Bug#633637: NMU patch
Hi,

Attached is the NMU patch.

Cheers,
Steffen

diff -u libapache2-mod-authnz-external-3.2.4/debian/changelog libapache2-mod-authnz-external-3.2.4/debian/changelog --- libapache2-mod-authnz-external-3.2.4/debian/changelog +++ libapache2-mod-authnz-external-3.2.4/debian/changelog @@ -1,3 +1,11 @@ +libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix SQL injection via the $user paramter (Closes: #633637) +Fixes: CVE-2011-2688 + + -- Steffen Joeris wh...@debian.org Mon, 18 Jul 2011 10:26:11 +1000 + libapache2-mod-authnz-external (3.2.4-2) unstable; urgency=low * libapache2-mod-authnz-external does not install the .load file only in patch2: unchanged: --- libapache2-mod-authnz-external-3.2.4.orig/mysql/mysql-auth.pl +++ libapache2-mod-authnz-external-3.2.4/mysql/mysql-auth.pl @@ -62,7 +62,8 @@ exit 1; } -my $dbq = $dbh-prepare(select username as username, password as password from users where username=\'$user\';); +my $dbq = $dbh-prepare(select username as username, password as password from users where username=?;); +$dbq-bind_param(1, $user); $dbq-execute; my $row = $dbq-fetchrow_hashref();
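Review bot: in the mysql-auth.pl hunk the return value of `$dbq-execute` is still unchecked, so a statement that fails at execution falls through to `fetchrow_hashref()` and a database error is indistinguishable from an unknown user; the surrounding code already exits with `exit 1` on error, so `$dbq->execute or exit 1;` keeps that convention, and since the username is the only placeholder, `$dbq->execute($user)` could replace the separate `bind_param(1, $user)` call.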
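Review bot: the changelog hunk misspells the parameter name in `Fix SQL injection via the $user paramter`; fix the typo before upload, and it would help later readers of the changelog to say that the query now uses a prepared statement with a bound placeholder, since that is what actually closes CVE-2011-2688.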
Bug#633637: reopen bug
Hi Amaya,

> Steffen Joeris wrote:
>> I had a quick look and didn't see that code included in debian; as far as I can see the package has the same version in all suites, or am I missing anything?
>
> Oh, $DEITY, you are absolutely right, I looked at a locally patched version and confused it with the debian provided one. I had too little coffee yesterday :)
> Yes, this bug should be reopened, and fixed.

No worries, if you have time, feel free to upload an NMU and a fixed version for squeeze to stable-security.

Cheers,
Steffen
Bug#628448: several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160
Package: libav
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for libav.

CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
| 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
| Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
| related to issues originally discovered by Google Chrome developers.

CVE-2011-2161[1]:
| The ape_read_header function in ape.c in libavformat in FFmpeg before
| 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
| products, allows remote attackers to cause a denial of service
| (application crash) via an APE (aka Monkey's Audio) file that contains
| a header but no frames.

CVE-2011-2160[2]:
| The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
| MPlayer and other products, does not properly restrict read
| operations, which allows remote attackers to have an unspecified
| impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2162
    http://security-tracker.debian.org/tracker/CVE-2011-2162
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
    http://security-tracker.debian.org/tracker/CVE-2011-2161
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2160
    http://security-tracker.debian.org/tracker/CVE-2011-2160

-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#628449: CVE-2011-2147: missing restrictions
Package: openswan
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for openswan.

CVE-2011-2147[0]:
| Openswan 2.2.x does not properly restrict permissions for (1)
| /var/run/starter.pid, related to starter.c in the IPsec starter, and
| (2) /var/lock/subsys/ipsec, which allows local users to kill arbitrary
| processes by writing a PID to a file, or possibly bypass disk quotas
| by writing arbitrary data to a file, as demonstrated by files with
| 0666 permissions, a different vulnerability than CVE-2011-1784.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2147
    http://security-tracker.debian.org/tracker/CVE-2011-2147
Bug#628450: CVE-2011-0188: arbitrary code execution
Package: libruby1.9.1
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for openswan.

CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
| and other platforms, does not properly allocate memory, which allows
| context-dependent attackers to execute arbitrary code or cause a
| denial of service (application crash) via vectors involving creation
| of a large BigDecimal value within a 64-bit process, related to an
| integer truncation issue.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
    http://security-tracker.debian.org/tracker/CVE-2011-0188
Bug#628451: CVE-2011-0188: arbitrary code execution
Package: ruby1.9
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for openswan.

CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
| and other platforms, does not properly allocate memory, which allows
| context-dependent attackers to execute arbitrary code or cause a
| denial of service (application crash) via vectors involving creation
| of a large BigDecimal value within a 64-bit process, related to an
| integer truncation issue.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
    http://security-tracker.debian.org/tracker/CVE-2011-0188
Bug#628452: CVE-2011-0188: arbitrary code execution
Package: ruby1.8
Version: 1.8.7.334-5
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for openswan.

CVE-2011-0188[0]:
| The VpMemAlloc function in bigdecimal.c in the BigDecimal class in
| Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7
| and other platforms, does not properly allocate memory, which allows
| context-dependent attackers to execute arbitrary code or cause a
| denial of service (application crash) via vectors involving creation
| of a large BigDecimal value within a 64-bit process, related to an
| integer truncation issue.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188
    http://security-tracker.debian.org/tracker/CVE-2011-0188
Bug#628453: CVE-2011-1521: information disclosure
Package: python3.1
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for python3.1.

CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| before 3.2.1 process Location headers that specify redirection to
| file: URLs, which makes it easier for remote attackers to obtain
| sensitive information or cause a denial of service (resource
| consumption) via a crafted URL, as demonstrated by the
| file:///etc/passwd and file:///dev/zero URLs.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
    http://security-tracker.debian.org/tracker/CVE-2011-1521
Bug#628455: CVE-2011-1521: information disclosure
Package: python2.6
Version: 2.6.6-10
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for python2.6.

CVE-2011-1521[0]:
| The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x
| before 3.2.1 process Location headers that specify redirection to
| file: URLs, which makes it easier for remote attackers to obtain
| sensitive information or cause a denial of service (resource
| consumption) via a crafted URL, as demonstrated by the
| file:///etc/passwd and file:///dev/zero URLs.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers,
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
    http://security-tracker.debian.org/tracker/CVE-2011-1521
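The redirect check that the two CVE-2011-1521 reports above (python3.1 and python2.6) call for, as an added example that is neither Python's own urllib code nor part of the bug reports: a urllib.request redirect handler that resolves the Location header and refuses any target whose scheme is not http or https. Python 3 since the upstream fix already rejects such redirects; the example shows the check in isolation so it can be applied to any redirect follower (the host names are constructed, no network is used).

```python
"""Scheme allowlist for HTTP redirects (constructed example for CVE-2011-1521).

The bug reports above describe urllib following a Location header that points
at file:///etc/passwd (information disclosure) or file:///dev/zero (resource
consumption).  This handler drops any redirect outside ALLOWED_SCHEMES.
"""
import urllib.error
import urllib.parse
import urllib.request

ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect(location, base_url):
    """Return the absolute redirect target, or None if its scheme is not allowed.

    A relative Location is resolved against the URL of the response that
    carried it before the scheme is inspected, so "/login" is accepted while
    "file:///etc/passwd" or "FILE:///dev/zero" (scheme compared lower-cased)
    is rejected.
    """
    target = urllib.parse.urljoin(base_url, location)
    scheme = urllib.parse.urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return target


class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that refuses file:, ftp:, data: and any other scheme
    outside ALLOWED_SCHEMES instead of fetching the target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_safe_redirect(newurl, req.full_url) is None:
            raise urllib.error.HTTPError(
                req.full_url, code,
                "refusing redirect to %r: scheme not allowed" % newurl,
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_checked_opener():
    """Opener with the checking handler installed in place of the default one
    (build_opener replaces a default handler by a subclass passed in)."""
    return urllib.request.build_opener(SchemeCheckingRedirectHandler())


def handler_allows(base_url, location):
    """True if the handler would follow Location.

    Drives the handler with a constructed 302 and no network, resolving the
    Location value against the request URL the way http_error_302 does before
    calling redirect_request.
    """
    handler = SchemeCheckingRedirectHandler()
    req = urllib.request.Request(base_url)
    absolute = urllib.parse.urljoin(base_url, location)
    try:
        new_req = handler.redirect_request(req, None, 302, "Found", {}, absolute)
    except urllib.error.HTTPError:
        return False
    return new_req is not None
```

Installing the opener with `urllib.request.install_opener(build_checked_opener())` makes every later `urlopen` call go through the check.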
Bug#628456: CVE-2011-0766: cryptographic weakness
Package: erlang
Severity: grave
Tags: security

Hi,

Please see http://www.kb.cert.org/vuls/id/178990 for all the information. The upstream patch can be reviewed here: https://github.com/erlang/otp/commit/f228601de45c5

Cheers,
Steffen
Bug#603749: mahara in sid not affected
severity 603749 normal
thx

It seems that the vulnerable file was introduced after 1.2.6, which is currently in sid. So as long as a fixed version is uploaded next, everything should be fine.

Cheers,
Steffen
Bug#596086: NMU diff
Hi,

Please find the NMU diff attached.

Cheers,
Steffen

diff -u squid3-3.1.6/debian/changelog squid3-3.1.6/debian/changelog --- squid3-3.1.6/debian/changelog +++ squid3-3.1.6/debian/changelog @@ -1,3 +1,11 @@ +squid3 (3.1.6-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix DoS due to wrong string handling (Closes: #596086) +Fixes: CVE-2010-3072 + + -- Steffen Joeris wh...@debian.org Mon, 13 Sep 2010 17:07:51 +1000 + squid3 (3.1.6-1) unstable; urgency=low * New upstream release diff -u squid3-3.1.6/debian/patches/00list squid3-3.1.6/debian/patches/00list --- squid3-3.1.6/debian/patches/00list +++ squid3-3.1.6/debian/patches/00list @@ -3,0 +4 @@ +16-CVE-2010-3072 only in patch2: unchanged: --- squid3-3.1.6.orig/debian/patches/16-CVE-2010-3072.dpatch +++ squid3-3.1.6/debian/patches/16-CVE-2010-3072.dpatch
@@ -0,0 +1,123 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +...@dpatch@ +--- ../old/squid3-3.1.6/src/SquidString.h 2010-08-02 00:01:39.0 +1000 squid3-3.1.6/src/SquidString.h 2010-09-13 17:00:17.0 +1000 +@@ -167,6 +167,8 @@ + void allocBuffer(size_type sz); + void setBuffer(char *buf, size_type sz); + ++_SQUID_INLINE_ bool nilCmp(bool, bool, int ) const; ++ + /* never reference these directly! */ + size_type size_; /* buffer size; 64K limit */ + +--- ../old/squid3-3.1.6/src/String.cci 2010-08-02 00:01:37.0 +1000 squid3-3.1.6/src/String.cci 2010-09-13 17:05:43.0 +1000 +@@ -88,19 +88,31 @@ + } + + +-int +-String::cmp (char const *aString) const ++/// compare NULL and empty strings because str*cmp() may fail on NULL strings ++/// and because we need to return consistent results for strncmp(count == 0). ++bool ++String::nilCmp(const bool thisIsNilOrEmpty, const bool otherIsNilOrEmpty, int result) const + { +-/* strcmp fails on NULLS */ ++if (!thisIsNilOrEmpty !otherIsNilOrEmpty) ++return false; // result does not matter + +-if (size() == 0 (aString == NULL || aString[0] == '\0')) +-return 0; ++if (thisIsNilOrEmpty otherIsNilOrEmpty) ++result = 0; ++else if (thisIsNilOrEmpty) ++result = -1; ++else // otherIsNilOrEmpty ++result = +1; ++ ++return true; ++} + +-if (size() == 0) +-return -1; + +-if (aString == NULL || aString[0] == '\0') +-return 1; ++int ++String::cmp (char const *aString) const ++{ ++int result = 0; ++if (nilCmp(!size(), (!aString || !*aString), result)) ++return result; + + return strcmp(termedBuf(), aString); + } +@@ -108,19 +120,10 @@ + int + String::cmp (char const *aString, String::size_type count) const + { +-/* always the same at length 0 */ +- +-if (count == 0) +-return 0; ++int result = 0; ++if (nilCmp((!size() || !count), (!aString || !*aString || !count), result)) ++return result; + +-if (size() == 0 (aString == NULL || aString[0] == '\0')) +-return 0; +- +-if (size() == 0) +-return -1; +- +-if (aString == NULL || aString[0] == '\0') +-return 
1; + + return strncmp(termedBuf(), aString, count); + } +@@ -128,16 +131,10 @@ + int + String::cmp (String const aString) const + { +-/* strcmp fails on NULLS */ +- +-if (size() == 0 aString.size() == 0) +-return 0; +- +-if (size() == 0) +-return -1; ++int result = 0; ++if (nilCmp(!size(), !aString.size(), result)) ++return result; + +-if (aString.size() == 0) +-return 1; + + return strcmp(termedBuf(), aString.termedBuf()); + } +@@ -145,12 +142,22 @@ + int + String::caseCmp(char const *aString) const + { ++int result = 0; ++if (nilCmp(!size(), (!aString || !*aString), result)) ++return result; ++ ++ + return strcasecmp(termedBuf(), aString); + } + + int + String::caseCmp(char const *aString, String::size_type count) const + { ++int result = 0; ++if (nilCmp((!size() || !count), (!aString || !*aString || !count), result)) ++return result; ++ ++ + return strncasecmp(termedBuf(), aString, count); + }
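Review bot: the functional part of the 16-CVE-2010-3072 dpatch is the two `String::caseCmp` hunks, which previously went straight to `strcasecmp`/`strncasecmp` without the NULL/empty guard that the three `String::cmp` overloads already carried; the `String::cmp` hunks are a refactor onto `nilCmp` with the same results as the removed branches (for `count == 0` both flags are true and 0 is still returned, matching the deleted `/* always the same at length 0 */` case). The dpatch header is a bare `@DPATCH@` stub with no description, so state there which hunks are the fix and which are the refactor, otherwise the next reviewer has to re-derive it.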
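Review bot: both `String::caseCmp` hunks leave two consecutive empty added lines (`++` followed by `++`) between the `nilCmp` early return and the `strcasecmp`/`strncasecmp` call; one blank line is enough, and the surplus ones will show up in every later diff of String.cci.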
Bug#574418: barnowl security update
Hi Sam

Could you prepare updated packages for lenny and send a debdiff? We'll need to release a DSA for this issue.

Cheers
Steffen
Bug#572417: tdiary XSS
Hi Hideki

Indeed this should be fixed via a DSA and for unstable as well. I am still having slight problems understanding the XSS issue here. Apparently, to_native() is converting it to another encoding, but shouldn't it do some escaping of certain characters to avoid having the usual html characters in there? I also don't understand the text on tdiary.org, since it is in Japanese, could you maybe provide a translation?

I'm sure that I'm just missing something here, so once I understand it better, we can just proceed with DSA/NMU.

Cheers
Steffen
Bug#572417: tdiary XSS
Hi Hideki

Thanks for the information. Have you been able to reproduce the problem with IE and checked the patch?

Cheers
Steffen

> On Sun, 7 Mar 2010 19:10:12 +1100 Steffen Joeris steffen.joe...@skolelinux.de wrote:
>> Apparently, to_native() is converting it to another encoding, but shouldn't it do some escaping of certain characters to avoid having the usual html characters in there?
>
> I'm not sure that, I'll ask upstream author. IE has a strange behavior with auto-encoding pages without charset, it probably relates that.
>
>> I also don't understand the text on tdiary.org, since it is in Japanese, could you maybe provide a translation?
>
> * Overview
> XSS vulnerability was found in tDiary, a communication-friendly weblog system. We think it is rare case but please deal with that as soon as possible if you are using such system.
>
> - This problem affects
>   * tDiary 2.2.2 or earlier (full set and plugins)
>   And, if you meet _all_ condition below
>   * tb-send.rb plugin is enabled
>   * using Microsoft Internet Explorer 7 (IE7)
>   * update diary via malicious crafted URL
>
> We confirmed this problem with update blog by using IE7 (maybe Old Internet Explorer as well but we don't check with that) and it is not showed with Firefox, Opera and Safari. And it exists with tDiary 2.2, not 2.3.
>
> * Impact
> An arbitrary script may be executed on some web browsers when blog owner accesses blog update page via special crafted URL or web site by malicious third-parties. It does not affect people who browse blog since this vulnerability exists in its update page only, and is accessible with administrator of that blog. However, there's a danger publish malicious page by exploiting this vulnerability.
>
> * Solutions
>   - disable tb-send.rb plugin
>   - update product to 2.2.3
>
> * Thanks to Project VEX of UBsecure, Inc.
Bug#572417: tdiary XSS
On Mon, 8 Mar 2010 03:01:39 am Hideki Yamane wrote:
> Hi Steffen,
>
> On Sun, 7 Mar 2010 21:47:53 +1100 Steffen Joeris steffen.joe...@skolelinux.de wrote:
>> Thanks for the information. Have you been able to reproduce the problem with IE and checked the patch?
>
> with IE6 and IE8, I cannot reproduce its problem. I'll test IE7 tomorrow.

Ok, because it would be good if you could reproduce the issue and then test whether the patch really fixes it for you.

> BTW, I get reply from upstream author for exploitable URI. Where should I send that, to Steffen or someone else?

Please send it to me in private.

Cheers
Steffen
Bug#568291: possible buffer overflows
Hi Mirco

> Hi
>
> GMime upstream has released latest 2.4.15 [1] version of the library fixing one security issue. From 2.4.15-changes [2] file:
>
> 2010-01-31 Jeffrey Stedfast f...@novell.com
>     * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent possible buffer overflows.
>
> The vulnerable code seems to be in gmime/gmime-utils.h, I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked. stable is also affected and would need to be fixed as well I guess. Please contact the security team (t...@security.debian.org), if you've checked the patch and have packages ready for lenny.

Upstream contacted me already and said that gmime2.2 is not affected, only gmime2.4 is. I have my doubts about this. Looking at gmime/gmime-utils.h we're having the same declaration for GMIME_UUENCODE_LEN that was declared vulnerable. For gmime2.2, GMIME_UUENCODE_LEN is used by g_mime_filter_set_size() in filter_filter(). The latter is also taking a size_t, so I'd suspect that it should be possible to overflow this as well? Note that I have not dived deeper into the code, but a short talk with RedHat revealed that fedora seems to be pushing updates for gmime2.2. Could you please have a look at it and clarify things?

Upstream's patch seems to increase the buffer by 2, I am not sure where their buffer calculation comes from, could you please double check that as well?

Cheers
Steffen
Bug#555233: system copy of prototypejs
Hi Andres

I've read your previous comments to the bugreport, but wanted to stress the point that it will not be acceptable for mediabomb to use an internal copy of prototypejs. We do not want a version of the package in squeeze that does not use the system wide prototypejs. I understand that this puts more work on the coordination effort and I am sorry for this. Just wanted to stress this point again as I fear that this problem will be reintroduced with an easy switch in the build system.

Cheers
Steffen
Bug#568291: possible buffer overflows
Package: libgmime-2.0-2a
Severity: grave
Tags: security patch

Hi

GMime upstream has released latest 2.4.15 [1] version of the library fixing one security issue. From 2.4.15-changes [2] file:

2010-01-31 Jeffrey Stedfast f...@novell.com
    * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent possible buffer overflows.

The vulnerable code seems to be in gmime/gmime-utils.h, I've attached upstream's patch for your convenience, but I did not have a deeper look at the buffer sizes, so it is unchecked. stable is also affected and would need to be fixed as well I guess. Please contact the security team (t...@security.debian.org), if you've checked the patch and have packages ready for lenny.

Thanks in advance.

Cheers
Steffen

References:
[1] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/
[2] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes
[3] http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz
[4] http://secunia.com/advisories/38459/

diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/ChangeLog gmime-2.4.15/ChangeLog --- gmime-2.4.14/ChangeLog 2010-01-30 17:28:48.0 + +++ gmime-2.4.15/ChangeLog 2010-02-02 13:51:02.0 + @@ -1,3 +1,16 @@ +2010-02-02 Jeffrey Stedfast f...@novell.com + + * README: Bumped version + + * configure.in: Bumped version to 2.4.15 + + * build/vs2008/gmime.vcproj: Bumped version. + +2010-01-31 Jeffrey Stedfast f...@novell.com + + * gmime/gmime-encodings.h (GMIME_UUENCODE_LEN): Fixed to prevent + possible buffer overflows. + 2010-01-30 Jeffrey Stedfast f...@novell.com * README: Bumped version diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/docs/reference/xml/gmime-encodings.xml gmime-2.4.15/docs/reference/xml/gmime-encodings.xml --- gmime-2.4.14/docs/reference/xml/gmime-encodings.xml 2010-01-30 17:30:37.0 + +++ gmime-2.4.15/docs/reference/xml/gmime-encodings.xml 2010-02-02 13:53:42.0 +
@@ -488,7 +488,7 @@ /para/refsect2 refsect2 id=GMIME-UUENCODE-LEN--CAPS role=macro titleGMIME_UUENCODE_LEN()/title -indexterm zone=GMIME-UUENCODE-LEN--CAPSprimary sortas=GMIME_UUENCODE_LENGMIME_UUENCODE_LEN/primary/indextermprogramlisting#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 62)) +indexterm zone=GMIME-UUENCODE-LEN--CAPSprimary sortas=GMIME_UUENCODE_LENGMIME_UUENCODE_LEN/primary/indextermprogramlisting#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 64)) /programlisting para Calculates the maximum number of bytes needed to uuencode the full diff -Nru -x '*.gmo' -x '*.mo' --speed-large-files --minimal gmime-2.4.14/gmime/gmime-encodings.h gmime-2.4.15/gmime/gmime-encodings.h --- gmime-2.4.14/gmime/gmime-encodings.h 2009-04-24 02:04:47.0 + +++ gmime-2.4.15/gmime/gmime-encodings.h 2010-02-01 13:32:53.0 + @@ -91,7 +91,7 @@ * Returns: the number of output bytes needed to uuencode an input * buffer of size @x. **/ -#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 62)) +#define GMIME_UUENCODE_LEN(x) ((size_t) (x) + 2) / 45) * 62) + 64)) /**
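Review bot: the gmime-encodings.h hunk changes only the trailing constant of `GMIME_UUENCODE_LEN(x)` from `+ 62` to `+ 64`, and the ChangeLog hunk just says `Fixed to prevent possible buffer overflows`; nothing in the patch explains the bound. Add a comment above the macro deriving the worst case (the expression already budgets 62 output bytes per 45 input bytes; the trailing constant has to cover the encoder's final partial line plus whatever trailer it writes) so the constant can be checked rather than trusted. The docs/reference XML hunk duplicates the same expression by hand, so it has to be kept in sync whenever the macro changes again.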
Bug#559531: reopen
reopen 559531
severity 559531 important
thanks

Hi

MSA-09-0025 and MSA-09-0029 don't seem to be fixed. Both issues are minor security issues, so I am lowering the severity.

Cheers
Steffen
Bug#505122: NMU patch
Hi

I've uploaded the attached patch to Delayed-5, please let me know if I should cancel it. I only had to include this one header, since the other issues did not occur, neither in my cowbuilder on i386 nor on the porterbox on amd64.

Cheers
Steffen

diff -u audiere-1.9.4/debian/changelog audiere-1.9.4/debian/changelog --- audiere-1.9.4/debian/changelog +++ audiere-1.9.4/debian/changelog @@ -1,3 +1,11 @@ +audiere (1.9.4-3.1) unstable; urgency=low + + * Non-maintainer upload + * Fix FTBFS with GCC 4.4 (Closes: #505122) +Thanks to Martin Michlmayr + + -- Steffen Joeris wh...@debian.org Sat, 30 Jan 2010 18:57:35 +0100 + audiere (1.9.4-3) unstable; urgency=low [ Arthur Loiret ] only in patch2: unchanged: --- audiere-1.9.4.orig/debian/patches/gcc-4.4.diff +++ audiere-1.9.4/debian/patches/gcc-4.4.diff @@ -0,0 +1,10 @@ +--- ../old/audiere-1.9.4/src/utility.cpp 2006-02-14 05:57:01.0 +0100 audiere-1.9.4/src/utility.cpp 2010-01-30 19:01:39.0 +0100 +@@ -3,6 +3,7 @@ + #endif + + ++#include cstdio + #include ctype.h + #include utility.h + #include internal.h
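Review bot: the gcc-4.4.diff hunk adds `#include cstdio` (the C++ spelling) directly above the existing `#include ctype.h` in utility.cpp, so the file now mixes the `<c...>` and `.h` header styles; either builds with GCC 4.4, but pick one for the pair. The dpatch also carries no description and the changelog entry only says `Fix FTBFS with GCC 4.4`, so add a one-line note naming the identifier that GCC 4.4 stopped providing implicitly and that this header supplies, which makes the patch verifiable against the build log.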
Bug#564601: CVE id for maildrop issue (CVE-2010-0301)
Hi

FYI, this issue has been assigned CVE-2010-0301.

Cheers
Steffen
Bug#550389: NMU patch
Hi

Please find attached the NMU patch for this issue and an issue with open debconf file descriptors that left the postinst script hanging.

Cheers
Steffen

diff -u hybserv-1.9.2/debian/changelog hybserv-1.9.2/debian/changelog --- hybserv-1.9.2/debian/changelog +++ hybserv-1.9.2/debian/changelog @@ -1,3 +1,14 @@ +hybserv (1.9.2-4.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix DoS via commands with tabs (Closes: #550389) +Fixes: CVE-2010-0303 + * Add db_stop into hybserv.postinst to avoid that the postinst script +hangs due to open debconf file descriptors +Thanks to Julien Cristau + + -- Steffen Joeris wh...@debian.org Fri, 29 Jan 2010 14:30:27 +0100 + hybserv (1.9.2-4) unstable; urgency=low * Update 01_fhs+mkdirfix.dpatch: diff -u hybserv-1.9.2/debian/hybserv.postinst hybserv-1.9.2/debian/hybserv.postinst --- hybserv-1.9.2/debian/hybserv.postinst +++ hybserv-1.9.2/debian/hybserv.postinst @@ -10,2 +10,4 @@ +db_stop + #DEBHELPER# diff -u hybserv-1.9.2/debian/patches/00list hybserv-1.9.2/debian/patches/00list --- hybserv-1.9.2/debian/patches/00list +++ hybserv-1.9.2/debian/patches/00list @@ -2,0 +3 @@ +03_commands_DoS only in patch2: unchanged: --- hybserv-1.9.2.orig/debian/patches/03_commands_DoS.dpatch +++ hybserv-1.9.2/debian/patches/03_commands_DoS.dpatch @@ -0,0 +1,14 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +...@dpatch@ +--- ../old/hybserv-1.9.2/src/mystring.c 2005-11-29 11:40:00.0 + hybserv-1.9.2/src/mystring.c 2010-01-29 09:58:15.0 + +@@ -142,7 +142,7 @@ + else + return x; + +- while (*buf == ' ') ++ while (IsSpace(*buf)) + ++buf; + + if (*buf == '\0')
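Review bot: the hybserv.postinst hunk adds an unconditional `db_stop` before `#DEBHELPER#`, which only works if the script has sourced `/usr/share/debconf/confmodule` on every code path that reaches this point; the two lines of context do not show that. Confirm the confmodule is sourced unconditionally near the top of the script, otherwise guard the call (`type db_stop >/dev/null 2>&1 && db_stop`) so a run without debconf does not fail on an undefined function.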
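Review bot: the 03_commands_DoS hunk replaces `while (*buf == ' ')` with `while (IsSpace(*buf))`, widening the skipped set from a literal space to whatever `IsSpace()` matches (tabs, per the changelog's `Fix DoS via commands with tabs`); confirm `IsSpace` is declared in a header mystring.c already includes, and that `IsSpace('\0')` is false, since the `if (*buf == '\0')` check that follows is the only thing that stops an all-whitespace command from walking past the terminator.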
Bug#550389: CVE id
Hi

For the record, this issue got CVE-2010-0303 assigned.

Cheers
Steffen
Bug#567193: include patch from DSA to fix integer underflow
Package: oftc-hybrid
Severity: grave
Tags: security patch

Hi

Please include the patch from DSA-1980-1, which fixes an integer underflow (patch attached).

Cheers
Steffen

--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c +++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c @@ -103,7 +103,9 @@ } else *d++ = *src; -++src, --len; +if (len 0) { + ++src, --len; +} } *d = '\0'; return dest;
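Review bot: the irc_string.c hunk wraps `++src, --len;` in a new `if (len ...)` guard so `len` can no longer be decremented below zero, but the loop condition that consumes `len` is outside the three lines of context; confirm that the enclosing loop terminates on `len` when it reaches 0, because once the guard stops advancing `src` a loop that only tests `*src` would spin on the same character. A short comment on the guard naming the underflow it closes (the DSA-1980-1 issue) would also make the intent obvious to the next reader.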
Bug#567191: please include patches from DSA
Package: ircd-ratbox
Severity: grave
Tags: security patch

Hi

DSA-1980-1 has fixed two issues in ircd-ratbox, patches attached. Please include them in the next upload.

Cheers
Steffen

--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c +++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c @@ -103,7 +103,9 @@ } else *d++ = *src; -++src, --len; +if (len 0) { + ++src, --len; +} } *d = '\0'; return dest; --- ircd-ratbox/branches/RATBOX_3_0/src/cache.c 2008/12/18 03:49:48 26334 +++ ircd-ratbox/branches/RATBOX_3_0/src/cache.c 2010/01/22 17:26:08 26732 @@ -114,12 +114,25 @@ struct cachefile *cacheptr; struct cacheline *lineptr; char line[BUFSIZE]; + struct stat st; + char *p; if((in = fopen(filename, r)) == NULL) return NULL; - +/* check and make sure we have something that is a file... */ + if(fstat(fileno(in), st) == -1) + { + fclose(in); + return NULL; + } + if(!S_ISREG(st.st_mode)) + { + fclose(in); + return NULL; + } + cacheptr = rb_malloc(sizeof(struct cachefile)); rb_strlcpy(cacheptr-name, shortname, sizeof(cacheptr-name)); @@ -140,7 +153,11 @@ else rb_dlinkAddTailAlloc(emptyline, cacheptr-contents); } - + if(rb_dlink_list_length(cacheptr-contents) == 0) + { + rb_free(cacheptr); + cacheptr = NULL; + } fclose(in); return cacheptr; } @@ -222,6 +239,7 @@ struct stat sb; #endif + /* opers must be done first */ helpfile_dir = opendir(HPATH); @@ -232,7 +250,8 @@ { rb_snprintf(filename, sizeof(filename), %s/%s, HPATH, ldirent-d_name); cacheptr = cache_file(filename, ldirent-d_name, HELP_OPER); - add_to_help_hash(cacheptr-name, cacheptr); + if(cacheptr != NULL) + add_to_help_hash(cacheptr-name, cacheptr); } closedir(helpfile_dir); @@ -265,7 +284,8 @@ #endif cacheptr = cache_file(filename, ldirent-d_name, HELP_USER); - add_to_help_hash(cacheptr-name, cacheptr); + if(cacheptr != NULL) + add_to_help_hash(cacheptr-name, cacheptr); } closedir(helpfile_dir);
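Review bot: after the cache.c hunks `cache_file()` returns NULL in three new situations (fstat failure, a non-regular file, a file whose contents list ends up empty), but only the two help-loading loops in this diff gained `if(cacheptr != NULL)` before `add_to_help_hash`; any other caller of `cache_file()` outside the diff will now dereference NULL, so audit them and name them in the patch description. Using `fstat` on the already-open stream rather than `stat` on the path is the right way to avoid a check-then-open race; a comment saying so would stop someone "simplifying" it later.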
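Review bot: the second cache.c hunk adds `char *p;` to the locals but nothing in the hunks shown uses it; either the use is in a hunk not included in this extract or it is dead and should be dropped, since a set-but-unused local will draw a compiler warning. In the same hunk, the empty-contents path frees `cacheptr` after `rb_strlcpy` filled `cacheptr-name`, which is fine as long as `struct cachefile` has no other heap members allocated between the malloc and the length test; worth a one-line comment because the `rb_dlinkAddTailAlloc(emptyline, ...)` branch means blank lines do count as contents and keep the file.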
Bug#567192: include patches from recent DSA
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.1
Severity: grave
Tags: security patch

Hi

DSA-1980-1 has fixed an issue in ircd-hybrid, patch attached. Please include this patch in your next upload.

Cheers
Steffen

--- ircd-hybrid-7.2.2.dfsg.2.orig/src/irc_string.c +++ ircd-hybrid-7.2.2.dfsg.2/src/irc_string.c @@ -103,7 +103,9 @@ } else *d++ = *src; -++src, --len; +if (len 0) { + ++src, --len; +} } *d = '\0'; return dest;
Bug#563784: bastille NMU
Hi

Please find the NMU attached, since bastille-firewall should have the network interfaces, I've added a required-* to $network.

Cheers
Steffen

diff -u bastille-3.0.9/debian/bastille-firewall bastille-3.0.9/debian/bastille-firewall --- bastille-3.0.9/debian/bastille-firewall +++ bastille-3.0.9/debian/bastille-firewall @@ -2,8 +2,8 @@ # ### BEGIN INIT INFO # Provides: bastille-firewall -# Required-Start:$local_fs ifupdown -# Required-Stop: $local_fs ifupdown +# Required-Start:$network +# Required-Stop: $network # Default-Start: S # Default-Stop: 0 6 # Short-Description: Load/unload ipchains rulesets diff -u bastille-3.0.9/debian/changelog bastille-3.0.9/debian/changelog --- bastille-3.0.9/debian/changelog +++ bastille-3.0.9/debian/changelog @@ -1,3 +1,13 @@ +bastille (1:3.0.9-12.1) unstable; urgency=low + + * Non-maintainer upload + * Change dependency in init LSB header to use $network rather than +$local_fs to make sure networking is available during boot and to +make the package installation work again (Closes: #563784) +Thanks to Petter Reinholdtsen + + -- Steffen Joeris wh...@debian.org Sat, 23 Jan 2010 13:08:40 +0100 + bastille (1:3.0.9-12) unstable; urgency=low * Set bin/bastille to be a bash shell since 'set +o privilege' is not
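Review bot: the LSB header hunk replaces `$local_fs ifupdown` with just `$network` in both Required-Start and Required-Stop, so the explicit `$local_fs` dependency is dropped rather than supplemented; `$network` is a different facility (it stands for the networking service that ifupdown provides), and unless insserv's definition of `$network` on the target release already implies `$local_fs`, the header should read `$local_fs $network` so the ipchains rulesets under a possibly separate filesystem are guaranteed to be mounted first. The changelog wording `use $network rather than $local_fs` should then be adjusted to describe the header as actually changed.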
Bug#545651: FTBFS for gcc4.4 patch
Hi Unfortunately, the package still doesn't work, but please find the patch for the initialising error from the newer compiler below. Cheers Steffen --- insight-6.7.1.dfsg.1.orig/gdb/eval.c +++ insight-6.7.1.dfsg.1/gdb/eval.c @@ -1627,6 +1627,8 @@ if (nargs != ndimensions) error (_(Wrong number of subscripts)); + memset(subscript_array, 0, sizeof(subscript_array)); + /* Now that we know we have a legal array subscript expression let us actually find out where this element exists in the array. */ only in patch2: unchanged:
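Review bot: `memset(subscript_array, 0, sizeof(subscript_array))` only clears the whole array if `subscript_array` is declared as an array in this scope; if it is a pointer, sizeof() yields the pointer size and only the first few bytes are zeroed while gcc 4.4's uninitialised-use error may still fire. The declaration is outside the hunk, so verify it before applying, and add a short comment saying this is a workaround for the compiler diagnostic rather than a logic fix, so the next person does not remove it.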
Bug#557807: proposed argus-server patch
Hi Andrew Following up on this bug report, if I take the current argus-server package from unstable and try to rebuild it, I'll end up without the argus (or argus_linux) binary in the package[0]. There seems to be a change in the libpcap package's API. Also, you've used the pcap_read() and pcap_offline_read() functions. I found a similar problem in tcptrace[1] and it was suggested to use the public pcap_dispatch() function. Since I am not using argus-server, I have done some preliminary testing and I could at least see that argus could record some wlan traffic and I could read it with ra. I'll try to discuss this bug later with the libpcap maintainer (Torsten Werner) here at the BSP, but your comments would of course be appreciated as well. Cheers Steffen [0]: I think we should actually consider this a bug but let's leave it for now. [1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545595 --- argus-2.0.6.fixes.1.orig/common/argus_filter.c +++ argus-2.0.6.fixes.1/common/argus_filter.c @@ -3628,10 +3628,10 @@ #include stdio.h -extern void bpf_dump(struct bpf_program *, int); +extern void bpf_dump(const struct bpf_program *, int); void -bpf_dump(struct bpf_program *p, int option) +bpf_dump(const struct bpf_program *p, int option) { struct bpf_insn *insn; int i; only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/include/argus_filter.h +++ argus-2.0.6.fixes.1/include/argus_filter.h @@ -142,7 +142,7 @@ u_int ipaddrtonetmask(u_int); u_int getnetnumber(u_int); -void bpf_dump(struct bpf_program *, int); +void bpf_dump(const struct bpf_program *, int); char *intoa(u_int); static SIGRET nohostname(int); 
@@ -225,7 +225,7 @@ extern u_int ipaddrtonetmask(u_int); extern u_int getnetnumber(u_int); -extern void bpf_dump(struct bpf_program *, int); +extern void bpf_dump(const struct bpf_program *, int); extern char *intoa(u_int); extern char * getname(u_char *); only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/server/ArgusSource.h +++ argus-2.0.6.fixes.1/server/ArgusSource.h @@ -324,7 +324,7 @@ int ArgusCreatePktFromFddi(const struct fddi_header *, struct ether_header *, int); -extern char *bpf_image(struct bpf_insn *, int); +extern char *bpf_image(const struct bpf_insn *, int); #else /* defined(ArgusSource) */ only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/server/ArgusSource.c +++ argus-2.0.6.fixes.1/server/ArgusSource.c @@ -956,7 +956,7 @@ ArgusInterfaceIndex = i; switch (ArgusInterface[i].ArgusInterfaceType) { case ARGUSLIBPPKTFILE: - if ((pcap_read (ArgusPd[i], -1, ArgusCallBack, (u_char *) NULL)) 0) { + if ((pcap_dispatch (ArgusPd[i], -1, ArgusCallBack, (u_char *) NULL)) 0) { #ifdef ARGUSDEBUG ArgusDebug (4, ArgusGetPackets: pcap_read() returned %s, pcap_geterr(ArgusPd[i])); #endif @@ -1022,7 +1022,7 @@ } while (noerror (Nflag != 0) (!(ArgusShutDownStarted))); } else { - pcap_offline_read (ArgusPd[0], -1, ArgusCallBack, (u_char *) NULL); + pcap_dispatch (ArgusPd[0], -1, ArgusCallBack, (u_char *) NULL); } }
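Review bot: in the server/ArgusSource.c hunk at line 956 the ARGUSDEBUG message still says `pcap_read() returned %s` although the call is now pcap_dispatch(); update the text so the log line matches the call that actually failed. The condition `if ((pcap_dispatch (...)) 0)` has lost its operator in transit; keep it `< 0`, since pcap_dispatch() returns -1 on error and -2 when pcap_breakloop() was called, and both should take the error path.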
Bug#557807: NMU
Hi Since it works and Noah could confirm it, I'll NMU (hit me later :) ). Cheers Steffen diff -u argus-2.0.6.fixes.1/debian/changelog argus-2.0.6.fixes.1/debian/changelog --- argus-2.0.6.fixes.1/debian/changelog +++ argus-2.0.6.fixes.1/debian/changelog @@ -1,3 +1,12 @@ +argus (1:2.0.6.fixes.1-16.1) unstable; urgency=low + + * Non-maintainer upload + * Use pcap_dispatch() rather than the private functions +pcap_offline_read()/pcap_read() and fix a few compilation errors +(Closes: #557807) + + -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 15:16:59 +0100 + argus (1:2.0.6.fixes.1-16) unstable; urgency=low * Updated Swedish debconf template translation (closes: #491934) only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/common/argus_filter.c +++ argus-2.0.6.fixes.1/common/argus_filter.c @@ -3628,10 +3628,10 @@ #include stdio.h -extern void bpf_dump(struct bpf_program *, int); +extern void bpf_dump(const struct bpf_program *, int); void -bpf_dump(struct bpf_program *p, int option) +bpf_dump(const struct bpf_program *p, int option) { struct bpf_insn *insn; int i; only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/include/argus_filter.h +++ argus-2.0.6.fixes.1/include/argus_filter.h @@ -142,7 +142,7 @@ u_int ipaddrtonetmask(u_int); u_int getnetnumber(u_int); -void bpf_dump(struct bpf_program *, int); +void bpf_dump(const struct bpf_program *, int); char *intoa(u_int); static SIGRET nohostname(int); @@ -225,7 +225,7 @@ extern u_int ipaddrtonetmask(u_int); extern u_int getnetnumber(u_int); -extern void bpf_dump(struct bpf_program *, int); +extern void bpf_dump(const struct bpf_program *, int); extern char *intoa(u_int); extern char * getname(u_char *); only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/server/ArgusSource.h +++ argus-2.0.6.fixes.1/server/ArgusSource.h 
@@ -324,7 +324,7 @@ int ArgusCreatePktFromFddi(const struct fddi_header *, struct ether_header *, int); -extern char *bpf_image(struct bpf_insn *, int); +extern char *bpf_image(const struct bpf_insn *, int); #else /* defined(ArgusSource) */ only in patch2: unchanged: --- argus-2.0.6.fixes.1.orig/server/ArgusSource.c +++ argus-2.0.6.fixes.1/server/ArgusSource.c @@ -956,7 +956,7 @@ ArgusInterfaceIndex = i; switch (ArgusInterface[i].ArgusInterfaceType) { case ARGUSLIBPPKTFILE: - if ((pcap_read (ArgusPd[i], -1, ArgusCallBack, (u_char *) NULL)) 0) { + if ((pcap_dispatch (ArgusPd[i], -1, ArgusCallBack, (u_char *) NULL)) 0) { #ifdef ARGUSDEBUG ArgusDebug (4, ArgusGetPackets: pcap_read() returned %s, pcap_geterr(ArgusPd[i])); #endif @@ -1022,7 +1022,7 @@ } while (noerror (Nflag != 0) (!(ArgusShutDownStarted))); } else { - pcap_offline_read (ArgusPd[0], -1, ArgusCallBack, (u_char *) NULL); + pcap_dispatch (ArgusPd[0], -1, ArgusCallBack, (u_char *) NULL); } }
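Review bot: in the ArgusSource.c hunk at line 1022 the return value of the offline `pcap_dispatch (ArgusPd[0], -1, ...)` call is discarded, exactly as it was for pcap_offline_read(); a truncated or corrupt savefile therefore ends the read loop silently. Check for a negative return and log pcap_geterr() the same way the live-capture branch does.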
Bug#565287: gwget2 nmu
Hi Please find the NMU attached. Cheers Steffen diff -u gwget2-1.0.4/debian/changelog gwget2-1.0.4/debian/changelog --- gwget2-1.0.4/debian/changelog +++ gwget2-1.0.4/debian/changelog @@ -1,3 +1,11 @@ +gwget2 (1.0.4-1.1) unstable; urgency=low + + * Non-maintainer upload + * Fix FTBFS in gwget2 by adjusting configure.ac and debian/rules +(Closes: #565287) Thanks to Peter Green + + -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 21:39:05 +0100 + gwget2 (1.0.4-1) unstable; urgency=low * New upstream release. Closes: #533658, #552715. diff -u gwget2-1.0.4/debian/rules gwget2-1.0.4/debian/rules --- gwget2-1.0.4/debian/rules +++ gwget2-1.0.4/debian/rules @@ -2,12 +2,32 @@ include /usr/share/cdbs/1/rules/debhelper.mk +#run autoreconf to generate configure stuff +makebuilddir:: + aclocal + libtoolize + autoconf + autoheader + automake + + # Workaround which runs ``make distclean'' before unapplying patches cleanbuilddir:: # Invoke distclean -$(DEB_MAKE_INVOKE) -k distclean rm -f data/GNOME_Gwget.server.in data/GNOME_Gwget.server \ data/gwget.schemas + # cleanup generated autoconf files (now we want them regenerated) + rm -f config.h.in + rm -f configure + rm -f libtool + rm -f ltmain.sh + rm -f aclocal.m4 + rm -f data/Makefile.in + rm -f epiphany-extension/Makefile.in + rm -f Makefile.in + rm -f pixmaps/Makefile.in + rm -f src/Makefile.in LDFLAGS := -Wl,--as-needed @@ -21,7 +41,7 @@ DEB_MAKE_CLEAN_TARGET := DEB_CONFIGURE_EXTRA_FLAGS += --enable-epiphany-extension \ - --with-epiphany-version=2.28 --disable-static + --with-epiphany-version=2.29 --disable-static binary-post-install/epiphany-extension-gwget:: rm -f debian/epiphany-extension-gwget/usr/lib/epiphany-*/*/*/*.la diff -u gwget2-1.0.4/debian/control.in gwget2-1.0.4/debian/control.in --- gwget2-1.0.4/debian/control.in +++ gwget2-1.0.4/debian/control.in 
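Review bot: the new makebuilddir:: target runs aclocal, libtoolize, autoconf, autoheader and automake, but only `libtool` is added to Build-Depends; autoconf and automake must be listed too or the build fails in a clean chroot. Plain `automake` on a tree whose generated files have just been removed also needs `--add-missing --copy`; `autoreconf -fi` would run all five tools in the right order. Since cleanbuilddir:: now deletes files shipped in the upstream tarball (configure, Makefile.in, ltmain.sh, aclocal.m4, ...), dpkg-source with the 1.0 format will warn that it is ignoring those deletions, and building twice in a row relies on makebuilddir:: regenerating them every time.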
@@ -18,7 +18,8 @@ epiphany-browser-dev ( 2.30), gnome-pkg-tools, intltool (= 0.35.0), - quilt + quilt, + libtool Homepage: http://gnome.org/projects/gwget/ Vcs-Svn: svn://svn.debian.org/svn/pkg-gnome/packages/unstable/gwget2 Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnome/packages/unstable/gwget2/?op=log diff -u gwget2-1.0.4/debian/control gwget2-1.0.4/debian/control --- gwget2-1.0.4/debian/control +++ gwget2-1.0.4/debian/control @@ -23,7 +23,8 @@ epiphany-browser-dev ( 2.30), gnome-pkg-tools, intltool (= 0.35.0), - quilt + quilt, + libtool Homepage: http://gnome.org/projects/gwget/ Vcs-Svn: svn://svn.debian.org/svn/pkg-gnome/packages/unstable/gwget2 Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnome/packages/unstable/gwget2/?op=log diff -u gwget2-1.0.4/debian/patches/series gwget2-1.0.4/debian/patches/series --- gwget2-1.0.4/debian/patches/series +++ gwget2-1.0.4/debian/patches/series @@ -1,0 +2 @@ +fix_epiphany_2.29.patch only in patch2: unchanged: --- gwget2-1.0.4.orig/debian/patches/fix_epiphany_2.29.patch +++ gwget2-1.0.4/debian/patches/fix_epiphany_2.29.patch @@ -0,0 +1,15 @@ +Index: gwget2-1.0.4/configure.ac +=== +--- gwget2-1.0.4.orig/configure.ac 2010-01-15 23:36:04.0 + gwget2-1.0.4/configure.ac 2010-01-15 23:37:25.0 + +@@ -229,6 +229,10 @@ + EPIPHANY_PKGCONFIG=epiphany-2.28 + EPIPHANY_REQUIRED=2.28 + EPIPHANY_SHORTVER=228 ++elif test x$EPHY_VER = x2.29; then ++ EPIPHANY_PKGCONFIG=epiphany-2.29 ++ EPIPHANY_REQUIRED=2.29 ++ EPIPHANY_SHORTVER=229 + else + AC_MSG_RESULT([no epiphany installed]) + fi
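Review bot: fix_epiphany_2.29.patch adds an exact `x2.29` branch mirroring the existing 2.28 block, and debian/rules now passes `--with-epiphany-version=2.29`; this unbreaks the build against the current epiphany, but each new minor release will need another elif plus a matching bump of the epiphany-browser-dev bound in Build-Depends (shown here as `( 2.30)` with its operator lost). Worth a note in the changelog so the next FTBFS is easy to recognise.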
Bug#505626: NMU patch
Hi Please find the NMU patch attached. Cheers Steffen diff -u mm3d-1.3.7/debian/changelog mm3d-1.3.7/debian/changelog --- mm3d-1.3.7/debian/changelog +++ mm3d-1.3.7/debian/changelog @@ -1,3 +1,11 @@ +mm3d (1.3.7-1.2) unstable; urgency=low + + * Non-maintainer upload + * Fix FTBFS due to newer GCC compiler (Closes: #505626) +Thanks to Martin Michlmayr + + -- Steffen Joeris wh...@debian.org Fri, 22 Jan 2010 23:08:35 +0100 + mm3d (1.3.7-1.1) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- mm3d-1.3.7.orig/src/mm3dcore/tool.h +++ mm3d-1.3.7/src/mm3dcore/tool.h @@ -231,7 +231,7 @@ double x, double y, double z ); void makeToolCoordList( Parent * parent, ToolCoordList list, - const list Model::Position positions ); + const std::list Model::Position positions ); }; class ToolSeparator : public Tool only in patch2: unchanged: --- mm3d-1.3.7.orig/src/mm3dcore/texturetest.cc +++ mm3d-1.3.7/src/mm3dcore/texturetest.cc @@ -24,6 +24,8 @@ #include texmgr.h +#include cstdio + void texture_test_compare( const char * f1, const char * f2, unsigned fuzzyValue ) { TextureManager * texmgr = TextureManager::getInstance(); only in patch2: unchanged: --- mm3d-1.3.7.orig/src/mm3dcore/scriptif.cc +++ mm3d-1.3.7/src/mm3dcore/scriptif.cc @@ -43,7 +43,7 @@ static string _getWriteFileName( const char * file ) { string s = file; - char * ext = strrchr( file, '.' ); + const char * ext = strrchr( file, '.' ); if ( ext == NULL ) { only in patch2: unchanged: --- mm3d-1.3.7.orig/src/implui/qttex.cc +++ mm3d-1.3.7/src/implui/qttex.cc @@ -27,6 +27,7 @@ #include mm3dconfig.h #include log.h +#include cstdio #include ctype.h #include QtCore/QBuffer @@ -316,7 +317,7 @@ void QtTextureFilter::getFormatString( char * format, const char * filename ) { - char * ext = strrchr( filename, '.' ); + const char * ext = strrchr( filename, '.' ); if ( ext ) { ext++; // Skip '.' only in patch2: unchanged: --- mm3d-1.3.7.orig/src/implui/keycfg.cc +++ mm3d-1.3.7/src/implui/keycfg.cc 
@@ -27,6 +27,8 @@ #include QtGui/QApplication +#include cstdio + static void _chomp( char * str ) { int len = 0; only in patch2: unchanged: --- mm3d-1.3.7.orig/src/libmm3d/misc.cc +++ mm3d-1.3.7/src/libmm3d/misc.cc @@ -299,7 +299,7 @@ if ( pathIsAbsolute( path ) ) { string rval; - char * temp = strrchr( path, '/' ); + const char * temp = strrchr( path, '/' ); if ( temp ) { temp++; only in patch2: unchanged: --- mm3d-1.3.7.orig/src/libmm3d/mm3dport.h +++ mm3d-1.3.7/src/libmm3d/mm3dport.h @@ -54,7 +54,7 @@ intPORT_mkdir( const char * pathname, mode_t mode ); intPORT_snprintf( char * dest, size_t len, const char * fmt, ... ); intPORT_vsnprintf( char * dest, size_t len, const char * fmt, va_list args ); -char * PORT_strcasestr( const char * haystack, const char * needle ); +const char * PORT_strcasestr( const char * haystack, const char * needle ); char * PORT_basename( const char * path ); char * PORT_dirname( const char * path ); only in patch2: unchanged: --- mm3d-1.3.7.orig/src/libmm3d/mm3dport.cc +++ mm3d-1.3.7/src/libmm3d/mm3dport.cc @@ -247,7 +247,7 @@ } } #else -char * PORT_strcasestr( const char * haystack, const char * needle ) +const char * PORT_strcasestr( const char * haystack, const char * needle ) { return strcasestr( haystack, needle ); } @@ -258,7 +258,7 @@ static char rval[ PATH_MAX ] = ; if ( path ) { - char * start = strrchr( path, '/' ); + const char * start = strrchr( path, '/' ); if ( !start ) {
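Review bot: in the src/libmm3d/mm3dport.cc hunk at line 247 only the `#else` branch of PORT_strcasestr() is changed to return `const char *`; the branch above it (the fallback implementation used when the system strcasestr() is not available) sits outside the hunk and must get the same return type, or the build breaks precisely on the platforms that take that branch. Every caller that stores the result in a plain `char *` also needs updating, as the strrchr() callers in the other hunks were.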
Bug#566002: CVE-2010-0001: integer underflow
Package: gzip Version: 1.3.12-8 Severity: grave Tags: security patch Hi Bdale, Carl. Carl, I saw too late that you're a new co-maintainer so I only forwarded the pre-notification to Bdale (who is probably busy at LCA). The following CVE (Common Vulnerabilities Exposures) id was published for gzip and is still open for unstable/testing. CVE-2010-0001[0] (from the DSA text): Aki Helin discovered an integer underflow when decompressing files that are compressed using the LZW algorithm. This could lead to the execution of arbitrary code when trying to decompress a crafted LZW compressed gzip archive. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. I am available for NMU/sponsoring, in case you're still busy, just drop me a line, please. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001 http://security-tracker.debian.org/tracker/CVE-2010-0001 patch: --- gzip-1.3.12.orig/unlzw.c +++ gzip-1.3.12/unlzw.c @@ -248,7 +248,8 @@ int o; resetbuf: - e = insize-(o = (posbits3)); + o = posbits 3; + e = o = insize ? insize - o : 0; for (i = 0 ; i e ; ++i) { inbuf[i] = inbuf[i+o];
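Review bot: the two added lines show up here as `o = posbits 3;` and `e = o = insize ? insize - o : 0;` with their operators lost; the intended code is `o = posbits >> 3;` and `e = o <= insize ? insize - o : 0;`. Read literally the second line is an assignment chain, not a comparison, so verify both operators in the applied patch. The ternary is the actual fix: the old `e = insize - o` went negative whenever `o` exceeded `insize`, which is the underflow described in the DSA text, and clamping `e` to zero keeps the copy loop `for (i = 0 ; i < e ; ++i)` and the remaining-input bookkeeping sane.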
Bug#504956: dc-qt: diff for NMU version 0.2.0.alpha-4.1
Hi Christoph I've prepared an NMU for dc-qt (versioned as 0.2.0.alpha-4.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Thanks for your work. I am not really maintaining the package anymore. I guess I should check whether the alternatives are good enough to remove it, if no one else wants to maintain it. Cheers Steffen
Bug#558685: some more information and patch on rails issues
Hi Adam These issues have been assigned CVE ids, see below: CVE-2009-4214[0]: | Cross-site scripting (XSS) vulnerability in the strip_tags function in | Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote | attackers to inject arbitrary web script or HTML via vectors involving | non-printing ASCII characters, related to HTML::Tokenizer and | actionpack/lib/action_controller/vendor/html-scanner/html/node.rb. CVE-2008-7248[1]: | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify | tokens for requests with certain content types, which allows remote | attackers to bypass cross-site request forgery (CSRF) protection for | requests to applications that rely on this protection, as demonstrated | using text/plain. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in the @@unverifiable_types. The upstream patch for this issue is here[2] and needs to be included in the sid version. CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please have a deeper look at that change, because I didn't. :) I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the updated packages for lenny, please also include a fix for CVE-2009-3086[4]. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214 http://security-tracker.debian.org/tracker/CVE-2009-4214 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248 http://security-tracker.debian.org/tracker/CVE-2008-7248 [2] http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a [3] http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5 [4] http://security-tracker.debian.org/tracker/CVE-2009-3086 Cheers Steffen
Bug#562165: CVE-2009-4369, CVE-2009-4370, CVE-2009-4371: Several XSS issues
Package: drupal6 Severity: grave Tags: security patch Hi Luigi, the following CVE (Common Vulnerabilities Exposures) ids were published for drupal6. CVE-2009-4371[0]: | Cross-site scripting (XSS) vulnerability in the Locale module | (modules/locale/locale.module) in Drupal Core 6.14, and possibly other | versions including 6.15, allows remote authenticated users with | administer languages permissions to inject arbitrary web script or | HTML via the (1) Language name in English or (2) Native language name | fields in the Custom language form. CVE-2009-4370[1]: | Cross-site scripting (XSS) vulnerability in the Menu module | (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows | remote authenticated users with permissions to create new menus to | inject arbitrary web script or HTML via a menu description, which is | not properly handled in the menu administration overview. CVE-2009-4369[2]: | Cross-site scripting (XSS) vulnerability in the Contact module | (modules/contact/contact.admin.inc or modules/contact/contact.module) | in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote | authenticated users with administer site-wide contact form | permissions to inject arbitrary web script or HTML via the contact | category name. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. For the latter two you can find the upstream patch here[3]. The former issue has the patch here[4]. For lenny, please coordinate with the stable release team and go via stable-proposed-updates as these issues do not seem to warrant a DSA. 
Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4371 http://security-tracker.debian.org/tracker/CVE-2009-4371 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4370 http://security-tracker.debian.org/tracker/CVE-2009-4370 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4369 http://security-tracker.debian.org/tracker/CVE-2009-4369 [3] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch [4] http://www.madirish.net/?article=442
Bug#562165: drupal5?
Hi Luigi By the way, drupal5 is also affected by at least one of these issues. Can we remove drupal5 from Debian or is there a reason for keeping it? It would be easier to have it gone, then we'd only have to track one package. Cheers Steffen
Bug#560604: NMU patch
Hi Please find attached the NMU I just uploaded to the delayed-10-days queue. If you disagree with the upload, please let me know and I can cancel it. Merry Christmas. :) Cheers Steffen diff -u qemulator-0.5/debian/control qemulator-0.5/debian/control --- qemulator-0.5/debian/control +++ qemulator-0.5/debian/control @@ -2,7 +2,7 @@ Section: otherosfs Priority: extra Maintainer: Francesco Namuri france...@namuri.it -Build-Depends: cdbs, debhelper (= 5.0.38), imagemagick, python-central (= 0.5.6), patchutils +Build-Depends: cdbs, debhelper (= 5.0.38), imagemagick, python-central (= 0.5.6), patchutils, libmagickcore2-extra XS-Python-Version: current, = 2.4 Standards-Version: 3.7.2 diff -u qemulator-0.5/debian/changelog qemulator-0.5/debian/changelog --- qemulator-0.5/debian/changelog +++ qemulator-0.5/debian/changelog @@ -1,3 +1,12 @@ +qemulator (0.5-3.1) unstable; urgency=low + + * Non-maintainer upload + * Add libmagickcore2-extra as build-depends since imagemagick has +reorganised the plugin packages (thanks to Stuart Prescott) +(Closes: #560604) + + -- Steffen Joeris wh...@debian.org Wed, 23 Dec 2009 22:19:35 +0100 + qemulator (0.5-3) unstable; urgency=low * debian/patches/fix_python_dir.patch: fixed to avoid patching of
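Review bot: the control hunk adds `libmagickcore2-extra`, a SONAME-versioned package name, to Build-Depends; that fixes the build today but ties the package to the current imagemagick ABI, so the same FTBFS will come back at the next libmagickcore bump. If imagemagick offers an unversioned metapackage for the extra coders, depending on that is more robust; otherwise a note in the changelog about why the versioned name is needed helps the maintainer.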
Bug#561338: CVE-2009-4032: multiple XSS issues
Package: cacti Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities Exposures) id was published for cacti. CVE-2009-4032[0]: | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e | allow remote attackers to inject arbitrary web script or HTML via | vectors related to (1) graph.php, (2) include/top_graph_header.php, | (3) lib/html_form.php, and (4) lib/timespan_settings.php, as | demonstrated by the (a) graph_end or (b) graph_start parameters to | graph.php; (c) the date1 parameter in a tree action to graph_view.php; | and the (d) page_refresh and (e) default_dual_pane_width parameters to | graph_settings.php. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Uploaded NMU patch attached. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4032 http://security-tracker.debian.org/tracker/CVE-2009-4032 diff -u cacti-0.8.7e/debian/changelog cacti-0.8.7e/debian/changelog --- cacti-0.8.7e/debian/changelog +++ cacti-0.8.7e/debian/changelog @@ -1,3 +1,11 @@ +cacti (0.8.7e-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix several cross-site scriptings via different vectors +Fixes: CVE-2009-4032 + + -- Steffen Joeris wh...@debian.org Wed, 16 Dec 2009 12:06:20 +0100 + cacti (0.8.7e-1) unstable; urgency=low * New upstream release (Closes: #541490). diff -u cacti-0.8.7e/debian/patches/series cacti-0.8.7e/debian/patches/series --- cacti-0.8.7e/debian/patches/series +++ cacti-0.8.7e/debian/patches/series @@ -7,0 +8 @@ +08_CVE-2009-4032.patch only in patch2: unchanged: --- cacti-0.8.7e.orig/debian/patches/08_CVE-2009-4032.patch +++ cacti-0.8.7e/debian/patches/08_CVE-2009-4032.patch 
@@ -0,0 +1,101 @@ +--- cacti-0.8.7e/graph.php 2009-06-28 12:07:11.0 -0400 cacti-0.8.7e/graph.php 2009-11-21 23:10:16.0 -0500 +@@ -35,6 +35,8 @@ + /* = input validation = */ + input_validate_input_regex(get_request_var_request(rra_id), ^([0-9]+|all)$); + input_validate_input_number(get_request_var(local_graph_id)); ++input_validate_input_number(get_request_var(graph_end)); ++input_validate_input_number(get_request_var(graph_start)); + input_validate_input_regex(get_request_var_request(view_type), ^([a-zA-Z0-9]+)$); + /* */ + +--- cacti-0.8.7e/include/top_graph_header.php 2009-06-28 12:07:11.0 -0400 cacti-0.8.7e/include/top_graph_header.php 2009-11-21 23:15:27.0 -0500 +@@ -58,7 +58,7 @@ + if ($_SESSION[custom]) { + print meta http-equiv=refresh content='9'\r\n; + }else{ +- print meta http-equiv=refresh content=' . read_graph_config_option(page_refresh) . '\r\n; ++ print meta http-equiv=refresh content=' . htmlspecialchars(read_graph_config_option(page_refresh),ENT_QUOTES) . '\r\n; + } + } + ? +@@ -113,7 +113,7 @@ + /tr + tr class=noprint + td bgcolor=#efefef colspan=1 height=8 style=background-image: url(images/shadow_gray.gif); background-repeat: repeat-x; border-right: #aa 1px solid; +- img src=images/transparent_line.gif width=?php print read_graph_config_option(default_dual_pane_width);? height=2 border=0br ++ img src=images/transparent_line.gif width=?php print htmlspecialchars(read_graph_config_option(default_dual_pane_width));? height=2 border=0br + /td + td bgcolor=#ff colspan=1 height=8 style=background-image: url(images/shadow.gif); background-repeat: repeat-x; + +@@ -144,7 +144,7 @@ + + tr + ?php if ((read_graph_config_option(default_tree_view_mode) == 2) (($_REQUEST[action] == tree) || ((isset($_REQUEST[view_type]) ? $_REQUEST[view_type] : ) == tree))) { ? +- td valign=top style=padding: 5px; border-right: #aa 1px solid; bgcolor='#efefef' width='?php print read_graph_config_option(default_dual_pane_width);?' 
class='noprint' ++ td valign=top style=padding: 5px; border-right: #aa 1px solid; bgcolor='#efefef' width='?php print htmlspecialchars(read_graph_config_option(default_dual_pane_width));?' class='noprint' + table border=0 cellpadding=0 cellspacing=0trtdfont size=-2a style=font-size:7pt;text-decoration:none;color:silver href=http://www.treemenu.net/; target=_blank/a/font/td/tr/table + ?php grow_dhtml_trees(); ? + script type=text/javascriptinitializeDocument();/script +--- cacti-0.8.7e/lib/timespan_settings.php 2009-06-28 12:07:11.0 -0400 cacti-0.8.7e/include/html/inc_timespan_settings.php 2009-11-21 23:15:49.0 -0500 +@@ -125,9 +125,9 @@ + if (isset($_POST[date1])) { + /* the dates have changed, therefore, I am now custom */ + if (($_SESSION[sess_current_date1] != $_POST[date1]) || ($_SESSION[sess_current_date2] != $_POST[date2])) { +- $timespan[current_value_date1] = $_POST[date1]; ++ $timespan[current_value_date1] = sanitize_search_string($_POST[date1]); + $timespan[begin_now] =strtotime($timespan
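Review bot: in the include/top_graph_header.php hunks htmlspecialchars() is called with ENT_QUOTES only for the page_refresh meta tag; the two default_dual_pane_width substitutions use the default flags, which leave single quotes untouched, and the one at line 144 is printed inside a single-quoted `width='...'` attribute, so a stored value containing `'` can still break out of it. Use ENT_QUOTES in all three places, or better, since both settings are numeric, cast them with (int) before printing. The graph.php hunk's input_validate_input_number() on graph_start/graph_end is the right shape of fix for numeric parameters.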
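Review bot: the last hunk's `---`/`+++` header pairs lib/timespan_settings.php with include/html/inc_timespan_settings.php, two different paths; patch will apply it to whichever one the -p level resolves to, so make sure that is the file that exists in 0.8.7e (the CVE text names lib/timespan_settings.php). The change sanitises `$_POST[date1]` with sanitize_search_string(), but `$_POST[date2]` is compared on the line above and the hunk as shown ends before its assignment; give date2 the same treatment.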
Bug#561339: CVE-2009-4112: arbitrary command execution
Package: cacti Severity: grave Tags: security Hi Sean, the following CVE (Common Vulnerabilities Exposures) id was published for cacti. CVE-2009-4112[0]: | Cacti 0.8.7e and earlier allows remote authenticated administrators to | gain privileges by modifying the Data Input Method for the Linux - | Get Memory Usage setting to contain arbitrary commands. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. As discussed with upstream, please make sure that there is a whitelist policy in place for squeeze. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112 http://security-tracker.debian.org/tracker/CVE-2009-4112
Bug#555666: CVE-2009-2820: XSS issues
Package: cups Version: 1.4.1-5 Severity: grave Tags: security patch Hi Martin The recent DSA (DSA-1933-1) fixed a few cross-site scripting issues. Please include the patch in the unstable/testing distribution. Cheers Steffen diff -u cupsys-1.2.2/debian/changelog cupsys-1.2.2/debian/changelog --- cupsys-1.2.2/debian/changelog +++ cupsys-1.2.2/debian/changelog @@ -1,3 +1,15 @@ +cupsys (1.2.2-0ubuntu0.6.06.15) dapper-security; urgency=low + + * SECURITY UPDATE: XSS and CRLF injection in headers +- debian/patches/83_CVE-2009-2820.dpatch: Introduce cgiClearVariables() + in cgi-bin/{var.c,cgi.h}. Clear out variables in + cgi-bin/{classes,help,ipp-var,jobs,printers}.c. Encode URL string and + clear out variables in cgi-bin/admin.c. Filter more characters in + cgi-bin/template.c. +- CVE-2009-2820 + + -- Marc Deslauriers marc.deslauri...@ubuntu.com Fri, 30 Oct 2009 21:40:07 -0400 + cupsys (1.2.2-0ubuntu0.6.06.14) dapper-security; urgency=low * SECURITY UPDATE: Remote denial-of-service via IPP_TAG_UNSUPPORTED tags. diff -u cupsys-1.2.2/debian/patches/00list cupsys-1.2.2/debian/patches/00list --- cupsys-1.2.2/debian/patches/00list +++ cupsys-1.2.2/debian/patches/00list @@ -39,0 +40 @@ +83_CVE-2009-2820 only in patch2: unchanged: --- cupsys-1.2.2.orig/debian/patches/83_CVE-2009-2820.dpatch +++ cupsys-1.2.2/debian/patches/83_CVE-2009-2820.dpatch 
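Review bot: the attached debdiff is the Ubuntu dapper-security update for cupsys 1.2.2 (see the `cupsys (1.2.2-0ubuntu0.6.06.15) dapper-security` changelog entry), while this bug is filed against cups 1.4.1-5; do not expect the 83_CVE-2009-2820.dpatch hunks to apply unchanged to the 1.4 cgi-bin sources, and check whether 1.4.1 already carries the upstream fix before rebasing them.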
@@ -0,0 +1,409 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 83_CVE-2009-2820.dpatch by Marc Deslauriers marc.deslauri...@ubuntu.com +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Description: fix XSS and CRLF injection in headers +## DP: Patch: backported from Aaron Sigel's patch + +...@dpatch@ +diff -urNad cupsys-1.2.2~/cgi-bin/admin.c cupsys-1.2.2/cgi-bin/admin.c +--- cupsys-1.2.2~/cgi-bin/admin.c 2006-05-22 14:47:09.0 -0400 cupsys-1.2.2/cgi-bin/admin.c 2009-10-30 21:39:59.0 -0400 +@@ -107,6 +107,7 @@ + */ + + cgiSetVariable(SECTION, admin); ++ cgiSetVariable(REFRESH_PAGE, ); + + /* + * See if we have form data... +@@ -137,16 +138,61 @@ + + + if (getenv(HTTPS)) +-snprintf(prefix, sizeof(prefix), https://%s:%s;, +- getenv(SERVER_NAME), getenv(SERVER_PORT)); ++ snprintf(prefix, sizeof(prefix), https://%s:%s;, ++ getenv(SERVER_NAME), getenv(SERVER_PORT)); + else +-snprintf(prefix, sizeof(prefix), http://%s:%s;, +- getenv(SERVER_NAME), getenv(SERVER_PORT)); ++ snprintf(prefix, sizeof(prefix), http://%s:%s;, ++ getenv(SERVER_NAME), getenv(SERVER_PORT)); ++ ++ fprintf(stderr, DEBUG: redirecting with prefix %s!\n, prefix); + + if ((url = cgiGetVariable(URL)) != NULL) +-printf(Location: %s%s\n\n, prefix, url); ++ { ++ char encoded[1024], /* Encoded URL string */ ++ *ptr; /* Pointer into encoded string */ ++ ++ ++ ptr = encoded; ++ if (*url != '/') ++ *ptr++ = '/'; ++ ++ for (; *url ptr (encoded + sizeof(encoded) - 4); url ++) ++ { ++ if (strchr(%@+ #=, *url) || *url ' ' || *url 128) ++ { ++ /* ++ * Percent-encode this character; safe because we have at least 4 ++ * bytes left in the array... ++ */ ++ ++ sprintf(ptr, %%%02X, *url 255); ++ ptr += 3; ++ } ++ else ++ *ptr++ = *url; ++ } ++ ++ *ptr = '\0'; ++ ++ if (*url) ++ { ++ /* ++ * URL was too long, just redirect to the admin page... ++ */ ++ ++ printf(Location: %s/admin\n\n, prefix); ++ } ++ else ++ { ++ /* ++ * URL is OK, redirect there... 
++ */ ++ ++ printf(Location: %s%s\n\n, prefix, encoded); ++ } ++ } + else +-printf(Location: %s/admin\n\n, prefix); ++ printf(Location: %s/admin\n\n, prefix); + } + else if (!strcmp(op, start-printer)) + do_printer_op(http, IPP_RESUME_PRINTER, cgiText(_(Start Printer))); +@@ -238,6 +284,7 @@ + ipp_attribute_t *attr; /* member-uris attribute */ + char uri[HTTP_MAX_URI]; /* Device or printer URI */ + const char *name, /* Pointer to class name */ ++ *op, /* Operation name */ + *ptr; /* Pointer to CGI variable */ + const char *title; /* Title of page */ + static const char * const pattrs[] = /* Requested printer attributes */ +@@ -249,6 +296,7 @@ + + + title = cgiText(modify ? _(Modify Class) : _(Add Class)); ++ op= cgiGetVariable(OP); + name = cgiGetVariable(PRINTER_NAME); + + if (cgiGetVariable(PRINTER_LOCATION) == NULL) +@@ -271,6 +319,12 @@ + * Do the request and get back a response... + */ + ++cgiClearVariables(); ++if (op) ++ cgiSetVariable(OP, op); ++if (name) ++ cgiSetVariable(PRINTER_NAME, name); ++ + if ((response = cupsDoRequest(http, request, /)) != NULL) + { + /* +diff -urNad cupsys-1.2.2~/cgi-bin/cgi.h cupsys-1.2.2/cgi-bin/cgi.h +--- cupsys-1.2.2~/cgi-bin/cgi.h 2006-01-14 15:37:40.0 -0500 cupsys-1.2.2/cgi-bin/cgi.h 2009-10-30 21:39:46.0 -0400 +@@ -63,6 +63,7 @@ + extern void cgiAbort(const char *title, const
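Review bot: in the cgi-bin/admin.c redirect hunk the filter line appears as `strchr(%@+ #=, *url) || *url ' ' || *url 128`, with its quotes and comparison operators lost; the encoder only keeps CR/LF and other control characters out of the `Location:` header if those comparisons are `<= ' '` and `>= 128`, so verify them in the applied patch. The loop reserves 4 bytes so `sprintf(ptr, "%%%02X", ...)` cannot overrun `encoded`, and redirecting to /admin when the URL is too long is the right fallback. A denylist still passes `"`, `<`, `>` and `'` through unencoded; percent-encoding everything outside the RFC 3986 unreserved set would be simpler to reason about.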
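Review bot: the do_am_class() hunk calls cgiClearVariables() before the IPP request and then re-adds only OP and PRINTER_NAME, which stops the template from echoing whatever else was submitted in the form. PRINTER_NAME is put back exactly as received, so the template side still depends on the character filtering added in cgi-bin/template.c (mentioned in the changelog but not in the visible hunks); confirm that filter covers the attribute contexts in which PRINTER_NAME is emitted.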
Bug#550440: advi: CVE-2009-2295 arbitrary code execution
On Sun, 11 Oct 2009 07:38:01 am Mehdi Dogguy wrote: Michael S Gilbert wrote: Package: advi Version: 1.6.0-12 Severity: serious Tags: security Hi, The following CVE (Common Vulnerabilities Exposures) id was published for camlimages. advi statically links to camlimages, so any issues in that package are also applicable to advi. There were already updates to camlimages for etch and lenny, so advi just needs to be relinked using those new versions. Please coordinate these updates with the security team. During last July, Thijs Kinkhorst had some problems to correctly build advi on etch because of the LaTeX bomb :) I've no idea how to fix that issue but, at that time, Moritz Muehlenhoff mentioned that the problem was fixed in oldstable-proposed and suggested to use it as a workaround. Has someone tried to build advi again on etch? The current problem is not to rebuild advi, but that camlimages' tiffread.c seems to be vulnerable as well. This should be fixed in a follow-up DSA first. Upstream doesn't seem reachable and the Fedora guys don't seem to have time either. Maybe you guys want to look into it? Cheers Steffen
Bug#548198: CVE-2009-2905: buffer overflow
Package: newt
Severity: grave
Tags: security patch

Hi

There is a buffer overflow in textbox.c. This issue is CVE-2009-2905. In textbox.c the following patch has been applied.

- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);

Cheers
Steffen

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
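Review bot: the corrected allocation `strlen(text) + (strlen(text) / (width - 1)) + 2` divides by zero when `width` is 1, a failure mode the old expression did not have; the caller must reject, or this function must clamp, any width below 2 before this line is reached.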
Bug#545779: XSS and illegal characters while printing name-value pairs
Package: viewvc
Severity: grave
Tags: security patch

Hi

According to upstream:

Version 1.1.2 (released 11-Aug-2009)
* security fix: validate the 'view' parameter to avoid XSS attack
* security fix: avoid printing illegal parameter names and values

http://viewvc.tigris.org/source/browse/*checkout*/viewvc/tags/1.1.2/CHANGES

The two upstream patches appear to be:
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2214r2=2213pathrev=2214
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/lib/viewvc.py?r1=2219r2=2218pathrev=2219

Could you test the patches and prepare updated packages for unstable/stable? A CVE id has been requested and we'll forward it to this bugreport once it's allocated.

Cheers
Steffen
Bug#540146: gentoo's patch and debdiff
Hi

I'd suggest going with gentoo's approach of using a separate oversized.h file. Any objections? I've tried building this, but the debdiff between the -dev binary packages was quite huge, so I am not uploading anything.

Cheers
Steffen

[0]: https://bugs.gentoo.org/attachment.cgi?id=199108action=view

diff -u camlimages-3.0.1/debian/changelog camlimages-3.0.1/debian/changelog --- camlimages-3.0.1/debian/changelog +++ camlimages-3.0.1/debian/changelog @@ -1,3 +1,12 @@ +camlimages (1:3.0.1-2.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Expand security patch for integer overflows to also cover other +image types (Closes: #540146) +Fixes: CVE-2009-2660 + + -- Steffen Joeris wh...@debian.org Sat, 08 Aug 2009 07:05:38 + + camlimages (1:3.0.1-2) unstable; urgency=low [ Mehdi Dogguy ] diff -u camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch --- camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch +++ camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
@@ -8,82 +8,155 @@ -diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c camlimages~/src/pngread.c 2009-06-23 11:22:20.0 +0200 -+++ camlimages/src/pngread.c 2009-07-03 17:51:31.0 +0200 -@@ -15,6 +15,8 @@ - #include config.h - #endif - -+#include limits.h +Index: src/gifread.c +=== +--- src/gifread.c.orig camlimages-3.0.1/src/gifread.c +@@ -20,6 +20,8 @@ + #include caml/memory.h + #include caml/fail.h + ++#include oversized.h ++ + #include stdio.h + #include string.h + +@@ -191,6 +193,9 @@ value dGifGetLine( value hdl ) + + GifFileType *GifFile = (GifFileType*) hdl; + ++ if( oversized( GifFile-Image.Width, sizeof(GifPixelType) ) ){ ++failwith_oversized(gif); ++ } + buf = alloc_string( GifFile-Image.Width * sizeof(GifPixelType) ); + + if( DGifGetLine(GifFile, String_val(buf), GifFile-Image.Width ) +Index: src/jpegread.c +=== +--- src/jpegread.c.orig camlimages-3.0.1/src/jpegread.c +@@ -20,6 +20,8 @@ + #include caml/memory.h + #include caml/fail.h + ++#include oversized.h ++ + #include stdio.h + #include string.h + +@@ -156,6 +158,12 @@ read_JPEG_file (value name) +*/ + /* JSAMPLEs per row in output buffer */ + ++ if( oversized(cinfo.output_width, cinfo.output_components) ){ ++jpeg_destroy_decompress(cinfo); ++fclose(infile); ++failwith_oversized(jpeg); ++ } ++ + row_stride = cinfo.output_width * cinfo.output_components; + + /* Make a one-row-high sample array that will go away when done with image */ +@@ -177,6 +185,12 @@ read_JPEG_file (value name) + jpeg_read_scanlines(cinfo, buffer + cinfo.output_scanline, 1); + } + ++ if( oversized(row_stride, cinfo.output_height) ){ ++jpeg_destroy_decompress(cinfo); ++fclose(infile); ++failwith_oversized(jpeg); ++ } + - #include png.h - - #include caml/mlvalues.h -@@ -26,6 +28,12 @@ - #define PNG_TAG_INDEX16 2 - #define PNG_TAG_INDEX4 3 - + { + CAMLlocalN(r,3); + r[0] = Val_int(cinfo.output_width); +@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe + + { + CAMLlocalN(r,3); ++// CR jfuruse: integer overflow + 
r[0] = Val_int(cinfop-output_width); + r[1] = Val_int(cinfop-output_height); + r[2] = alloc_tuple(3); +Index: src/oversized.h +=== +--- /dev/null camlimages-3.0.1/src/oversized.h +@@ -0,0 +1,9 @@ ++#include limits.h +/* Test if x or y are negative, or if multiplying x * y would cause an + * arithmetic overflow. + */ +#define oversized(x, y) \ + ((x) 0 || (y) 0 || ((y) != 0 (x) INT_MAX / (y))) + - value read_png_file_as_rgb24( name ) - value name; - { -@@ -81,6 +89,9 @@ ++#define failwith_oversized(lib) \ ++ failwith(#lib error: image contains oversized or bogus width and height); +Index: src/pngread.c +=== +--- src/pngread.c.orig camlimages-3.0.1/src/pngread.c +@@ -17,6 +17,8 @@ + + #include png.h + ++#include oversized.h ++ + #include caml/mlvalues.h + #include caml/alloc.h + #include caml/memory.h +@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name ) png_get_IHDR(png_ptr, info_ptr, width, height, bit_depth, color_type, interlace_type, NULL, NULL); + if (oversized (width, height)) -+failwith (png error: image contains oversized or bogus width and height); ++failwith_oversized(png); + if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -102,10 +113,16 @@ +@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name ) rowbytes = png_get_rowbytes(png_ptr, info_ptr); + if (oversized (rowbytes, height)) -+failwith
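Review bot: the oversized() macro in the src/oversized.h hunk bounds x * y by INT_MAX and tests both operands for negativity, but the pngread.c hunks apply it to `width`, `height` and `rowbytes`, which libpng hands back as unsigned 32-bit values; the negativity tests are then vacuous and the INT_MAX bound is only right if the allocation that follows multiplies in int, so document the operand type the macro expects or add an unsigned variant.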
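Review bot: the second jpegread.c check, `oversized(row_stride, cinfo.output_height)` in the @@ -177,6 +185,12 @@ hunk, sits after the loop that has already called `jpeg_read_scanlines(cinfo, buffer + cinfo.output_scanline, 1)` for every row; if `buffer` is sized from row_stride * output_height, the overflow has already happened by the time this test runs, so it belongs before that allocation.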
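Review bot: the `// CR jfuruse: integer overflow` line added in open_jpeg_file_for_read_start only flags the problem; since jpegread.c now includes oversized.h, add the `oversized(cinfop->output_width, cinfop->output_height)` test there with the same jpeg_destroy_decompress()/fclose()/failwith_oversized(jpeg) cleanup as in read_JPEG_file, rather than leaving a comment.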
Bug#539492: CVE-2009-1892: DoS
Package: dhcp3-server
Severity: grave
Tags: security patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for dhcp3.

CVE-2009-1892[0]:
| dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and
| hardware ethernet configuration settings are both used, allows remote
| attackers to cause a denial of service (daemon crash) via unspecified
| requests.

The patch that was used for the DSA is attached. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
    http://security-tracker.debian.net/tracker/CVE-2009-1892

#! /bin/sh /usr/share/dpatch/dpatch-run ## server-clientid-crash.dpatch by Christoh Biedl debian.packages.h...@manchmal.in-ulm.de ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Server assert involving client IDs (CVE-2009-1892) @DPATCH@ diff -urNad git~/server/dhcp.c git/server/dhcp.c --- git~/server/dhcp.c 2009-07-12 22:03:17.0 +0200 +++ git/server/dhcp.c 2009-07-12 22:04:42.0 +0200 @@ -1747,6 +1747,8 @@ host_reference (host, h, MDL); } if (!host) { + if (hp) +host_dereference (hp, MDL); find_hosts_by_haddr (hp, packet - raw - htype, packet - raw - chaddr,
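Review bot: the new `if (hp) host_dereference (hp, MDL);` is placed immediately before `find_hosts_by_haddr (&hp, ...)`, so the reference still held from the earlier client-identifier lookup is released before `hp` is reused as an output parameter, which is what the assertion was complaining about; confirm that nothing after this block still expects the earlier `hp`, and that every other path that reuses `hp` as an output parameter releases it the same way.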
Bug#533386: new evolution-data-server packages
Hi

So I had another look at the issue. Indeed, set_nss_error was undefined, so I used a different function. Also, I think there was another regression with displaying signed and encrypted S/MIME messages. Could you please test these updated packages[0] in your environments and tell me whether they fix the regressions you encountered? Sorry for all the delay with this, I was waiting for a reply from another user, but never got it and then this issue kind of slipped through. :(

Cheers
Steffen

[0]: http://www-master.debian.org/~white/evolution-data-server/
Bug#536554: nmu patch
Hi

Attached is the full nmu patch.

Cheers
Steffen

diff -u sork-passwd-h3-3.1/debian/changelog sork-passwd-h3-3.1/debian/changelog --- sork-passwd-h3-3.1/debian/changelog +++ sork-passwd-h3-3.1/debian/changelog @@ -1,3 +1,11 @@ +sork-passwd-h3 (3.1-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix XSS via the backend parameter (Closes: #536554) +Fixes: CVE-2009-2360 + + -- Steffen Joeris wh...@debian.org Sat, 11 Jul 2009 06:02:56 + + sork-passwd-h3 (3.1-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- sork-passwd-h3-3.1.orig/debian/patches/0002-CVE-2009-2360.patch +++ sork-passwd-h3-3.1/debian/patches/0002-CVE-2009-2360.patch
@@ -0,0 +1,54 @@ +--- ../old/sork-passwd-h3-3.1/main.php 2009-01-06 15:25:15.0 + sork-passwd-h3-3.1/main.php 2009-07-11 06:00:57.0 + +@@ -15,8 +15,20 @@ + require_once PASSWD_BASE . '/lib/base.php'; + require PASSWD_BASE . '/config/backends.php'; + ++// Get the backend details. ++$backend_key = Horde_Util::getFormData('backend', false); ++if (!isset($backends[$backend_key])) { ++$backend_key = null; ++} ++ ++ ++ + // Use a do-while to allow easy breaking if an error is found. + do { ++if (!$backend_key) { ++break; ++} ++ + // Has the user submitted the form yet? + $submit = Util::getFormData('submit', false); + if (!$submit) { +@@ -24,8 +36,6 @@ + break; + } + +-// Get the backend details. +-$backend_key = Util::getFormData('backend', false); + $driver = $backends[$backend_key]['driver']; + $params = $backends[$backend_key]['params']; + $password_policy = isset($backends[$backend_key]['password policy']) +@@ -242,8 +252,8 @@ + + foreach ($backends as $key = $current_backend) { + $sel = ($key == $backend_key) ? ' selected=selected' : ''; +-$backends_list .= option value=\$key\$sel; +-$backends_list .= $current_backend['name'] . '/option'; ++$backends_list .= 'option value=' . htmlspecialchars($key) . '' . $sel . '' . ++htmlspecialchars($current_backend['name']) . '/option'; + } + } + +--- ../old/sork-passwd-h3-3.1/templates/main/main.inc 2008-10-09 17:12:25.0 + sork-passwd-h3-3.1/templates/main/main.inc 2009-07-11 06:02:03.0 + +@@ -53,7 +53,7 @@ + form method=post action=?php echo Horde::url('main.php', false, -1, true) ? name=passwd + ?php echo Util::formInput() ? + ?php if ($conf['backend']['backend_list'] == 'hidden'): ? +-input type=hidden name=backend value=?php echo $backend_key ? / ++input type=hidden name=backend value=?php echo htmlspecialchars($backend_key) ? / + ?php endif; if ($conf['user']['change'] !== true): ? + input type=hidden name=userid value=?php echo htmlspecialchars($userid) ? / + ?php endif; ? 
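Review bot: the new lookup reads `$backend_key = Horde_Util::getFormData('backend', false);` while the surrounding main.php (and the removed line) uses `Util::getFormData`; Horde 3 ships the `Util` class, so unless `Horde_Util` exists in this tree the page dies with an undefined-class fatal error before the validation runs, and the line should use `Util::getFormData` like the rest of the file. A smaller point: with the default `false`, `isset($backends[false])` tests key 0, which is harmless for string-keyed backends but clearer as an explicit `is_string($backend_key)` check.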
Bug#536554: CVE-2009-2360: Cross-site scripting vulnerability
Package: sork-passwd-h3
Severity: grave
Tags: security patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for sork-passwd-h3.

CVE-2009-2360[0]:
| Cross-site scripting (XSS) vulnerability in passwd/main.php in the
| Passwd module before 3.1.1 for Horde allows remote attackers to inject
| arbitrary web script or HTML via the backend parameter.

The upstream patch can be found here[1]. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2360
    http://security-tracker.debian.net/tracker/CVE-2009-2360
[1] http://bugs.horde.org/ticket/8398
Bug#530271: NMU patch
Hi

Please find the NMU patch attached.

Cheers
Steffen

diff -u ipplan-4.91a/debian/changelog ipplan-4.91a/debian/changelog --- ipplan-4.91a/debian/changelog +++ ipplan-4.91a/debian/changelog @@ -1,3 +1,13 @@ +ipplan (4.91a-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix cross-site scripting vulnerability, which can be exploited via +the userid, userdescrip, useremail, grp and grpdescrip parameters +(Closes: #530271) +Fixes: CVE-2009-1732 + + -- Steffen Joeris wh...@debian.org Mon, 06 Jul 2009 08:09:24 + + ipplan (4.91a-1) unstable; urgency=low * new upstream release diff -u ipplan-4.91a/debian/patches/00list ipplan-4.91a/debian/patches/00list --- ipplan-4.91a/debian/patches/00list +++ ipplan-4.91a/debian/patches/00list @@ -1,0 +2 @@ +CVE-2009-1732-xss.dpatch only in patch2: unchanged: --- ipplan-4.91a.orig/debian/patches/CVE-2009-1732-xss.dpatch +++ ipplan-4.91a/debian/patches/CVE-2009-1732-xss.dpatch
@@ -0,0 +1,36 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +...@dpatch@ +--- admin/usermanager.php 2009-03-19 07:44:03.0 +1100 ipplan-4.91a/admin/usermanager.php 2009-05-30 16:34:08.0 +1000 +@@ -301,9 +301,13 @@ + // First off we insert the user information and delete button. + insert($w, $t=table(array(cols=2,border=0,cellspacing=2,width=100%))); + insert($t, $c=cell()); +-insert($c ,block(b.my_(Editing User: $userid)./bbr)); +-insert($c, block(i.my_(Real Name: ).$row[userdescrip]./ibr)); +-insert($c, block(my_(e-mail: ).$row[useremail])); ++insert($c ,block(b)); ++insert($c ,text(my_(Editing User: $userid))); ++insert($c ,block(/bbr)); ++insert($c, block(i)); ++insert($c, text(my_(Real Name: ).$row[userdescrip])); ++insert($c, block(/ibr)); ++insert($c, text(my_(e-mail: ).$row[useremail])); + insert($t, $c=cell(array(align=right))); + insert($c, $f = form(array(method=post,action=$_SERVER[PHP_SELF]))); + insert($f,hidden(array(name=action,value=deleteuser))); +@@ -407,8 +411,11 @@ + $resaddr =$row[resaddr]; + insert($w, $t=table(array(width=100%,cols=2,border=0,cellspacing=0,valign=middle))); + insert($t, $c = cell()); +-insert($c, block(b.my_(Editing Group:). $grp/bbr)); +-insert($c, block(i.my_( Description: )./i.$grpdescrip)); ++insert($c, block(b)); ++insert($c, text(my_(Editing Group:). $grp)); ++insert($c, block(/bbr)); ++insert($c, block(i.my_( Description: )./i)); ++insert($c, text($grpdescrip)); + insert($w,generic(br)); + insert($t,$c = cell (array(align=right))); + insert($c, $f = form(array(method=post,action=$_SERVER[PHP_SELF])));
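Review bot: in the first usermanager.php hunk the user-supplied `$userid` is still interpolated into the string before it goes through my_(), so the translation lookup is done on a string that differs per user; text() escapes the whole result either way, but `text(my_("Editing User: ") . $userid)` keeps the message translatable and keeps user data out of the lookup key, and the same applies to `$grp` in the second hunk.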
Bug#530271: xss patch
On Wed, 24 Jun 2009 07:46:01 am Richard Ellerbrock wrote:
> The existing patch is correct - using htmlspecialchars will have the effect of placing escaped strings in the database. It will also have the effect of double escaping each time you edit a field. My patch replaces the display template method block() which does not escape with the text() method which uses htmlspecialchars internally. See /ipplan/layout/class.layout

You are right, thanks for pointing this out.

> As for the length check. This was a potential, unrelated database overflow I discovered during investigation of the xss issue - totally unrelated.

Could you elaborate on this? Could this cause any issues security-wise?

Cheers
Steffen
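An added example (PHP, not ipplan's code) that models the edit round trip Richard describes: a field escaped only at display time stays raw in storage and stable across saves, while a field that is also escaped at input time gains a layer of entities on every save. The browser and storage behaviour it assumes are simplified, and the sample value is constructed.

```php
<?php
// Added example, not ipplan code. Models one field of the user form through
// repeated edit/save cycles to show why escaping belongs in the display layer
// (text() instead of block()) and not right after trim() on input.

// Display-layer escaping, the equivalent of what text() does internally.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Assumption: when the user saves the form without touching the field, the
// browser submits the attribute value entity-decoded exactly once.
function browser_resubmits(string $attribute_value): string
{
    return html_entity_decode($attribute_value, ENT_QUOTES, 'UTF-8');
}

// Run $edits save cycles of one field and return what ends up in storage.
// $escape_on_input = true models htmlspecialchars() applied on input
// (the first patch in this thread); the display layer always escapes.
function stored_value_after_edits(string $submitted, int $edits, bool $escape_on_input): string
{
    $stored = $escape_on_input ? escape_for_html($submitted) : $submitted;
    for ($i = 0; $i < $edits; $i++) {
        $in_form     = escape_for_html($stored);       // edit form is rendered, escaped once
        $resubmitted = browser_resubmits($in_form);    // user saves without changes
        $stored      = $escape_on_input ? escape_for_html($resubmitted) : $resubmitted;
    }
    return $stored;
}

// True when repeated saves leave the stored value unchanged.
function stable_across_edits(string $input, int $edits, bool $escape_on_input): bool
{
    $first = stored_value_after_edits($input, 0, $escape_on_input);
    return stored_value_after_edits($input, $edits, $escape_on_input) === $first;
}

// Constructed sample containing every character htmlspecialchars() rewrites.
$input = "<b>O'Neil & Co</b>";

// Output escaping only: storage keeps the raw text and every render is identical.
printf("output escaping only: %s\n", stable_across_edits($input, 3, false) ? 'stable' : 'grows');
printf("stored after 3 saves: %s\n", stored_value_after_edits($input, 3, false));

// Input escaping as well: each save escapes the already-escaped text again, so
// the stored string gains one more layer of entities per edit.
printf("input + output escaping: %s\n", stable_across_edits($input, 3, true) ? 'stable' : 'grows');
printf("stored after 0 saves: %s\n", stored_value_after_edits($input, 0, true));
printf("stored after 2 saves: %s\n", stored_value_after_edits($input, 2, true));
```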
Bug#530271: xss patch
Hi Richard

I am not sure about your patch. Setting a maximum length does not fix a potential xss issue. Why not use htmlspecialchars() to take care of escaping? I have attached a potential patch for that. Of course, it would be good to check the rest of the code as well and see whether it is prone to xss issues. Also, as far as I understand it, the CSRF issue is very constructed and doesn't offer an attack vector without having admin rights already, correct? I have to admit that I don't understand that part of your patch there.

Cheers
Steffen

--- ../old/ipplan-4.91a/admin/usermanager.php 2009-03-18 20:44:03.0 + +++ ipplan-4.91a/admin/usermanager.php 2009-06-23 06:16:08.0 + @@ -676,7 +676,9 @@ $formerror=; $userid=trim($userid); +$userid=htmlspecialchars($userid); $userdescrip=trim($userdescrip); +$userdescrip=htmlspecialchars($userdescrip); $useremail=trim($useremail); $search=trim($search); if (AUTH_INTERNAL) { @@ -746,7 +748,9 @@ list($grp, $grpdescrip, $createcust, $grpview, $resaddr) = myRegister(S:grp S:grpdescrip S:createcust S:grpview I:resaddr); $grp=trim($grp); +$grp=htmlspecialchars($grp); $grpdescrip=trim($grpdescrip); +$grpdescrip=htmlspecialchars($grpdescrip); $formerror=; if (strlen($grp) 2) {
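Review bot: both hunks apply htmlspecialchars() to `$userid`, `$userdescrip`, `$grp` and `$grpdescrip` directly after trim(), i.e. before the values are validated and stored, so the escaped form ends up in the database, the `strlen($grp)` length check that follows now measures the escaped length, and any later display that escapes again (or any re-edit of the field) produces doubly escaped text; escape at the point of output instead and leave the stored values raw.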
Bug#525943: CVE-2009-0662: privilege escalation
Package: plone3
Severity: grave
Tags: security, patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for plone3.

CVE-2009-0662[0]:
| The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product
| for Plone, does not properly handle the login form, which allows
| remote authenticated users to acquire the identity of an arbitrary
| user via unspecified vectors.

The description states PlonePAS, but as you confirmed in the mail that plone3 uses it, I am writing the bugreport now for reference. The upstream patch can be found here[1]. As already discussed via mail, please also prepare updated packages for lenny incorporating this fix and some of the other CVEs, which are fixed by upstream already. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0662
    http://security-tracker.debian.net/tracker/CVE-2009-0662
[1] http://klecker.debian.org/~white/plone3/CVE-2009-0662.patch
Bug#521949: CVE-2009-0790: DoS
Hi Rene

Unfortunately, this doesn't apply as the dpd code seems to have moved out of demux.c (I didn't find any of the patch context). Have you had contact with openswan upstream concerning this bug? Isn't the vulnerable code in programs/pluto/ikev1.c?

Cheers
Steffen
Bug#521823: SQL injection
Package: auth2db
Version: 0.2.5-2+dfsg-1
Severity: grave
Tags: security

Hi

auth2db uses addslashes, which doesn't protect against SQL injections when used with multibyte character encodings. As discussed via private mails, the NMU patch is attached.

Cheers
Steffen

diff -u auth2db-0.2.5-2+dfsg/debian/changelog auth2db-0.2.5-2+dfsg/debian/changelog --- auth2db-0.2.5-2+dfsg/debian/changelog +++ auth2db-0.2.5-2+dfsg/debian/changelog @@ -1,3 +1,11 @@ +auth2db (0.2.5-2+dfsg-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix possible SQL injection vulnerability when used with multibyte +encodings by using mysql_real_escape_string() + + -- Steffen Joeris wh...@debian.org Mon, 30 Mar 2009 11:21:06 +0200 + auth2db (0.2.5-2+dfsg-1) unstable; urgency=medium * New debian-specific+upstream release (Closes: #493132): diff -u auth2db-0.2.5-2+dfsg/debian/patches/series auth2db-0.2.5-2+dfsg/debian/patches/series --- auth2db-0.2.5-2+dfsg/debian/patches/series +++ auth2db-0.2.5-2+dfsg/debian/patches/series @@ -6,0 +7 @@ +auth2db-sql-injection.patch only in patch2: unchanged: --- auth2db-0.2.5-2+dfsg.orig/debian/patches/auth2db-sql-injection.patch +++ auth2db-0.2.5-2+dfsg/debian/patches/auth2db-sql-injection.patch @@ -0,0 +1,19 @@ +--- ../old/auth2db-0.2.5-2+dfsg/www/security.php 2008-07-30 22:39:36.0 + auth2db-0.2.5-2+dfsg/www/security.php 2009-03-30 09:18:57.0 + +@@ -15,12 +15,10 @@ + # [Agrega escape de caracteres especiales SQL - \' ] + function sec_addESC($var) { + +-if (!get_magic_quotes_gpc()){ +- $var = addslashes($var); +-} +- ++$var = mysql_real_escape_string($var); ++ + return $var; + + } + +-? +\ No newline at end of file ++?
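Review bot: `mysql_real_escape_string($var)` without a link argument needs an open MySQL connection at the moment sec_addESC() is called and returns false (with a warning) otherwise, which a caller would then concatenate into its query as an empty string, so pass the connection handle explicitly or make sure the connection is established before any caller runs. The multibyte protection this buys also only holds if the connection charset was set through mysql_set_charset() rather than a plain `SET NAMES`. Finally, dropping the `get_magic_quotes_gpc()` branch means that with magic_quotes_gpc enabled the input arrives already backslash-escaped and is escaped a second time.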
Bug#521949: CVE-2009-0790: DoS
Package: openswan
Severity: grave
Tags: security

Hi

From the DSA:

CVE-2009-0790
Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone to a denial of service attack via a malicious packet.

I've attached the patch from stable-security, please consider including it for unstable/testing.

Cheers
Steffen

diff -u openswan-2.4.12+dfsg/debian/changelog openswan-2.4.12+dfsg/debian/changelog --- openswan-2.4.12+dfsg/debian/changelog +++ openswan-2.4.12+dfsg/debian/changelog @@ -1,3 +1,11 @@ +openswan (1:2.4.12+dfsg-1.3+lenny1) stable-security; urgency=high + + * Non-maintainer upload by the security team + * Fix DoS issue via malicious Dead Peer Detection packet +Fixes: CVE-2009-0790 + + -- Steffen Joeris wh...@debian.org Tue, 24 Mar 2009 13:20:43 + + openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high * Non-maintainer upload. diff -u openswan-2.4.12+dfsg/debian/patches/00list openswan-2.4.12+dfsg/debian/patches/00list --- openswan-2.4.12+dfsg/debian/patches/00list +++ openswan-2.4.12+dfsg/debian/patches/00list @@ -3,0 +4 @@ +03-CVE-2009-0790.dpatch only in patch2: unchanged: --- openswan-2.4.12+dfsg.orig/debian/patches/03-CVE-2009-0790.dpatch +++ openswan-2.4.12+dfsg/debian/patches/03-CVE-2009-0790.dpatch
@@ -0,0 +1,30 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +...@dpatch@ +Index: demux.c +=== +RCS file: /projects/xelerance/master/openswan-2/programs/pluto/demux.c,v +retrieving revision 1.210.2.16 +diff -c -r1.210.2.16 demux.c +*** openswan-2.x.x/programs/pluto/demux.c.old 16 Jun 2008 01:03:04 - 1.210.2.16 +--- openswan-2.4.12+dfsg/programs/pluto/demux.c 22 Mar 2009 20:11:13 - +*** +*** 1068,1076 +--- 1068,1084 + switch (n-isan_type) + { + case R_U_THERE: ++ if(st==NULL) { ++ loglog(RC_LOG_SERIOUS, received bogus R_U_THERE informational message); ++ return STF_IGNORE; ++ } + return dpd_inI_outR(st, n, n_pbs); + + case R_U_THERE_ACK: ++ if(st==NULL) { ++ loglog(RC_LOG_SERIOUS, received bogus R_U_THERE informational message); ++ return STF_IGNORE; ++ } + return dpd_inR(st, n, n_pbs); + + case PAYLOAD_MALFORMED:
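Review bot: the R_U_THERE_ACK branch logs `received bogus R_U_THERE informational message`, copied verbatim from the R_U_THERE branch above it; it should name R_U_THERE_ACK so the two rejected cases can be told apart in the log, and the duplicated NULL check could be hoisted above the switch since both DPD cases need it.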
Bug#521950: CVE-2009-0790: DoS
Package: strongswan
Severity: grave
Tags: security, patch

Hi

From the DSA:

Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet.

Please consider including the patch, I've attached the debdiff for stable.

Cheers
Steffen

diff -u strongswan-4.2.4/debian/changelog strongswan-4.2.4/debian/changelog --- strongswan-4.2.4/debian/changelog +++ strongswan-4.2.4/debian/changelog @@ -1,3 +1,11 @@ +strongswan (4.2.4-5+lenny1) stable-security; urgency=high + + * Non-maintainer upload by the security team + * Fix DoS issue via malicious Dead Peer Detection packet +Fixes: CVE-2009-0790 + + -- Steffen Joeris wh...@debian.org Tue, 24 Mar 2009 12:31:39 + + strongswan (4.2.4-5) unstable; urgency=high Reason for urgency high: this is potentially security relevant. diff -u strongswan-4.2.4/debian/patches/00list strongswan-4.2.4/debian/patches/00list --- strongswan-4.2.4/debian/patches/00list +++ strongswan-4.2.4/debian/patches/00list @@ -1,0 +2 @@ +02-CVE-2009-0790.dpatch only in patch2: unchanged: --- strongswan-4.2.4.orig/debian/patches/02-CVE-2009-0790.dpatch +++ strongswan-4.2.4/debian/patches/02-CVE-2009-0790.dpatch
@@ -0,0 +1,31 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +...@dpatch@ +diff -urN strongswan-4.2.13/src/pluto/ipsec_doi.c strongswan-4.2.13-patched/src/pluto/ipsec_doi.c +--- strongswan-4.2.13/src/pluto/ipsec_doi.c 2009-03-21 09:41:49.0 +0100 strongswan-4.2.4/src/pluto/ipsec_doi.c 2009-03-21 09:50:06.0 +0100 +@@ -5446,9 +5446,9 @@ +time_t tm = now(); + u_int32_t seqno; + +-if (!IS_ISAKMP_SA_ESTABLISHED(st-st_state)) ++if (!st || !IS_ISAKMP_SA_ESTABLISHED(st-st_state)) + { +-loglog(RC_LOG_SERIOUS, DPD: Received R_U_THERE for unestablished ISKAMP SA); ++loglog(RC_LOG_SERIOUS, DPD: Received R_U_THERE for unestablished ISAKMP SA); + return STF_IGNORE; + } + if (n-isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) COOKIE_SIZE * 2) +@@ -5516,10 +5516,10 @@ + { + u_int32_t seqno; + +-if (!IS_ISAKMP_SA_ESTABLISHED(st-st_state)) ++if (!st || !IS_ISAKMP_SA_ESTABLISHED(st-st_state)) + { + loglog(RC_LOG_SERIOUS +- , DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA); ++ , DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA); + return STF_FAIL; + } +
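Review bot: with `st == NULL` the R_U_THERE_ACK handler (second hunk) now returns STF_FAIL while the R_U_THERE handler (first hunk) returns STF_IGNORE; check that the caller's STF_FAIL path does not dereference `st` (for instance to send a notification back), otherwise both NULL cases should return STF_IGNORE. The ISKAMP/ISAKMP spelling fix in the log messages is fine to carry along but is unrelated to the CVE and worth a mention in the changelog.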
Bug#517792: CVE-2009-0698: integer overflow
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for xine-lib.

CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a 4X movie file with a large
| current_track value, a similar issue to CVE-2009-0385.

The upstream bug is here[1]. I guess this should be fixed in stable as well, do you concur? Also it would be nice to get a security round for oldstable-security, as there are quite a few open xine-lib issues. Do you concur? If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
    http://security-tracker.debian.net/tracker/CVE-2009-0698
[1] http://bugs.xine-project.org/show_bug.cgi?id=205
[2] http://security-tracker.debian.net/tracker/status/release/oldstable
Bug#516388: proftpd: Several SQL injection vulnerabilities
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for proftpd.

CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protection mechanisms via invalid,
| encoded multibyte characters, which are not properly handled in (1)
| mod_sql_mysql and (2) mod_sql_postgres.

CVE-2009-0542[1]:
| SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
| allows remote attackers to execute arbitrary SQL commands via a %
| (percent) character in the username, which introduces a ' (single
| quote) character during variable substitution by mod_sql.

The postgresql part should still be vulnerable as discussed via previous mail. The second issue seems to be still unaddressed. It needs to be investigated, whether upstream's fix is complete, since it doesn't seem to use the usual escaping functions. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543
    http://security-tracker.debian.net/tracker/CVE-2009-0543
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542
    http://security-tracker.debian.net/tracker/CVE-2009-0542
Bug#514142: NMU patch
Hi

Attached you'll find the NMU patch that has just been uploaded.

Cheers
Steffen

diff -u squid-2.7.STABLE3/debian/changelog squid-2.7.STABLE3/debian/changelog --- squid-2.7.STABLE3/debian/changelog +++ squid-2.7.STABLE3/debian/changelog @@ -1,3 +1,11 @@ +squid (2.7.STABLE3-4.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Include upstream patch to fix DoS via error in request processing +code (Closes: #514142) + + -- Steffen Joeris wh...@debian.org Thu, 05 Feb 2009 18:28:57 + + squid (2.7.STABLE3-4) unstable; urgency=low * debian/rules diff -u squid-2.7.STABLE3/debian/patches/00list squid-2.7.STABLE3/debian/patches/00list --- squid-2.7.STABLE3/debian/patches/00list +++ squid-2.7.STABLE3/debian/patches/00list @@ -9,0 +10 @@ +70-DoS-request-processing.patch only in patch2: unchanged: --- squid-2.7.STABLE3.orig/debian/patches/70-DoS-request-processing.patch +++ squid-2.7.STABLE3/debian/patches/70-DoS-request-processing.patch
@@ -0,0 +1,68 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## + +...@dpatch@ +--- ../old/squid-2.7.STABLE3/src/HttpMsg.c 2007-12-13 01:20:48.0 + squid-2.7.STABLE3/src/HttpMsg.c 2009-02-04 17:48:30.0 + +@@ -256,11 +256,11 @@ + + /* next should be 1 or more digits */ + maj = 0; +- for (; i hmsg-req_end (xisdigit(hmsg-buf[i])); i++) { ++ for (; i hmsg-req_end (xisdigit(hmsg-buf[i])) maj 65536; i++) { + maj = maj * 10; + maj = maj + (hmsg-buf[i]) - '0'; + } +- if (i = hmsg-req_end) { ++if (i = hmsg-req_end || maj = 65536) { + retcode = -1; + goto finish; + } +@@ -276,11 +276,16 @@ + /* next should be one or more digits */ + i++; + min = 0; +- for (; i hmsg-req_end (xisdigit(hmsg-buf[i])); i++) { ++ for (; i hmsg-req_end (xisdigit(hmsg-buf[i])) min 65536; i++) { + min = min * 10; + min = min + (hmsg-buf[i]) - '0'; + } + ++ if (min = 65536) { ++ retcode = -1; ++ goto finish; ++ } ++ + /* Find whitespace, end of version */ + hmsg-v_end = i; + hmsg-v_len = hmsg-v_end - hmsg-v_start + 1; +--- ../old/squid-2.7.STABLE3/src/HttpStatusLine.c 2007-12-13 01:20:48.0 + squid-2.7.STABLE3/src/HttpStatusLine.c 2009-02-04 17:47:49.0 + +@@ -97,11 +97,11 @@ + /* Format: HTTP/x.x space status code space reason-phrase CRLF */ + s = start; + maj = 0; +-for (s = start; s end xisdigit(*s); s++) { ++for (s = start; s end xisdigit(*s) maj 65536; s++) { + maj = maj * 10; + maj = maj + *s - '0'; + } +-if (s = end) { ++if (s = end || maj = 65536) { + debug(57, 7) (httpStatusLineParse: Invalid HTTP reply status major.\n); + return 0; + } +@@ -113,11 +113,11 @@ + s++; + /* next should be minor number */ + min = 0; +-for (; s end xisdigit(*s); s++) { ++for (; s end xisdigit(*s) min 65536; s++) { + min = min * 10; + min = min + *s - '0'; + } +-if (s = end) { ++if (s = end || min = 65536) { + debug(57, 7) (httpStatusLineParse: Invalid HTTP reply status version minor.\n); + return 0; + }
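Review bot: in the first HttpMsg.c hunk the rewritten `if (...) { retcode = -1; goto finish; }` test for `maj` has lost the indentation of the line it replaces and no longer lines up with the digit loop above it; and the bound 65536 now appears six times across HttpMsg.c and HttpStatusLine.c, so give it one named constant so the major and minor checks in the two files cannot drift apart.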
Bug#514138: audacity: buffer overflow
Package: audacity
Version: 1.3.5-2
Severity: grave
Tags: security
Justification: user security hole

There is a buffer overflow in audacity apparently affecting the etch and lenny version. You can find a reproducer here[0]. However, I just took a random .gro file and when importing it under Projects with import midi (I tested under etch), it produced a buffer overflow. More information can be found here[1] or in the gentoo bugreport[2]. I'll post the CVE id here, once it has been assigned. Please check with upstream, whether they are aware of the issue and working on a patch.

Cheers
Steffen

[0]: http://www.milw0rm.com/exploits/7634
[1]: http://secunia.com/advisories/33356/
[2]: https://bugs.gentoo.org/show_bug.cgi?id=253493
Bug#514142: squid: denial of service via crafted request
Package: squid
Severity: grave
Tags: security
Justification: user security hole

Hi

A DoS issue has been reported[0] for squid. So far I cannot see the vulnerable code in the stable release, but it would be nice, if you could check that as well. Lenny seems to be affected and needs fixing. I've just built updated packages for testing-security with the upstream patch[1]. On a first glance, the patch looked ok. I'll need to test the packages and do some further checking, but would appreciate some comments.

Cheers
Steffen

[0]: http://www.squid-cache.org/Advisories/SQUID-2009_1.txt
[1]: http://klecker.debian.org/~white/squid/
Bug#514138: audacity: buffer overflow
fixed 514138 1.3.6-1
thanks

Hi Benjamin

On Wed, 4 Feb 2009 04:29:05 pm Benjamin Drung wrote:
> The upcoming audacity 1.3.7-1 does not crash if I open the generated file from [0]. According to the Gentoo bug tracker [1] audacity 1.3.6 does not have this bug any more. You can find String_parse::get_nonspace_quoted in version 1.3.7 in lib-src/portsmf/strparse.cpp:

Thanks for your explanation, I think I should have been more precise. I somehow missed setting the fixed tag in the pseudo header, because this bugreport was meant for lenny/etch. Either way, from what I can see lenny is still vulnerable and should be fixed before the release, if possible.

Cheers
Steffen
Bug#514177: gstreamer0.10-plugins-good: Several security issues: CVE-2009-0386 CVE-2009-0387 CVE-2009-0397 CVE-2009-0398
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for gst-plugins-good0.10.

CVE-2009-0386[0]:
| Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file.

CVE-2009-0387[1]:
| Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to mark keyframes.

CVE-2009-0397[2]:
| Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample (aka stts) atom data in a malformed QuickTime media .mov file.

CVE-2009-0398[3]:
| Array index error in the gst_qtp_trak_handler function in gst/qtdemux/qtdemux.c in GStreamer Plug-ins (aka gstreamer-plugins) 0.6.0 allows remote attackers to have an unknown impact via a crafted QuickTime media file.

There is also a Red Hat bugreport[4] and a mail[5] on the public security list with more information. The upstream patch[6] seems to fix all but CVE-2009-0398 according to upstream. These issues should be fixed for lenny. It would also be good, if you as the maintainer could prepare an update for etch and contact the security team, if you have something ready.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Thanks in advance for your work.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0386
    http://security-tracker.debian.net/tracker/CVE-2009-0386
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0387
    http://security-tracker.debian.net/tracker/CVE-2009-0387
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0397
    http://security-tracker.debian.net/tracker/CVE-2009-0397
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0398
    http://security-tracker.debian.net/tracker/CVE-2009-0398
[4] https://bugzilla.redhat.com/show_bug.cgi?id=481267
[5] http://www.openwall.com/lists/oss-security/2009/01/29/3
[6] http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53
Bug#513517: phpicalendar: Several vulnerabilities
Package: phpicalendar
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for phpicalendar.

CVE-2008-5840[0]:
| PHP iCalendar 2.24 and earlier allows remote attackers to bypass authentication by setting the phpicalendar and phpicalendar_login cookies to 1.

CVE-2008-5967[1]:
| admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.

CVE-2008-5968[2]:
| Directory traversal vulnerability in print.php in PHP iCalendar 2.24 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cookie_language parameter in a phpicalendar_* cookie, a different vector than CVE-2006-1292.

These issues read like common issues in php apps and I am wondering, whether phpicalendar is ready for a stable debian release. I think it should receive an audit first.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5840
    http://security-tracker.debian.net/tracker/CVE-2008-5840
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5967
    http://security-tracker.debian.net/tracker/CVE-2008-5967
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5968
    http://security-tracker.debian.net/tracker/CVE-2008-5968
Bug#507587: another CVE id about buffer overflows
retitle 507587 CVE-2008-5282,CVE-2008-6005,CVE-2009-0323: multiple buffer overflows
thanks

Hi

There is an additional CVE about buffer overflows.

CVE-2009-0323[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an HTML GI in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005.

There is some more information available here[1].

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0323
    http://security-tracker.debian.net/tracker/CVE-2009-0323
[1] http://www.coresecurity.com/content/amaya-buffer-overflows
Bug#513531: CVE-2008-4770: Arbitrary code execution via crafted RFB protocol data
Package: xvnc4viewer
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for vnc4.

CVE-2008-4770[0]:
| The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to encoding type.

The upstream patch[1] can be found in the redhat bugreport[2]. For lenny, this could be fixed via migration from unstable. Please CC secure-testing-t...@lists.alioth.debian.org when you email the release team and ask for the unblock, so we are kept in the loop. I guess the issue is also severe enough to warrant a DSA update. I haven't tried to exploit it yet though.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4770
    http://security-tracker.debian.net/tracker/CVE-2008-4770
[1] https://bugzilla.redhat.com/attachment.cgi?id=329323
[2] https://bugzilla.redhat.com/show_bug.cgi?id=480590
Bug#513158: CVE-2009-0260: Multiple cross-site scripting vulnerabilities
Package: python-moinmoin
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for moin.

CVE-2009-0260[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers to inject arbitrary web script or HTML via an AttachFile action to the WikiSandBox component with (1) the rename parameter or (2) the drawing parameter (aka the basename variable).

The upstream patch can be found here[1]. Please note that despite the CVE description, version 1.8.1 in sid is still vulnerable. Also, I haven't looked at the attack vector yet, but if we end up fixing this for stable as well, we should adjust the wikiutil.escape function to also take care of single quotes '. However, the patch should be trivial as well.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0260
    http://security-tracker.debian.net/tracker/CVE-2009-0260
[1] http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1
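The single-quote remark above is worth seeing in working code. The following is an added example, not MoinMoin's wikiutil.escape and not part of the upstream patch: escape_legacy() is a simplified model of an escaper that handles only &, <, > and (with quote=True) the double quote, escape_fixed() additionally encodes the single quote, and both are rendered into an assumed single-quoted attribute template (the <input ... value='...'> markup, the function names and the PAYLOAD string are constructed for illustration). Python's own HTML parser is then used to check what a browser would see.

```python
# Added example: a simplified model of an HTML escaping helper, NOT MoinMoin's
# wikiutil.escape itself. escape_legacy() mirrors the common pattern that
# encodes &, <, > and (only when quote=True) the double quote; escape_fixed()
# also encodes the single quote, which is the case the report above asks for.
from html.parser import HTMLParser


def escape_legacy(s, quote=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def escape_fixed(s, quote=False):
    s = escape_legacy(s, quote)
    if quote:
        s = s.replace("'", "&#x27;")   # the missing case: single-quoted attributes
    return s


def render_rename_field(value, escape_fn):
    """Assumed template: a theme emitting the rename parameter inside a
    single-quoted attribute. Double-quote escaping alone does nothing here."""
    return "<input type='text' name='rename' value='%s'>" % escape_fn(value, quote=True)


class _AttrCollector(HTMLParser):
    """Collects the attributes the parser sees on the <input> tag, i.e. what
    a browser would actually interpret, with character references decoded."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(fragment):
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.attrs


# Constructed attacker-controlled value for the rename parameter: it closes the
# single-quoted attribute and smuggles in an event handler.
PAYLOAD = "x' onfocus='alert(1)' autofocus='"


def demo():
    legacy = parse_input_attrs(render_rename_field(PAYLOAD, escape_legacy))
    fixed = parse_input_attrs(render_rename_field(PAYLOAD, escape_fixed))
    # legacy: {'type': 'text', 'name': 'rename', 'value': 'x', 'onfocus': 'alert(1)', 'autofocus': ''}
    # fixed:  {'type': 'text', 'name': 'rename', 'value': "x' onfocus='alert(1)' autofocus='"}
    return legacy, fixed


if __name__ == "__main__":
    for name, attrs in zip(("legacy", "fixed"), demo()):
        print(name, attrs)
```

The parser check is the useful part: with the legacy escaper the browser sees a separate onfocus attribute, with the fixed one the whole payload stays inside value. The same reasoning applies to any escaper that is only "complete" for double-quoted context.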
Bug#511493: CVE-2008-5557: buffer overflow
Package: php5
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for php5.

CVE-2008-5557[0]:
| Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.

There is some more information available in the php bugreport[1], including the PoC which seems to work.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557
    http://security-tracker.debian.net/tracker/CVE-2008-5557
[1] http://bugs.php.net/bug.php?id=45722
Bug#510918: CVE-2008-5514: Off-by-one error
Package: uw-imap
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for uw-imap.

CVE-2008-5514[0]:
| Off-by-one error in the rfc822_output_char function in the RFC822BUFFER routines in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit before imap-2007e and other applications, allows context-dependent attackers to cause a denial of service (crash) via an e-mail message that triggers a buffer overflow.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. The issue has been fixed in lenny already via the latest DTSA. The patch just needs to be applied for sid.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5514
    http://security-tracker.debian.net/tracker/CVE-2008-5514
Bug#509024: php-xajax: XSS issue (incomplete patch for CVE-2007-2739)
Package: php-xajax
Severity: grave
Justification: user security hole
Tags: security

Hi

The patch for CVE-2007-2739 seems to be incomplete as already discussed via private mail. Just using htmlspecialchars(), instead of the replace calls should do the trick. I've requested a new CVE id for this and will paste it here as soon as I get it.

Cheers
Steffen
Bug#509024: php-xajax: XSS issue (incomplete patch for CVE-2007-2739)
severity 509024 normal
thanks

On Wed, 17 Dec 2008 06:03:45 pm Nico Golde wrote:

Hi,
* Steffen Joeris steffen.joe...@skolelinux.de [2008-12-17 17:53]:
The patch for CVE-2007-2739 seems to be incomplete as already discussed via private mail. Just using htmlspecialchars(), instead of the replace calls should do the trick. I've requested a new CVE id for this and will paste it here as soon as I get it.

Why do you think it is incomplete? You can't do an XSS just with and without the other characters that are escaped. Just because the patch doesn't escape anything htmlspecialchars does doesn't mean it's incomplete. I suggest you downgrade this bug to normal as there is no reason to fix this with some selfmade hack.

Could develop into a potential CSRF, don't have an exploit here. Should be properly fixed.

Cheers
Steffen
Bug#508940: CVE-2008-5379: Symlink attack
Package: netdisco-mibs-installer
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for netdisco-mibs-installer.

CVE-2008-5379[0]:
| netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/netdisco-mibs-0.6.tar.gz temporary file, related to the (1) netdisco-mibs-install and (2) netdisco-mibs-download scripts.

The best way is to use mktemp in shell scripts, which should work for this package too.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5379
    http://security-tracker.debian.net/tracker/CVE-2008-5379
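To make the mktemp advice concrete, here is an added example that is not netdisco-mibs-installer's own code: it reproduces the symlink attack from the CVE text inside a throwaway directory and shows why a randomly named file opened with O_CREAT|O_EXCL (what mktemp(1) gives a shell script; tempfile.mkstemp is the Python equivalent used here) is not affected. The file names, the "victim" file and the payload strings are constructed for the demonstration.

```python
# Added example, not the package's code: the CVE-2008-5379 class of bug,
# reproduced in a private temporary directory, beside the mktemp-style fix.
import os
import tempfile

PREDICTABLE = "netdisco-mibs-0.6.tar.gz"   # the fixed name from the CVE text


def _plant_symlink(sandbox):
    """Attacker's move: the shared directory already contains a symlink at the
    well-known name, pointing at a file the attacker wants clobbered."""
    victim = os.path.join(sandbox, "victim.conf")
    with open(victim, "w") as f:
        f.write("original\n")
    os.symlink(victim, os.path.join(sandbox, PREDICTABLE))
    return victim


def vulnerable_download():
    """Script's move in the vulnerable version: open the fixed path for
    writing. open(2) follows the planted link, so the victim is truncated
    and overwritten. Returns the victim's content afterwards."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = _plant_symlink(sandbox)
        with open(os.path.join(sandbox, PREDICTABLE), "w") as f:
            f.write("attacker-chosen payload\n")
        with open(victim) as f:
            return f.read()


def safe_download():
    """Fixed version: mkstemp chooses a random name and opens it with
    O_CREAT|O_EXCL and mode 0600, so a pre-planted name is never reused.
    Returns the victim's content, which stays untouched."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = _plant_symlink(sandbox)
        fd, path = tempfile.mkstemp(prefix="netdisco-mibs.", suffix=".tar.gz", dir=sandbox)
        with os.fdopen(fd, "w") as f:
            f.write("attacker-chosen payload\n")
        with open(victim) as f:
            return f.read()


def excl_open_refuses_planted_name():
    """The property mktemp relies on: even if the attacker guessed the name,
    O_EXCL makes the open fail on an existing path (symlinks included)
    instead of following it. Returns True when the open is refused."""
    with tempfile.TemporaryDirectory() as sandbox:
        _plant_symlink(sandbox)
        try:
            os.open(os.path.join(sandbox, PREDICTABLE),
                    os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return True
        return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_download().strip())       # attacker-chosen payload
    print("safe:      ", safe_download().strip())             # original
    print("O_EXCL refuses planted name:", excl_open_refuses_planted_name())
```

In a shell script the equivalent is `TARBALL=$(mktemp /tmp/netdisco-mibs.XXXXXX) || exit 1` followed by writing only to "$TARBALL", plus a trap that removes it on exit; the point of mktemp is exactly the random name plus O_EXCL creation shown by the last function.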
Bug#506741: wireshark: DoS caused by sending a SMTP request with large content
On Wed, 3 Dec 2008 07:55:42 pm Joost Yervante Damad wrote:

On Wednesday 03 December 2008 15:10:12 Frederic Peters wrote:

Mark Purcell wrote:

On Monday 24 November 2008 22:58:38 Steffen Joeris wrote:

Packages for lenny and sid build fine with the patch, I haven't tested them though. Could you get back to me wrt fixes for lenny?

Frederic, Joost, This RC bug, with patch, has been filed against your package for over a week without a comment from you. Are you in a position to comment on the bug/ patch and/or upload a fixed package to address this RC bug?

Sorry I haven't been responsive; I am currently away from home without access to my gpg key, or a build environment actually. I don't know Joost's situation; but I believe wireshark could be maintained by a bigger team…

Hi all, I'll upload a new version to testing-security (based on last upload by Steffen) tonight, if that's okay for you, Steffen?

Please go ahead. Next time a debdiff would be nice, but I do not have a problem to filter it out of the upload for testing-security.

Cheers
Steffen
Bug#507587: CVE-2008-5282: multiple buffer overflows
Package: amaya
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for amaya.

CVE-2008-5282[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1 allow remote attackers to execute arbitrary code via (1) a link with a long HREF attribute, and (2) a DIV tag with a long id attribute.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5282
    http://security-tracker.debian.net/tracker/CVE-2008-5282
Bug#507183: cups: integer overflow in the image size validation code
Package: cups
Version: 1.3.8-1lenny3
Severity: grave
Tags: security, patch
Justification: user security hole

Hi Martin

Cups upstream just fixed another integer overflow[0], which was introduced due to an incomplete fix for CVE-2008-1722. The upstream commit can be found here[1]. A CVE id has been requested and I'll post it as soon as it is available.

Cheers
Steffen

[0]: http://www.cups.org/str.php?L2974
[1]: http://www.cups.org/strfiles/2974/str2974.patch
Bug#507185: moodle: Several code copies
Package: moodle
Severity: serious
Justification: Unknown

Hi

The moodle package embeds several code copies. At the moment the list includes:

libphp-phpmailer
tinymce
libphp-adodb
libphp-snoopy
kses
domxml-php4-to-php5.php
libmarkdown-php

There are a few others that are simply not yet packaged for debian:

ipatlas
htmlArea
bennu

The second list is not a bug atm, but once they are included in debian moodle should use them, instead of using copies. I do understand that you want moodle in lenny. However, it would be much appreciated, if you could check whether just depending on the debian package is sufficient. Otherwise it creates more work for the security team when issuing updates.

Cheers
Steffen
Bug#506942: Buffer overflow exploit in versions until 2.1.8
Hi Martin

I just received the attached message from No-IP.com. This affects stable and testing. I might be tired, but where does this differ from #506179, which is fixed in unstable?

Cheers
Steffen
Bug#506741: wireshark: DoS caused by sending a SMTP request with large content
Package: wireshark
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

the following remotely exploitable vulnerability in Wireshark's SMTP dissector has been reported:

References:
http://packetstormsecurity.org/0811-advisories/wireshark104-dos.txt
http://bugs.gentoo.org/show_bug.cgi?id=248425
https://bugzilla.redhat.com/show_bug.cgi?id=472737
http://www.nabble.com/-SVRT-04-08--Vulnerability-in-WireShark-1.0.4-for-DoS-Attack-td20640164.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-11/msg00166.html

Proposed upstream patches:
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24989r2=24988pathrev=24989view=patch
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24994r2=24993pathrev=24994view=patch

A CVE id has been requested and I'll forward it to the bugreport once it is available. Packages for lenny and sid build fine with the patch, I haven't tested them though. Could you get back to me wrt fixes for lenny?

Cheers
Steffen
Bug#504894: another SA issue
Hi

Please also see this advisory[0] as an additional issue.

Description:
A vulnerability has been reported in Nagios, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to perform unspecified actions e.g. when a logged-in user visits a malicious web site. The vulnerability is reported in versions prior to 3.0.5.

Cheers
Steffen

[0]: http://secunia.com/Advisories/32543/
Bug#504977: ffmpeg-debian: Several security issues
Package: ffmpeg-debian
Version: 0.svn20080206-14
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for ffmpeg.

CVE-2008-4869[0]:
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a Tcp/udp memory leak.

CVE-2008-4868[1]:
| Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free on random pointers.

CVE-2008-4867[2]:
| Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as used by MPlayer, allows context-dependent attackers to have an unknown impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.

CVE-2008-4866[3]:
| Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9 before r14715, as used by MPlayer, allow context-dependent attackers to have an unknown impact via vectors related to execution of DTS generation code with a delay greater than MAX_REORDER_DELAY.

The last three issues are fixed in experimental. I lack information about the first one, so I am not sure. Do you have any further information? Also etch shouldn't be affected by the last three issues. We should address them in lenny though. The upstream patches are here[4][5][6][7]. It would be great, if you could upload to unstable with high urgency and ask the release team for an unblock.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4869
    http://security-tracker.debian.net/tracker/CVE-2008-4869
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4868
    http://security-tracker.debian.net/tracker/CVE-2008-4868
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4867
    http://security-tracker.debian.net/tracker/CVE-2008-4867
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4866
    http://security-tracker.debian.net/tracker/CVE-2008-4866
[4] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016011.html
[5] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016012.html
[6] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016352.html
[7] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016136.html
Bug#504977: ffmpeg-debian: Several security issues
Hi

CVE-2008-4868[1]:
| Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free on random pointers.

Forget about this one, it seems to be fixed in our versions.

[7] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016136.html

This is the corresponding commit.

Cheers
Steffen
Bug#504283: CVE-2007-3215: phpmailer issue (embedded code-copy)
Package: phpgroupware
Severity: grave
Tags: security, patch
Justification: user security hole

Hi Peter,

the following CVE (Common Vulnerabilities & Exposures) id was published for egroupware-core.

CVE-2007-3215[0]:
| PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

You'll find a patch for the issue here[1]. However, it would be nice, if you could depend on the libphp-phpmailer package, instead of shipping a copy of the code.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
    http://security-tracker.debian.net/tracker/CVE-2007-3215
[1] http://klecker.debian.org/~white/libphp-phpmailer/class.phpmailer.php.patch
Bug#504255: CVE-2007-3215: remote shell command execution in
On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote: On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote: Thanks for spotting this problem. The referred [2] patch is actually not exactly applicable to the version of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct one is attached. I'll try and work on preparing a patched package later today. Best regards, Here's a proposed change for the source package, that should solve this problem. $ interdiff -z phpgroupware_0.9.16.011-2.2.diff.gz phpgroupware_0.9.16.011-2.3.diff.gz diff -u phpgroupware-0.9.16.011/debian/changelog phpgroupware-0.9.16.011/debian/changelog --- phpgroupware-0.9.16.011/debian/changelog +++ phpgroupware-0.9.16.011/debian/changelog @@ -1,3 +1,11 @@ +phpgroupware (0.9.16.011-2.3) stable-security; urgency=high + + * Non-maintainer upload. + * Fix remote shell command execution in class.phpmailer.php : +CVE-2007-3215 (Closes: #504255). + + -- Olivier Berger [EMAIL PROTECTED] Sun, 02 Nov 2008 11:36:15 +0100 + phpgroupware (0.9.16.011-2.2) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- phpgroupware-0.9.16.011.orig/felamimail/inc/class.phpmailer.inc.php +++ phpgroupware-0.9.16.011/felamimail/inc/class.phpmailer.inc.php 
@@ -591,9 +591,9 @@ */ function sendmail_send($header, $body) { if ($this-Sender != ) -$sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail, $this-Sender); + $sendmail = sprintf(%s -oi -f %s -t, escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender)); else -$sendmail = sprintf(%s -oi -t, $this-Sendmail); + $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail)); if([EMAIL PROTECTED] = popen($sendmail, w)) { - Note that I haven't tested phpgroupware-felamimail to see if this patch is valid. I'm not so sure about the changelog format also... and in any case, I can't upload it. Can someone from the security team take care of review and the upload ? The patch looks good. I'll sponsor the upload. Thanks for your work. Cheers Steffen P.S. If you want to use phpmailer stuff again, please use a dependency against libphp-phpmailer ;) signature.asc Description: This is a digitally signed message part.
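Review bot: the two interpolated values in the sendmail_send hunk are escaped differently, and that asymmetry is what to check before sponsoring: `$this->Sender` gets escapeshellarg(), which quotes the whole value and is the right fix for the user-influenced envelope sender that CVE-2007-3215 is about, but `$this->Sendmail` only gets escapeshellcmd(), which neutralises metacharacters yet still lets a value containing whitespace pass additional arguments to the program. That is acceptable only if Sendmail comes from configuration and never from request data, so confirm felamimail does not expose it. Two smaller points: the context line `if([EMAIL PROTECTED] = popen($sendmail, w)) {` has been mangled by the archive's address masking, not by the patch, so apply against the real class.phpmailer.inc.php rather than this rendering; and since the package uses a patch system, the change should be carried as a debian patch instead of being applied to the source file directly.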
Bug#504255: CVE-2007-3215: remote shell command execution in
On Sun, 2 Nov 2008 11:34:28 pm Steffen Joeris wrote: On Sun, 2 Nov 2008 09:49:32 pm Olivier Berger wrote: On Sunday 02 November 2008 at 11:13 +0100, Olivier Berger wrote: Thanks for spotting this problem. The referred [2] patch is actually not exactly applicable to the version of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct one is attached. I'll try and work on preparing a patched package later today. Best regards, Here's a proposed change for the source package, that should solve this problem. $ interdiff -z phpgroupware_0.9.16.011-2.2.diff.gz phpgroupware_0.9.16.011-2.3.diff.gz diff -u phpgroupware-0.9.16.011/debian/changelog phpgroupware-0.9.16.011/debian/changelog --- phpgroupware-0.9.16.011/debian/changelog +++ phpgroupware-0.9.16.011/debian/changelog @@ -1,3 +1,11 @@ +phpgroupware (0.9.16.011-2.3) stable-security; urgency=high + + * Non-maintainer upload. + * Fix remote shell command execution in class.phpmailer.php : +CVE-2007-3215 (Closes: #504255). + + -- Olivier Berger [EMAIL PROTECTED] Sun, 02 Nov 2008 11:36:15 +0100 + phpgroupware (0.9.16.011-2.2) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- phpgroupware-0.9.16.011.orig/felamimail/inc/class.phpmailer.inc.php +++ phpgroupware-0.9.16.011/felamimail/inc/class.phpmailer.inc.php 
@@ -591,9 +591,9 @@ */ function sendmail_send($header, $body) { if ($this-Sender != ) -$sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail, $this-Sender); + $sendmail = sprintf(%s -oi -f %s -t, escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender)); else -$sendmail = sprintf(%s -oi -t, $this-Sendmail); + $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail)); if([EMAIL PROTECTED] = popen($sendmail, w)) { - Note that I haven't tested phpgroupware-felamimail to see if this patch is valid. I'm not so sure about the changelog format also... and in any case, I can't upload it. Can someone from the security team take care of review and the upload ? The patch looks good. I'll sponsor the upload. Thanks for your work. Cheers Steffen P.S. If you want to use phpmailer stuff again, please use a dependency against libphp-phpmailer ;) One more thing, the package uses a patch system, so I'll add the patch there, instead of applying it directly. Cheers Steffen signature.asc Description: This is a digitally signed message part.
Bug#504150: snmpd: DoS in getbulk handling code in net-snmp
Package: snmpd
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following announcement has been released by net-snmp upstream:

SECURITY ISSUE: A bug in the getbulk handling code could let anyone with even minimal access crash the agent. If you have open access to your snmp agents (bad bad bad; stop doing that!) or if you don't trust everyone that does have access to your agents you should updated immediately to prevent potential denial of service attacks.

You can find the upstream patch here[0], which applies fine to the sid version. Once we get a CVE id for this issue, I'll forward it to this bugreport. For lenny, I guess an upload to sid with high urgency should be sufficient. I'll email you soon about the stable situation.

Cheers
Steffen

[0]: http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/tags/Ext-5-4-2-1/net-snmp/agent/snmp_agent.c?view=patchr1=17272r2=17271pathrev=17272
Bug#504168: CVE-2008-4796: missing input sanitising
Package: libphp-snoopy
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for libphp-snoopy.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. NOTE: some of these details are obtained from third party information.

You can find the extracted upstream patch here[1]. Please include it as soon as possible, upload with high urgency and ask the release team for an unblock, so it can go into lenny.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Bug#504169: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Package: ampache
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for ampache.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. NOTE: some of these details are obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Bug#504170: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Package: mahara
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for mahara.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.

From what I can see you have two small patches in your copy of Snoopy.class.php. However, if I am not mistaken, both could probably go into the libphp-snoopy package, so please talk to the maintainer, if you really depend on them.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Bug#504171: CVE-2008-4796: missing input sanitising
Package: pixelpost
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for pixelpost.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Bug#504172: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Package: mediamate
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for mediamate.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

From what I can see there might be one or two patches in your Snoopy.class.php file, which you might want to forward to the libphp-snoopy maintainer. (For example I was looking at the proxy stuff).

Also, since the package is in stable (etch), I'd like to know in which way the php library is invoked and how vulnerable to attacks the stable version is. If it is severe enough, we should prepare a DSA, otherwise an update could go through s-p-u.

Thanks for your work on mediamate.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Bug#504173: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Package: opendb
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for opendb.

CVE-2008-4796[0]:
| The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
| and earlier allows remote attackers to execute arbitrary commands via
| shell metacharacters in https URLs. NOTE: some of these details are
| obtained from third party information.

The extracted patch for Snoopy.class.php can be found here[1]. However it would be much appreciated (and it is a release goal anyway), if you could just depend on libphp-snoopy, instead of duplicating the code. (Maybe you need to change some includes, I didn't check that). That would make life much easier for the security team. The libphp-snoopy package even ships a newer version of Snoopy.class.php.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Also, since the package is in stable (etch), I'd like to know in which way the php library is invoked and how vulnerable to attacks the stable version is. If it is severe enough, we should prepare a DSA, otherwise an update could go through s-p-u.

Thanks for your work on opendb.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
    http://security-tracker.debian.net/tracker/CVE-2008-4796
[1] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch
Bug#504169: CVE-2008-4796: missing input sanitising in Snoopy.class.php
Hi Charlie

> Thanks for the bug report. I have addressed this issue in ampache-3.4.3-1
> which is currently on m.d.n [1] awaiting sponsoring.
>
> With Lenny so close to release I am contacting my usual sponsor for guidance
> on which would be the best solution for this bug:
> a. use supplied patch, or
> b. upload ampache-3.4.3-1
>
> Best Regards
> Charlie
>
> [1] http://mentors.debian.net/debian/pool/main/a/ampache

This version won't help. First of all, I strongly doubt that the release team would accept such intrusive changes for lenny. Second, the file should just be removed and a dependency added against libphp-snoopy. Of course you will have to check that it still works correctly. Keep in mind that avoiding code duplication is a release goal and thus it is an RC bug to duplicate certain code. Especially, if it is already provided and could be used via a dependency.

Cheers
Steffen

signature.asc
Description: This is a digitally signed message part.
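The CVE-2008-4796 text carried in each of the Snoopy bug reports above describes one vulnerability class: a caller-supplied https URL reaches a shell command line with its metacharacters intact. The PHP below is an added example to make that concrete; it is not Snoopy's `_httpsrequest` and not the upstream patch linked from the reports. It assumes a helper that hands the URL to curl as the external fetcher (an assumption, since the reports do not say how Snoopy invokes its fetch tool) and puts the vulnerable builder beside two hardened forms: one that quotes the argument, and one that avoids the shell altogether.

```php
<?php
// Added example for the CVE-2008-4796 vulnerability class. This is NOT
// Snoopy's _httpsrequest and NOT the upstream patch; the helper names and the
// use of curl as the external fetcher are assumptions made for illustration.
declare(strict_types=1);

// Vulnerable pattern: the caller-supplied URL is interpolated into a shell
// command line. A ';', '`' or '$(' inside the URL ends the curl command and
// starts a new one once the string reaches /bin/sh.
function build_fetch_command_vulnerable(string $url): string
{
    return "curl -k -s $url";
}

// Hardening step 1: accept only well-formed https URLs. This narrows what can
// reach the command builder at all (a value starting with '-' can no longer
// be mistaken for a curl option, for instance), but on its own it is NOT
// sufficient, because ';', '&' and '$' are legal URL characters.
function validate_https_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    return is_array($parts)
        && ($parts['scheme'] ?? '') === 'https'
        && !empty($parts['host']);
}

// Hardening step 2: pass the URL as one literal shell word. escapeshellarg()
// wraps it in single quotes and escapes embedded single quotes, so the shell
// never interprets metacharacters inside it.
function build_fetch_command_hardened(string $url): string
{
    if (!validate_https_url($url)) {
        throw new InvalidArgumentException("refusing non-https or malformed URL: $url");
    }
    return 'curl -k -s ' . escapeshellarg($url);
}

// Preferred form: do not involve a shell at all. Since PHP 7.4, proc_open()
// accepts an argv array and executes the program directly, so there is no
// command line to inject into. This returns the argv; running it is the
// caller's job and is deliberately not done here.
function fetch_argv(string $url): array
{
    if (!validate_https_url($url)) {
        throw new InvalidArgumentException("refusing non-https or malformed URL: $url");
    }
    return ['curl', '-k', '-s', $url];
}

// Constructed inputs for the demonstration; nothing is executed.
$benign  = 'https://example.com/index.html';
$hostile = 'https://example.com/;echo%20injected';   // ';' is a legal path character

foreach ([$benign, $hostile] as $url) {
    echo "URL:        $url\n";
    echo "vulnerable: " . build_fetch_command_vulnerable($url) . "\n";
    echo "hardened:   " . build_fetch_command_hardened($url) . "\n";
    echo "argv:       " . json_encode(fetch_argv($url), JSON_UNESCAPED_SLASHES) . "\n\n";
}
```

Run with `php example.php`: for the second URL the vulnerable builder yields a command line in which everything after the `;` is a separate shell command, the hardened builder yields `curl -k -s 'https://example.com/;echo%20injected'` (a single quoted word), and the argv form never produces a command line at all. The lesson for reviewing any of the packages above is that validating the URL alone is not a fix; the shell must either be handed a quoted argument or be taken out of the path.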
Bug#449497: foo2zjs dispute
reassign 449497 tech-ctte,foo2zjs
thanks

Dear Technical Committee Members

Currently, there is a dispute about a certain part of the foo2zjs package. Unfortunately, we do not seem to be able to solve it and thus require your assistance. We have tried to get a paragraph together to state the problem, but it seems we ended up with two different paragraphs. The first one is from the maintainer (myself) and the second one belongs to the bug submitter (Michael Gilbert). Could you please pass your judgement on this case? You will find further information in the bugreport and I am sure that the submitter as well as the maintainers are happy to answer any follow-up questions. At the moment, the bug is marked as RC, which might have an impact for the lenny release.

Thanks in advance for your time and judgement.

Cheers
Steffen

Maintainer:
--
The problem is as follows. The submitter sees the inclusion of the getweb script as a violation of the DFSG. The script is provided by upstream to download non-free firmware from his upstream webpage. The package includes documentation in README.Debian and a GUI interface (hannah-foo2zjs) around the getweb script for the user's convenience. Some printers need this non-free firmware to run, others don't. More information can be found in the bugreport. Could we please ask you to settle this dispute?

Submitter:
--
The submitter sees the getweb script's dependencies on external data/files as potentially dangerous. Once the package enters stable, upstream changes (moving/modifying files, etc.) can break functionality -- leading to a package that can no longer be considered stable. External dependencies also potentially leave users vulnerable to security risks (the upstream site could be spoofed or hijacked and malicious files hosted instead of the legitimate firmware files). Also, the submitter views external dependencies as a possible violation of the spirit of the debian policy, which currently is not explicitly clear on the issue.

Section 2.2.1 says ... the packages in main must not require a package outside of main for compilation or execution (thus, the package must not declare a 'Depends', 'Recommends', or 'Build-Depends' relationship on a non-main package). This makes the policy clear about packages, but it does not address dependencies on other external non-packaged non-free files. It is the submitter's belief that Debian's policy should be reworded for clarity on situations such as this.
Bug#449497: TC proposal for dispute (was: Re: foo2zjs: application depends on non-free firmware)
Hi

I am upset that you again raised the severity without consulting anyone. The package as it stands is DFSG free and the getweb script is there for the convenience of the users as well as the documentation. Your arguments haven't changed my opinion. However, it doesn't look like we are finding an agreement on this issue. I have pinged the release team on IRC for a statement, but maybe this issue deserves some attention from another body of debian. Therefore, I suggest we write up a paragraph for the TC following their guidelines[0]. My proposal would be:

Dear TC members

Bug #449497 has been reported against foo2zjs. The maintainers and the submitter do not seem to reach an agreement. The problem is as follows. The submitter sees the inclusion of the getweb script as a violation of the DFSG. The script is provided by upstream to download non-free firmware from his upstream webpage. The package includes documentation in README.Debian and a GUI interface (hannah-foo2zjs) around the getweb script for the user's convenience. Some printers need this non-free firmware to run, others don't. More information can be found in the bugreport. Could we please ask you to settle this dispute?

Do you concur with this paragraph or would you like to add any adjustments? Please keep them as technical as possible. Once we can agree on such a paragraph, I am happy to send it to the committee, CC you and keep a copy in the BTS.

Cheers
Steffen

[0]: http://www.debian.org/devel/tech-ctte
Bug#449497: foo2zjs: application depends on non-free firmware
Hi

I understand your sentiment, and it is indeed a grey area situation. If I take policy literally, I think this package is fine in main, but it is not as simple...

In order to get this bug rolling (and lenny released ;-) ), can you all live with me splitting up the package in two packages:
1) foo2zjs: this contains everything, and lives in main, which Suggests:
2) foo2zjs-contrib: this contains getweb

I know a package with just a script is not nice, but it is more in the spirit of the debian policy indeed. I would like to hear Michael's word on it, since he was the more active one during the last uploads. In fact, I am happy to give up maintainership, as this package (and the tiresome discussion around it) is really no fun.

Maybe Michael would like to step in and help out maintaining the package?

Cheers
Steffen
Bug#449497: foo2zjs: application depends on non-free firmware
Hi

> Sorry for the confusing statement here.
>
> > I understand your sentiment, and it is indeed a grey area situation. If I
> > take policy literally, I think this package is fine in main, but it is not
> > as simple...
> >
> > In order to get this bug rolling (and lenny released ;-) ), can you all
> > live with me splitting up the package in two packages:
> > 1) foo2zjs: this contains everything, and lives in main, which Suggests:
> > 2) foo2zjs-contrib: this contains getweb
> >
> > I know a package with just a script is not nice, but it is more in the
> > spirit of the debian policy indeed. I would like to hear Michael's word
> > on it, since he was the more active one during the last uploads. In fact,
> > I am happy to give up maintainership, as this package (and the tiresome
> > discussion around it) is really no fun.
>
> This refers to Michael Koch (also maintainer of the package).
>
> > Maybe Michael would like to step in and help out maintaining the package?
>
> Here I mean the submitter :)

That would be great.

> It is indeed not my intention at all to step on your toes, I'm just your
> friendly lenny pusher ;)

I know, it's just a big frustration to deal with this package :/

Thanks for your work on the release and caring about RC bugs.

Cheers
Steffen
Bug#449497: foo2zjs: application depends on non-free firmware
On Sun, 26 Oct 2008 10:12:49 pm Luca Capello wrote:
> Hi there!
>
> On Sun, 26 Oct 2008 08:03:46 +0100, Steffen Joeris wrote:
> > On Sun, 26 Oct 2008 07:38:51 +0100, Joost Yervante Damad wrote:
> > > I understand your sentiment, and it is indeed a grey area situation.
> > > If I take policy literally, I think this package is fine in main, but
> > > it is not as simple...
> > >
> > > In order to get this bug rolling (and lenny released ;-) ), can you
> > > all live with me splitting up the package in two packages:
> > > 1) foo2zjs: this contains everything, and lives in main, which Suggests:
> > > 2) foo2zjs-contrib: this contains getweb
>
> I strongly object to a single-script package. Quickly speaking, I think
> the situation is similar to the kernel firmware issue ATM discussed on
> d-d (started at [1]): foo2zjs, the software, seems to be perfectly fine
> for main, not only because as Steffen already pointed out some printers
> can work without the non-free firmware [2][3]. And despite upstream
> opinion [4], all the non-free files have already been stripped out from
> the package [5]. The only problem remaining for foo2zjs in main is then
> the getweb script: this can be broken because upstream changes his
> website layout, but this is nothing different than any other simple bug.
> If this happened, then we'll fix it, full stop.
>
> > > I know a package with just a script is not nice, but it is more in the
> > > spirit of the debian policy indeed. I would like to hear Michael's word
> > > on it, since he was the more active one during the last uploads. In
> > > fact, I am happy to give up maintainership, as this package (and the
> > > tiresome discussion around it) is really no fun. Maybe Michael would
> > > like to step in and help out maintaining the package?
>
> Since I needed this package and it was broken/not-updated in lenny, I
> spent some time on it and already offered to take over maintenance [6],
> but no one replied yet. Again, I volunteer to become part of the Debian
> maintainer team.

Please send me your alioth login and I'll add you to the foo2zjs project on alioth.

I do understand that it is problematic to just download some files from some upstream homepage. There should be a warning added to the download gui and it should then list all the files that were downloaded. This way, the admin is at least informed. Nonetheless, the package in main at the moment is not non-free.

Cheers
Steffen
Bug#449497: foo2zjs: application depends on non-free firmware
severity 449497 important
thanks

On Sun, 26 Oct 2008 11:40:34 pm Joost Yervante Damad wrote:
> Hi Luca,
>
> > [3] not that I checked with such printers, I'm only in touch with one
> > that needs a non-free firmware
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
>
> So you don't think that your usage of the package is more contrib than
> main? Personally I find it a rather grey unclear situation. It seems the
> package can be used without any external files, yet in practice, for a
> lot of people it is only usable with external files.. Since the package
> currently lives in main, I personally can live with how it is
> currently... the bug submitter seems to think differently though...
> Bottom line is, that dependent on the hardware, the package as it lives
> in main is usable or NOT. Yet I think that it fits within the current
> practice in Debian. I don't think the purpose of this bug is to change
> the interpretation of Debian policy... as Luca pointed out, people are
> doing that already heavily enough in Debian-Devel ;-)
>
> Maybe we should mark the bug lenny-ignore ;)

I guess it would be up to the release team to set this tag. Anyway, I am still not convinced that it is RC. The package works fine for certain printers without any firmware. However, some need it, which is clearly stated in the README.Debian file. Furthermore, we are offering a GUI program and the upstream script to download the firmware for the user's convenience. IMHO this does not justify the move to contrib or non-free. Now I am lowering the severity of the bug to important (although I'd rather see it as wishlist). If people still disagree, please bring it to the attention of the technical committee, which can overrule my decision at any time.

Cheers
Steffen