Your message dated Thu, 26 Mar 2015 06:32:07 +0000 with message-id <[email protected]> and subject line Bug#781160: Removed package(s) from unstable has caused the Debian Bug report #781044, regarding monopd/libcapsinetwork: CVE-2015-0841: off-by-one error in network code to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 781044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781044 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: monopd Version: 0.9.7-2 Severity: normal Tags: upstream patch security Control: clone -1 -2 Control: reassign -2 libcapsinetwork0c2a 0.3.0-7 Control: found -2 0.3.0-8 There's an off-by-one error in libcapsinetwork network handling code, which was merged into monopd in version 0.9.4. >From src/listener.cpp, Listener::checkActivity(): #define MAXLINE 1024 [...] char *readBuf = new char[MAXLINE]; int n = read((*it)->fd(), readBuf, MAXLINE); if (n <= 0) // socket was closed { (*it)->setStatus(Socket::Closed); delete[] readBuf; return; // notification is (still) in earlier iteration } readBuf[n] = 0; With an input line longer than 1023, this will write zero at readBuf[1024] which is out of bounds. Florian Weimer from the security team says this isn't exploitable with the glibc malloc (dlmalloc), but might theoretically be with other malloc implementations like jemalloc. CVE-2015-0841 has been assigned to track this potential vulnerability, but I'm leaving the severity at 'normal' as this doesn't seem to be an issue for Debian. I have informed the monopd upstream maintainer, Sylvain Rochet, about this. His suggested patch was - char *readBuf = new char[MAXLINE]; + char *readBuf = new char[MAXLINE+1]; // MAXLINE + '\0' The issue is present in at least monopd_0.9.7-2 (jessie/sid, embeds the code) libcapsinetwork_0.3.0-7 (wheezy, used by the wheezy monopd) libcapsinetwork_0.3.0-8 (jessie/sid, no reverse dependencies) The wheezy monopd doesn't contain the bug itself, only through libcapsinetwork linkage. I'm cloning a separate bug for libcapsinetwork. Please note that it's dead upstream (according to debian/copyright), and monopd upstream says it could be safely removed as no one should really want to use it anymore. -- Niko Tyni [email protected]
--- End Message ---
--- Begin Message ---Version: 0.3.0-8+rm Dear submitter, as the package libcapsinetwork has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/781160 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
