Dear all,

thanks for reporting these issues. I was completely unaware of them until today. I will fix all things in the next days and let you know.

Best regards,

  Stefan

Recai Oktaş wrote:
First of all thanks for the detailed analysis!  I haven't been able to work
on elog much, due to heavy work load these days.

* Florian Weimer [2006-01-23 16:42:16+0100]
Package: elog
Version: 2.6.0beta2+r1716-1
Tags: security upstream fixed-upstream
Severity: grave

First a little version cross-reference, based on the src/elog{,d}.c
files.

  Debian              CVS (elogd.c)    Subversion
  2.6.0beta2+r1716-1  1.717*           r1445
  2.5.7+r1558-3       1.558 + 1.648    r1202 + r1347

* Part of the upstream is contained in the .diff.gz file, so the
  embedded version number is not quite correct.

The following issues are unfixed upstream:

  - CVE-2005-4439: buffer overflow through long URL parameters
    <http://marc.theaimsgroup.com/?m=113498708213563>

  - If host names are resolved, no forward lookup is performed to
    verify the PTR RR.  (This does not affect the sarge version
    because it unconditionally uses addresses, not host names.)

  - There are still some format string issues when things are written
    to the logfile.

Apparently, upstream is not aware of those three issues.
The following potential security issues have been fixed upstream, but
not in the sid version (there are some more issues apparently, but
those bugs were introduced past the sid version AFAICS):

I'm going to prepare an urgent sid upload for those bugs.

------------------------------------------------------------------------
r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
Changed paths:
   M /trunk/src/elogd.c

Fixed bug with fprintf and buffer containing "%"

------------------------------------------------------------------------
r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
Changed paths:
   M /trunk/src/elog.c
   M /trunk/src/elogd.c

Do not distinguish between invalid user name and invalid password for security 
reasons



On top of that, the following issues affect the sarge version only:

------------------------------------------------------------------------
r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Applied patch from Emiliano to fix possible buffer overflow

------------------------------------------------------------------------
r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed crashes with very long (revisions) attributes


I've back-ported all four issues to the sarge version, but they
haven't received any testing yet.  If anybody has got a sarge elog
installation, please speak up.

Thanks for the backport, unfortunately I don't have a Sarge box at the
moment, but will try to find one.  Could you please supply the URL of the
backported patch so that I can also work on it?

I'm going to ask upstream about the following issue:

------------------------------------------------------------------------
r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed infinite redirection with ?fail=1

CCing to Stefan.

[Stefan: Please keep the discussion CCed to the bug report]

Regards,



--
Dr. Stefan Ritt           Phone: +41 56 310 3728
Paul Scherrer Institute   FAX: +41 56 310 2199
OLGA/021                  mailto:[EMAIL PROTECTED]
CH-5232 Villigen PSI      http://midas.psi.ch/~stefan
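The second unfixed item in Florian's list (a PTR name used without a forward lookup) is what the check below addresses. It is an added example, not code from elog: the PTR name is accepted only if resolving it forward returns the original address, otherwise the caller logs the numeric address. It assumes POSIX getnameinfo/getaddrinfo, handles IPv4 only, and the function names and the 192.0.2.x self-check addresses are constructed here.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if the IPv4 address in sa appears in a getaddrinfo() result list. */
static int addr_in_list(const struct sockaddr_in *sa, const struct addrinfo *list)
{
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        const struct sockaddr_in *b = (const struct sockaddr_in *)ai->ai_addr;
        if (ai->ai_family == AF_INET && b->sin_addr.s_addr == sa->sin_addr.s_addr)
            return 1;
    }
    return 0;
}

/* Reverse-resolve sa into name, then resolve name forward and accept it only
 * if sa is among the answers. Returns 1 on a confirmed name, 0 otherwise;
 * on 0 the caller should log the numeric address rather than the PTR name. */
int fcrdns_name(const struct sockaddr_in *sa, char *name, size_t namelen)
{
    struct addrinfo hints, *res = NULL;
    if (getnameinfo((const struct sockaddr *)sa, sizeof *sa, name, namelen,
                    NULL, 0, NI_NAMEREQD) != 0)
        return 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;
    int ok = addr_in_list(sa, res);
    freeaddrinfo(res);
    return ok;
}

/* Offline self-check of the comparison step with a constructed answer list
 * (documentation addresses): 192.0.2.10 is listed, 192.0.2.99 is not. */
int fcrdns_selfcheck(void)
{
    struct sockaddr_in listed, other, probe; struct addrinfo a1, a2;
    memset(&listed, 0, sizeof listed); listed.sin_family = AF_INET;
    inet_pton(AF_INET, "192.0.2.10", &listed.sin_addr);
    other = listed; inet_pton(AF_INET, "192.0.2.11", &other.sin_addr);
    probe = listed; inet_pton(AF_INET, "192.0.2.99", &probe.sin_addr);
    memset(&a1, 0, sizeof a1); a1.ai_family = AF_INET;
    a1.ai_addr = (struct sockaddr *)&other; a1.ai_addrlen = sizeof other;
    a2 = a1; a2.ai_addr = (struct sockaddr *)&listed; a1.ai_next = &a2;
    return addr_in_list(&listed, &a1) == 1 && addr_in_list(&probe, &a1) == 0;
}
```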