct.

The following issues are unfixed upstream:

  - CVE-2005-4439: buffer overflow through long URL parameters
http://marc.theaimsgroup.com/?m=113498708213563

  - If host names are resolved, no forward lookup is performed to
verify the PTR RR.  (This does not affect the sarge version
because it unconditionally uses addresses, not host names.)

  - There are still some format string issues when things are written
to the logfile.

Apparently, upstream is not aware of those three issues.

The following potential security issues have been fixed upstream, but

not in the sid version (there are some more issues apparently, but
those bugs were introduced past the sid version AFAICS):


I'm going to prepare an urgent sid upload for those bugs.



r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
Changed paths:
   M /trunk/src/elogd.c

Fixed bug with fprintf and buffer containing %


r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
Changed paths:
   M /trunk/src/elog.c
   M /trunk/src/elogd.c

Do not distinguish between invalid user name and invalid password for security 
reasons



On top of that, the following issues affect the sarge version only:


r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Applied patch from Emiliano to fix possible buffer overflow


r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed crashes with very long (revisions) attributes


I've back-ported all four issues to the sarge version, but they
haven't received any testing yet.  If anybody has got a sarge elog
installation, please speak up.


Thanks for the backport, unfortunately I don't have a Sarge box at the
moment, but will try to find one.  Could you please supply the url of
backported patch so that I can also work on it?


I'm going to ask upstream about the following issue:


r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed infinite redirection with ?fail=1


CCing to Stefan.

[Stefan: Please keep the discussion CCed to the bug report]

Regards,




--
Dr. Stefan Ritt   Phone: +41 56 310 3728
Paul Scherrer Institute   FAX: +41 56 310 2199
OLGA/021  mailto:[EMAIL PROTECTED]
CH-5232 Villigen PSI  http://midas.psi.ch/~stefan





Bug#349528: various unfixed security bugs

2006-01-23 Thread Recai Oktaş
Hi,

* Florian Weimer [2006-01-24 00:07:35+0100]
 * Recai Oktaş:
 
  I'm going to prepare an urgent sid upload for those bugs.
 
 I'm not sure if it is worth the effort, until we have all other issues
 sorted out.

Agreed.  I would be glad if you add yourself in Uploaders field.  You're
totally free to make any upload.

-- 
roktas

