Your message dated Wed, 18 Jul 2007 05:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#118784: fixed in util-linux 2.13~rc2-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: bsdutils
Version: 1:2.11l-4
Severity: wishlist
Tags: security
Hi,
I'm have the same problem as bug #104116. In /var/log/auth.log I read:
Nov 8 10:04:30 localhost libsafe.so[19177]: version 1.3
Nov 8 10:04:30 localhost libsafe.so[19177]: detected an attempt to write
across stack boundary.
Nov 8 10:04:30 localhost libsafe.so[19177]: terminating /usr/bin/logger
Nov 8 10:04:30 localhost libsafe.so[19177]: overflow caused by memcpy()
So I looked at the source and saw this piece of code:
static void
mysyslog(int fd, int logflags, int pri, char *tag, char *msg) {
char buf[1000], pid[30], *cp, *tp;
time_t now;
if (fd > -1) {
/* avoid snprintf - it does not exist on ancient systems */
if (logflags & LOG_PID)
sprintf (pid, "[%d]", getpid());
This one looks OK because I never saw such a big PID (when will Linux have 128
bits PID ? :>).
/* do snprintf by hand - ugly, but for once... */
sprintf(buf, "<%d>%.15s %.200s%s: %.400s",
pri, tp, cp, pid, msg);
This one is so ugly that it is too dangerous to use.
Debian is not an "ancient system" so it could use snprintf instead of this
hack.
You downgraded severity of bug #104116 because:
>Since the program runs under the UID and GID of the user it's hardly a
>security problem.
For sure logger is not installed SUID root. But some scripts that are run by
root do use it and may trust it more than they should. Call me paranoid but
this makes me more nervous than you.
-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux irancy 2.4.12-686 #2 Sat Oct 13 20:13:05 EST 2001 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages bsdutils depends on:
ii libc6 2.2.4-5 GNU C Library: Shared libraries an
--- End Message ---
--- Begin Message ---
Source: util-linux
Source-Version: 2.13~rc2-2
We believe that the bug you reported is fixed in the latest version of
util-linux, which is due to be installed in the Debian FTP archive:
bsdutils_2.13~rc2-2_i386.deb
to pool/main/u/util-linux/bsdutils_2.13~rc2-2_i386.deb
cfdisk-udeb_2.13~rc2-2_i386.udeb
to pool/main/u/util-linux/cfdisk-udeb_2.13~rc2-2_i386.udeb
fdisk-udeb_2.13~rc2-2_i386.udeb
to pool/main/u/util-linux/fdisk-udeb_2.13~rc2-2_i386.udeb
mount_2.13~rc2-2_i386.deb
to pool/main/u/util-linux/mount_2.13~rc2-2_i386.deb
util-linux-locales_2.13~rc2-2_all.deb
to pool/main/u/util-linux/util-linux-locales_2.13~rc2-2_all.deb
util-linux_2.13~rc2-2.diff.gz
to pool/main/u/util-linux/util-linux_2.13~rc2-2.diff.gz
util-linux_2.13~rc2-2.dsc
to pool/main/u/util-linux/util-linux_2.13~rc2-2.dsc
util-linux_2.13~rc2-2_i386.deb
to pool/main/u/util-linux/util-linux_2.13~rc2-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <[EMAIL PROTECTED]> (supplier of updated util-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 17 Jul 2007 23:28:54 -0600
Source: util-linux
Binary: util-linux cfdisk-udeb fdisk-udeb util-linux-locales bsdutils mount
Architecture: all i386 source
Version: 2.13~rc2-2
Distribution: experimental
Urgency: low
Maintainer: LaMont Jones <[EMAIL PROTECTED]>
Changed-By: LaMont Jones <[EMAIL PROTECTED]>
Description:
bsdutils - Basic utilities from 4.4BSD-Lite
cfdisk-udeb - Partition a hard drive (cfdisk)
fdisk-udeb - Partition a hard drive (manual)
mount - Tools for mounting and manipulating filesystems
util-linux - Miscellaneous system utilities
util-linux-locales - Locales files for util-linux
Closes: 118784 290077 345106 360279 360896 395442 413074
Changes:
util-linux (2.13~rc2-2) experimental; urgency=low
.
* arch is dealt with upstream now.
* Mention hfsplus in mount.8. Closes: #345106
* Add m32r. Closes: #413074
* use snprintf in logger.c. Closes: #118784
* Various typos in cfdisk.8. Closes: #360896
* cleanup copyright. Closes: #290077
* manpage typos. Closes: #360279, #395442
Files:
1aec1707c78571304d03fff4cea49703 53432 utils required
bsdutils_2.13~rc2-2_i386.deb
1e4c1ee32dddba60f411975b51b6ebe1 65760 debian-installer extra
fdisk-udeb_2.13~rc2-2_i386.udeb
2fe662f0e3cbca8577f40ba92bb30d7a 293648 base required
util-linux_2.13~rc2-2.diff.gz
6b238c0f5173026f7955e78629dba443 789 base required util-linux_2.13~rc2-2.dsc
caf31aa1772980079ea5679cbaa1c9df 565854 debian-installer extra
cfdisk-udeb_2.13~rc2-2_i386.udeb
ce7e4064bcecf8e0a330798e2b2af415 130876 admin required
mount_2.13~rc2-2_i386.deb
d11a5eaa9f5f2ad4882ba1c81a71f8aa 405934 utils required
util-linux_2.13~rc2-2_i386.deb
d2419398632feb6fddb09e3fb382d1e7 1282746 utils optional
util-linux-locales_2.13~rc2-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGnagIzN/kmwoKyScRAmjeAJ9RErztdbJBTMKC0TEIzjGtm6fFqgCgjp88
fFAvy5HpBNePU+ArYAlfOxQ=
=v1M4
-----END PGP SIGNATURE-----
--- End Message ---
