Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
Package: xsok
Severity: critical
Justification: security hole

This orphaned package still contains the local buffer overflow described
in http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0074 which
leads to privilege escalation (group games).

Tom

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-grsec2.0.1-vs1.28-localnat
Locale: LANG=C, LC_CTYPE=C
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
tags 278777 moreinfo
thanks

On Fri, Oct 29, 2004 at 12:22:11PM +0200, Thomas Wana wrote:
> This orphaned package still contains the local buffer overflow described
> in http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0074 which
> leads to privilege escalation (group games).

Hmm, the patch from the DSA is included in the package... Or do you
mean that the patch is flawed?

Regards,
-- 
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
Frank Lichtenheld wrote:
> Hmm, the patch from the DSA is included in the package... Or do you
> mean that the patch is flawed?

Do you mean DSA-405-1 (http://lwn.net/Articles/64725/)? That DSA
is referring to CAN-2003-0949, which indeed seems to be fixed, but
CAN-2004-0074 (which this bug is about) is nowhere mentioned anywhere,
and it's indeed unfixed.

How to verify this bug:
---

The bugtraq posting (http://www.securityfocus.com/bid/9341, referenced
from the CAN site) says:

"xsok is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds check of data supplied through the LANG
environment variable. This could be exploited to execute arbitrary code
with elevated privileges. The program is typically installed setgid
games."

So we grep for LANG in the code:

[EMAIL PROTECTED]:/usr/src/secure-sarge$ apt-get source xsok
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 121kB of source archives.
Get:1 http://ftp.at.debian.org sarge/main xsok 1.02-12 (dsc) [596B]
Get:2 http://ftp.at.debian.org sarge/main xsok 1.02-12 (tar) [114kB]
Get:3 http://ftp.at.debian.org sarge/main xsok 1.02-12 (diff) [6170B]
Fetched 121kB in 0s (547kB/s)
dpkg-source: extracting xsok in xsok-1.02
[EMAIL PROTECTED]:/usr/src/secure-sarge$ grep LANG xsok-1.02/src/*
xsok-1.02/src/loadsave.c:if ((s = getenv("LANG"))) {
xsok-1.02/src/messages.c: fprintf(stderr, "Hint: Perhaps unsetting LANG or making a symbolic"
xsok-1.02/src/xsok.man:.SH NATIONAL LANGUAGE SUPPORT
xsok-1.02/src/xsok.man:environment variable \fBLANG\fP to the desired value. Currently, no translated

And we have a look in xsok-1.02/src/loadsave.c:

void setlangdir(void) {
    const char *s;
    char p[100];
    if ((s = getenv("LANG"))) {
        sprintf(p, "%s/%s", xsokdir, s);
        if (!access(p, F_OK)) {
            /* langdir does exist */
            langdir = s;
            return;
        }
    }
    langdir = "";
}

This is indeed a buffer overflow.

Tom
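
A bounded form of the path construction in setlangdir() quoted above, as an added example: this is not code from the thread, from xsok, or from the Debian patch. The helper name build_langpath, the directory string and the sample values are hypothetical, and refusing '/' in the value is an extra assumption about what a locale name may contain.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not xsok code, not the Debian patch): write
 * "<dir>/<lang>" into out[outsz]. Returns 0 on success, -1 if the value
 * is rejected or the joined path would not fit in the buffer. */
static int build_langpath(char *out, size_t outsz,
                          const char *dir, const char *lang)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (dir == NULL || lang == NULL || lang[0] == '\0')
        return -1;
    /* Extra assumption: a locale name is a single path component, so a
     * value containing '/' is refused instead of being joined. */
    if (strchr(lang, '/') != NULL)
        return -1;
    /* snprintf writes at most outsz bytes (terminator included) and
     * returns the length the complete string would have had, so a
     * result >= outsz means the value was too long for the buffer. */
    n = snprintf(out, outsz, "%s/%s", dir, lang);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char p[100];                 /* same size as p in setlangdir() */
    char longlang[300];          /* constructed oversized LANG value */
    const char *dir = "/constructed/xsokdir";  /* placeholder directory */

    memset(longlang, 'A', sizeof longlang - 1);
    longlang[sizeof longlang - 1] = '\0';

    printf("de_AT     -> %d\n", build_langpath(p, sizeof p, dir, "de_AT"));
    printf("path      -> %s\n", p);
    printf("299 bytes -> %d\n", build_langpath(p, sizeof p, dir, longlang));
    printf("../etc    -> %d\n", build_langpath(p, sizeof p, dir, "../etc"));
    return 0;
}
```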
Processed: tagging 278777
Processing commands for [EMAIL PROTECTED]:

> # Automatically generated email from bts, devscripts version 2.8.4
> tags 278777 moreinfo
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
There were no tags set.
Tags added: moreinfo

>
End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
On Fri, Oct 29, 2004 at 09:21:09PM +0200, Thomas Wana wrote:
> Frank Lichtenheld wrote:
> >Hmm, the patch from the DSA is included in the package... Or do you
> >mean that the patch is flawed?
>
> Do you mean DSA-405-1 (http://lwn.net/Articles/64725/)? That DSA
> is referring to CAN-2003-0949, which indeed seems to be fixed, but
> CAN-2004-0074 (which this bug is about) is nowhere mentioned anywhere,
> and it's indeed unfixed.

Uupps, I was confused by the CAN numbers...

> How to verify this bug:
> ---
[...]

But you too, since that was the wrong part ;) The LANG vuln is fixed in
the current package (the patch is in debian/patches and gets applied at
build time). I guess the -xsokdir vuln could be not fixed, I will check
that.

Regards,
-- 
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
Bug#278862: libcap2-dev: please include static library (.a) in the package
Package: libcap2-dev
Version: 0.cvs.20010529-4
Severity: normal

Please include the static library (.a file) in the package libcap2-dev.

Thank you,
Lennart

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

Versions of packages libcap2-dev depends on:
ii  libc6-dev  2.3.2.ds1-18      GNU C Library: Development Librari
ii  libcap2    0.cvs.20010529-4  Support for POSIX.1e capabilities

-- no debconf information
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
Frank Lichtenheld wrote:
> But you too, since that was the wrong part ;) The LANG vuln is fixed in
> the current package (the patch is in debian/patches and gets applied at
> build time). I guess the -xsokdir vuln could be not fixed, I will check
> that.

oh - oh - fsck :)
Yes, I didn't check the patches (I should have done that - shame on me).
If that unintentionally uncovered another bug - good
If not - sorry for the noise :)

Tom

> Regards,
Processed: Re: Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
Processing commands for [EMAIL PROTECTED]:

> tags 278777 security
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
Tags were: moreinfo
Tags added: security

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
tags 278777 security
thanks

On Fri, Oct 29, 2004 at 09:46:00PM +0200, Thomas Wana wrote:
> Frank Lichtenheld wrote:
> >
> >But you too, since that was the wrong part ;) The LANG vuln is fixed in
> >the current package (the patch is in debian/patches and gets applied at
> >build time). I guess the -xsokdir vuln could be not fixed, I will check
> >that.
>
> oh - oh - fsck :)
> Yes, I didn't check the patches (I should have done that - shame on me).
> If that unintentionally uncovered another bug - good
> If not - sorry for the noise :)

Hmm, the exploits given on the bugtraq site all don't seem to work.
Since there are many dubious statements in the source code, I'm
reluctant to simply close the bug, though. Perhaps someone with a little
more experience in identifying security problems should take a look,
too. I CC'ed debian-security.

For the context: CAN-2004-0074 may have been fixed in xsok 1.02-8
(Changelog: "Fixed buffer overflow when reading environment variable
LANG.") but I'm not sure.

Regards,
-- 
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/