Package: leafnode Version: 1.11.1.rel-1 Severity: grave Tags: security confirmed sarge patch fixed-upstream
Please backport 1.11.2.rel-1 from unstable to fix CAN-2005-1453, two denial of service vulnerabilities that can crash fetchnews. <http://leafnode.sourceforge.net/leafnode-SA-2005-01.txt> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1453> Alternatively, try these two patches if a minimum solution is a requirement during the freeze. I'd strongly urge to update to 1.11.2 though, asking for release engineer approval.
diff -u -r1.179 -r1.180
--- fetchnews.c 5 Apr 2005 20:09:45 -0000 1.179
+++ fetchnews.c 4 May 2005 09:05:33 -0000 1.180
@@ -1396,10 +1396,10 @@
 (void)ftruncate(fileno(f), 0);
 (void)fclose(f);
 unlink(c);
- free(stufftoget);
 ln_log(LNLOG_SWARNING, LNLOG_CARTICLE, "warning: %s: %s: server disconnect or timeout after BODY %lu", current_server->name, g->name, stufftoget[i]);
+ free(stufftoget);
 return 0;
 }
 if (sscanf(l, "%3ld", &n) != 1 || (n / 10 != 22)) {
@@ -1437,10 +1437,10 @@
 if (l == NULL) { /* article didn't terminate with a .: error */
 (void)truncate(c, 0);
 (void)unlink(c);
- free(stufftoget);
 ln_log(LNLOG_SWARNING, LNLOG_CARTICLE, "warning: %s: %s: server disconnect or timeout retrieving article %lu", current_server->name, g->name, stufftoget[i]);
+ free(stufftoget);
 return 0;
 }
 }
===================================================================
diff -u -r1.181 -r1.182
--- fetchnews.c 4 May 2005 09:35:21 -0000 1.181
+++ fetchnews.c 4 May 2005 10:09:23 -0000 1.182
@@ -1206,7 +1206,10 @@
 *
 * SourceForge bug 873149, reported 2004-01-08 by Toni Viemerö,
 * sourceforge user "skithund" */
- if (strcmp(l, ".") == 0 && requested_body) {
+ if (l == NULL) {
+ /* timeout - don't flush body */
+ requested_body = FALSE;
+ } else if (strcmp(l, ".") == 0 && requested_body) {
 ln_log(LNLOG_SNOTICE, LNLOG_CTOP, "%s: %s:%lu: article without blank line after header, format violation", current_server->name, g->name, stufftoget[i]);
 requested_body = FALSE;
-- Matthias Andree
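Review bot: The relocated `free(stufftoget);` in the @@ -1396 hunk has no comment saying why it must follow ln_log(), although that ordering is the whole fix: the log call reads `stufftoget[i]`, so freeing first means reading freed memory. I would add `/* ln_log() above still reads stufftoget[i]; free only after it */` on the line before the free, and the same in the @@ -1437 hunk, so a later tidy-up does not move it back. The enclosing function starts and ends outside both hunks, so its other early-return paths may deserve the same check for a free placed ahead of a use.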
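Review bot: The new `l == NULL` branch in the @@ -1206 hunk clears requested_body silently, while the two timeout paths patched in the first diff log a "server disconnect or timeout" warning with server, group and article number. Unless code after this hunk already reports the condition (the rest of the function is not visible here), a server that drops the connection at this point leaves nothing in the log for an operator to notice. A call such as `ln_log(LNLOG_SWARNING, LNLOG_CARTICLE, "warning: %s: %s: server disconnect or timeout retrieving header of article %lu", current_server->name, g->name, stufftoget[i]);` in that branch would cover it; the message text is only a suggestion and should follow the project's wording. It is also worth confirming that nothing below the hunk dereferences `l` again before it is reassigned.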