Bug#861750: xpuzzles: package not comply with DFSG, it should be in non-free
Package: xpuzzles
Version: 5.5.4.1-2
Severity: serious
Justification: Policy 2.2.1

According to the copyright file in this package,

# Permission to use, copy, modify, and distribute this software and
# its documentation for any purpose and without fee is hereby granted,

It does not allow selling the software, so the package should be in the non-free archive.

-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-3-386
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages xpuzzles depends on:
ii libc6 2.3.5-1ubuntu12.5.10.1 GNU C Library: Shared libraries an
ii libice6 4.3.0.dfsg.1-6ubuntu25.3 Inter-Client Exchange library
ii libsm6 4.3.0.dfsg.1-6ubuntu25.3 X Window System Session Management
ii libx11-6 4.3.0.dfsg.1-6ubuntu25.3 X Window System protocol client li
ii libxt6 4.3.0.dfsg.1-6ubuntu25.3 X Toolkit Intrinsics
ii xlibs 4.3.0.dfsg.1-6ubuntu25.3 X Window System client libraries m

-- no debconf information
Bug#302578: dict-jargon: FTBFS: Error on w3m and lynx calls
Hi,

* Apparently xmlto calls w3m or lynx to convert html to text, but I can't find the call. (I don't know why neither one is a Build-Depend.) If w3m is installed, it is called, but creates an error. Since I can't locate the error, I have listed w3m as Build-Conflicts-Indep.

The cause of the problem is described below.

1. According to jargsrc-4.4.4/Makefile,

    jargon.txt: jargon-web.xml $(XSLFILES)
    	xmlto -p -width=79 -m jargon-text.xsl txt jargon-web.xml

   xmlto is called with -p width=79.
2. xmlto then passes the option -width=79 to /usr/share/xmlto/format/docbook/txt
3. /usr/share/xmlto/format/docbook/txt then passes the option -width=79 to w3m like this,

    /usr/bin/w3m -T text/html -dump -width=79 /tmp/xmlto.NGhmUC/jargon-web.proc

4. Since w3m does not recognize the option -width=nn, it returns an error.

== More ==

According to /usr/share/xmlto/format/docbook/txt, it contains the following code,

    if [ -x /usr/bin/w3m ]
    then
      CONVERT=/usr/bin/w3m
      ARGS="-T text/html -dump"
    elif [ -x /usr/bin/lynx ]
    then
      CONVERT=/usr/bin/lynx
      ARGS="-force_html -dump -nolist -width=72"
    elif [ -x /usr/bin/links ]
    then
      CONVERT=/usr/bin/links
      ARGS="-dump"
    else
      echo >&2 "No way to convert HTML to text found."
      exit 1
    fi

1. I have just tried to resolve this problem by editing jargsrc-4.4.4/Makefile like this,

    # Pick the width option understood by whichever converter xmlto will use.
    WIDTH_ARGS=$(shell \
      if [ -x /usr/bin/w3m ]; \
      then \
        echo '-cols 79'; \
      elif [ -x /usr/bin/lynx ]; \
      then \
        echo '-width=79'; \
      elif [ -x /usr/bin/links ]; \
      then \
        echo '-width 79'; \
      fi \
    )

    jargon.txt: jargon-web.xml $(XSLFILES)
    	xmlto -p "$(WIDTH_ARGS)" -m jargon-text.xsl txt jargon-web.xml

2. After applying this solution, the w3m error is resolved.
3. However, it creates another error when applying the patch, patch debian/jargon-patch, since the patch is meant to apply to the output generated by lynx only, not w3m.
4. I'll try to resolve this new issue.
Bug#446862: phpmyadmin: default config allow mysql's [EMAIL PROTECTED] access from remote host
Package: phpmyadmin
Version: 4:2.6.2-3sarge5
Severity: critical
Justification: root security hole
Tags: security patch

Since phpmyadmin is on apache, and apache can be accessed from a remote host, a remote host can access mysql's [EMAIL PROTECTED] via phpmyadmin. This will break the mysql security policy.

I would like to suggest a patch to set the default mysql host, by determining the network interface to which the client is connecting.

* If connecting by http://localhost/phpmyadmin, the mysql host will be 'localhost'.
* If connecting by http://hostname.hostdomain/phpmyadmin, the mysql host will be 'hostname.hostdomain'.
* If php can't determine client information, for security reasons, 'localhost.localdomain' will be set as the mysql host. (By default, '[EMAIL PROTECTED]' will get the same privileges as other remote root access, '[EMAIL PROTECTED]', in mysql.)

This will make phpmyadmin able to serve remote access, while not breaking the security setting in mysql. One can still leave a blank password in mysql's [EMAIL PROTECTED], without worrying that it can be remotely accessed.

The attached file is the patch for version 2.6.2-3sarge5 and 2.9.1.1-4.
-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai

Versions of packages phpmyadmin depends on:
ii apache [httpd] 1.3.31-6ubuntu0.9 Versatile, high-performance HTTP s
ii debconf 1.4.29ubuntu4 Debian configuration management sy
ii php4 4:4.3.8-3ubuntu7.15 A server-side, HTML-embedded scrip
ii php4-cgi 4:4.3.10-10ubuntu4.8 server-side, HTML-embedded scripti
ii php4-mysql 4:4.3.8-3ubuntu7.15 MySQL module for php4
ii ucf 1.07 Update Configuration File: preserv

-- debconf information excluded

diff --exclude='.*.swp' -ur phpmyadmin-2.6.2-3sarge5.orig/config.inc.php phpmyadmin-2.6.2-3sarge5/config.inc.php --- phpmyadmin-2.6.2-3sarge5.orig/config.inc.php 2007-10-16 11:40:28.613403000 +0700 +++ phpmyadmin-2.6.2-3sarge5/config.inc.php 2007-10-16 15:10:53.231170048 +0700 
@@ -64,11 +64,32 @@ /** * Server(s) configuration */ +function non_fake_server_name($server_name) { +if (!isset($_SERVER['SERVER_ADDR'])) return false; +// HTTP_HOST can be in the format, host:port +list($server_name) = explode(':', $server_name); +foreach (gethostbynamel($server_name) as $ip) { +if ($_SERVER['SERVER_ADDR'] == $ip) return true; +} return false; +} +// By default, '[EMAIL PROTECTED]' will get the same privileges as +// other remote root access ('[EMAIL PROTECTED]') in mysql. +// For security reason, assume remote access using 'localhost.localdomain', +// when client information is missing. +if (empty($_SERVER)) $client_dependent_localhost = 'localhost.localdomain'; +// Client may fake Host: header. +elseif (isset($_SERVER['SERVER_NAME']) non_fake_server_name($_SERVER['SERVER_NAME'])) +$client_dependent_localhost = $_SERVER['SERVER_NAME']; +elseif (isset($_SERVER['HTTP_HOST']) non_fake_server_name($_SERVER['HTTP_HOST'])) +list($client_dependent_localhost) = explode(':', $_SERVER['HTTP_HOST']); +elseif (isset($_SERVER['SERVER_ADDR'])) +$client_dependent_localhost = $_SERVER['SERVER_ADDR']; +else $client_dependent_localhost = 'localhost.localdomain'; $i = 0; // The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use $cfg['Servers'][0]. // You can disable a server config entry by setting host to ''. 
$i++; -$cfg['Servers'][$i]['host'] = 'localhost'; // MySQL hostname or IP address +$cfg['Servers'][$i]['host'] = $client_dependent_localhost; // MySQL hostname or IP address $cfg['Servers'][$i]['port'] = ''; // MySQL port - leave blank for default port $cfg['Servers'][$i]['socket']= ''; // Path to the socket - leave blank for default socket $cfg['Servers'][$i]['connect_type'] = 'socket';// How to connect to MySQL server ('tcp' or 'socket') diff --exclude='.*.swp' -ur phpmyadmin-2.9.1.1-4.orig/debian/src/config.inc.php phpmyadmin-2.9.1.1-4/debian/src/config.inc.php --- phpmyadmin-2.9.1.1-4.orig/debian/src/config.inc.php 2007-10-16 10:28:42.024104000 +0700 +++ phpmyadmin-2.9.1.1-4/debian/src/config.inc.php 2007-10-16 15:17:54.682099768 +0700 @@ -7,6 +7,28 @@ // Load secret generated on postinst include('/etc/phpmyadmin/blowfish_secret.inc.php'); +function non_fake_server_name($server_name) { +if (!isset($_SERVER['SERVER_ADDR'])) return false; +// HTTP_HOST can be in the format, host:port +list($server_name) = explode(':', $server_name); +foreach (gethostbynamel($server_name) as $ip) { +if ($_SERVER['SERVER_ADDR'] == $ip) return true; +} return false; +} +// By default, '[EMAIL PROTECTED]' will get the same privileges as +// other remote root access ('[EMAIL PROTECTED]') in mysql. +// For security reason, assume remote access using
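Review bot: In non_fake_server_name(), the result of gethostbynamel($server_name) goes straight into foreach, but gethostbynamel() returns false when the name does not resolve, so an unresolvable Host value makes the loop run over a non-array and emit a warning; store the result and return false unless it is an array. The name being resolved comes from HTTP_HOST, which the patch's own comment says the client may fake, so each request can trigger a DNS lookup for a name the client chose; comparing against a fixed list of expected names would avoid that. The unchanged context keeps connect_type as 'socket' while host is no longer 'localhost', so it is worth confirming the new host value actually takes effect with that setting. The same block is repeated in the second file's hunk, so any fix needs to go in both places.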
Bug#374577: mimms: patch to fix many buffer overflows vulnerability
Martin Schulze [EMAIL PROTECTED] wrote:

One question remains, though:

+ // buf_size = min(count, buf_size);
+ if (buf_size count) buf_size = count;

Is there any reason not to write min() here?

It's a bit faster than buf_size = min(), since there's no need to reassign "buf_size" again, if it's less than "count" :)
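On the min() clamp discussed in this thread: the lengths involved are signed ints that depend on network input, so the cast to size_t matters as much as the comparison. The following is an added example, not code from mimms or from the patch; `cmd_buf_t`, `CMD_BUF_SIZE`, `clamped_len()` and `put_payload()` are hypothetical names, and the 1024-byte buffer is an assumed size. It contrasts clamping a cast length with rejecting an invalid length before any copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1024 /* assumed size, not taken from mimms */
#define CMD_HEADER   48   /* payload offset seen in the patch */

typedef struct { uint8_t buf[CMD_BUF_SIZE]; } cmd_buf_t; /* hypothetical */

/* Clamp-only approach: cast the signed length, then take the minimum. */
static size_t clamped_len(int length, size_t capacity)
{
    size_t n = (size_t)length; /* a negative length wraps to a huge value */
    return n < capacity ? n : capacity;
}

/*
 * Reject-instead-of-clamp: copy `length` bytes of `data` (which holds
 * `data_size` bytes) behind the header and zero-pad to a multiple of 8.
 * Returns the padded payload size, or -1 if the request is invalid.
 */
static int put_payload(cmd_buf_t *cmd, const void *data, size_t data_size,
                       int length)
{
    const size_t capacity = sizeof cmd->buf - CMD_HEADER;

    if (length < 0)
        return -1;              /* never reaches the size_t cast */
    size_t n = (size_t)length;
    if (n > data_size || n > capacity)
        return -1;              /* would over-read source or overflow buf */
    size_t pad = (8 - (n & 7)) & 7;
    if (pad > capacity - n)
        return -1;              /* padding would run past the buffer */
    memcpy(cmd->buf + CMD_HEADER, data, n);
    memset(cmd->buf + CMD_HEADER + n, 0, pad);
    return (int)(n + pad);
}

int main(void)
{
    static cmd_buf_t cmd;
    char src[16] = "constructed";  /* constructed sample payload */
    printf("clamp(-4)  -> %zu\n", clamped_len(-4, sizeof cmd.buf - CMD_HEADER));
    printf("reject(-4) -> %d\n", put_payload(&cmd, src, sizeof src, -4));
    printf("copy(10)   -> %d\n", put_payload(&cmd, src, sizeof src, 10));
    return 0;
}
```

With a length of -4 the clamp yields the full remaining capacity, so a copy of that size would read far more than the source holds; the checked version refuses the request instead.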
Bug#374577: mimms: patch to fix many buffer overflows vulnerability
Package: mimms
Version: 0.0.9-1
Severity: grave
Justification: user security hole
Tags: security patch

According to the patch attached in this report, it has many possible buffer overflows. For example,

- memcpy(buf, data, length) without bounding the limit of length, while length depends on the input data incoming from the internet.
- read(s, data, BUF_SIZE) in main(), where BUF_SIZE is much greater than sizeof(data), which is only 1024 chars allocated in main(), while BUF_SIZE is defined as 1024*128.

-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai

Versions of packages mimms depends on:
ii libc6 2.3.5-1ubuntu12 GNU C Library: Shared libraries an
ii libgcc1 1:3.4.2-2ubuntu1 GCC support library
ii libpopt0 1.7-4 lib for parsing cmdline parameters
ii libstdc++5 1:3.3.4-9ubuntu5 The GNU Standard C++ Library v3
ii libuuid1 1.35-6ubuntu1 Universally unique id library

-- no debconf information

--- mimms-0.0.9.orig/mimms.cpp 2004-10-22 21:38:33.0 +0700 +++ mimms-0.0.9/mimms.cpp 2006-05-13 21:27:57.168095728 +0700 @@ -66,6 +66,9 @@ int stream_ids[20]; int output_fh; +// There's currently no use of put_32() that num_bytes depend on input and +// cause buffer overflow. +// Use put_32() with care, it can cause buffer overflow. static void put_32 (command_t *cmd, uint32_t value) { for (int i=0; i4; i++) { cmd-buf[cmd-num_bytes++] = (value (8*i)) 0xff; @@ -81,6 +84,8 @@ return value; } +#define min(a, b) (a) (b) ? (a) : (b) +#define max(a, b) (a) (b) ? (a) : (b) static void send_command (int s, int command, uint32_t switches, uint32_t extra, int length, char *data) { 
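Review bot: The min() and max() macros added before send_command() have no parentheses around the whole expansion and evaluate each argument twice, so they can misbehave inside a larger expression or with an argument that has side effects. Since the file is mimms.cpp, std::min and std::max from <algorithm> would be the safer choice; if the macros stay, wrap the full conditional expression in parentheses. In the earlier hunk, the new comment above put_32() warns that it can overflow but the function still writes without checking num_bytes against the buffer size; a bounds check there would do more than the warning.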
@@ -107,8 +112,24 @@ put_32 (cmd, switches); put_32 (cmd, extra); - memcpy (cmd.buf[48], data, length); - if (length 7) + // buffer overflow, when the length depend on input, such as, url length + //memcpy (cmd.buf[48], data, length); + // Use min() to limit the upperbound length. + //memcpy (cmd.buf[48], data, min(length, sizeof cmd.buf - 48)); + // But the negative length can also cause buffer overflow, in case size_t is + // unsigned and length is casted to size_t. + // length can be negative in the line, + // send_command (s, 0x33, num_stream_ids, + // 0x | stream_ids[0] 16, + // (num_stream_ids-1)*6+2 , data); + // in main() below, where num_stream_ids is zero. + // The solution is to cast length to size_t before min() compare. + memcpy (cmd.buf[48], data, + min((size_t)length, sizeof cmd.buf - 48*(sizeof cmd.buf[0]))); + if (length 7 +// to avoid buffer overflow +(48 + length)*(sizeof cmd.buf[0]) + 8 - (length 7) = sizeof cmd.buf + ) memset(cmd.buf[48 + length], 0, 8 - (length 7)); if (send (s, cmd.buf, len8*8+48, 0) != (len8*8+48)) { 
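Review bot: Clamping the memcpy size with min((size_t)length, ...) bounds the write but not the read: for the negative length the comment describes, the cast makes min() pick the full remaining buffer, so memcpy reads that many bytes from data regardless of how much data actually holds. Reject a negative or oversized length at the top of send_command() and return an error rather than clamping. The unchanged send() line still uses len8*8+48, which is computed outside this hunk; confirm it is derived from the checked length and not the original one. The commented-out memcpy variants and the multi-line rationale would read better as one short comment.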
@@ -152,18 +173,37 @@ } -static void string_utf16(char *dest, const char *src, int len) { +// At this time, dest_size has unit in byte, which specify the length in bytes +// of the buffer pointed to by dest. +static void string_utf16(char *dest, size_t dest_size, const char *src, int len) { int i; memset (dest, 0, 1000); - for (i=0; ilen; i++) { + //for (i=0; ilen /* avoid buffer overflow */ i*2+1 dest_size; i++) + for (i=0; + ilen + /* avoid buffer overflow */ + // For generic stuff. + // This can be buffer overflow at ref_note{string_utf16#1} if + // sizeof dest[0] 1 + //(i*2+1)*(sizeof dest[0]) dest_size; + // So, advance 1 step + (i*2+2)*(sizeof dest[0]) = dest_size; + i++) { dest[i*2] = src[i]; -dest[i*2+1] = 0; +dest[i*2+1] = 0; // ref_note{string_utf16#1} } + //if (i*2+1 = dest_size) return; // avoid buffer overflow + // For generic stuff. + // This can be buffer overflow at ref_note{string_utf16#2} if + // sizeof dest[0] 1 + //if ((i*2+1)*(sizeof dest[0]) = dest_size) return; // avoid buffer overflow + // So, advance 1 step + if ((i*2+2)*(sizeof dest[0]) dest_size) return; // avoid buffer overflow dest[i*2] = 0; - dest[i*2+1] = 0; + dest[i*2+1] = 0; // ref_note{string_utf16#2} } static void print_answer (char *data, int len) { @@ -201,7 +241,10 @@ while (command == 0x1b) { int len; -len = recv (s, data, BUF_SIZE, 0) ; +//len = recv (s, data, BUF_SIZE, 0) ; +// For generic stuff +//len = recv (s, data, BUF_SIZE*(sizeof data[0]), 0) ; +len = recv (s, data, sizeof data, 0) ; if (!len) { dprintf (\nalert! eof\n); return; @@ -214,14 +257,41 @@ } } -static int get_data (int s, char *buf, size_t count) { +// This will continue to recv() data, even though buf_size is reached. +// Both buf_size and count
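Review bot: In string_utf16(), the unchanged line memset (dest, 0, 1000) still clears a fixed 1000 bytes even though the function now receives dest_size, so a destination smaller than 1000 bytes is overrun before the new loop bound is ever checked; use dest_size there. The loop condition is also hard to follow with three commented-out variants left inline; keep the final bound and move the reasoning into one short comment.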
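Review bot: In the recv hunk, sizeof data is the buffer size only if data is an array declared in this function; if it is a pointer parameter, this passes the pointer size instead, so confirm the declaration or pass the size in explicitly. The unchanged check if (!len) handles end of file but not a negative return from recv(), which should be treated as an error before len is used.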
Bug#368816: pine: should have another binary package which have no debian patch
Package: pine
Version: 4.62-1
Severity: grave
Justification: renders package unusable

There should be a binary .deb package for the original pine, so that it can be redistributed in the debian ftp archive. The package name may be pine-orig, for example.

Without a binary package, users won't know that there is a pine source package, from the debian archive, ready to be built. I tried apt-cache search -n pine, and found no package named pine, and thought that there was no pine package in the debian archive. I didn't even know that there was already a source package.

Until yesterday, when I tried to search for the problem in the debian mailing list, and discovered that there was already a source package. But that took over 1 year, from when I first tried to find the pine package from debian.

Think of users spending years to discover the pine package? Many users will lose their opportunity to know that there is a pine source package ready for them. That's why I consider this bug as "renders package unusable".

-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai

Versions of packages pine depends on:
ii libc6 2.3.5-1ubuntu12 GNU C Library: Shared libraries an
ii libldap2 2.1.30-2ubuntu4.1 OpenLDAP libraries
ii libncurses5 5.4-4 Shared libraries for terminal hand
ii libssl0.9.7 0.9.7d-3ubuntu0.2 SSL shared libraries
ii mime-support 3.26-1 MIME files 'mime.types' 'mailcap

-- no debconf information