Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)
On Fri, Oct 29, 2004 at 10:12:33PM +0200, Frank Lichtenheld wrote:

> Perhaps someone with a little more experience in identifying security
> problems should take a look, too. I CC'ed debian-security.

Here's a quick summary:

To be clear there are three flaws being discussed in xsok:

  CAN-2004-0074
    - overflow with LANG environmental variable.
    - overflow due to long '-xsokdir' parameter.

  CAN-2003-0949
    - Failure to drop privileges when unzipping.

The second one was discovered by me and closed in DSA-405-1

The first one is in two parts, the environmental variable overflow is patched already by the package maintainer.

The second appears to be not an issue given this code:

    if (strlen(savedir) > MAXSAVEFILELEN-16 ||
        strlen(xsokdir) > MAXXSOKDIRLEN ||        [2]
        strlen(p->xpmdir) > MAXXSOKDIRLEN) {
        fprintf(stderr, "directory too long\n");
        exit(1);
    }

The second line [2] seems to test its bounds - unless I missed an earlier usage.

I've got it installed here, but sadly I have no X available so I can't test it.

Run the following command to test if it's vulnerable:

    xsok -xsokdir `perl -e 'print "X"x3000'`

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
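An added example, not code from xsok or from the message above: the check-then-copy pattern the quoted test relies on, with the length test run before any write into a fixed-size buffer and the copy itself bounded as a second line of defence. The buffer sizes, buffer names, the save-file name and the helpers `dirs_fit` and `set_dirs` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes; xsok's real values are not shown on the page. */
#define MAXXSOKDIRLEN  64
#define MAXSAVEFILELEN 96

/* Hypothetical destinations: MAX characters plus the NUL terminator fit. */
static char xsokdir_buf[MAXXSOKDIRLEN + 1];
static char savefile_buf[MAXSAVEFILELEN + 1];

/* The quoted test as a predicate: 0 if every argument fits, -1 otherwise. */
int dirs_fit(const char *savedir, const char *xsokdir, const char *xpmdir)
{
    if (strlen(savedir) > MAXSAVEFILELEN - 16 ||
        strlen(xsokdir) > MAXXSOKDIRLEN ||
        strlen(xpmdir) > MAXXSOKDIRLEN)
        return -1;
    return 0;
}

/* Check first, copy second. Returns 0 on success, -1 on rejection. */
int set_dirs(const char *savedir, const char *xsokdir, const char *xpmdir)
{
    int n;

    if (dirs_fit(savedir, xsokdir, xpmdir) != 0)
        return -1;
    /* snprintf is bounded and its return value reveals truncation. */
    n = snprintf(xsokdir_buf, sizeof xsokdir_buf, "%s", xsokdir);
    if (n < 0 || (size_t)n >= sizeof xsokdir_buf)
        return -1;
    /* Assumption: the 16-byte margin is room for an appended file name. */
    n = snprintf(savefile_buf, sizeof savefile_buf, "%s/level01.sav", savedir);
    if (n < 0 || (size_t)n >= sizeof savefile_buf)
        return -1;
    return 0;
}

int main(void)
{
    char big[3001];

    memset(big, 'X', 3000);   /* constructed over-long -xsokdir value */
    big[3000] = '\0';
    printf("3000 chars: %s\n", set_dirs("/tmp", big, "/tmp") ? "rejected" : "accepted");
    return 0;
}
```

A test of `strlen(s) > MAX` accepts strings of exactly `MAX` characters, so it is only safe when the destination holds `MAX + 1` bytes and no copy happens before the test.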
Bug#468643: gnump3d: should this package be removed?
Your objections are interesting, and mostly valid:

> * buggy.

I'd maintain that isn't the case ..

> * no maintainer.

True. I wish somebody would adopt it, rather than having it be maintainerless.

> * Upstream has stopped development.

True.

> * Plenty of other alternatives.

Not so true, given the functionality and bare-bones nature of the software.

> * Relatively low popcon.

Indeed.

Steve
--
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#429191: flyspray phpmailer: not relevant for stable
On Sun Jun 17, 2007 at 18:20:01 +0200, Thijs Kinkhorst wrote:

> For stable I've checked whether it's
> vulnerable and I believe it's not: the vulnerability is in the SendmailSend()
> function. That requires for the calling code to actually use the sendmail
> method, which Flyspray does not allow in any configuration.
>
> I suppose the security team does not send advisories for insecure code that
> is not called?

Agreed.

> As an additional note: sarge is not vulnerable because it doesn't contain a
> copy of the phpmailer class at all. :)

So we don't need to do anything, perfect!

Steve
--
Bug#418548: more debbug data
Please try this patch (works for me, amd64 debian sid): --- apt-spy-3.1/benchmark.c 2007-08-26 03:54:21.0 +0100 +++ benchmark.c 2007-08-26 03:47:22.0 +0100 @@ -23,6 +23,7 @@ printf("\nSERVER:\t%s\n", current->hostname); +curl_global_init (CURL_GLOBAL_ALL); /* We use libcurl - here we setup some global options */ curl = curl_easy_init(); @@ -60,12 +61,15 @@ printf("Benchmarking FTP...\n"); get_file(current, curl, file, FTP, &total_bytes); } - - /* Test for an HTTP entry */ - if (strlen(current->path[HTTP]) != 0) { +/* Test for an HTTP entry */ + else if (strlen(current->path[HTTP]) != 0) { printf("Benchmarking HTTP...\n"); get_file(current, curl, file, HTTP, &total_bytes); } +else + { +printf("UNKNOWN TYPE\n"); + } curl_easy_cleanup(curl); Steve -- # Commercial Debian GNU/Linux Support http://www.linux-administration.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
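Review bot: curl_global_init() in the first hunk sits directly after the "SERVER:" printf for current->hostname, which suggests it runs once per benchmarked server rather than once per program. libcurl expects this call once, before any other libcurl function, and paired with curl_global_cleanup(), which does not appear in the visible lines. Move the call to program start-up, check its return value (non-zero means libcurl cannot be used), and add the matching cleanup at exit.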
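Review bot: changing the HTTP test to `else if` in the second hunk alters behaviour for a server entry that has both an FTP and an HTTP path: once the FTP block above it has run, the HTTP benchmark is skipped, whereas the original independent `if` ran both. If the aim is only to report entries with neither path, keep the plain `if (strlen(current->path[HTTP]) != 0)` and add a separate check that both path strings are empty. The "UNKNOWN TYPE" message would also be better sent to stderr with the hostname, and that branch should return an error to the caller instead of falling through to curl_easy_cleanup(curl) as though a benchmark had taken place.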
Bug#444690: debconf template Italian translation
Hi,

Thanks very much for offering to supply a translation of the debconf strings for Italian users of Debian GNU/Linux.

Unfortunately you didn't actually attach your translation to the bug report you submitted.

If you could mail the file to the bug number I'll ensure it is applied in the near future.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Bug#398936: libapache2-mod-ifier: The module breaks POST processing
Package: libapache2-mod-ifier
Version: 0.8-2
Severity: grave
Justification: renders package unusable

This module, when installed and enabled, breaks all processing of POST requests.

It should be removed from Etch until it can be updated to work correctly.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libapache2-mod-ifier depends on:
ii  apache2.2-common  2.2.3-3.1    Next generation, scalable, extenda
ii  libc6             2.3.6.ds1-8  GNU C Library: Shared libraries

libapache2-mod-ifier recommends no packages.

-- no debconf information
Bug#226356: Buffer overflow vulnerability (CAN-2003-0850)
On Mon, Jan 05, 2004 at 06:17:07PM -0800, Matt Zimmerman wrote:

> Package: libnids
> Severity: grave
>
> "The TCP reassembly functionality in libnids before 1.18 allows remote
> attackers to cause "memory corruption" and possibly execute arbitrary code
> via "overlarge TCP packets."
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0850
>
> An update to version 1.18 should be sufficient to correct the problem.
>
> I am copying [EMAIL PROTECTED], since that is the only reverse
> dependency. This package is orphaned and could be removed if this bug is
> not fixed.

I maintain dsniff - and will adopt libnids and upload a more recent version shortly.

I've retitled #188171 to reflect this, although the control address seems to be a little bit slow today.

Steve
--