[Bug 782298] Re: command injections in mysqld_multi
Yes, if some other program (GUI, server-side scripts, etc.) uses user-supplied data as input to the mysqld_multi command in vulnerable operations, it will be a security issue.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/782298

Title:
  command injections in mysqld_multi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.1/+bug/782298/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 792637] Re: dialog Segmentation fault
It happened in: Ubuntu 10.04.4 LTS.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/792637

Title:
  dialog Segmentation fault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dialog/+bug/792637/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 793694] [NEW] Format string bug in parselog.pl
Public bug reported:

Binary package hint: samba-doc

samba-doc/examples/scripts/eventlog/parselog.pl has a format string bug.

test case:

  emanuel@amd64 /tmp $ echo '1 1 1 %n' | perl /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl
  Modification of a read-only value attempted at /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl line 30, line 1.

  emanuel@amd64 /tmp $ echo '1 1 1 1 %n' | perl /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl
  Modification of a read-only value attempted at /usr/share/doc/samba-doc/examples/scripts/eventlog/parselog.pl line 30, line 1.

the bug can be found at:

  $outstr = sprintf "TMG: %d\nTMW: %d\nEID: 1000\nETP: INFO\nECT: 0\nRS2: 0\nCRN: 0\nUSL: 0\nSRC: Syslog\nSRN: $cname\nSTR: $ln\nDAT:\n\n",time(),time();

fix: use %s for $cname and $ln.

  $outstr = sprintf "TMG: %d\nTMW: %d\nEID: 1000\nETP: INFO\nECT: 0\nRS2: 0\nCRN: 0\nUSL: 0\nSRC: Syslog\nSRN: %s\nSTR: %s\nDAT:\n\n",time(),time(),$cname,$ln;

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793694
[Bug 793502] [NEW] Insecure temporary file creation in fsm_draw.py
Public bug reported:

Binary package hint: python-ubuntuone-client

ubuntuone-client/ubuntuone/syncdaemon/fsm/fsm_draw.py creates a temporary file with the fixed name graph.debug under /tmp.

test case:

  emanuel@emanuel-desktop:~$ export PYTHONPATH=/usr/share/xdot/
  emanuel@emanuel-desktop:~$ python /usr/share/pyshared/ubuntuone-client/ubuntuone/syncdaemon/fsm/fsm_draw.py /usr/share/pyshared/ubuntuone-client/ubuntuone/syncdaemon/u1fsfsm.py
  Parsing file... (Mon Jun 6 15:32:14 2011)
  Building graph... (Mon Jun 6 15:32:16 2011)
  Drawing...(Mon Jun 6 15:32:16 2011)
  emanuel@emanuel-desktop:~$ ls -laF /tmp/graph.debug
  -rw-r--r-- 1 emanuel emanuel 13587 2011-06-06 15:32 /tmp/graph.debug

the bug can be found at:

  dotcode = graph_base % "\n".join(graph_lines)
  if debug:
      a = open("/tmp/graph.debug", "w")
      a.write(dotcode)
      a.close()

fix: use mkstemp-like functionality.

** Affects: ubuntuone-client (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793502
[Bug 793533] [NEW] Insecure temporary file creation in asyncpk1.py
Public bug reported:

Binary package hint: system-config-printer-gnome

system-config-printer/asyncpk1.py creates a temporary file with the fixed name foo under /tmp.

test case:

  1) run python /usr/share/system-config-printer/asyncpk1.py
  2) click on Go
  3) click on Get file

Result: /tmp/foo created.

the bug can be found at:

  def get_file_clicked (self, button):
      self.my_file = file ("/tmp/foo", "w")
      self.conn.getFile ("/admin/conf/cupsd.conf", file=self.my_file,
                         reply_handler=self.got_file,
                         error_handler=self.get_file_error)

fix: use mkstemp-like functionality.

** Affects: system-config-printer (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793533
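The two temporary-file reports above (fsm_draw.py and asyncpk1.py) share one pattern, shown here as an added example that is not part of the original reports or of either project's code. It contrasts a fixed-name write with the mkstemp approach both reports suggest, inside a private sandbox directory; the function names, the sandbox layout and the sample contents are constructed for illustration.

```python
import os
import stat
import tempfile

DOT = "digraph fsm {}\n"            # constructed stand-in for the tool's debug output
ORIGINAL = "important settings\n"   # constructed content of an unrelated file


def write_fixed_name(tmpdir, data, name="graph.debug"):
    """The reported pattern: predictable name, plain open(..., "w")."""
    path = os.path.join(tmpdir, name)
    with open(path, "w") as fh:     # follows a symlink and truncates its target
        fh.write(data)
    return path


def write_mkstemp(tmpdir, data):
    """The suggested fix: mkstemp picks a random name and creates it with
    O_CREAT | O_EXCL and mode 0600, so an existing path is never reused."""
    fd, path = tempfile.mkstemp(prefix="graph-", suffix=".debug", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def write_exclusive(tmpdir, data, name="graph.debug"):
    """If the fixed name has to stay: refuse any pre-existing path or symlink."""
    path = os.path.join(tmpdir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # raises OSError (EEXIST) if the path exists
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def _read(path):
    with open(path) as fh:
        return fh.read()


def _write(path, data):
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Run all three writers against a directory where the predictable
    name already exists as a symlink to another file."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "tmp")   # stands in for world-writable /tmp
        os.mkdir(shared)
        target = os.path.join(sandbox, "target.conf")
        _write(target, ORIGINAL)
        # Precondition for the bug: the fixed name is already a symlink.
        os.symlink(target, os.path.join(shared, "graph.debug"))

        write_fixed_name(shared, DOT)
        results["fixed_name_overwrote_target"] = _read(target) == DOT

        _write(target, ORIGINAL)                # restore before the next case
        safe = write_mkstemp(shared, DOT)
        results["mkstemp_target_intact"] = _read(target) == ORIGINAL
        results["mkstemp_content_ok"] = _read(safe) == DOT
        mode = stat.S_IMODE(os.stat(safe).st_mode)
        results["mkstemp_private"] = (mode & 0o077) == 0

        try:
            write_exclusive(shared, DOT)
            results["exclusive_refused"] = False
        except OSError:
            results["exclusive_refused"] = True
        results["exclusive_target_intact"] = _read(target) == ORIGINAL
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(check, passed)
```

The `-rw-r--r--` listing in the fsm_draw.py report is the other half of the problem: the fixed-name file is also world-readable, while mkstemp creates it readable by the owner only.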
[Bug 793703] [NEW] Format string bug in shtags.pl
Public bug reported:

Binary package hint: vim-runtime

vim/vim73/tools/shtags.pl has a format string bug.

test case:

  emanuel@emanuel-desktop:~$ echo 1 > '/tmp/a%n'
  emanuel@emanuel-desktop:~$ /usr/share/vim/vim73/tools/shtags.pl '/tmp/a%n'
  Modification of a read-only value attempted at /usr/share/vim/vim73/tools/shtags.pl line 142, line 1.

the bug can be found at:

  printf "Using $shell for $ARGV\n";

fix: use %s for $shell and $ARGV

  printf "Using %s for %s\n" , $shell , $ARGV ;

** Affects: vim (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793703
[Bug 793280] [NEW] DoS window manager with extremely long button
Public bug reported:

Binary package hint: gxmessage

Displaying an extremely long button causes the window manager to crash.

test case:

  emanuel@emanuel-desktop:~$ gxmessage text -buttons `python -c "print 'A'*115000"`

  (gxmessage:8096): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
  The program 'gxmessage' received an X Window System error.
  This probably reflects a bug in the program.
  The error was 'RenderBadPicture (invalid Picture parameter)'.
    (Details: serial 316 error_code 158 request_code 148 minor_code 23)
    (Note to programmers: normally, X errors are reported asynchronously;
     that is, you will receive the error a while after causing it.
     To debug your program, run it with the --sync command line
     option to change this behavior. You can then get a meaningful
     backtrace from your debugger if you break on the gdk_x_error() function.)

** Affects: gxmessage (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793280
[Bug 793282] [NEW] DoS window manager with extremely long error
Public bug reported:

Binary package hint: zenity

Displaying an extremely long error causes the window manager to crash.
If the keyboard doesn't respond, log in on a tty and run compiz.

test case:

  emanuel@emanuel-desktop:~$ zenity --error --text=`python -c "print 'A'*115000"`

  (zenity:8369): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
  The program 'zenity' received an X Window System error.
  This probably reflects a bug in the program.
  The error was 'RenderBadPicture (invalid Picture parameter)'.
    (Details: serial 266 error_code 158 request_code 148 minor_code 8)
    (Note to programmers: normally, X errors are reported asynchronously;
     that is, you will receive the error a while after causing it.
     To debug your program, run it with the --sync command line
     option to change this behavior. You can then get a meaningful
     backtrace from your debugger if you break on the gdk_x_error() function.)

Sometimes it prints other messages:

  emanuel@emanuel-desktop:~$ zenity --error --text=`python -c "print 'A'*115000"`

  (zenity:8406): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
  zenity: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0.

** Affects: zenity (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793282
[Bug 793289] [NEW] DoS window manager with extremely long error
Public bug reported:

Binary package hint: vinagre

Displaying an extremely long error causes the window manager to crash.
If the keyboard doesn't respond, log in on a tty and run compiz.

test case:

  emanuel@emanuel-desktop:~$ vinagre --file=`python -c "print 'A'*115000"`

  (vinagre:8697): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
  vinagre: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0.

Sometimes it prints other messages:

  emanuel@emanuel-desktop:~$ vinagre --file=`python -c "print 'A'*115000"`

  (vinagre:8766): Gdk-WARNING **: Native Windows wider or taller than 65535 pixels are not supported
  The program 'vinagre' received an X Window System error.
  This probably reflects a bug in the program.
  The error was 'RenderBadPicture (invalid Picture parameter)'.
    (Details: serial 313 error_code 158 request_code 148 minor_code 8)
    (Note to programmers: normally, X errors are reported asynchronously;
     that is, you will receive the error a while after causing it.
     To debug your program, run it with the --sync command line
     option to change this behavior. You can then get a meaningful
     backtrace from your debugger if you break on the gdk_x_error() function.)

** Affects: vinagre (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793289
[Bug 793291] [NEW] DoS window manager with extremely long error
Public bug reported:

Binary package hint: nautilus

Displaying an extremely long error causes the window manager to crash.

test case:

  emanuel@emanuel-desktop:~$ nautilus `python -c "print 'A'*10"`

** Affects: nautilus (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793291
[Bug 793293] [NEW] DoS window manager with extremely long error
Public bug reported:

Binary package hint: pitivi

Displaying an extremely long error causes the window manager to crash.
If the keyboard doesn't respond, log in on a tty and run compiz.

test case:

  emanuel@emanuel-desktop:~$ pitivi `python -c "print 'A'*10"`
  /usr/lib/pitivi/python/pitivi/ui/mainwindow.py:827: GtkWarning: Native Windows wider or taller than 65535 pixels are not supported
    dialog.run()
  pitivi: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0.

Sometimes it prints other messages:

  emanuel@emanuel-desktop:~$ pitivi `python -c "print 'A'*10"`
  /usr/lib/pitivi/python/pitivi/ui/mainwindow.py:827: GtkWarning: Native Windows wider or taller than 65535 pixels are not supported
    dialog.run()
  The program 'pitivi' received an X Window System error.
  This probably reflects a bug in the program.
  The error was 'RenderBadPicture (invalid Picture parameter)'.
    (Details: serial 466 error_code 158 request_code 148 minor_code 8)
    (Note to programmers: normally, X errors are reported asynchronously;
     that is, you will receive the error a while after causing it.
     To debug your program, run it with the --sync command line
     option to change this behavior. You can then get a meaningful
     backtrace from your debugger if you break on the gdk_x_error() function.)

** Affects: pitivi (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/793293
[Bug 792258] [NEW] gnome-calculator Segmentation fault
Public bug reported:

Binary package hint: gcalctool

/usr/bin/gnome-calculator crashes with a Segmentation fault message and throws errors when it gets long input.

test case:

  emanuel@emanuel-desktop:~$ gcalctool -s `python -c "print 'A'*4"`
  gcalctool: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) ((av)-bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd old_size == 0) || ((unsigned long) (old_size) = (unsigned long)__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) ~((2 * (sizeof(size_t))) - 1))) ((old_top)-size 0x1) ((unsigned long)old_end pagemask) == 0)' failed.
  Aborted

  emanuel@emanuel-desktop:~$ gcalctool -s `python -c "print 'A'*5"`
  Segmentation fault

under GDB:

  Starting program: /usr/bin/gnome-calculator -s `python -c "print 'A'*5"`
  [Thread debugging using libthread_db enabled]

  Program received signal SIGSEGV, Segmentation fault.
  0x0805b0e2 in _mp_equation_lex ()

tested on: gnome-calculator 5.28.2

** Affects: gcalctool (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/792258
[Bug 792268] [NEW] xmessage X errors
Public bug reported:

Binary package hint: x11-utils

xmessage is unable to handle long input and crashes with an X error.

test case:

1)

  emanuel@emanuel-desktop:/tmp$ /usr/bin/xmessage 'text' -buttons `python -c "print 'A'*10"`
  X Error of failed request: BadAlloc (insufficient resources for operation)
    Major opcode of failed request: 53 (X_CreatePixmap)
    Serial number of failed request: 171
    Current serial number in output stream: 190

2) The window opened and immediately closed with an error.

  emanuel@emanuel-desktop:/tmp$ echo `python -c "print 'A'*100"` > /tmp/Z
  emanuel@emanuel-desktop:/tmp$ /usr/bin/xmessage -file /tmp/Z
  X Error of failed request: BadLength (poly request too large or internal Xlib length error)
    Major opcode of failed request: 74 (X_PolyText8)
    Serial number of failed request: 198
    Current serial number in output stream: 198

** Affects: x11-utils (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/792268
[Bug 792601] [NEW] update-binfmts Segmentation fault
Public bug reported:

Binary package hint: binfmt-support

/usr/sbin/update-binfmts crashes with a Segmentation fault message when it gets non-valid input for the display parameter (not cli\wine\jar\python2.7).

test case:

  emanuel@emanuel-desktop:/tmp$ /usr/sbin/update-binfmts --display sometext
  sometext (disabled):
  Segmentation fault

under GDB:

  Reading symbols from /usr/sbin/update-binfmts...(no debugging symbols found)...done.
  (gdb) r --display some-text
  Starting program: /usr/sbin/update-binfmts --display some-text
  some-text (disabled):

  Program received signal SIGSEGV, Segmentation fault.
  0x0804b961 in ?? ()
  (gdb)

** Affects: binfmt-support (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/792601
[Bug 792628] [NEW] xhost double free or corruption
Public bug reported:

Binary package hint: x11-xserver-utils

/usr/bin/xhost crashes with a very long hostname parameter.

test case:

  emanuel@emanuel-desktop:/tmp$ xhost SI:`python -c "print 'A'*1"`:`python -c "print 'A'*1"`
  *** glibc detected *** xhost: double free or corruption (out): 0x089a8f60 ***
  ======= Backtrace: =========
  /lib/i386-linux-gnu/libc.so.6(+0x6b961)[0x17b961]
  /lib/i386-linux-gnu/libc.so.6(+0x6d28b)[0x17d28b]
  /lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18041d]
  xhost[0x80491a9]
  xhost[0x8049af9]
  /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x126e37]
  xhost[0x8048ca1]
  Aborted

tested on: Ubuntu 11.04, x11-xserver-utils package version: 7.6+2

** Affects: x11-xserver-utils (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/792628
[Bug 792637] [NEW] dialog Segmentation fault
Public bug reported:

Binary package hint: dialog

dialog crashes with long input to the yesno and msgbox options.

test case:

  1) dialog --yesno `python -c "print 'A'*10"` 50 50
  2) dialog --msgbox `python -c "print 'A'*10"` 50 50

under GDB:

  Starting program: /usr/bin/dialog --msgbox `python -c "print 'A'*10"` 50 50

  Program received signal SIGSEGV, Segmentation fault.
  0x080668c2 in ?? ()

** Affects: dialog (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/792637
[Bug 792642] [NEW] xcutsel Buffer Overflow
Public bug reported:

Binary package hint: x11-apps

When /usr/bin/xcutsel gets 83 characters or more from the -selection option, it crashes with "buffer overflow detected".

test case:

  emanuel@emanuel-desktop:/tmp$ xcutsel -selection `python -c "print 'A'*1"`
  *** buffer overflow detected ***: xcutsel terminated
  ======= Backtrace: =========
  /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0xb1adf0]
  /lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0xb19cca]
  /lib/i386-linux-gnu/libc.so.6(+0xe43c8)[0xb193c8]
  /lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x95)[0xa9e7e5]
  /lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x2b06)[0xa74c66]
  /lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xad)[0xb1947d]
  /lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2d)[0xb193bd]
  xcutsel[0x804940c]
  /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0xa4be37]
  xcutsel[0x8048c51]
[Bug 791970] [NEW] Scite Buffer Overflow
Public bug reported:

Binary package hint: scite

There is a buffer overflow when the filename parameter is more than 4096 characters.

test case:

  emanuel@emanuel-desktop:~$ scite `python -c "print 'A'*5000"`
  *** buffer overflow detected ***: scite terminated

tested on versions: 2.26, 2.03

** Affects: scite (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/791970
[Bug 792063] [NEW] gconf-editor Segmentation fault
Public bug reported:

Binary package hint: gconf-editor

/usr/bin/gconf-editor crashes with a Segmentation fault message.

test case:

  emanuel@emanuel-desktop:~$ gconf-editor /A
  Segmentation fault

under GDB:

  Starting program: /usr/bin/gconf-editor /A
  [Thread debugging using libthread_db enabled]

  Program received signal SIGSEGV, Segmentation fault.
  0x0805ca52 in ?? ()

** Affects: gconf-editor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/792063
[Bug 781982] Re: Format string bug in mysqldumpslow
mysql-client-5.1 package version: 5.1.41-3ubuntu12.10

https://bugs.launchpad.net/bugs/781982
[Bug 781985] Re: Format string bugs in mysqlhotcopy
mysql-server-5.1 package version: 5.1.41-3ubuntu12.10

https://bugs.launchpad.net/bugs/781985
[Bug 783509] [NEW] hipercdecode buffer overflow detected
Public bug reported:

Binary package hint: foo2zjs

When /usr/bin/hipercdecode gets 11 characters or more from input (file or stdin), it crashes with the following message: buffer overflow detected.

test case:

  emanuel@emanuel-desktop:/tmp$ echo AAA > /tmp/11
  emanuel@emanuel-desktop:/tmp$ hipercdecode /tmp/11
  RECTYPE 1094795585 (len=1094795585,0x41414141 cnt=1)
  *** buffer overflow detected ***: hipercdecode terminated
  ======= Backtrace: =========
  /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0x70b390]
  /lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0x70a2ca]
  /lib/tls/i686/cmov/libc.so.6(__fread_chk+0x120)[0x70ab50]
  hipercdecode[0x804930c]
  hipercdecode[0x804a0c6]
  /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x63fbd6]
  hipercdecode[0x8048a81]
  Aborted

** Affects: foo2zjs (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/783509
[Bug 783603] [NEW] foomatic-combo-xml Buffer Overflow
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: foomatic-db-engine

/usr/bin/foomatic-combo-xml writes data given by parameters to a fixed char[1024] with sprintf, which can trigger a buffer overflow.

test case:

emanuel@emanuel-desktop:/tmp$ foomatic-combo-xml -l `python -c print 'A'*1007`
*** buffer overflow detected ***: foomatic-combo-xml terminated
emanuel@emanuel-desktop:/tmp$ foomatic-combo-xml -p `python -c print 'A'*244` -d 1
*** buffer overflow detected ***: foomatic-combo-xml terminated
emanuel@emanuel-desktop:/tmp$ foomatic-combo-xml -p 1 -d `python -c print 'A'*983`
*** buffer overflow detected ***: foomatic-combo-xml terminated

the bug can be found at:

sprintf(printerfilename, "%s/db/source/printer/%s.xml", libdir, pid);
sprintf(driverfilename, "%s/db/source/driver/%s.xml", libdir, driver);
sprintf(optiondirname, "%s/db/source/opt", libdir);
sprintf(driverdirname, "%s/db/source/driver", libdir);
sprintf(printerdirname, "%s/db/source/printer", libdir);
sprintf(optionfilename, "%s/db/source/opt/%s", libdir, direntry->d_name);

fix: replace sprintf with snprintf.

** Affects: foomatic-db-engine (Ubuntu)
Importance: Undecided
Status: New

** Visibility changed to: Public

https://bugs.launchpad.net/bugs/783603
[Bug 783610] [NEW] intel_upload_blit_* commands Segmentation fault
Public bug reported:

Binary package hint: intel-gpu-tools

I get a segmentation fault when executing one of the intel_upload_blit_* commands as a regular user and as root. As root the message is (instead of Permission denied):

DRM_IOCTL_I915_GEM_APERTURE failed: Invalid argument

test case:

emanuel@emanuel-desktop:/usr/bin$ intel_upload_blit_small
DRM_IOCTL_I915_GEM_APERTURE failed: Permission denied
Assuming 131072kB available aperture size.
May lead to reduced performance or incorrect rendering.
get chip id failed: -1 [13]
param: 4, val: 0
get fences failed: -1 [13]
param: 6, val: 0
Segmentation fault

under GDB:

intel_upload_blit_small intel_upload_blit_large :
Program received signal SIGSEGV, Segmentation fault.
0x0012f983 in drm_intel_bo_subdata () from /lib/libdrm_intel.so.1

intel_upload_blit_large_map :
Program received signal SIGSEGV, Segmentation fault.
0x0012f5cc in drm_intel_bo_map () from /lib/libdrm_intel.so.1

intel_upload_blit_large_gtt :
Program received signal SIGSEGV, Segmentation fault.
0x001344a7 in drm_intel_gem_bo_map_gtt () from /lib/libdrm_intel.so.1

** Affects: intel-gpu-tools (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/783610
[Bug 781982] Re: Format string bug in mysqldumpslow
mysql-client-5.1 package version: 5.1.41-3ubuntu12.10

https://bugs.launchpad.net/bugs/781982
[Bug 781985] Re: Format string bugs in mysqlhotcopy
mysql-server-5.1 package version: 5.1.41-3ubuntu12.10

https://bugs.launchpad.net/bugs/781985
[Bug 783716] [NEW] intel_bios_reader Segmentation fault
Public bug reported:

Binary package hint: intel-gpu-tools

/usr/bin/intel_bios_reader crashes when it gets the intel_bios_reader binary as a parameter.

test case:

emanuel@emanuel-desktop:/tmp$ md5sum /usr/bin/intel_bios_reader
7277594a2b9588909844115afd36e5ee /usr/bin/intel_bios_reader
emanuel@emanuel-desktop:/tmp$ intel_bios_reader /usr/bin/intel_bios_reader
VBT vers: 295.45
Segmentation fault

under GDB:

Program received signal SIGSEGV, Segmentation fault.
*__GI_strncpy (s1=0xb3ea \377\277)\241\004\b$#*, s2=0xd8540589 Address 0xd8540589 out of bounds, n=16) at strncpy.c:42
42 strncpy.c: No such file or directory.
in strncpy.c

the call to strncpy:

strncpy(signature, (char *)bdb->signature, 16);

after compiling from source code and running under GDB:

(gdb) p bdb->signature
Cannot access memory at address 0xd8540589

** Affects: intel-gpu-tools (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/783716
[Bug 783746] [NEW] fonttosfnt Segmentation fault
Public bug reported:

Binary package hint: xfonts-utils

/usr/bin/fonttosfnt crashes with a Segmentation fault message.

test case:

emanuel@emanuel-desktop:~$ fonttosfnt -o 1 /usr/share/fonts/truetype/freefont/FreeSans.ttf
Segmentation fault

under GDB:

(gdb) r -o 1 /usr/share/fonts/truetype/freefont/FreeMono.ttf
Starting program: /usr/bin/fonttosfnt -o 1 /usr/share/fonts/truetype/freefont/FreeMono.ttf
Program received signal SIGSEGV, Segmentation fault.
0x08049970 in ?? ()

** Affects: xfonts-utils (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/783746
[Bug 783754] [NEW] ucs2any Segmentation fault
Public bug reported:

Binary package hint: xfonts-utils

/usr/bin/ucs2any crashes with a Segmentation fault message.

test case:

emanuel@emanuel-desktop:/tmp$ touch Z
emanuel@emanuel-desktop:/tmp$ cat 2.bdf
STARTFONT 2.1
FONT 1-ISO10646-1
emanuel@emanuel-desktop:/tmp$ ucs2any 2.bdf Z iso8859-1
No default character defined.
Segmentation fault

under GDB:

Starting program: /usr/bin/ucs2any 2.bdf Z iso8859-1
No default character defined.
Program received signal SIGSEGV, Segmentation fault.
0x0804a39f in ?? ()

** Affects: xfonts-utils (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/783754
[Bug 782705] [NEW] command injection in ckbcomp
Public bug reported:

Binary package hint: console-setup

/usr/bin/ckbcomp has a command injection bug.

test case:

root@emanuel-desktop:/tmp# touch /etc/console-setup/compose.a;echo Systeminj;#.inc /usr/share/consoletrans/a;echo Systeminj;#.acm /tmp/CKB
root@emanuel-desktop:/tmp# /usr/bin/ckbcomp /tmp/CKB -symbols /tmp/CKB -charmap a;echo Systeminj;#
WARNING: Can not find in /tmp/CKB.
keymaps 0-127
strings as usual
cat: /etc/console-setup/compose.a: No such file or directory
Systeminj

the bug can be found at:

if ($charmap && -f "/etc/console-setup/compose.${charmap}.inc") {
    system("cat /etc/console-setup/compose.${charmap}.inc");
}

** Affects: console-setup (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782705
[Bug 782832] [NEW] command injection in servicemenuinstallation
Public bug reported:

Binary package hint: dolphin

/usr/bin/servicemenuinstallation has a command injection bug.
In Ubuntu 10.04 the file exists inside the kdebase-bin package.
In Ubuntu 11.04 the file exists inside the dolphin package.

test case:

emanuel@emanuel-desktop:/tmp$ touch a
emanuel@emanuel-desktop:/tmp$ /usr/bin/servicemenuinstallation a;echo SystemInj2;#
SystemInj
emanuel@emanuel-desktop:/tmp$ tar -cf a.tar a
emanuel@emanuel-desktop:/tmp$ /usr/bin/servicemenuinstallation a.tar;echo SystemInj2;exit 1;#
SystemInj
SystemInj

the bug can be found at:

archive = ARGV[0]
exit(-1) if !uncompress(archive, dir)

def uncompress(filename, output)
    system(sprintf($archivetypes[mimeType(filename)].to_s, filename, output))
end

def mimeType(filename)
    IO.popen("file --mime-type -b " + filename).gets().strip!()
end

** Affects: dolphin (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782832
[Bug 782862] [NEW] Insecure temporary file creation in strace option
Public bug reported:

Binary package hint: f-spot

The strace option inside /usr/bin/f-spot creates a temporary file with the fixed name f-spot.strace under /tmp.

test case:

emanuel@emanuel-desktop:/tmp$ f-spot --strace
emanuel@emanuel-desktop:/tmp$ ls f-spot*
f-spot.strace

the bug can be found at:

elif $run_strace; then
    strace -ttt -f -o /tmp/f-spot.strace mono $MONO_OPTIONS $EXE_TO_RUN $@

fix: use mktemp instead: `mktemp /tmp/f-spot.strace.XX`

** Affects: f-spot (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782862
[Bug 782705] Re: command injection in ckbcomp
fix:

system("cat", "/etc/console-setup/compose.${charmap}.inc");

https://bugs.launchpad.net/bugs/782705
[Bug 782479] Re: command injection in update-perl-sax-parsers
fix:

system("ucf", "--debconf-ok", "--sum-file", "/var/lib/libxml-sax-perl/ParserDetails.ini.md5sum", $tmpfile, $file);

https://bugs.launchpad.net/bugs/782479
[Bug 782904] [NEW] Format string bug in h2xs
Public bug reported:

Binary package hint: perl

/usr/bin/h2xs has a format string bug.

test case:

root@emanuel-desktop:/tmp# chfn -f emanuel-%n emanuel
emanuel@emanuel-desktop:/tmp$ /usr/bin/h2xs wait.h
Defaulting to backwards compatibility with perl 5.10.1
If you intend this module to be compatible with earlier perl versions, please
specify a minimum perl version with the -b option.
Writing Wait/ppport.h
Writing Wait/lib/Wait.pm
Modification of a read-only value attempted at /usr/bin/h2xs line 1226, DATA line 1.

the bug can be found at:

$licence = sprintf <<"DEFAULT", $^V;
Copyright (C) ${\(1900 + (localtime) [5])} by $author

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version %vd or,
at your option, any later version of Perl 5 you may have available.
DEFAULT

fix:

$licence = sprintf <<"DEFAULT", $author, $^V;
Copyright (C) ${\(1900 + (localtime) [5])} by %s

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version %vd or,
at your option, any later version of Perl 5 you may have available.
DEFAULT

** Affects: perl (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782904
[Bug 782298] [NEW] command injections in mysqld_multi
Public bug reported:

Binary package hint: mysql-server-5.1

/usr/bin/mysqld_multi has command injection bugs.

test case:

emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --example --silent /tmp/mysqld_multi_example

1) report option:

emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --defaults-file=/tmp/mysqld_multi_example --user=User ping;sh; report --silent
mysqld_multi log file version 2.16; run: Fri May 13 19:41:26 2011
Reporting MySQL servers
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'User'@'localhost' (using password: NO)'
$

2) start option:

emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --defaults-file=/tmp/mysqld_multi_example --log=/tmp/mlog;echo SystemInj;sh;echo 1 start
SystemInj
$

3) stop option:

emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqld_multi --defaults-file=/tmp/mysqld_multi_example --user=User ping;sh; stop --silent
mysqld_multi log file version 2.16; run: Fri May 13 19:42:59 2011
Stopping MySQL servers
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'User'@'localhost' (using password: NO)'
$

the bug can be found at:

1) sub report_mysqlds

$com= get_mysqladmin_options($i, @groups);
$com.= " ping >> /dev/null 2>&1";
system($com);

2) sub start_mysqlds()

$com.= $tmp;
$com.= " >> $opt_log 2>&1" if (!$opt_no_log);
$com.= " &";
system($com);

3) sub stop_mysqlds()

$com= get_mysqladmin_options($i, @groups);
$com.= " shutdown";
$com.= " >> $opt_log 2>&1" if (!$opt_no_log);
$com.= " &";
system($com);

** Affects: mysql-5.1 (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782298
[Bug 782170] [NEW] command injection in deluser
Public bug reported:

Binary package hint: adduser

/usr/sbin/deluser has a command injection bug.

test case:

root@emanuel-desktop:/tmp# echo ;echo SystemInj;1:x:9898:9899:,,,:/home/Sysinj:/bin/bash /etc/passwd
root@emanuel-desktop:/tmp# /usr/sbin/deluser ;echo SystemInj;1
no crontab for root
SystemInj
Removing user `;echo SystemInj;1' ...
Warning: group `' has no more members.
Done.

the bug can be found at:

if (system("crontab -l $user >/dev/null 2>&1") == 0) {

** Affects: adduser (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782170
[Bug 782209] [NEW] command injection in defoma-psfont-installer
Public bug reported:

Binary package hint: psfontmgr

/usr/bin/defoma-psfont-installer has a command injection bug.

test case:

emanuel@emanuel-desktop:/tmp$ touch 123 123';echo Systeminj;echo '1 # select that file in next command
emanuel@emanuel-desktop:/tmp$ /usr/bin/defoma-psfont-installer
Systeminj
No font gets registered.

the bug can be found at:

system("/bin/cat '$ppdfile' | /usr/bin/tr '\\r' '\\n' > $tempfile");

** Affects: defoma (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782209
[Bug 782466] [NEW] command injection in gst-visualise-0.10
Public bug reported:

Binary package hint: gstreamer0.10-plugins-base-apps

/usr/bin/gst-visualise-0.10 has a command injection bug.

test case:

1) from first argument ($pipe variable):

emanuel@emanuel-desktop:/tmp$ gst-visualise-0.10 text 2/dev/null ; echo Systeminj ; #
No configuration file /home/emanuel/.gst found. You might want to create one.
Running gst-launch-0.10 osssrc ! text 2/dev/null ; echo Systeminj ; # ! { queue ! ffmpegcolorspace ! xvimagesink }
Systeminj

2) from ~/.gst file:

emanuel@emanuel-desktop:/tmp$ cat ~/.gst
AUDIOSRC=test;echo Systeminj;exit;
VIDEOSINK=test;echo Systeminj;exit;
CVS_PATH=test;echo Systeminj;exit;
emanuel@emanuel-desktop:/tmp$ gst-visualise-0.10
Running gst-launch-0.10 test;echo Systeminj;exit; ! goom ! { queue ! ffmpegcolorspace ! test;echo Systeminj;exit; }
Systeminj

the bug can be found at:

$command = "gst-launch-0.10 $cfg{AUDIOSRC} ! $pipe ! { queue ! ffmpegcolorspace ! $cfg{VIDEOSINK} }";
print "Running $command\n";
system ("PATH=\$PATH:".$cfg{CVS_PATH}."/gstreamer/tools $command");

** Affects: gst-plugins-base0.10 (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782466
[Bug 782479] [NEW] command injection in update-perl-sax-parsers
Public bug reported:

Binary package hint: libxml-sax-perl

/usr/bin/update-perl-sax-parsers has a command injection bug.

test case:

emanuel@emanuel-desktop:/tmp$ /usr/bin/update-perl-sax-parsers --update --file 2/dev/null ;echo Systeminj;exit; --ucf 1
update-perl-sax-parsers: Updating overall Perl SAX parser modules info file...
Systeminj

the bug can be found at:

if ($ucf) {
    system("ucf --debconf-ok --sum-file /var/lib/libxml-sax-perl/ParserDetails.ini.md5sum $tmpfile $file");
    unlink $tmpfile or die("unlink $tmpfile: $!");
}

** Affects: libxml-sax-perl (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/782479
[Bug 781982] [NEW] Format string bug in mysqldumpslow
Public bug reported:

Binary package hint: mysql-client-5.1

/usr/bin/mysqldumpslow has a format string bug.

test case:

emanuel@emanuel-desktop:/tmp$ cat /tmp/query_slow_log
# User@Host: root[ro%sot] @ localhost []
# Query_time: 20.000941 Lock_time: 0.00 Rows_sent: 1 Rows_examined: 0
emanuel@emanuel-desktop:/tmp$ /usr/bin/mysqldumpslow /tmp/query_slow_log
Reading mysql slow query log from /tmp/query_slow_log
Integer overflow in format string for prtf at /usr/bin/mysqldumpslow line 149, chunk 1.

the bug can be found at:

printf "Count: %d Time=%.2fs (%ds) Lock=%.2fs (%ds) Rows=%.1f (%d), $user\@$host\n%s\n\n", $c, $at,$t, $al,$l, $ar,$r, $_;

fix:

printf "Count: %d Time=%.2fs (%ds) Lock=%.2fs (%ds) Rows=%.1f (%d), %s\@%s\n%s\n\n", $c, $at,$t, $al,$l, $ar,$r, $user, $host, $_;

** Affects: mysql-5.1 (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781982
[Bug 781985] [NEW] Format string bugs in mysqlhotcopy
Public bug reported:

Binary package hint: mysql-server-5.1

/usr/bin/mysqlhotcopy has format string bugs.

test case:

connect to mysql server and execute:

mysql create database test;
Query OK, 1 row affected (0.00 sec)
mysql use test;
Database changed
mysql create table `a%n%n%n%n%n%n` (id int);
Query OK, 0 rows affected (0.03 sec)

root@emanuel-desktop:/# mkdir /tmp/mysqltest
root@emanuel-desktop:/# /usr/bin/mysqlhotcopy -u root -p Password test /tmp/mysqltest --allowold --keepold
Locked 1 tables in 0 seconds.
Modification of a read-only value attempted at /usr/bin/mysqlhotcopy line 459.

the bug can be found at:

printf "Flushed tables ($hc_tables) in %d seconds.\n", time-$start unless $opt{quiet};

fix:

printf "Flushed tables (%s) in %d seconds.\n", $hc_tables, time-$start unless $opt{quiet};

also here it is better to use %s for $0:

printf "$0 copied %d tables (%d files) in %d second%s (%d seconds overall).\n", $num_tables, $num_files, $hc_dur, ($hc_dur==1)?"":"s", time - $start_time unless $opt{quiet};

** Affects: mysql-5.1 (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781985
[Bug 781873] [NEW] Format string bug in update-rc.d script
Public bug reported:

Binary package hint: sysvinit

The /usr/sbin/update-rc.d and /usr/sbin/update-rc.d-insserv scripts have a format string bug.

test case:

emanuel@emanuel-desktop /tmptouch bug%nf
emanuel@emanuel-desktop /tmpupdate-rc.d ../../tmp/bug%nf start
Modification of a read-only value attempted at /usr/sbin/update-rc.d line 187.
emanuel@emanuel-desktop /tmpupdate-rc.d ../../tmp/bug%nf remove
Modification of a read-only value attempted at /usr/sbin/update-rc.d line 82.

the problem is here:

printf STDERR "update-rc.d: warning: $initdscript missing LSB information\n";
printf STDERR "update-rc.d: $initd/$bn exists during rc.d purge (use -f to force)\n";

The fix can be to use print instead, or to add the format %s to printf.

The same bug exists in the update-rc.d-insserv command from the insserv package.

** Affects: sysvinit (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781873
[Bug 781907] [NEW] Format string bug in deluser
Public bug reported:

Binary package hint: adduser

/usr/sbin/deluser has a format string bug.

test case:

root@emanuel-desktop:/tmp# mkdir %999s
root@emanuel-desktop:/tmp# /tmp/%999s/../../usr/sbin/deluser Bug
Integer overflow in format string for prtf at /tmp/%999s/../../usr/sbin/deluser line 469.

The bug can be found at:

sub fail {
    my ($errorcode, $format, @args) = @_;
    printf STDERR "$0: $format",@args;
    exit $errorcode;
}

fix can be:

printf STDERR "%s: $format",$0,@args;

The same function also exists in the adduser script.

** Affects: adduser (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781907
[Bug 781930] [NEW] Format string bug in ppmtolss16
Public bug reported:

Binary package hint: syslinux

/usr/bin/ppmtolss16 has a format string bug.

test case:

emanuel@emanuel-desktop /tmpmkdir %999s
emanuel@emanuel-desktop /tmp/tmp/%999s/../../usr/bin/ppmtolss16 /home/emanuel/Download/lantern.ppm
Integer overflow in format string for prtf at /tmp/%999s/../../usr/bin/ppmtolss16 line 297.

I took the picture from:
http://cms.brookes.ac.uk/staff/SharonCurtis/teaching/archives/fp/imageplay/images/lantern.ppm

the bug can be found at:

if ( $lost ) {
    printf STDERR "$0: Warning: color palette truncated (%d colors ignored)\n", $lost;
}

fix can be:

printf STDERR "%s: Warning: color palette truncated (%d colors ignored)\n", $0, $lost;

** Affects: syslinux (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781930
[Bug 781948] [NEW] Format string bug in xscreensaver-text
Public bug reported:

Binary package hint: xscreensaver-data

/usr/bin/xscreensaver-text has a format string bug.

test case:

emanuel@emanuel-desktop:~$ export HOME=/tmp
emanuel@emanuel-desktop:~$ echo *textMode:Format_string_%n_bug /tmp/.xscreensaver
emanuel@emanuel-desktop:~$ xscreensaver-text --verbose --verbose
xscreensaver-text: reading /tmp/.xscreensaver
Modification of a read-only value attempted at /usr/bin/xscreensaver-text line 191.

the bug can be found at:

if ($verbose > 1) {
    printf STDERR "$progname: mode:$text_mode\n";
    printf STDERR "$progname: literal: $text_literal\n";
    printf STDERR "$progname: file:$text_file\n";
    printf STDERR "$progname: program: $text_program\n";
    printf STDERR "$progname: url: $text_url\n";
}

The fix can be to use print instead, or to add the format %s to printf.

** Affects: xscreensaver (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781948
[Bug 781959] [NEW] Format string bug in kolab_smtpdpolicy
Public bug reported:

Binary package hint: libkolab-perl

/usr/bin/kolab_smtpdpolicy has a format string bug.

test case:

emanuel@emanuel-desktop:/tmp$ /usr/bin/kolab_smtpdpolicy -ldap Bug%n..
Modification of a read-only value attempted at /usr/bin/kolab_smtpdpolicy line 161, DATA line 353.
emanuel@emanuel-desktop:/tmp$ /usr/bin/kolab_smtpdpolicy -v -basedn a%n
Modification of a read-only value attempted at /usr/bin/kolab_smtpdpolicy line 161, DATA line 353.

the bug can be found at:

1)

sub ldap_connect {
    my $ldapuri = URI->new($conf_ldapuri) || fatal_exit("error: could not parse given uri $conf_ldapuri");
    $ldap = Net::LDAP->new($conf_ldapuri) || fatal_exit("could not connect ldap server $conf_ldapuri: $@");

2)

if( $verbose ) {
    mylog( $syslog_priority, "ldap=$conf_ldapuri, basedn=$conf_basedn, binddn=$conf_binddn");
}

fix: all the calls to the mylog and fatal_exit functions need to be checked for format string bugs, adding a format where it is missing, like:

mylog( $syslog_priority, "ldap=%s, basedn=%s, binddn=%s", $conf_ldapuri, $conf_basedn, $conf_binddn);

** Affects: libkolab-perl (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781959
[Bug 781961] [NEW] Format string bugs in apparmor-utils
Public bug reported:

Binary package hint: apparmor-utils

/usr/sbin/audit, /usr/sbin/autodep and /usr/sbin/enforce have format string bugs.

test case:

emanuel@emanuel-desktop:/tmp$ /usr/sbin/audit /tmp/%n
Modification of a read-only value attempted at /usr/sbin/audit line 122.
emanuel@emanuel-desktop:/tmp$ /usr/sbin/autodep /tmp/%n
Modification of a read-only value attempted at /usr/sbin/autodep line 112.
emanuel@emanuel-desktop:/tmp$ /usr/sbin/enforce /tmp/%9s
Integer overflow in format string for sprintf at /usr/sbin/enforce line 132.

the bug can be found at:

UI_Info(sprintf(gettext('%s does not exist, please double-check the path.') . $profiling));

fix (like in /usr/sbin/complain):

UI_Info(sprintf(gettext('%s does not exist, please double-check the path.'), $profiling));

** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/781961
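Two patterns recur through the reports in this archive: a Perl printf/sprintf whose format string interpolates a variable, and a system() call given one interpolated string. The following is an added example, not code from any of the reports or packages: a heuristic Python scanner for both patterns, where the names scan and interpolated_vars are the example's own and the sample Perl lines are reconstructed from the snippets above with assumed quoting.

```python
import re

# Body of a double-quoted Perl string; backslash-escaped characters are allowed.
DQ = r'"((?:[^"\\]|\\.)*)"'

# printf/sprintf, optional "(", optional bareword filehandle (e.g. STDERR),
# followed by the double-quoted format string.
FORMAT_CALL = re.compile(
    r'\b(printf|sprintf)\b\s*\(?\s*(?:[A-Z_][A-Z0-9_]*\s+)?' + DQ)

# system()/exec() given exactly one double-quoted string. Perl passes such a
# string to the shell when it contains shell metacharacters; the list form
# system("cmd", "arg") never involves the shell and is not matched here.
SHELL_CALL = re.compile(r'\b(system|exec)\b\s*\(\s*' + DQ + r'\s*\)')

# $name, ${name}, $0, $cfg{KEY}, @args
VAR = re.compile(r'[$@](?:\{\w+\}|\w+)(?:\{\w+\})?')


def interpolated_vars(body):
    """Return the variables Perl would interpolate in a double-quoted body."""
    found, i = [], 0
    while i < len(body):
        if body[i] == "\\":        # \@, \$, \n ...: skip the escaped pair
            i += 2
            continue
        match = VAR.match(body, i)
        if match:
            found.append(match.group(0))
            i = match.end()
        else:
            i += 1
    return found


def scan(source):
    """Return (line_number, kind, variables) for each suspicious call.

    Heuristic only: commands built up in a variable first (system($com)),
    wrapper functions around printf, and heredoc formats are not detected,
    and every hit still needs a human to decide whether the value is
    attacker-influenced.
    """
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in (("format-string", FORMAT_CALL),
                              ("shell-command", SHELL_CALL)):
            for match in pattern.finditer(line):
                variables = interpolated_vars(match.group(2))
                if variables:
                    findings.append((number, kind, variables))
    return findings


# Constructed sample: vulnerable lines and their fixed forms, modelled on the
# ppmtolss16, mysqlhotcopy, ckbcomp and deluser reports.
SAMPLE_PERL = r'''
printf STDERR "$0: Warning: color palette truncated (%d colors ignored)\n", $lost;
printf STDERR "%s: Warning: color palette truncated (%d colors ignored)\n", $0, $lost;
printf "Flushed tables ($hc_tables) in %d seconds.\n", time-$start unless $opt{quiet};
printf "Flushed tables (%s) in %d seconds.\n", $hc_tables, time-$start unless $opt{quiet};
system("cat /etc/console-setup/compose.${charmap}.inc");
system("cat", "/etc/console-setup/compose.${charmap}.inc");
if (system("crontab -l $user >/dev/null 2>&1") == 0) {
'''.strip()

if __name__ == "__main__":
    for number, kind, variables in scan(SAMPLE_PERL):
        print(f"line {number}: {kind}: {', '.join(variables)}")
```

Only the unfixed lines (1, 3, 5 and 7 of the sample) are reported; the %s and list-form versions pass.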