Bug#349528: various unfixed security bugs
* Recai Oktaş: I'm not sure if it is worth the effort, until we have all other issues sorted out. Agreed. I would be glad if you add yourself in Uploaders field. You're totally free to make any upload. Uhm, I don't use elog myself and have zero interest in that package beyond that there are several unfixed high-severity security bugs in it.
Bug#349528: various unfixed security bugs
Package: elog Version: 2.6.0beta2+r1716-1 Tags: security upstream fixed-upstream Severity: grave First a little version cross-reference, based on the src/elog{,d}.c files. Debian CVS (elogd.c)Subversion 2.6.0beta2+r1716-1 1.717* r1445 2.5.7+r1558-3 1.558 + 1.648r1202 + r1347 * Part of the upstream are contained in the .diff.gz file, so the embedded version number is not quite correct. The following issues are unfixed upstream: - CVE-2005-4439: buffer overflow through long URL parameters http://marc.theaimsgroup.com/?m=113498708213563 - If host names are resolved, no forward lookup is performed to verify the PTR RR. (This does not affect the sarge version because it unconditionally uses addresses, not host names.) - There are still some format string issues when things are written to the logfile. Apparently, upstream is not aware of those three issues. The following potential security issues have been fixed upstream, but not in the sid version (there are some more issues apparently, but those bugs were introduced past the sid version AFAICS): r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line Changed paths: M /trunk/src/elogd.c Fixed bug with fprintf and buffer containing % r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines Changed paths: M /trunk/src/elog.c M /trunk/src/elogd.c Do not distinguish between invalid user name and invalid password for security reasons On top of that, the following issues affect the sarge version only: r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Applied patch from Emiliano to fix possible buffer overflow r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Fixed crashes with very long (revisions) attributes I've back-ported all four issues to the sarge version, but they haven't received any testing yet. If anybody has got a sarge elog installation, please speak up. I'm going to ask upstream about the following issue: r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Fixed infinite redirection with ?fail=1 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#349528: various unfixed security bugs
First of all thanks for the detailed analysis! I haven't been able to work on elog much, due to heavy work load these days. * Florian Weimer [2006-01-23 16:42:16+0100] Package: elog Version: 2.6.0beta2+r1716-1 Tags: security upstream fixed-upstream Severity: grave First a little version cross-reference, based on the src/elog{,d}.c files. Debian CVS (elogd.c)Subversion 2.6.0beta2+r1716-1 1.717* r1445 2.5.7+r1558-3 1.558 + 1.648r1202 + r1347 * Part of the upstream are contained in the .diff.gz file, so the embedded version number is not quite correct. The following issues are unfixed upstream: - CVE-2005-4439: buffer overflow through long URL parameters http://marc.theaimsgroup.com/?m=113498708213563 - If host names are resolved, no forward lookup is performed to verify the PTR RR. (This does not affect the sarge version because it unconditionally uses addresses, not host names.) - There are still some format string issues when things are written to the logfile. Apparently, upstream is not aware of those three issues. The following potential security issues have been fixed upstream, but not in the sid version (there are some more issues apparently, but those bugs were introduced past the sid version AFAICS): I'm going to prepare an urgent sid upload for those bugs. r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line Changed paths: M /trunk/src/elogd.c Fixed bug with fprintf and buffer containing % r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines Changed paths: M /trunk/src/elog.c M /trunk/src/elogd.c Do not distinguish between invalid user name and invalid password for security reasons On top of that, the following issues affect the sarge version only: r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Applied patch from Emiliano to fix possible buffer overflow r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Fixed crashes with very long (revisions) attributes I've back-ported all four issues to the sarge version, but they haven't received any testing yet. If anybody has got a sarge elog installation, please speak up. Thanks for the backport, unfortunately I don't have a Sarge box at the moment, but will try to find one. Could you please supply the url of backported patch so that I can also work on it? I'm going to ask upstream about the following issue: r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Fixed infinite redirection with ?fail=1 CCing to Stefan. [Stefan: Please keep the discussion CCed to the bug report] Regards, -- roktas signature.asc Description: Digital signature
Bug#349528: various unfixed security bugs
* Recai Oktaş: Thanks for the backport, unfortunately I don't have a Sarge box at the moment, but will try to find one. A sarge chroot is probably good enough for this kind of package. The following potential security issues have been fixed upstream, but not in the sid version (there are some more issues apparently, but those bugs were introduced past the sid version AFAICS): I'm going to prepare an urgent sid upload for those bugs. I'm not sure if it is worth the effort, until we have all other issues sorted out. Thanks for the backport, unfortunately I don't have a Sarge box at the moment, but will try to find one. Could you please supply the url of backported patch so that I can also work on it? Okay, the four patches for sarge I've got so far are included below. Patch five and six address a few issues I spotted while backporting. Everything is completely untested. Subject: [PATCH] r1333: Fixed crashes with very long (revisions) attributes --- debian/changelog |8 + src/elogd.c | 85 ++ 2 files changed, 56 insertions(+), 37 deletions(-) 6bb233bc624fcb196935dc069238777f06a90cca diff --git a/debian/changelog b/debian/changelog index 6f8e6a7..9f49646 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +elog (2.5.7+r1558-4+sarge1) unstable; urgency=low + + * Security update + * Backport r1333 from upstream's Subversion repository: +Fixed crashes with very long (revisions) attributes + + -- Florian Weimer [EMAIL PROTECTED] Mon, 23 Jan 2006 15:56:37 +0100 + elog (2.5.7+r1558-3) testing-proposed-updates; urgency=high * Security update. Backport the fix (r1.648) for a buffer overflow: diff --git a/src/elogd.c b/src/elogd.c index 5a5da40..802e1dd 100755 --- a/src/elogd.c +++ b/src/elogd.c @@ -1648,17 +1648,19 @@ size_t strlcat(char *dst, const char *sr /*---*/ -void strsubst(char *string, char name[][NAME_LENGTH], char value[][NAME_LENGTH], int n) - /* subsitute $name with value corresponding to name */ +void strsubst(char *string, int size, char name[][NAME_LENGTH], char value[][NAME_LENGTH], int n) +/* subsitute $name with value corresponding to name */ { int i, j; - char tmp[1000], str[NAME_LENGTH], uattr[NAME_LENGTH], *ps, *pt, *p; + char tmp[2*NAME_LENGTH], str[2*NAME_LENGTH], uattr[2*NAME_LENGTH], *ps, *pt, *p; pt = tmp; ps = string; for (p = strchr(ps, '$'); p != NULL; p = strchr(ps, '$')) { /* copy leading characters */ j = (int) (p - ps); + if (j = sizeof(tmp)) + return; memcpy(pt, ps, j); pt += j; p++; @@ -1680,7 +1682,7 @@ void strsubst(char *string, char name[][ /* copy value */ if (i n) { - strcpy(pt, value[i]); + strlcpy(pt, value[i], sizeof(tmp)-((int)pt-(int)tmp)); pt += strlen(pt); ps = p + strlen(uattr); } else { @@ -1690,10 +1692,10 @@ void strsubst(char *string, char name[][ } /* copy remainder */ - strcpy(pt, ps); + strlcpy(pt, ps, sizeof(tmp)-((int)pt-(int)tmp)); /* return result */ - strcpy(string, tmp); + strlcpy(string, tmp, size); } /*--*/ @@ -3534,7 +3536,7 @@ void retrieve_email_from(LOGBOOK * lbs, if (attrib) { i = build_subst_list(lbs, slist, svalue, attrib, TRUE); - strsubst(str, slist, svalue, i); + strsubst(str, sizeof(str), slist, svalue, i); /* remove possible 'mailto:' */ if ((p = strstr(str, mailto:;)) != NULL) @@ -7446,7 +7448,7 @@ auto-increment tags */ BOOL is_author(LOGBOOK * lbs, char attrib[MAX_N_ATTR][NAME_LENGTH], char *owner) { - char str[1000], preset[1000]; + char str[NAME_LENGTH], preset[NAME_LENGTH]; int i; /* check if current user is admin */ @@ -7553,7 +7555,7 @@ void show_date_selector(int day, int mon void attrib_from_param(int n_attr, char attrib[MAX_N_ATTR][NAME_LENGTH]) { int i, j, first, year, month, day; - char str[1000], ua[NAME_LENGTH]; + char str[NAME_LENGTH], ua[NAME_LENGTH]; time_t ltime; struct tm ts; @@ -7616,7 +7618,7 @@ void show_edit_form(LOGBOOK * lbs, int m { int i, j, n, index, aindex, size, width, height, fh, length, input_size, input_maxlen, format_flags[MAX_N_ATTR], year, month, day, n_attr, n_disp_attr, attr_index[MAX_N_ATTR]; - char str[1000], preset[1000], *p, *pend, star[80], comment[1], reply_string[256], + char str[2*NAME_LENGTH], preset[2*NAME_LENGTH], *p, *pend, star[80], comment[1], reply_string[256], list[MAX_N_ATTR][NAME_LENGTH], file_name[256], *buffer, format[256], date[80], attrib[MAX_N_ATTR][NAME_LENGTH], *text, orig_tag[80], reply_tag[MAX_REPLY_TO * 10], att[MAX_ATTACHMENTS][256], encoding[80], @@ -7692,7 +7694,7 @@ void
Bug#349528: various unfixed security bugs
Dear all, thanks for reporting these issues. I was completely unaware of them until today. I will fix all things in the next days and let you know. Best regards, Stefan Recai Oktaş wrote: First of all thanks for the detailed analysis! I haven't been able to work on elog much, due to heavy work load these days. * Florian Weimer [2006-01-23 16:42:16+0100] Package: elog Version: 2.6.0beta2+r1716-1 Tags: security upstream fixed-upstream Severity: grave First a little version cross-reference, based on the src/elog{,d}.c files. Debian CVS (elogd.c)Subversion 2.6.0beta2+r1716-1 1.717* r1445 2.5.7+r1558-3 1.558 + 1.648r1202 + r1347 * Part of the upstream are contained in the .diff.gz file, so the embedded version number is not quite correct. The following issues are unfixed upstream: - CVE-2005-4439: buffer overflow through long URL parameters http://marc.theaimsgroup.com/?m=113498708213563 - If host names are resolved, no forward lookup is performed to verify the PTR RR. (This does not affect the sarge version because it unconditionally uses addresses, not host names.) - There are still some format string issues when things are written to the logfile. Apparently, upstream is not aware of those three issues. The following potential security issues have been fixed upstream, but not in the sid version (there are some more issues apparently, but those bugs were introduced past the sid version AFAICS): I'm going to prepare an urgent sid upload for those bugs. r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line Changed paths: M /trunk/src/elogd.c Fixed bug with fprintf and buffer containing % r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines Changed paths: M /trunk/src/elog.c M /trunk/src/elogd.c Do not distinguish between invalid user name and invalid password for security reasons On top of that, the following issues affect the sarge version only: r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Applied patch from Emiliano to fix possible buffer overflow r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Fixed crashes with very long (revisions) attributes I've back-ported all four issues to the sarge version, but they haven't received any testing yet. If anybody has got a sarge elog installation, please speak up. Thanks for the backport, unfortunately I don't have a Sarge box at the moment, but will try to find one. Could you please supply the url of backported patch so that I can also work on it? I'm going to ask upstream about the following issue: r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines Changed paths: M /trunk/src/elogd.c Fixed infinite redirection with ?fail=1 CCing to Stefan. [Stefan: Please keep the discussion CCed to the bug report] Regards, -- Dr. Stefan Ritt Phone: +41 56 310 3728 Paul Scherrer Institute FAX: +41 56 310 2199 OLGA/021 mailto:[EMAIL PROTECTED] CH-5232 Villigen PSI http://midas.psi.ch/~stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#349528: various unfixed security bugs
Hi, * Florian Weimer [2006-01-24 00:07:35+0100] * Recai Oktaş: I'm going to prepare an urgent sid upload for those bugs. I'm not sure if it is worth the effort, until we have all other issues sorted out. Agreed. I would be glad if you add yourself in Uploaders field. You're totally free to make any upload. -- roktas signature.asc Description: Digital signature