Bug#1072340: sredird: CVE-2004-2386, format string vulnerability

2024-06-02 Thread Salvatore Bonaccorso
Hi Bastian,

On Sat, Jun 01, 2024 at 05:11:25PM +0200, Bastian Germann wrote:
> Control: notfound -1 sredird/2.1.0-1
> Control: fixed -1 2.2.1-1.1
> 
> I see that CVE-2004-2386 and maybe CVE-2004-2387 were addressed with #267098.
> The diff (one change in LogMsg and one in HandleCPCCommand) that is in that 
> bug has survived until now.
> But 2.2.2 has many more changes of the HandleCPCCommand kind: changing 
> sprintf to snprintf.
> 
> main: 2 changes.
> HandleIACCommand: 5 changes.
> HandleCPCCommand: 17 additional changes: Any of these could be CVE-2004-2387 
> as well.
> HDBUnlockFile: 1 change.
> HDBLockFile: 7 changes.
> 
> Plus TmpStrLen is extended to 512 bytes.
> 
> Conclusion: Debian referenced both bugs as TEMP-0267098-76A1A1 before.

Perfect, thanks for the confirmation.

Regards,
Salvatore



Bug#1072340: sredird: CVE-2004-2386, format string vulnerability

2024-06-01 Thread Bastian Germann

Control: notfound -1 sredird/2.1.0-1
Control: fixed -1 2.2.1-1.1

I see that CVE-2004-2386 and maybe CVE-2004-2387 were addressed with #267098.
The diff (one change in LogMsg and one in HandleCPCCommand) that is in that bug 
has survived until now.
But 2.2.2 has many more changes of the HandleCPCCommand kind: changing sprintf 
to snprintf.

main: 2 changes.
HandleIACCommand: 5 changes.
HandleCPCCommand: 17 additional changes: Any of these could be CVE-2004-2387 as 
well.
HDBUnlockFile: 1 change.
HDBLockFile: 7 changes.

Plus TmpStrLen is extended to 512 bytes.

Conclusion: Debian referenced both bugs as TEMP-0267098-76A1A1 before.
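The two fix patterns described above (a format string passed through as a literal, and sprintf replaced by a bounded snprintf into a TmpStrLen-sized buffer), as an added example. This is not sredird's code: the helper names, the buffer size macro and the "CPC reply:" prefix are hypothetical stand-ins for LogMsg, HandleCPCCommand and TmpStrLen.

```c
/* Added example, not sredird's source. Shows the two defect classes the
 * 2.2.2 diff addresses, each beside its hardened form. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define TMP_STR_LEN 512   /* assumption: mirrors the 512-byte TmpStrLen */

/* Format-string pattern (the LogMsg-style CVE-2004-2386 defect).
 * Vulnerable shape:  snprintf(out, n, msg);        msg becomes the format
 * Hardened shape:    snprintf(out, n, "%s", msg);  msg is data only
 * Returns the number of characters written, excluding the terminator. */
int log_msg_hardened(char *out, size_t n, const char *msg)
{
    int len = snprintf(out, n, "%s", msg);
    return len < 0 ? 0 : len;
}

/* Unbounded-copy pattern (the HandleCPCCommand-style sprintf -> snprintf
 * change). Vulnerable shape:  sprintf(tmp, "CPC reply: %s", arg);
 * The hardened form bounds the write, always NUL-terminates, and reports
 * truncation so the caller can reject an over-long command instead of
 * silently sending a clipped reply. Returns true only if the text fit. */
bool format_reply_hardened(char *tmp, size_t tmplen, const char *arg)
{
    int needed = snprintf(tmp, tmplen, "CPC reply: %s", arg);
    return needed >= 0 && (size_t)needed < tmplen;
}

int main(void)
{
    char buf[TMP_STR_LEN];

    /* Conversion specifiers in attacker-supplied text stay literal. */
    log_msg_hardened(buf, sizeof buf, "%x%x%n");
    printf("logged: %s\n", buf);

    /* Constructed over-long argument: truncated, never overflowed. */
    char big[1024];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("fit: %d, stored length: %zu\n",
           format_reply_hardened(buf, sizeof buf, big), strlen(buf));
    return 0;
}
```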



Bug#1072340: sredird: CVE-2004-2386, format string vulnerability

2024-06-01 Thread Salvatore Bonaccorso
Hi Bastian,

On Sat, Jun 01, 2024 at 12:41:43PM +0200, Bastian Germann wrote:
> Source: sredird
> Version: 2.1.0-1
> Severity: serious
> Tags: security
> X-Debbugs-Cc: secur...@debian.org
> 
> Hi,
> 
> This is affected by CVE-2004-2386, which was marked by the Security Team as
> "NOT-FOR-US: sercd" but applies to sredird. There is a fixed version 2.2.2
> available, which I did not find in the Kermit project's download area but
> at:
> 
> http://ibiblio.org/pub/linux/system/serial/sredird-2.2.2.tar.gz
> https://sources.buildroot.net/sredird/sredird-2.2.2.tar.gz

Note, there is as well CVE-2004-2387.

There is not very specific information for both, so it's unclear if
CVE-2004-2387 and CVE-2004-2386 are addressed.

Where did you get the additional information on the issues from?  Can you
pass it on to us?

Regards,
Salvatore



Bug#1072340: sredird: CVE-2004-2386, format string vulnerability

2024-06-01 Thread Bastian Germann

Source: sredird
Version: 2.1.0-1
Severity: serious
Tags: security
X-Debbugs-Cc: secur...@debian.org

Hi,

This is affected by CVE-2004-2386, which was marked by the Security Team as "NOT-FOR-US: sercd" but applies to sredird. 
There is a fixed version 2.2.2 available, which I did not find in the Kermit project's download area but at:
http://ibiblio.org/pub/linux/system/serial/sredird-2.2.2.tar.gz
https://sources.buildroot.net/sredird/sredird-2.2.2.tar.gz

Cheers,
Bastian