Bug#861750: xpuzzles: package not comply with DFSG, it should be in non-free

2017-05-03 Thread Anon Sricharoenchai
Package: xpuzzles
Version: 5.5.4.1-2
Severity: serious
Justification: Policy 2.2.1

According to the copyright file in this package,

   #  Permission to use, copy, modify, and distribute this software and
   #  its documentation for any purpose and without fee is hereby granted,

It does not allow selling the software, so the package should be in the
non-free archive.


-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-3-386
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages xpuzzles depends on:
ii  libc6   2.3.5-1ubuntu12.5.10.1   GNU C Library: Shared libraries an
ii  libice6 4.3.0.dfsg.1-6ubuntu25.3 Inter-Client Exchange library
ii  libsm6  4.3.0.dfsg.1-6ubuntu25.3 X Window System Session Management
ii  libx11-6 4.3.0.dfsg.1-6ubuntu25.3 X Window System protocol client li
ii  libxt6  4.3.0.dfsg.1-6ubuntu25.3 X Toolkit Intrinsics
ii  xlibs   4.3.0.dfsg.1-6ubuntu25.3 X Window System client libraries m

-- no debconf information



Bug#302578: dict-jargon: FTBFS: Error on w3m and lynx calls

2008-08-29 Thread Anon Sricharoenchai
Hi,

* Apparently xmlto calls w3m or lynx to convert html to text, but I can't
  find the call.  (I don't know why neither one is a Build-Depend.)  If w3m
  is installed, it is called, but creates an error.  Since I can't locate
  the error, I have listed w3m as Build-Conflicts-Indep.

The cause of the problem is described below.

1. According to jargsrc-4.4.4/Makefile,

   jargon.txt: jargon-web.xml $(XSLFILES)
   	xmlto -p -width=79 -m jargon-text.xsl txt jargon-web.xml

   xmlto is called with -p -width=79.

2. xmlto then passes the option -width=79 to /usr/share/xmlto/format/docbook/txt

3. /usr/share/xmlto/format/docbook/txt then passes the option
-width=79 to w3m like this,
  /usr/bin/w3m -T text/html -dump -width=79 /tmp/xmlto.NGhmUC/jargon-web.proc

4. Since w3m does not recognize the option -width=nn, it returns an error.


== More ==

According to /usr/share/xmlto/format/docbook/txt, it contains the
following code,

   if [ -x /usr/bin/w3m ]
   then
     CONVERT=/usr/bin/w3m
     ARGS="-T text/html -dump"
   elif [ -x /usr/bin/lynx ]
   then
     CONVERT=/usr/bin/lynx
     ARGS="-force_html -dump -nolist -width=72"
   elif [ -x /usr/bin/links ]
   then
     CONVERT=/usr/bin/links
     ARGS="-dump"
   else
     echo >&2 "No way to convert HTML to text found."
     exit 1
   fi

1. I have just tried to resolve this problem by editing
jargsrc-4.4.4/Makefile like this,

   WIDTH_ARGS=$(shell \
     if [ -x /usr/bin/w3m ]; \
     then \
       echo '-cols 79'; \
     elif [ -x /usr/bin/lynx ]; \
     then \
       echo '-width=79'; \
     elif [ -x /usr/bin/links ]; \
     then \
       echo '-width 79'; \
     fi \
   )

   jargon.txt: jargon-web.xml $(XSLFILES)
   	xmlto -p "$(WIDTH_ARGS)" -m jargon-text.xsl txt jargon-web.xml

2. After applying this solution, the w3m error is resolved.

3. However, it creates another error when applying the patch
debian/jargon-patch, since the patch is meant to be applied to the output
generated by lynx only, not w3m.

4. I'll try to resolve this new issue.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#446862: phpmyadmin: default config allow mysql's [EMAIL PROTECTED] access from remote host

2007-10-16 Thread Anon Sricharoenchai
Package: phpmyadmin
Version: 4:2.6.2-3sarge5
Severity: critical
Justification: root security hole
Tags: security patch

Since phpmyadmin is on apache, and apache can be accessed from a remote
host, a remote host can access mysql's [EMAIL PROTECTED] via phpmyadmin.
This will break the mysql security policy.

I would like to suggest a patch to set the default mysql host by
determining the network interface to which the client is connecting.

* If connecting by http://localhost/phpmyadmin, the mysql host will be
  'localhost'.
* If connecting by http://hostname.hostdomain/phpmyadmin, the mysql host
  will be 'hostname.hostdomain'.
* If php can't determine client information, for security reasons
  'localhost.localdomain' will be set as the mysql host. (By default,
  '[EMAIL PROTECTED]' will get the same privileges as other
  remote root access, '[EMAIL PROTECTED]', in mysql.)

This will make phpmyadmin able to serve remote access while not
breaking the security setting in mysql.  One can still leave a blank password
in mysql's [EMAIL PROTECTED] without worrying that it can be remotely
accessed.

The attached file is the patch for version 2.6.2-3sarge5 and 2.9.1.1-4.


-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai

Versions of packages phpmyadmin depends on:
ii  apache [httpd]  1.3.31-6ubuntu0.9    Versatile, high-performance HTTP s
ii  debconf         1.4.29ubuntu4        Debian configuration management sy
ii  php4            4:4.3.8-3ubuntu7.15  A server-side, HTML-embedded scrip
ii  php4-cgi        4:4.3.10-10ubuntu4.8 server-side, HTML-embedded scripti
ii  php4-mysql      4:4.3.8-3ubuntu7.15  MySQL module for php4
ii  ucf             1.07                 Update Configuration File: preserv

-- debconf information excluded
diff --exclude='.*.swp' -ur phpmyadmin-2.6.2-3sarge5.orig/config.inc.php phpmyadmin-2.6.2-3sarge5/config.inc.php
--- phpmyadmin-2.6.2-3sarge5.orig/config.inc.php	2007-10-16 11:40:28.613403000 +0700
+++ phpmyadmin-2.6.2-3sarge5/config.inc.php	2007-10-16 15:10:53.231170048 +0700
@@ -64,11 +64,32 @@
 /**
  * Server(s) configuration
  */
+function non_fake_server_name($server_name) {
+if (!isset($_SERVER['SERVER_ADDR'])) return false;
+// HTTP_HOST can be in the format, host:port
+list($server_name) = explode(':', $server_name);
+foreach (gethostbynamel($server_name) as $ip) {
+if ($_SERVER['SERVER_ADDR'] == $ip) return true;
+} return false;
+}
+// By default, '[EMAIL PROTECTED]' will get the same privileges as
+// other remote root access ('[EMAIL PROTECTED]') in mysql.
+// For security reason, assume remote access using 'localhost.localdomain',
+// when client information is missing.
+if (empty($_SERVER)) $client_dependent_localhost = 'localhost.localdomain';
+// Client may fake Host: header.
+elseif (isset($_SERVER['SERVER_NAME'])  non_fake_server_name($_SERVER['SERVER_NAME']))
+$client_dependent_localhost = $_SERVER['SERVER_NAME'];
+elseif (isset($_SERVER['HTTP_HOST'])  non_fake_server_name($_SERVER['HTTP_HOST']))
+list($client_dependent_localhost) = explode(':', $_SERVER['HTTP_HOST']);
+elseif (isset($_SERVER['SERVER_ADDR']))
+$client_dependent_localhost = $_SERVER['SERVER_ADDR'];
+else $client_dependent_localhost = 'localhost.localdomain';
 $i = 0;
 // The $cfg['Servers'] array starts with $cfg['Servers'][1].  Do not use $cfg['Servers'][0].
 // You can disable a server config entry by setting host to ''.
 $i++;
-$cfg['Servers'][$i]['host']  = 'localhost'; // MySQL hostname or IP address
+$cfg['Servers'][$i]['host']  = $client_dependent_localhost; // MySQL hostname or IP address
 $cfg['Servers'][$i]['port']  = '';  // MySQL port - leave blank for default port
 $cfg['Servers'][$i]['socket']= '';  // Path to the socket - leave blank for default socket
 $cfg['Servers'][$i]['connect_type']  = 'socket';// How to connect to MySQL server ('tcp' or 'socket')
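
Review bot: in non_fake_server_name(), the foreach iterates directly over the result of gethostbynamel(), which returns false when the name does not resolve, so any unresolvable Host value hits the loop with a non-array; store the result, return false if it is not an array, then iterate. The function also does a DNS lookup on every request for a client-supplied name (HTTP_HOST), and the whole selection depends on SERVER_ADDR reflecting the interface the end client actually reached. When requests arrive through a local reverse proxy or port forward, SERVER_ADDR is the loopback address for every client and the 'localhost' branch is taken for remote users. That assumption should be documented beside the $client_dependent_localhost block, or the feature made opt-in.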
diff --exclude='.*.swp' -ur phpmyadmin-2.9.1.1-4.orig/debian/src/config.inc.php phpmyadmin-2.9.1.1-4/debian/src/config.inc.php
--- phpmyadmin-2.9.1.1-4.orig/debian/src/config.inc.php	2007-10-16 10:28:42.024104000 +0700
+++ phpmyadmin-2.9.1.1-4/debian/src/config.inc.php	2007-10-16 15:17:54.682099768 +0700
@@ -7,6 +7,28 @@
 // Load secret generated on postinst
 include('/etc/phpmyadmin/blowfish_secret.inc.php');
 
+function non_fake_server_name($server_name) {
+if (!isset($_SERVER['SERVER_ADDR'])) return false;
+// HTTP_HOST can be in the format, host:port
+list($server_name) = explode(':', $server_name);
+foreach (gethostbynamel($server_name) as $ip) {
+if ($_SERVER['SERVER_ADDR'] == $ip) return true;
+} return false;
+}
+// By default, '[EMAIL PROTECTED]' will get the same privileges as
+// other remote root access ('[EMAIL PROTECTED]') in mysql.
+// For security reason, assume remote access using 
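
Review bot: the explode(':', $server_name) split at the top of non_fake_server_name() assumes a name or IPv4 address followed by an optional port. An IPv6 literal such as [::1]:80 is cut at its first colon, and gethostbynamel() returns IPv4 addresses only, so on an IPv6 listener the comparison with SERVER_ADDR can never succeed. Since this is the same function body as in the 2.6.2-3sarge5 hunk, it would be better kept in one shared include than copied into both config.inc.php files, with the IPv6 case either handled or stated as unsupported in the comment.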

Bug#374577: mimms: patch to fix many buffer overflows vulnerability

2006-06-26 Thread Anon Sricharoenchai
Martin Schulze [EMAIL PROTECTED] wrote:
> One question remains, though:
>
> +  // buf_size = min(count, buf_size);
> +  if (buf_size  count) buf_size = count;
>
> Is there any reason not to write mim() here?

It's a bit faster than buf_size = min(), since there's no need to reassign "buf_size" again, if it's less than "count" :)

Bug#374577: mimms: patch to fix many buffer overflows vulnerability

2006-06-19 Thread Anon Sricharoenchai
Package: mimms
Version: 0.0.9-1
Severity: grave
Justification: user security hole
Tags: security patch

According to the patch attached in this report, it has many possible buffer
overflows.
For example,
- memcpy(buf, data, length) without bounding the limit of length,
  while length depends on the input data incoming from the internet.
- read(s, data, BUF_SIZE) in main(), where BUF_SIZE is much greater than
  sizeof(data) which is only 1024 chars allocated in main(), while
  BUF_SIZE is defined as 1024*128.


-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai

Versions of packages mimms depends on:
ii  libc6   2.3.5-1ubuntu12  GNU C Library: Shared libraries an
ii  libgcc1 1:3.4.2-2ubuntu1 GCC support library
ii  libpopt0    1.7-4            lib for parsing cmdline parameters
ii  libstdc++5  1:3.3.4-9ubuntu5 The GNU Standard C++ Library v3
ii  libuuid1    1.35-6ubuntu1    Universally unique id library

-- no debconf information


--- mimms-0.0.9.orig/mimms.cpp	2004-10-22 21:38:33.0 +0700
+++ mimms-0.0.9/mimms.cpp	2006-05-13 21:27:57.168095728 +0700
@@ -66,6 +66,9 @@
 int stream_ids[20];
 int output_fh;
 
+// There's currently no use of put_32() that num_bytes depend on input and
+// cause buffer overflow.
+// Use put_32() with care, it can cause buffer overflow.
 static void put_32 (command_t *cmd, uint32_t value) {
   for (int i=0; i4; i++) {
 cmd-buf[cmd-num_bytes++] = (value  (8*i))  0xff;
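
Review bot: the new comment above put_32() asks callers to be careful, but the loop body still writes at cmd->num_bytes++ with no check against the size of cmd->buf. A bounds check inside put_32() (return an error or stop once num_bytes + 4 would exceed sizeof cmd->buf) would enforce the invariant in one place instead of relying on every current and future caller reading the comment.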
@@ -81,6 +84,8 @@
   return value;
 }
 
+#define min(a, b) (a)  (b) ? (a) : (b)
+#define max(a, b) (a)  (b) ? (a) : (b)
 static void send_command (int s, int command, uint32_t switches, 
 			  uint32_t extra, int length,
 			  char *data) {
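
Review bot: the min and max macros expand to a bare conditional expression with no outer parentheses, so any use next to another operator, for example min(a, b) + 1, groups incorrectly, and each argument is evaluated twice. Wrap the whole expansion in parentheses, or, since this file is mimms.cpp, drop the macros and use std::min / std::max from <algorithm>, which also avoids a name clash with the standard library.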
@@ -107,8 +112,24 @@
   put_32 (cmd, switches);
   put_32 (cmd, extra);
 
-  memcpy (cmd.buf[48], data, length);
-  if (length  7)
+  // buffer overflow, when the length depend on input, such as, url length
+  //memcpy (cmd.buf[48], data, length);
+  // Use min() to limit the upperbound length.
+  //memcpy (cmd.buf[48], data, min(length, sizeof cmd.buf - 48));
+  // But the negative length can also cause buffer overflow, in case size_t is
+  // unsigned and length is casted to size_t.
+  // length can be negative in the line,
+  //   send_command (s, 0x33, num_stream_ids, 
+  //		0x | stream_ids[0]  16, 
+  //		(num_stream_ids-1)*6+2 , data);
+  // in main() below, where num_stream_ids is zero.
+  // The solution is to cast length to size_t before min() compare.
+  memcpy (cmd.buf[48], data,
+	  min((size_t)length, sizeof cmd.buf - 48*(sizeof cmd.buf[0])));
+  if (length  7 
+// to avoid buffer overflow
+(48 + length)*(sizeof cmd.buf[0]) + 8 - (length  7) = sizeof cmd.buf
+  )
 memset(cmd.buf[48 + length], 0, 8 - (length  7));
 
   if (send (s, cmd.buf, len8*8+48, 0) != (len8*8+48)) {
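
Review bot: casting a negative length to size_t and passing it through min() in the memcpy call turns an invalid length into the largest copy the buffer allows, so memcpy reads sizeof cmd.buf - 48 bytes from data even when data is much shorter. The destination is protected but the source is over-read. A negative or oversized length should make send_command() fail before any copy. The send() call in the trailing context also still uses len8*8+48, which this hunk does not clamp; len8 is computed outside the visible lines, and if it derives from the original length, the send can read past the end of cmd.buf.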
@@ -152,18 +173,37 @@
 
 }
 
-static void string_utf16(char *dest, const char *src, int len) {
+// At this time, dest_size has unit in byte, which specify the length in bytes
+// of the buffer pointed to by dest.
+static void string_utf16(char *dest, size_t dest_size, const char *src, int len) {
   int i;
 
   memset (dest, 0, 1000);
 
-  for (i=0; ilen; i++) {
+  //for (i=0; ilen  /* avoid buffer overflow */ i*2+1  dest_size; i++)
+  for (i=0;
+   ilen 
+   /* avoid buffer overflow */
+   // For generic stuff.
+   // This can be buffer overflow at ref_note{string_utf16#1} if
+   // sizeof dest[0]  1
+   //(i*2+1)*(sizeof dest[0])  dest_size;
+   // So, advance 1 step
+   (i*2+2)*(sizeof dest[0]) = dest_size;
+   i++) {
 dest[i*2] = src[i];
-dest[i*2+1] = 0;
+dest[i*2+1] = 0; // ref_note{string_utf16#1}
   }
+  //if (i*2+1 = dest_size) return; // avoid buffer overflow
+  // For generic stuff.
+  // This can be buffer overflow at ref_note{string_utf16#2} if
+  // sizeof dest[0]  1
+  //if ((i*2+1)*(sizeof dest[0]) = dest_size) return; // avoid buffer overflow
+  // So, advance 1 step
+  if ((i*2+2)*(sizeof dest[0])  dest_size) return; // avoid buffer overflow
 
   dest[i*2] = 0;
-  dest[i*2+1] = 0;
+  dest[i*2+1] = 0; // ref_note{string_utf16#2}
 }
 
 static void print_answer (char *data, int len) {
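
Review bot: the unchanged memset (dest, 0, 1000) at the top of string_utf16() ignores the new dest_size parameter, so a caller passing a buffer smaller than 1000 bytes still gets an overflow before the guarded loop runs. It should be memset(dest, 0, dest_size). The early return when the terminator does not fit also leaves the caller with no indication that the string was truncated; returning a status or the number of characters written would let callers detect that.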
@@ -201,7 +241,10 @@
   while (command == 0x1b) {
 int len;
 
-len = recv (s, data, BUF_SIZE, 0) ;
+//len = recv (s, data, BUF_SIZE, 0) ;
+// For generic stuff
+//len = recv (s, data, BUF_SIZE*(sizeof data[0]), 0) ;
+len = recv (s, data, sizeof data, 0) ;
 if (!len) {
   dprintf (\nalert! eof\n);
   return;
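
Review bot: recv (s, data, sizeof data, 0) is only correct if data is an array declared in this scope; the declaration is not part of the hunk, and if data is a char * the call now reads only a pointer-sized chunk. Passing the buffer size explicitly alongside the pointer would remove the ambiguity. Separately, the if (!len) test in the context catches end of file but not the -1 that recv returns on error, so a failed read falls through and is treated as data.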
@@ -214,14 +257,41 @@
   }
 }
 
-static int get_data (int s, char *buf, size_t count) {
+// This will continue to recv() data, even though buf_size is reached.
+// Both buf_size and count 
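
The two failure modes listed in the report (a copy length taken from network input, and a destination smaller than the size handed to the copy) can be closed by rejecting a bad length instead of clamping it. The following C code is an added example, not code from mimms or from the attached patch; cmd_set_payload, widen_utf16le, struct cmd and the 1024-byte CMD_BUF_SIZE are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 48        /* payload offset used in the patch (cmd.buf[48]) */
#define CMD_BUF_SIZE 1024 /* assumed; the real buffer size is not on the page */
struct cmd { uint8_t buf[CMD_BUF_SIZE]; };

/* Copy a payload after the header and zero-pad it to a multiple of 8.
 * Returns the number of bytes to send, or -1 if length is negative or
 * the padded payload does not fit. Nothing is written on failure. */
static long cmd_set_payload(struct cmd *c, const char *data, int length)
{
    if (length < 0)
        return -1;            /* e.g. (num_stream_ids-1)*6+2 with zero ids */
    size_t len = (size_t)length;
    size_t padded = (len + 7) & ~(size_t)7;
    if (padded > sizeof c->buf - HDR_LEN)
        return -1;
    memcpy(c->buf + HDR_LEN, data, len);
    memset(c->buf + HDR_LEN + len, 0, padded - len);
    return (long)(HDR_LEN + padded);
}

/* Widen 8-bit characters to UTF-16LE plus a 2-byte terminator.
 * dest_size is in bytes. Returns characters written, or -1 if the
 * result (2*len + 2 bytes) does not fit in dest. */
static long widen_utf16le(char *dest, size_t dest_size,
                          const char *src, size_t len)
{
    if (dest_size < 2 || len > (dest_size - 2) / 2)
        return -1;
    for (size_t i = 0; i < len; i++) {
        dest[2 * i] = src[i];
        dest[2 * i + 1] = 0;
    }
    dest[2 * len] = dest[2 * len + 1] = 0;
    return (long)len;
}

int main(void)
{
    struct cmd c;
    char wide[8];
    printf("%ld %ld %ld\n", cmd_set_payload(&c, "abc", 3),
           cmd_set_payload(&c, "abc", -4), widen_utf16le(wide, sizeof wide, "abcd", 4));
    return 0;
}
```

Both functions return -1 on failure, which the caller has to check before calling send().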

Bug#368816: pine: should have another binary package which have no debian patch

2006-05-24 Thread Anon Sricharoenchai
Package: pine
Version: 4.62-1
Severity: grave
Justification: renders package unusable

There should be a binary .deb package for the original pine, so that it can
be redistributed in the debian ftp archive.  The package name may be
pine-orig, for example.

Without a binary package, users will not know that there is a pine source
package in the debian archive, ready to be built.
I tried apt-cache search -n pine, found no package named pine, and
thought that there was no pine package in the debian archive.
I didn't even know that there was already a source package.
Until yesterday, when I searched for the problem in the debian mailing list
and discovered that there is already a source package.
But that took over 1 year from when I first tried to find the pine
package from debian.

Think of users spending years to discover the pine package.
Many users will lose their opportunity to know that there is a pine source
package ready for them.  That's why I consider this bug as
"renders package unusable".


-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai

Versions of packages pine depends on:
ii  libc6  2.3.5-1ubuntu12   GNU C Library: Shared libraries an
ii  libldap2   2.1.30-2ubuntu4.1 OpenLDAP libraries
ii  libncurses5    5.4-4             Shared libraries for terminal hand
ii  libssl0.9.7    0.9.7d-3ubuntu0.2 SSL shared libraries
ii  mime-support   3.26-1            MIME files 'mime.types'  'mailcap

-- no debconf information

