Hello Markus and Niko,

On Mon, Mar 23, 2015 at 08:38:49PM +0100, Markus Koschany wrote:
> Hello,
>
> On 23.03.2015 19:42, Niko Tyni wrote:
> [...]
> > There's an off-by-one error in libcapsinetwork network handling code,
> > which was merged into monopd in version 0.9.4.
>
> Thanks for the report.
>
> [...]
> > I have informed the monopd upstream maintainer, Sylvain Rochet, about this.
> > His suggested patch was
> >
> > - char *readBuf = new char[MAXLINE];
> > + char *readBuf = new char[MAXLINE+1]; // MAXLINE + '\0'
> >
> > The issue is present in at least
> >
> > monopd_0.9.7-2 (jessie/sid, embeds the code)
>
> Since upstream and the security team agree that this is not exploitable
> and thus not release critical, I suggest to fix this bug only in sid and
> stretch.
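
Review bot: the `+` line corrects the size only at the allocation, while the read that fills readBuf and the store of the terminating '\0' are not among the quoted lines, so the fix depends on those sites still being bounded by MAXLINE. Please confirm that at most MAXLINE bytes are read and that the terminator lands at index MAXLINE or lower, and consider a short comment at the read call stating that the buffer holds MAXLINE bytes plus the terminator, so the two places cannot drift apart again. Since the buffer is a raw new char[] array, it is also worth checking that a matching delete[] exists on each exit path.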

Now that the CVE is public, I released monopd 0.9.8 containing:

Peter Pentchev (2):
      Check for libsystemd in preference to libsystemd-daemon.
      Fix a couple of typographical and grammatical errors.

Sylvain Rochet (2):
      fixed CVE-2015-0841: off-by-one error in network code
      systemd: it is not allowed to create a stand-alone Description field, moved to [Unit] section

http://download.tuxfamily.org/gtkatlantic/monopd/monopd-0.9.8.tar.gz
http://download.tuxfamily.org/gtkatlantic/monopd/monopd-0.9.8.tar.gz.sha256sum
http://download.tuxfamily.org/gtkatlantic/monopd/monopd-0.9.8.tar.gz.asc

> My original intention was to ask for the removal of libcapsinetwork
> during the release cycle of stretch because the library seemed stable
> and reliable enough to warrant another inclusion in Debian stable. Given
> the fact that libcapsinetwork only supports IPv4 and the network code
> (including IPv6 support) is already included in monopd, we could also
> ask for the removal right now.
>
> If there are no objections, I will go ahead and ask the ftp team to
> remove libcapsinetwork from Debian (including Jessie).

I agree too, I actually asked for ;-)

Sylvain