Bug#951794: closing 951794
close 951794 2.0-2
thanks
Bug#836162: diversions for linkers need an update
Hi Niels,

On Fri, Oct 07, 2016 at 05:35:00AM +, Niels Thykier wrote:
> Lintian has embedded the checks, but has not taken over the tool.

As in copy/pasted the logic, or is still calling out to hardening-check?

> There was talk about putting the actual tool in devscripts, but I don't
> know what happened with that. That said, I do not feel the tool fits
> into lintian - at least not with lintian's current design.

devscripts seems fine to me if lintian doesn't want it. :)

-Kees

-- 
Kees Cook@debian.org
Bug#836162: diversions for linkers need an update
On Thu, Sep 01, 2016 at 05:17:06PM +0200, Moritz Muehlenhoff wrote:
> I think we should remove hardening-wrapper for the stretch release?
> dpkg-buildflags/dh are around for a long time now and we're down to
> about 50 reverse dependencies at this point. Plus, lintian marks it
> as deprecated for quite a while now.
>
> Kees, what do you think?

Yeah, it (and hardening-includes) should get removed in favor of the
dpkg-buildflags method. However, this means we need to move the
"hardening-check" script from hardening-includes to lintian, probably.

-Kees

-- 
Kees Cook@debian.org
Bug#797378: dosemu didn't change
This is a kernel bug, not a dosemu bug. Please see:
https://lkml.org/lkml/2015/8/13/435

-- 
Kees Cook@debian.org
Bug#746508: NMU'ing AppArmor to fix #746508? [Was: apparmor-notify should depend on libnotify-bin]
Hi intrigeri,

On Sun, Jun 01, 2014 at 11:08:58AM +0200, intrigeri wrote:
> intrigeri wrote (03 May 2014 11:32:15 GMT) :
> > Kees, do you want to fix this at the same time as you upload a newer
> > upstream release (#743195), or separately? If you have no plans to
> > upload shortly, I could be tempted to NMU just to fix this RC bug, if
> > you don't mind, just to ensure AppArmor does not get thrown out
> > of Jessie.
>
> If I find time, I'll likely NMU apparmor to fix this RC bug in the
> next few days. I think I'll include the proposed update to
> debian/watch (#738531) while I'm at it. Thoughts?

That'd be great, yes.

> Of course, it would be preferable to upload 2.8.3 instead, and fix
> these bugs at the same time :)

I've seen some reports that 2.8.3 has issues with the apache2 module.
I haven't had time to set it up and test, though.

-Kees

-- 
Kees Cook@debian.org

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#737921: breaks debian.org SMTP TLS
Severity: serious

This breaks SMTP TLS connections to debian.org when the client presents
a sha512 cert:

$ grep confSERVER_CERT /etc/mail/sendmail.mc
define(`confSERVER_CERT',`/etc/ssl/certs/smtp-cert.pem')dnl
$ openssl x509 -text -noout -in /etc/ssl/certs/smtp-cert.pem | grep 'Signature Algorithm'
    Signature Algorithm: sha512WithRSAEncryption

client logs:

May 23 06:52:09 vinyl sm-mta[6695]: STARTTLS=client, error: connect failed=-1, SSL_error=5, errno=104, retry=-1
May 23 06:52:09 vinyl sm-mta[6695]: ruleset=tls_server, arg1=SOFTWARE, relay=mailly.debian.org, reject=403 4.7.0 TLS handshake failed.

server logs:

2014-05-23 19:21:58 TLS error on connection from smtp.outflux.net [2001:19d0:2:6:c0de:0:736d:7470] (gnutls_handshake): The signature algorithm is not supported.

-Kees
Bug#732578: Issue after conversion of AppArmor package to dh(1) and Multi-Arch
On Fri, Jan 03, 2014 at 10:01:22PM +0100, intrigeri wrote:
> dh(1) and Multi-Arch, thanks to Steve Langasek" revision adds
> the --parallel option to dh, while Ubuntu's debian/rules does not do
> it. Perhaps Kees integrated a preliminary patch from Steve, that was
> slightly different from the one that eventually made it into Ubuntu,
> or something. I'm looking at it with my git-bzr lens, so I've no idea
> how this kind of cherry-pick is done with Bazaar.
>
> Anyhow, getting rid of this option fixes the problem in my sid/amd64
> and sid/i386 build environments.
>
> I suspect different degrees of configured parallelism and/or available
> CPU cores explain the differences we've seen occur on the buildd
> network. FWIW, I'm myself using DEB_BUILD_OPTIONS='parallel=5'.

Very nice work! Yes, I had added --parallel along with other changes since
it seemed to work fine for me.

> To end with, I'm not very skilled with Makefiles and all, but if the
> upstream build system does not support parallel builds, maybe there's
> a way to forbid it entirely in there? This might avoid such problems
> in the future.

I will try to reproduce this with parallel=5 (I've used =4), and chase any
resulting bug upstream. Thanks for finding this!

-Kees

-- 
Kees Cook@debian.org
Bug#732578: Issue after conversion of AppArmor package to dh(1) and Multi-Arch
On Fri, Dec 20, 2013 at 01:48:48PM +0100, intrigeri wrote:
> Steve Langasek wrote (19 Dec 2013 18:28:09 GMT) :
> > Is it reproducible in a clean build on i386?
>
> Yes, the i386 binary package that exposes this issue was built on the
> Debian buildd network:
> https://buildd.debian.org/status/fetch.php?pkg=apparmor&arch=i386&ver=2.8.0-3&stamp=1386964661
>
> ... but the source package currently FTBFS in my pbuilder sid i386 and
> amd64 chroots (same for 2.8.0-0ubuntu35, FWIW), so I can't confirm
> this issue is still current. I will report the FTBFS separately.

After fixing the bison3-induced FTBFS, I still can't reproduce this i386
build problem. I'm uploading again now, and will see what the buildds
produce...

-Kees

-- 
Kees Cook@debian.org
Bug#655745: closing 655745
close 655745
thanks
Bug#661161: closing 661161
close 661161
thanks

debhelper 9.20120312 is now in Debian, and 9.20120115ubuntu3 is in Ubuntu,
so the versioning used here is correct now.
Bug#612035: vulnerability: rewrite arbitrary user file
Package: feh
Version: 1.10-1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty

This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607328

The description, from segooon, follows:

Binary package hint: feh

Hi,

I've just discovered that feh is vulnerable to rewriting any user file:

tmpname_timestamper = estrjoin("", "/tmp/feh_", cppid, "_", basename, NULL);
execlp("wget", "wget", "-N", "-O", tmpname_timestamper, newurl, quiet, (char*) NULL);

If the attacker knows the PID of feh and knows the URL, he can create a link
to any user file. wget would overwrite it.

Thanks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty
  APT policy: (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#612034: vulnerability: rewrite arbitrary user file
Package: aptitude
Version: 0.6.3-3.2ubuntu1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty

This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607264

The description, from segooon, follows:

Binary package hint: aptitude

Hi,

I've just discovered that aptitude is vulnerable to rewriting any user
(maybe root) file:

bool hier_editor::handle_key(const cw::config::key &k)
    if(homedir.empty())
    {
        cfgfile = "/tmp/function_pkgs";
    }
    save_hier(cfgfile);

Here the attacker can create a link to any file in the system that the user
may write to. If the process has no $HOME set, this file would be
overwritten. It is rare that $HOME is null, but in such a rare case it is
vulnerable.

Thanks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty
  APT policy: (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#612033: vulnerability: rewrite arbitrary user file
Package: conky
Version: 1.8.0-1ubuntu1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty

This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607309

The description, from segooon, follows:

Binary package hint: conky

Hi,

I've just discovered that conky is vulnerable to rewriting any user file:

char *getSkillname(const char *file, int skillid)
    if (!file_exists(file)) {
        skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
        writeSkilltree(skilltree, file);
        free(skilltree);
    }

getXmlFromAPI() can execute for a long time (e.g. bad connection), so
between file_exists() and write_file() the attacker can create a link to
any user file named "/tmp/.cesf". The attacker can choose the time when to
create the link by watching for network connections.

Thanks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty
  APT policy: (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#612032: vulnerability: rewrite arbitrary user file
Package: tesseract
Version: 2.04-2
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty

This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607297

The description, from segooon, follows:

Hi,

I've just discovered that tesseract-ocr is vulnerable to rewriting any user
file:

DEBUG_WIN::DEBUG_WIN(//constructor
    length += sprintf (command + length,
        "\"stty opost; tty >/tmp/debug%d; while [ -s /tmp/debug%d ]\ndo\nsleep 1\ndone\" &\n",
        pid, pid);

Here the attacker can create a link to any file in the system that the user
may write to. The only thing he has to know is the pid of the process. As
it is (last PID + 1) by default, it is not difficult to guess.

Thanks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty
  APT policy: (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
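The feh, aptitude, conky and tesseract reports above all describe the same defect: a fixed, guessable path under /tmp opened for writing, which a pre-planted symlink redirects to any file the user can write. The C program below is an added example, not code from any of those packages or from the reporter; it stages the hijack inside a private scratch directory created by mkdtemp (so nothing outside it is touched), shows the naive open clobbering the victim, and then the two standard mitigations: O_CREAT|O_EXCL|O_NOFOLLOW when a fixed name is unavoidable, and mkstemp() for an unpredictable one. The directory, file and prefix names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The predictable name the feh report quotes ("/tmp/feh_<pid>_<basename>"),
 * placed under a caller-chosen directory so the demo stays out of the real
 * /tmp namespace. Anyone who can guess pid and basename can plant a symlink
 * at this path before it is opened. */
int predictable_name(char *out, size_t len, const char *dir,
                     const char *prefix, const char *base)
{
    int n = snprintf(out, len, "%s/%s_%ld_%s", dir, prefix,
                     (long)getpid(), base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* The pattern all four reports share: open a fixed name for writing.
 * open(2) follows a symlink in the final component, so a planted link
 * redirects the write to whatever file the attacker chose. */
int open_fixed_name_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Mitigation 1: if a fixed name cannot be avoided, never reuse an existing
 * entry. O_CREAT|O_EXCL creates atomically and fails with EEXIST when
 * anything (a symlink included) is already there; O_NOFOLLOW rejects a
 * symlink in the final component with ELOOP. */
int open_fixed_name_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Mitigation 2 (preferred): mkstemp(3) picks an unpredictable suffix and
 * creates the file atomically with mode 0600; the XXXXXX in the template
 * is rewritten in place with the chosen name. */
int open_unpredictable(char *tmpl, size_t len, const char *dir,
                       const char *prefix)
{
    int n = snprintf(tmpl, len, "%s/%s_XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkstemp(tmpl);
}

/* Stage the race in a private scratch directory (constructed for the demo):
 * write a victim file, plant a symlink at the predictable name pointing at
 * it, then try each open variant. Returns a bitmask, or -1 on setup error:
 *   bit 0: the unsafe open followed the link and truncated the victim
 *   bit 1: the hardened fixed-name open refused (EEXIST or ELOOP)
 *   bit 2: mkstemp produced a fresh file of its own */
int run_scenario(void)
{
    char dir[] = "/tmp/tmpfile_demo_XXXXXX";
    char victim[300], link_path[300], tmpl[300];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important data\n", 15) != 15)
        return -1;
    close(fd);

    /* The attacker's move, simulated locally: point the guessable name at
     * the file they want clobbered. */
    if (predictable_name(link_path, sizeof link_path, dir, "feh", "img.jpg") != 0
        || symlink(victim, link_path) != 0)
        return -1;

    fd = open_fixed_name_unsafe(link_path);
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0)
        result |= 1;                    /* victim was truncated via the link */

    fd = open_fixed_name_safe(link_path);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;                    /* hardened open refused the link */
    else if (fd >= 0)
        close(fd);

    fd = open_unpredictable(tmpl, sizeof tmpl, dir, "feh");
    if (fd >= 0) {
        result |= 4;                    /* fresh, unguessable file created */
        close(fd);
        unlink(tmpl);
    }

    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

On a Linux system with a writable /tmp, run_scenario() returns 7: the naive open is redirected and truncates the victim, while both mitigations leave it alone.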
Bug#572468: flex: diff for NMU version 2.5.35-9.1
tags 572468 + patch tags 572468 + pending thanks Hello, I've prepared an NMU for flex (versioned as 2.5.35-9.1) and uploaded it to unstable. Please feel free to tell me if I should delay it longer. Thanks, -Kees -- Kees Cook@debian.org diff -u flex-2.5.35/doc/version.texi flex-2.5.35/doc/version.texi --- flex-2.5.35/doc/version.texi +++ flex-2.5.35/doc/version.texi @@ -1,4 +1,4 @@ -...@set UPDATED 1 June 2008 -...@set UPDATED-MONTH June 2008 +...@set UPDATED 9 September 2007 +...@set UPDATED-MONTH September 2007 @set EDITION 2.5.35 @set VERSION 2.5.35 diff -u flex-2.5.35/doc/stamp-vti flex-2.5.35/doc/stamp-vti --- flex-2.5.35/doc/stamp-vti +++ flex-2.5.35/doc/stamp-vti @@ -1,4 +1,4 @@ -...@set UPDATED 1 June 2008 -...@set UPDATED-MONTH June 2008 +...@set UPDATED 9 September 2007 +...@set UPDATED-MONTH September 2007 @set EDITION 2.5.35 @set VERSION 2.5.35 diff -u flex-2.5.35/debian/control flex-2.5.35/debian/control --- flex-2.5.35/debian/control +++ flex-2.5.35/debian/control @@ -5,10 +5,7 @@ Homepage: http://flex.sf.net/ Priority: optional Build-Depends: bison, gettext, texinfo, help2man, file, po-debconf, - autoconf, automake | automaken, cvs -# depending on cvs sucks, but gettext needs it without depending on it, -# and autoreconf calls autopoint from gettext, which uses a CVS repo in -# a tar ball. See Bug#506022 and Bug#508230 + autoconf, automake | automaken, autopoint Maintainer: Manoj Srivastava Standards-Version: 3.8.3.0 diff -u flex-2.5.35/debian/changelog flex-2.5.35/debian/changelog --- flex-2.5.35/debian/changelog +++ flex-2.5.35/debian/changelog @@ -1,3 +1,10 @@ +flex (2.5.35-9.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/control: add autopoint to build-deps, drop cvs (Closes: #572468). + + -- Kees Cook Sun, 20 Jun 2010 14:17:14 -0700 + flex (2.5.35-9) unstable; urgency=low * Update handling of lintian overrides.
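Review bot: the doc/version.texi and doc/stamp-vti hunks move UPDATED backwards from 1 June 2008 to 9 September 2007, which looks like autoreconf regenerating timestamp files rather than an intended change, and the changelog entry only describes the Build-Depends swap from cvs to autopoint; suggest dropping those two hunks from the NMU diff, or mentioning them in the changelog, so the upload does not carry unexplained generated-file churn.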
Bug#534009: [pkg-cli-libs-team] RM: db4o/testing tangerine/testing longomatch/testing; out of date API, FTBFS
Hi Iain,

On Mon, Jan 25, 2010 at 02:33:31PM +, Iain Lane wrote:
> (everyone, please keep pkg-cli-libs-t...@lado or #534009 cced)
> [...]
> Thanks for your interest in this, Kees. We have actually been
> working on this recently. See:
>
> http://git.debian.org/?p=pkg-cli-libs/packages/db4o.git;a=summary
>
> and the commits I will push there quite soon.
>
> Admittedly we haven't been keeping the BTS as up-to-date as we could
> have, but a ping would have allowed us to explain the situation. One
> of the reasons for the recent delays is that all CLI updates are
> tied to a transition we are currently seeing through.
>
> Rest assured that a new version of db4o will be forthcoming very soon.

Okay, excellent! I was just trying to reduce RC bugs for the bug squashing
party. I'm glad this is getting attention. Thanks!

-Kees

-- 
Kees Cook@debian.org
Bug#516708: Debtorrent just won't give up after receiving 404
Hi Cameron,

On Sun, Jan 24, 2010 at 05:47:29PM -0800, Cameron Dale wrote:
> On Sun, Jan 24, 2010 at 3:53 AM, Sylvain Beucler wrote:
> > Any progress on that RC issue?
>
> I have made some progress since it was made RC in October, but the bug
> is more complicated than I first thought. I will continue to work on
> the solution, though my time has been limited of late by a busy work
> schedule.

Ah, very cool. I hadn't seen any comments on the bug, so I assumed there
was no activity on it.

> On Sun, Jan 24, 2010 at 4:49 PM, Kees Cook wrote:
> > I've filed a removal request:
>
> I don't think this warrants a removal from testing, for the following reasons:
>
> 1. Though the original bug has been open for less than a year, the bug
> was not made RC (serious) until October 2009 (3 months ago), when
> another user noticed a side effect of the original bug that arguably
> makes it serious.
>
> 2. I am working on a fix for the bug, and hope to have it committed in
> the next week or two, and certainly before the freeze for the squeeze
> release.
>
> 3. The requester did not contact me (the maintainer), nor did anyone
> else, before requesting the removal, as mentioned here
> http://wiki.debian.org/ftpmaster_Removals: "In all cases, if there is
> a maintainer and it's not you, mention the maintainer's opinion or, if
> you don't know it, mention how and when you tried to contact him. If
> you didn't try to contact the maintainer, do so first."

I was just seeking to remove from testing, not a removal from the archive.

> In any case, removal of apt-transport-debtorrent is not required, as
> it is a separate package from debtorrent, and is unaffected by this
> bug. apt-transport-debtorrent doesn't depend on debtorrent, and it can
> be used by itself on a machine to communicate with debtorrent on a
> different machine.

That's totally true, apt-cache rdepends was trying to trick me and was
showing me things that were Recommends as well.

> I'd like to close this removal request for the above reasons, but I'm
> unsure of the etiquette related to that, and so I will leave it as is
> in the hopes that someone will read this message before actually
> performing the removal.

That's fine for me; thanks for the update on debtorrent!

-Kees

-- 
Kees Cook@debian.org
Bug#539163: should probably be normal
severity 539163 normal
thanks

I think this isn't serious. While it's possible that someone might select an
auth-less list, that could potentially be what they _want_ for their crazy
system. On the other hand, if it was an accident, some notice should be
taken. But I see this more as a feature request than anything else. Further
protecting a user who is already customizing their PAM stack is a good idea
and nice to have, but shouldn't cause PAM to have an RC bug for it.

-Kees

-- 
Kees Cook@debian.org
Bug#553286: non-maintainer upload
Hello! Attached is the patch that seems to be suggested as the solution, based on fw's comments. I'll upload this shortly... -Kees -- Kees Cook@debian.org diff -u debfoster-2.7/debian/postrm debfoster-2.7/debian/postrm --- debfoster-2.7/debian/postrm +++ debfoster-2.7/debian/postrm @@ -1,38 +1,9 @@ #!/bin/sh -OLDKEEPERS="/etc/apt/keepers" -KEEPERS="/var/lib/debfoster/keepers" - if [ "$1" = "purge" ] ; then - if [ -f $OLDKEEPERS ] ; then - echo "debfoster's list of wanted packages still exists. Do you" - echo -n "want to remove this file? ($OLDKEEPERS) [Y/n] " - read answer - case $answer in - y|Y|Yes|YES|yes|"") - rm -f $OLDKEEPERS - ;; - *) - echo "Not removing $OLDKEEPERS." - ;; - esac - fi - if [ -f $KEEPERS ] ; then - echo "debfoster's list of wanted packages still exists. Do you" - echo -n "want to remove this file? ($KEEPERS) [Y/n] " - read answer - case $answer in - y|Y|Yes|YES|yes|"") - rm -f $KEEPERS - ;; - *) - echo "Not removing $KEEPERS." - ;; - esac - fi + rm -f "/var/lib/debfoster/keepers" fi - # generated by other debhelper scripts. #DEBHELPER# reverted: --- debfoster-2.7/debian/postinst +++ debfoster-2.7.orig/debian/postinst 
@@ -1,64 +0,0 @@ -#! /bin/sh -# postinst script for #PACKAGE# -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -#* `configure' -#* `abort-upgrade' -#* `abort-remove' `in-favour' -# -#* `abort-deconfigure' `in-favour' -#`removing' -# -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. - -OLDKEEPERS="/etc/apt/keepers" -NEWKEEPERS="/var/lib/debfoster/keepers" - -case "$1" in -configure) - if [ -f $OLDKEEPERS -a \! -f $NEWKEEPERS ] ; then - echo "$OLDKEEPERS exists, do you want me to move it" - echo -n "to its new location, $NEWKEEPERS? [Y/n] " - read ans - case $ans in - Y|y|Yes|yes|YES|"") - mv -fv $OLDKEEPERS $NEWKEEPERS - ;; - *) - echo "You don't want to move the file. Fine, but you will be asked" - echo "again which packages you want to keep when you run debfoster." - echo "Or you could move $OLDKEEPERS to $NEWKEEPERS by hand." - ;; - esac - fi -;; - -abort-upgrade|abort-remove|abort-deconfigure) - -;; - -*) -echo "postinst called with unknown argument \`$1'" >&2 -exit 0 -;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - diff -u debfoster-2.7/debian/changelog debfoster-2.7/debian/changelog --- debfoster-2.7/debian/changelog +++ debfoster-2.7/debian/changelog 
@@ -1,3 +1,12 @@ +debfoster (2.7-1.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/{postinst,postrm}: remove policy-violating prompts for old +keepers file location that has not existed for 9 years now, and +unconditionally remove new keepers on purge (Closes: 553286). + + -- Kees Cook Sun, 24 Jan 2010 17:09:13 -0800 + debfoster (2.7-1) unstable; urgency=low * New upstream version. Closes: #448501.
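Review bot: the postrm hunk now removes /var/lib/debfoster/keepers unconditionally on purge, but the deleted postinst was the only code that ever looked at the old /etc/apt/keepers, so a stale copy at that path is silently left behind; that matches the changelog's "has not existed for 9 years" justification, but either a `rm -f /etc/apt/keepers` under the same `purge` branch or a sentence in the changelog saying it is deliberately ignored would make the decision explicit. Minor: `(Closes: 553286)` in the changelog omits the usual `#`; dpkg accepts both, so this is style only.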
Bug#516708: removal request
I've filed a removal request:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566760

-- 
Kees Cook@debian.org
Bug#534009: Info received (still FTBFS)
I've filed a removal request:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566757

-- 
Kees Cook@debian.org
Bug#534009: still FTBFS
After fixing debian/rules for the new csc location (mono-csc not csc), and
adjusting debian/control for the new package names of cecil:
libmono-cecil-cil-dev, libmono-cecil-flowanalysis-cil-dev, the package still
fails to build, likely due to big changes in cecil:

./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(547,105): error CS0246: The type or namespace name `IMethodReferenceExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(570,63): error CS0246: The type or namespace name `IMethodInvocationExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(576,70): error CS0246: The type or namespace name `IMethodReferenceExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(584,79): error CS0246: The type or namespace name `IMethodReferenceExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(624,52): error CS0246: The type or namespace name `IFieldReferenceExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(665,52): error CS0246: The type or namespace name `ILiteralExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(670,46): error CS0246: The type or namespace name `AstExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(675,83): error CS0246: The type or namespace name `AstExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(695,49): error CS0246: The type or namespace name `AstExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(701,58): error CS0246: The type or namespace name `AstExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(712,36): error CS0246: The type or namespace name `AstExpression' could not be found. Are you missing a using directive or an assembly reference?
./Db4objects.Db4o.Tools/NativeQueries/QueryExpressionBuilder.cs(719,89): error CS0246: The type or namespace name `AstExpression' could not be found. Are you missing a using directive or an assembly reference?

I think this package needs to be removed from testing as it cannot be built
without doing a fair bit of work. Also note that the current version
upstream is 7.12.

Removing this from testing would also cause these to be removed:
longomatch
tangerine

-Kees

-- 
Kees Cook@debian.org
Bug#557754: updates
severity 557754 important
thanks

Both of these issues are denials of service, so I'm reducing severity to
"important". Additionally, upstream seems to indicate in their bug report
that CVE-2007-2195 does not exist any more.

-- 
Kees Cook@debian.org
Bug#528938: next steps
It sounds like there are two possible solutions to the weak session:

- improve the session on the client
- improve the session on the server side

The patch already exists for improving the client side of things. The
help-needed tag is for the server changes, which is what direction this
seems to have gone. As upstream hasn't responded, one of three things needs
to happen to move forward on dealing with this RC bug:

1) develop the changes to generate the session on the server side.
2) reduce the severity below "serious".
3) contact the release team to block ajaxterm from testing and the next
   stable.

What makes the most sense for this bug?

-- 
Kees Cook@debian.org
Bug#551664: python-selinux python modules are missing
Package: libselinux Version: 2.0.87-1 Severity: grave Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch It was pointed out to me that python-selinux is missing all of its Python modules: As evidence from the build log[1]: drwxr-xr-x root/root 0 2009-10-14 05:39 ./ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/lib/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/lib/python-support/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/lib/python-support/python-selinux/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/share/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/share/doc/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/share/doc/python-selinux/ -rw-r--r-- root/root 13127 2009-10-14 05:38 ./usr/share/doc/python-selinux/changelog.Debian.gz -rw-r--r-- root/root 3123 2009-10-14 05:38 ./usr/share/doc/python-selinux/copyright -rw-r--r-- root/root 10101 2009-09-28 20:17 ./usr/share/doc/python-selinux/changelog.gz drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/share/python-support/ drwxr-xr-x root/root 0 2009-10-14 05:39 ./usr/share/python-support/python-selinux/ -rw-r--r-- root/root 8 2009-10-14 05:39 ./usr/share/python-support/python-selinux/.version Looks like the Makefile did not abort when "pkg-config" was missing. Attached patch add the missing build-dep. Thanks! -Kees [1] https://buildd.debian.org/fetch.cgi?pkg=libselinux;ver=2.0.87-1;arch=i386;stamp=1255498769 -- Kees Cook@debian.org diff -u libselinux-2.0.85/debian/control libselinux-2.0.85/debian/control --- libselinux-2.0.85/debian/control +++ libselinux-2.0.85/debian/control @@ -7,7 +7,7 @@ Maintainer: Manoj Srivastava Standards-Version: 3.8.3.0 Build-Depends: file, libsepol1-dev (>= 2.0.37), python-all-dev (>= 2.3.5-11), - swig, ruby1.8-dev, ruby + swig, ruby1.8-dev, ruby, pkg-config XS-Python-Version: >= 2.4 Package: selinux-utils
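Review bot: the diff header is against libselinux-2.0.85 while the report is filed against 2.0.87-1, so confirm the control hunk applies to the 2.0.87 source before uploading. Adding `pkg-config` after `swig, ruby1.8-dev, ruby` in Build-Depends fixes this instance, but the message says the Makefile did not abort when pkg-config was missing, and that silent failure mode is untouched; suggest also making debian/rules fail when the python-selinux modules are not produced (for example a `test -e` on the expected module file before dh_install runs) so a future missing tool becomes an FTBFS rather than an empty package.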
Bug#541391: LZMA license inaccuracy
Package: xz-utils
Version: 4.999.8beta-1
Severity: serious
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu karmic

Hello!

It seems that the license of the package needs further examination. It
cannot be Public Domain, since it is derived from the "lzma" package. This
is supported by both http://tukaani.org/lzma/history and the file headers
for things like src/liblzma/lzma/lzma_encoder.c. So this is not correct:

Files: src/liblzma/*
License: PD
 liblzma is in the public domain.

It does appear to be LGPL, so it's not a giant issue, but this package
should be more carefully reviewed for copyright issues.

Thanks,

-Kees

-- 
Kees Cook@debian.org
Bug#537254: consolation?
If it's any consolation, mimetex isn't installed by default in cgi-bin,
though moodle is a direct user. It's not clear if moodle's existing
filtering limits this exposure or not.

-- 
Kees Cook@debian.org
Bug#531569: patch for unstable...
Attached is a patch for unstable to avoid this in the future... -- Kees Cook@debian.org Description: allow tetex-bin to be installable after 5 years. Ubuntu: https://bugs.edge.launchpad.net/bugs/384904 Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531569 Patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=56;filename=patch-5yr-old;att=1;bug=531569 Index: texlive-base-2007.dfsg.2/texmf-dist/tex/latex/base/latex.ltx === --- texlive-base-2007.dfsg.2.orig/texmf-dist/tex/latex/base/latex.ltx 2009-06-08 12:34:06.0 -0700 +++ texlive-base-2007.dfsg.2/texmf-dist/tex/latex/base/latex.ltx 2009-06-08 12:34:24.0 -0700 @@ -532,17 +532,17 @@ \expandafter\reser...@a\fmtversion\@nil \ifnum\count@>65 \typeout{^^J% -!!^^J% -! You are attempting to make a LaTeX format from a source file^^J% -! That is more than five years old.^^J% -!^^J% -! If you enter to scroll past this message then the format^^J% -! will be built, but please consider obtaining newer source files^^J% -! before continuing to build LaTeX.^^J% -!!^^J% ++=^^J% +| You are attempting to make a LaTeX format from a source file^^J% +| That is more than five years old.^^J% +|^^J% +| If you enter to scroll past this message then the format^^J% +| will be built, but please consider obtaining newer source files^^J% +| before continuing to build LaTeX.^^J% ++=^^J% } - \errhelp{To avoid this error message, obtain new LaTeX sources.} - \errmessage{LaTeX source files more than 5 years old!} + \typeout{To avoid this error message, obtain new LaTeX sources.} + \typeout{LaTeX source files more than 5 years old!} \fi \let\reser...@a\relax \fi
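Review bot: in the latex.ltx hunk, replacing \errhelp/\errmessage with \typeout turns the five-year check into a non-stopping notice, but the retained lines "If you enter to scroll past this message then the format will be built" still describe an interactive prompt that no longer occurs; suggest rewording those two lines so the message matches the new behaviour. Also, the DEP-3 Description reads "allow tetex-bin to be installable" while the Index line shows the change is to texlive-base-2007.dfsg.2/texmf-dist/tex/latex/base/latex.ltx; the description should name the package actually patched.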
Bug#432120: CVE-2007-3360: remote IRC servers can execute arbitrary commands on client
Hi,

On Sat, Jan 17, 2009 at 12:05:02PM +0100, Kurt Roeckx wrote:
> On Sun, Sep 23, 2007 at 01:56:15PM +0200, Nico Golde wrote:
> > I wrote a patch which should fix the issue. It is attached.
> > Kind regards
> >
> > + if(which > sizeof(hook_functions) - 1)
> > + return NO_ACTION_TAKEN;
> > +
>
> This patch looks wrong. You probably want:
> if(which > sizeof(hook_functions)/sizeof(*hook_functions) - 1)
>
> Ubuntu seems to have used this patch, so I think they still
> have that issue, and I'm not sure how to contact them. So
> I hope Kees can look into this.

Thanks for the heads-up! Yeah, it looks like Ubuntu got the original patch.
I will get it fixed up. (Feel free to email me, but if you want to reach
Ubuntu security in general, you can use secur...@ubuntu.com.)

-Kees

-- 
Kees Cook@debian.org
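The review point above (sizeof of a pointer array is a byte count, not an element count) is easy to get wrong and worth seeing in numbers. The C below is an added illustration, not code from the IRC client or from either patch: hook_functions, the hook names and HOOK_COUNT are a hypothetical stand-in for the client's hook table, and the two check functions reproduce the original and corrected comparisons from the message.

```c
#include <stddef.h>

typedef int (*hook_fn)(const char *arg);

/* Hypothetical hooks standing in for the client's real ones. */
static int hook_privmsg(const char *arg) { (void)arg; return 1; }
static int hook_notice(const char *arg)  { (void)arg; return 2; }
static int hook_join(const char *arg)    { (void)arg; return 3; }

/* Hypothetical hook table: 3 entries of pointer size (8 bytes on 64-bit,
 * 4 on 32-bit), so sizeof(hook_functions) is 24 or 12, never 3. */
static hook_fn hook_functions[] = { hook_privmsg, hook_notice, hook_join };

#define HOOK_COUNT (sizeof(hook_functions) / sizeof(*hook_functions))

/* The check as first proposed: the index is compared with the byte size.
 * Every index from HOOK_COUNT up to sizeof(hook_functions) - 1 passes and
 * would read a "function pointer" from memory past the end of the table. */
int index_ok_bytes(long which)
{
    return which >= 0 && !((size_t)which > sizeof(hook_functions) - 1);
}

/* The corrected check from the review: compare with the element count. */
int index_ok_count(long which)
{
    return which >= 0 && !((size_t)which > HOOK_COUNT - 1);
}

/* Dispatch through the corrected check; out-of-range indexes (including
 * negative ones) return -1 instead of calling through a bogus pointer. */
int dispatch(long which, const char *arg)
{
    if (!index_ok_count(which))
        return -1;
    return hook_functions[which](arg);
}

/* How many indexes in [0, limit) the byte-size check wrongly accepts.
 * For any limit >= sizeof(hook_functions) this equals
 * sizeof(hook_functions) - HOOK_COUNT: 21 on a 64-bit build. */
int overshoot(long limit)
{
    int n = 0;
    for (long i = 0; i < limit; i++)
        if (index_ok_bytes(i) && !index_ok_count(i))
            n++;
    return n;
}
```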
Bug#510972: CVE mapping
Unknown
---
(Do these apply to IcedTea, or only WebStart which is not in openjdk?)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244988-1
6727079, 6727081, 6694892, 6727071, 6707535, 6716217, 6767668
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344

http://sunsolve.sun.com/search/document.do?assetkey=1-26-246387-1
6704154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345

http://sunsolve.sun.com/search/document.do?assetkey=1-26-246386-1
6674093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346

http://sunsolve.sun.com/search/document.do?assetkey=1-26-246366-1
6592792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347

Not Affected

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244989-1
6728071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355

Fixed in b14
http://blogs.sun.com/darcy/entry/openjdk_6_sources_for_b14

http://sunsolve.sun.com/search/document.do?assetkey=1-26-246346-1
6588160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348

http://sunsolve.sun.com/search/document.do?assetkey=1-26-246286-1
6497740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349

http://sunsolve.sun.com/search/document.do?assetkey=1-26-246266-1
6484091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350

http://sunsolve.sun.com/search/document.do?assetkey=1-26-245246-1
4486841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244992-1
6755943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1
6734167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244990-1
6733959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244987-1
6726779, 676, 6751322, 6766136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244986-1
6721753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360

-- 
Kees Cook@outflux.net
Bug#499078: alignment patch
Hi, How about this patch as an alternative, which doesn't change the semantics of the array, but makes sure it is aligned. Thanks, -Kees -- Kees Cook@outflux.net diff -u jfsutils-1.1.12/debian/changelog jfsutils-1.1.12/debian/changelog --- jfsutils-1.1.12/debian/changelog +++ jfsutils-1.1.12/debian/changelog @@ -1,3 +1,10 @@ +jfsutils (1.1.12-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Force struct alignment for string array (Closes: #499078). + + -- Kees Cook <[EMAIL PROTECTED]> Sun, 26 Oct 2008 12:57:15 -0700 + jfsutils (1.1.12-2) unstable; urgency=low * use different linking parameter on alpha to avoid FTBFS (Closes: #490881) only in patch2: unchanged: --- jfsutils-1.1.12.orig/libfs/super.c +++ jfsutils-1.1.12/libfs/super.c @@ -162,7 +162,7 @@ */ int ujfs_put_superblk(FILE *fp, struct superblock *sb, int16_t is_primary) { - char buf[SIZE_OF_SUPER]; + char buf[SIZE_OF_SUPER] __attribute__ ((aligned(__alignof__(struct superblock; int rc; memset(buf, 0, SIZE_OF_SUPER);
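Review bot: the attribute line in the super.c hunk is missing its closing parentheses as pasted: `+ char buf[SIZE_OF_SUPER] __attribute__ ((aligned(__alignof__(struct superblock;` has to end in `struct superblock))));` to close `__alignof__`, `aligned`, `__attribute__` and the declaration, so the patch as shown here will not compile and the attachment should be checked before applying. Note also that `__attribute__((aligned(...)))` is a GCC extension, and that it aligns only this one local buffer; any other place in libfs that casts a `char` buffer to `struct superblock *` needs the same treatment or still has the original alignment problem.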
Bug#503381: patch to disable jemalloc
Tags: patch thanks Hi, This patch disables jemalloc on architectures for which the *_2POW defines aren't defined. (Which is causing the FTBFS's for hppa, sparc, and s390.) Thanks, -Kees -- Kees Cook@outflux.net diff -u varnish-2.0.1/debian/rules varnish-2.0.1/debian/rules --- varnish-2.0.1/debian/rules +++ varnish-2.0.1/debian/rules @@ -14,6 +14,7 @@ # from having to guess our platform (since we know it already) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null) CFLAGS = -Wall -g @@ -24,6 +25,11 @@ CFLAGS += -O2 endif +# Disable jemalloc for architectures that lack *_2POW definitions +ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:s390:sparc:)) + ARCH_CONFIG_FLAGS="--disable-jemalloc" +endif + configure: ./autogen.sh @@ -39,6 +45,7 @@ ./configure \ --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) \ + $(ARCH_CONFIG_FLAGS) \ --prefix=/usr \ --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ diff -u varnish-2.0.1/debian/changelog varnish-2.0.1/debian/changelog --- varnish-2.0.1/debian/changelog +++ varnish-2.0.1/debian/changelog @@ -1,3 +1,11 @@ +varnish (2.0.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/rules: disable jemalloc on architectures that lack *_2POW +definitions (Closes: #503381). + + -- Kees Cook <[EMAIL PROTECTED]> Sun, 26 Oct 2008 11:33:50 -0700 + varnish (2.0.1-1) unstable; urgency=low * New upstream version
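Review bot: the `2>/dev/null` on the new `DEB_HOST_ARCH_CPU :=` line hides a failing `dpkg-architecture`, in which case the variable is empty, the `findstring` test never matches and jemalloc stays enabled on exactly the architectures the patch is meant to cover; drop the redirection (the two neighbouring `DEB_*_GNU_TYPE` lines do without it) so a failure is visible in the build log.

Review bot: the `ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:s390:sparc:))` block hard-codes the list of architectures lacking the `*_2POW` defines, so every further port that hits the same FTBFS needs another debian/rules edit; a configure-time test for the defines that falls back to `--disable-jemalloc` would not need maintaining. The quotes in `ARCH_CONFIG_FLAGS="--disable-jemalloc"` are harmless, since the shell strips them when `$(ARCH_CONFIG_FLAGS)` is expanded in the `./configure` recipe.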
Bug#502657: just swap all the longs
Tags: patch thanks Hi, This patch make netmaze run for my on amd64 -- I just swapped all the longs for ints. Behavior between i386 and amd64 looks the same to me now. -Kees -- Kees Cook@outflux.net diff -u netmaze-0.81+jpg0.82/allmove.c netmaze-0.81+jpg0.82/allmove.c --- netmaze-0.81+jpg0.82/allmove.c +++ netmaze-0.81+jpg0.82/allmove.c @@ -12,24 +12,24 @@ extern void play_sound(int); extern int random_maze(MAZE*,int,int); -extern long trigtab[]; +extern int trigtab[]; extern struct shared_struct *sm; -static void enemy_colision(long,long,PLAYER*,PLAYER*); +static void enemy_colision(int,int,PLAYER*,PLAYER*); static int enemy_touch(PLAYER *player,PLAYER *players); -static void wall_pcoll(long,long,PLAYER*); +static void wall_pcoll(int,int,PLAYER*); static int wall_scoll(PLAYER*,int nr); -static int player_hit(int,long,long,PLAYER *players); +static int player_hit(int,int,int,PLAYER *players); static void set_player_pos(PLAYER*,int,MAZE *mazeadd); static int add_shot(PLAYER*); static void remove_shot(PLAYER*,int); -static int ball_bounce(PLAYER *p,int i,int xc,int yc,long x,long y); +static int ball_bounce(PLAYER *p,int i,int xc,int yc,int x,int y); static void convert_trigtabs(int divider); -void myrandominit(long s); +void myrandominit(int s); static int myrandom(void); static void reset_player(PLAYER *players,int i); -long walktab[320],shoottab[320]; +int walktab[320],shoottab[320]; /* in diesem Programmteil sollten moeglichst keine @@ -56,7 +56,7 @@ { int i,joy,wink,plynum,j,next; PLAYER *player; - long plx,ply; + int plx,ply; int count; count = 1<config.divider; @@ -407,9 +407,9 @@ /* Player <-> Wall Collision */ /**/ -static void wall_pcoll(long xold,long yold,PLAYER *player) +static void wall_pcoll(int xold,int yold,PLAYER *player) { - long x,y; + int x,y; int xc,yc; int xflag=-1; int yflag=-1; 
@@ -547,9 +547,9 @@ static int wall_scoll(PLAYER *p,int i) { - long x,y; + int x,y; int xc,yc,flag=0; - long sx,sy; + int sx,sy; sx = p->shots[i].sx; sy = p->shots[i].sy; @@ -655,7 +655,7 @@ * wall_scoll-helper (not complete yet) */ -static int ball_bounce(PLAYER *p,int i,int xc,int yc,long x,long y) +static int ball_bounce(PLAYER *p,int i,int xc,int yc,int x,int y) { int f = 0,w = 0; @@ -744,7 +744,7 @@ /* Player <-> Player Collision */ // -static void enemy_colision(long xold,long yold,PLAYER *player,PLAYER *players) +static void enemy_colision(int xold,int yold,PLAYER *player,PLAYER *players) { if(enemy_touch(player,players)) { @@ -756,7 +756,7 @@ static int enemy_touch(PLAYER *player,PLAYER *players) { int i; - long xd,yd; + int xd,yd; for(i=0;ianzplayers;i++,players++) { @@ -785,10 +785,10 @@ /* -1: no hit / >= 0: playernr. */ // -static int player_hit(int plnr,long sx,long sy,PLAYER *plys) +static int player_hit(int plnr,int sx,int sy,PLAYER *plys) { int i; - long xd,yd; + int xd,yd; for(i=0;ianzplayers;i++,plys++) { @@ -977,7 +977,7 @@ * "Random" from: r.sedgewick/algorithms */ -void myrandominit(long s) +void myrandominit(int s) { int j; sm->rndshiftpos = 10; @@ -1006,9 +1006,9 @@ static void convert_trigtabs(int divider) { - long *tab1 = trigtab,*tab2 = walktab,*tab3 = shoottab; + int *tab1 = trigtab,*tab2 = walktab,*tab3 = shoottab; int i; - long s; + int s; static int t = -1; if(divider == t) return; diff -u netmaze-0.81+jpg0.82/netmaze.h netmaze-0.81+jpg0.82/netmaze.h --- netmaze-0.81+jpg0.82/netmaze.h +++ netmaze-0.81+jpg0.82/netmaze.h @@ -98,7 +98,7 @@ struct fd_mask { - u_long fds_bits[NOFILE/32+1]; + u_int fds_bits[NOFILE/32+1]; }; /* Structur auf MAZE. Here is all important maze-stuff */ 
@@ -114,18 +114,18 @@ int xdim; int ydim; char *setlist; - long *bitlist; + int *bitlist; } MAZE; /* PLAYER-Struct */ typedef struct { - long sx; - long sy; - long sxd; - long syd; + int sx; + int sy; + int sxd; + int syd; int salive; - long power; + int power; int next; /* next shot in chain */ int last; /* last shot in chain */ } SHOT; @@ -163,8 +163,8 @@ char name[MAXNAME+1]; char comment[MAXCOMMENT+1]; int team; - long x; - long y; + int x; + int y; int winkel; int fitness; int follow; @@ -200,8 +200,8 @@ int x2,h2; int ident; int rclip,lclip; - long xd,yd; - long rmax,rmin; + int xd,yd; + int rmax,rmin; int clipped; /* need for texture */ } WALL; @@ -290,8 +290,8 @@ int marks; /* # markers */ mapmark markers[32]; /* Map markers */ int rndshiftpos; /* Random */ - long rndshifttab[55];/* more random-stuff */ - volatile unsigned long drawwait; /* delay Draw .. */ + int rndshifttab[55];
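Review bot: the blanket `long` to `int` change in allmove.c also alters the arithmetic of the Sedgewick generator (`-void myrandominit(long s)` / `+void myrandominit(int s)` and `+ int rndshifttab[55];`): additions that previously wrapped in 64 bits on amd64 now overflow a signed `int`, which is undefined behaviour in C even though it happens to reproduce the i386 results; declaring those tables `unsigned int` (or `uint32_t`) would make the wrap-around well-defined and the i386/amd64 agreement deliberate rather than accidental.

Review bot: `+extern int trigtab[];` changes only the declaration; the definition of `trigtab` lives in a file this diff does not touch and must become `int trigtab[]` as well, otherwise the two translation units disagree on the element size. The diff also ends mid-hunk at `+ int rndshifttab[55];`, so the replacement for `volatile unsigned long drawwait;` in netmaze.h never appears and the remainder of the patch needs to be taken from the attachment.

Review bot: in the netmaze.h hunk, `u_int fds_bits[NOFILE/32+1]` is actually more consistent than the old `u_long`, since the array is sized with a divisor of 32; but if this `fd_mask` struct is ever handed to `select()` in place of the system `fd_set`, its word size has to match libc's, which uses `long` on amd64, so check how the struct is used before relying on the new layout.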
Bug#502751: downgrade to "normal" or gracefully fail in postinst?
Tags: patch Hi! How about just allowing a download failure in the postinst instead? This wouldn't compromise the ability for "update-eicar" to do its job, but would allow the package to install if an external network was not available. Thanks, -Kees -- Kees Cook@outflux.net --- clamav-getfiles-2.0/debian/postinst~ 2008-10-25 22:18:07.0 -0700 +++ clamav-getfiles-2.0/debian/postinst 2008-10-25 22:18:16.0 -0700 @@ -8,6 +8,6 @@ if [ "$1" = "configure" ]; then db_get clamav-getfiles/download-eicar-com if [ "$RET" = "true" ]; then -update-eicar +update-eicar || true fi fi
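Review bot: `update-eicar || true` swallows the failure silently, so an administrator who answered "true" to the debconf question gets a package that installed cleanly but never fetched the test file; print a warning on the failure path instead, e.g. `update-eicar || echo "update-eicar failed; run it manually once the network is available" >&2`, which still lets the postinst succeed offline.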
Bug#498768: ubuntu patch matching upstream
Hi, On Sat, Sep 20, 2008 at 09:06:21AM +0200, Mike Hommey wrote: > On Fri, Sep 19, 2008 at 07:10:14PM -0700, Kees Cook wrote: > > The above changes are for CVE-2008-3529. > > Certainly not. It's not in upstream patch. This is where I was getting details: https://bugzilla.redhat.com/show_bug.cgi?id=461015 > > BTW, would it be possible to > > add a patch system to libxml2? It's much easier to split up the patches > > over time, and is nice for anyone doing post-release updates. :) > > There is a (D)VCS. True, though I prefer in-package patch systems for doing stable updates. > > > @@ -6476,8 +6475,6 @@ > > > } else if (list != NULL) { > > > xmlFreeNodeList(list); > > > list = NULL; > > > - } else if (ent->owner != 1) { > > > - ctxt->nbentities += ent->owner; > > > } > > > } > > > ent->checked = 1; 
> > > @@ -6668,6 +6665,8 @@ > > > ctxt->nodelen = 0; > > > return; > > > } > > > + } else if (ent->owner != 1) { > > > + ctxt->nbentities += ent->owner; > > > } > > > } else { > > > val = ent->content; > > > > Was this just interdiff output? There were some changes to this area of > > code that needed some by-hand backporting, so the versions used to > > compare might not end up looking clean. Or, I could have messed up the > > backport, but I put them through a bunch of xml regression tests and > > things seemed to be behaving. > > There was only 1 conflict when applying upstream patch for RHEL5, and > only because of tabulations/spaces, on my end... I'm not sure which version of the patch you're quoting, but I had 5 versions to do backports for: libxml2 | 2.6.32.dfsg-2ubuntu3 | intrepid/main libxml2 | 2.6.31.dfsg-2ubuntu1.2 | hardy-security/main libxml2 | 2.6.30.dfsg-2ubuntu1.3 | gutsy-security/main libxml2 | 2.6.27.dfsg-1ubuntu3.3 | feisty-security/main libxml2 | 2.6.24.dfsg-1ubuntu1.3 | dapper-security/main They all tested out fine for me. -Kees -- Kees Cook Ubuntu Security Team -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
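Review bot: the two quoted hunks at `@@ -6476,8 +6475,6 @@` and `@@ -6668,6 +6665,8 @@` move the `else if (ent->owner != 1) { ctxt->nbentities += ent->owner; }` block from the branch after `xmlFreeNodeList(list)` to the branch after `ctxt->nodelen = 0; return;`, which changes when the entity expansion counter is incremented, not just the layout; since interdiff noise would not relocate a block between two hunks, the backports are worth comparing with upstream hunk by hunk rather than relying on the regression tests alone.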
Bug#498768: ubuntu patch matching upstream
Hi, On Fri, Sep 19, 2008 at 09:24:30PM +0200, Mike Hommey wrote: > On Mon, Sep 15, 2008 at 08:55:10AM -0700, Kees Cook wrote: > > As far as I know, this patch matches the upstream changes for the > > problem. Please see: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=460396 > > Actually there are differences between upstream and ubuntu changes: > (a is ubuntu, b is upstream) > > diff -u a/parser.c b/parser.c > --- a/parser.c > +++ b/parser.c > @@ -2390,7 +2390,6 @@ > */ > #define growBuffer(buffer) { \ > xmlChar *tmp;\ > -buffer##_size += XML_PARSER_BUFFER_SIZE ; > \ > buffer##_size *= 2; > \ > tmp = (xmlChar *) > \ > xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));\ > @@ -3451,7 +3450,7 @@ >* Just output the reference >*/ > buf[len++] = '&'; > - while (len > buf_size - i - 10) { > + if (len > buf_size - i - 10) { > growBuffer(buf); > } > for (;i > 0;i--) The above changes are for CVE-2008-3529. BTW, would it be possible to add a patch system to libxml2? It's much easier to split up the patches over time, and is nice for anyone doing post-release updates. :) > @@ -6476,8 +6475,6 @@ > } else if (list != NULL) { > xmlFreeNodeList(list); > list = NULL; > - } else if (ent->owner != 1) { > - ctxt->nbentities += ent->owner; > } > } > ent->checked = 1; > @@ -6668,6 +6665,8 @@ > ctxt->nodelen = 0; > return; > } > + } else if (ent->owner != 1) { > + ctxt->nbentities += ent->owner; > } > } else { > val = ent->content; Was this just interdiff output? There were some changes to this area of code that needed some by-hand backporting, so the versions used to compare might not end up looking clean. Or, I could have messed up the backport, but I put them through a bunch of xml regression tests and things seemed to be behaving. -Kees -- Kees Cook Ubuntu Security Team -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
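Review bot: in the quoted `growBuffer` hunk the Ubuntu variant (a) both adds `XML_PARSER_BUFFER_SIZE` and doubles `buffer##_size`, while upstream (b) only doubles; the extra addition is harmless. The `- while (len > buf_size - i - 10) {` versus `+ if (len > buf_size - i - 10) {` difference is the substantive one: the loop keeps growing until the buffer really fits, whereas a single doubling assumes the shortfall is smaller than the current size, so the `while` form is the safer one to keep in a backport unless `len` is shown to be bounded before the check.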
Bug#478057: [hardening-discuss] Linker fails on i386 and amd64 with hardening options
Hi Jörg,

On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> I've enabled hardening support for slrn.

Ah! I see the problem now. You're doing a separate debian/rules thing, instead of using hardening-wrapper and DEB_BUILD_HARDENING=1. You have:

    ifeq (,$(findstring nohardening,$(DEB_BUILD_OPTIONS)))
    # http://lists.debian.org/debian-devel-announce/2008/01/msg6.html
    CFLAGS += -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra
    LDFLAGS += -Wl,-zrelro,-pie
    ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
    CFLAGS += -D_FORTIFY_SOURCE=2
    endif
    endif

This won't work for reasons I mentioned in the prior email. I would recommend using hardening-wrapper directly[1]. If, however, you want to do it piece-meal, you will need multiple arch-specific tests for PIE and stack-protector (see hardening-wrapper source[2]), and you will need to pass "-fPIE" only to objects going into the final executable (-fPIC as usual for libraries), as well as "-pie" for the final gcc link of the executable. hardening-wrapper currently handles all these cases.

You don't need a special-case for noopt, since FORTIFY_SOURCE will be silently ignored if -O is less than 2.

-Kees

[1] http://wiki.debian.org/Hardening
    add hardening-wrapper to debian/control Build-Deps
    add "export DEB_BUILD_HARDENING=1" to debian/rules
[2] http://svn.debian.org/wsvn/hardening/hardening-wrapper/debian/rules?op=file&rev=0&sc=0

-- Kees Cook@outflux.net
Bug#478057: [hardening-discuss] Linker fails on i386 and amd64 with hardening options
Hi Jörg,

On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra \
> -D_FORTIFY_SOURCE=2 -Wl,-zrelro,-pie conftest.c
>
> but this fails on i386 and amd64.
>
> /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o:
> relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making
> a shared object; recompile with -fPIC
> /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: could not read
> symbols: Bad value
>
> Can someone of you help me? The build also fails on Sparc, but I don't
> have the config.log to tell why.

I expect it's the same reason. hardening-wrapper isn't setting "-Wl,-zrelro,-pie" ... that command-line is wrong. First, for relro, it should be "-Wl,-z,relro". "-pie" needs to be specified on the gcc command-line, not the linker command-line, since gcc is responsible for choosing the crt, etc. Do you know what the origin of the -Wl addition is?

This, for example, works:

    gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -pie -fstack-protector -Wformat=2 \
        -Wextra -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o hello hello.c

Note, AFAIK, -fPIC and -fPIE is redundant: -fPIE is a subset of -fPIC.

-Kees

-- Kees Cook@outflux.net
Bug#469891: [hardening-discuss] Bug#465827: Bug#465827: FTBFS on m68k using hardening-wrapper
On Fri, Mar 21, 2008 at 06:42:50PM +0100, Luk Claes wrote:
> quagga's FTBFS seems to come from using hardening-wrapper. Please do ack
> or deny, TIA.

Yes, this appears true (though it is totally unrelated to -z relro) :)

I have uploaded hardening-wrapper 1.6 now, which disables PIE for m68k and hppa (architectures that don't support it).

-- Kees Cook@outflux.net
Bug#465827: [hardening-discuss] Bug#465827: FTBFS on m68k using hardening-wrapper
Hi!

On Fri, Mar 21, 2008 at 03:47:57PM +0100, Luk Claes wrote:
> On Fri, Feb 15, 2008 at 09:44:40AM +0100, Tobias Toedter wrote:
>
> > I've just switched to use hardening-wrapper for my package worker.
> > However, on m68k, the package FTBFS with this error message:
>
> This is not m68k specific, it happens on some other archs too.
>
> > checking for gcc... gcc
> > checking for C compiler default output file name...
> > configure: error: C compiler cannot create executables
>
> The problem is that '-z relro' is on some archs interpreted as two
> options instead of one because of the whitespace. This can be solved by
> using '-Wl,z,relro' instead...

I think you meant '-Wl,-z,relro', but -Wl is for passing ld flags down from gcc. In the hardening-wrapper's case, it is passing the -z relro directly to ld. Additionally, it's not passed as white-space, it's passed as two arguments. This is what -Wl,-z,relro does too. For example, if -Wl,-z,relro works, so should hardening-wrapper:

    $ strace -s 1024 -f gcc -o hi hi.c -Wl,-z,relro
    ...
    [pid 15948] execve("/usr/bin/ld", ["/usr/bin/ld", ... "-z", "relro", ...
    ...

I don't have an m68k machine to test with, but if you run with DEB_BUILD_HARDENING_DEBUG=1 you should be able to see the commands that are being run during the configure script, and should help narrow down the problem.

-- Kees Cook@outflux.net
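An added example, not code from the thread or from hardening-wrapper: a small ELF64 program-header reader that checks the outcome of the two flag discussions above, i.e. whether "-pie" produced an ET_DYN executable and whether "-z relro" (via "-Wl,-z,relro" or passed straight to ld) produced a PT_GNU_RELRO segment. It assumes little-endian ELF64 input; `hardening_status` and `build_elf64` are names chosen here, and `build_elf64` constructs a header-only image as test input rather than a real binary.

```python
"""Check whether -pie and -z relro took effect on a built ELF64 object.

Added example, not code from the thread or from hardening-wrapper. It reads
the ELF header and program headers directly (little-endian ELF64 only) and
reports what `readelf -h` / `readelf -l` would show: an ET_DYN object with a
PT_INTERP entry is a PIE executable, and a PT_GNU_RELRO segment is present
only when the linker was given `-z relro`.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_RELRO = 3, 0x6474E552
EHDR_FMT = "<HHIQQQIHHHHHH"  # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # Elf64_Phdr (56 bytes)


def parse_elf64(data):
    """Return (e_type, [p_type, ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    if e_phentsize < struct.calcsize(PHDR_FMT):
        raise ValueError("program header entries too small")
    ptypes = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise ValueError("program header table truncated")
        ptypes.append(struct.unpack_from(PHDR_FMT, data, off)[0])
    return e_type, ptypes


def hardening_status(data):
    """Return {'pie': bool, 'relro': bool} for the given ELF image bytes."""
    e_type, ptypes = parse_elf64(data)
    # A PIE is linked as ET_DYN just like a shared library; the PT_INTERP
    # entry is what marks it as an executable rather than a plain .so
    # (a heuristic, the same idea hardening-check applies to readelf output).
    pie = e_type == ET_DYN and PT_INTERP in ptypes
    relro = PT_GNU_RELRO in ptypes
    return {"pie": pie, "relro": relro}


def build_elf64(e_type, ptypes):
    """Assemble a header-only ELF64 image (constructed test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1, SysV ABI
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0x1000, 64, 0, 0,
                               64, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, t, 4, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ehdr + phdrs


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        # No path given: use a constructed PIE-with-RELRO image as demo input.
        data = build_elf64(ET_DYN, [PT_INTERP, PT_GNU_RELRO])
    status = hardening_status(data)
    print("PIE: %s, RELRO: %s" % ("yes" if status["pie"] else "no",
                                 "yes" if status["relro"] else "no"))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path of a freshly linked binary to confirm that the flags reached the linker; a build that used "-Wl,-zrelro" by mistake shows RELRO: no.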
Bug#434444: NMU of libpoe-component-jabber-perl
Hi, I'd like to NMU a work-around fix for this problem. Currently libpoe-component-jabber-perl is unusable, this NMU will fix the problem. Please see attached proposed NMU debdiff. -- Kees Cook@outflux.net diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/debian/changelog /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/debian/changelog --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/debian/changelog 2007-09-10 11:01:53.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/debian/changelog 2007-09-10 11:01:53.0 -0700 @@ -1,3 +1,11 @@ +libpoe-component-jabber-perl (1.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Replace deprecated POE::Preprocessor with Filter::Template +(Closes: #43). + + -- Kees Cook <[EMAIL PROTECTED]> Mon, 10 Sep 2007 10:58:03 -0700 + libpoe-component-jabber-perl (1.1-1) unstable; urgency=low * Initial Release (Closes: #323240). diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/COMPTester.pl /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/COMPTester.pl --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/COMPTester.pl 2005-04-09 10:57:37.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/COMPTester.pl 2007-09-10 11:01:53.0 -0700 @@ -1,6 +1,6 @@ #!/usr/bin/perl -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/J2Tester.pl /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/J2Tester.pl --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/J2Tester.pl 2004-03-28 18:02:07.0 -0800 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/J2Tester.pl 2007-09-10 11:01:53.0 -0700 
@@ -1,6 +1,6 @@ #!/usr/bin/perl -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/LEGACYTester.pl /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/LEGACYTester.pl --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/LEGACYTester.pl 2005-04-09 10:46:33.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/LEGACYTester.pl 2007-09-10 11:01:53.0 -0700 @@ -1,6 +1,6 @@ #!/usr/bin/perl -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/XMPPSimpleTester.pl /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/XMPPSimpleTester.pl --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/XMPPSimpleTester.pl 2005-04-08 23:27:25.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/XMPPSimpleTester.pl 2007-09-10 11:01:53.0 -0700 @@ -1,6 +1,6 @@ #!/usr/bin/perl -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/XMPPTester.pl /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/XMPPTester.pl --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/examples/XMPPTester.pl 2005-04-08 23:26:27.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/examples/XMPPTester.pl 2007-09-10 11:01:53.0 -0700 
@@ -1,6 +1,6 @@ #!/usr/bin/perl -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/Component.pm /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/Component.pm --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/Component.pm 2005-04-09 21:54:39.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/Component.pm 2007-09-10 11:01:53.0 -0700 @@ -1,5 +1,5 @@ package POE::Component::Jabber::Client::Component; -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; use strict; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/J2.pm /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/J2.pm --- /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/J2.pm 2005-04-09 21:54:50.0 -0700 +++ /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/J2.pm 2007-09-10 11:01:53.0 -0700 @@ -1,5 +1,5 @@ package POE::Component::Jabber::Client::J2; -use POE::Preprocessor; +use Filter::Template; const XNode POE::Filter::XML::Node use warnings; use strict; diff -Nru /tmp/wO9Kg26sZF/libpoe-component-jabber-perl-1.1/lib/POE/Component/Jabber/Client/Legacy.pm /tmp/xyhpRVvisp/libpoe-component-jabber-perl-1.1/lib/POE/Compo
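Review bot: every hunk replaces `use POE::Preprocessor;` with `use Filter::Template;`, but the diff does not touch debian/control, so the binary package's Depends still lacks the package providing Filter::Template and the modules would fail to load on a clean install; add that dependency in the same NMU. The changelog entry's `(Closes: #43)` also looks truncated, since the bug being fixed is #434444, and the last hunk for lib/POE/Component/Jabber/Client/Legacy.pm is cut off in the pasted text, so apply from the attached debdiff rather than from this message.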
Bug#404125: NMU?
Hi, I've packaged the missing dep[1] for the new version (2.02) of libpoe-component-jabber-perl, so once that's been sponsored and made its way past NEW, the attached diff should work for the 2.02 version of libpoe-component-jabber-perl. I've also attached an interdiff between the diff.gz's and the .dsc. The orig is here[2]. Thanks, -Kees [1] http://mentors.debian.net/debian/pool/main/l/libpoe-component-sslify-perl/libpoe-component-sslify-perl_0.08-1.dsc [2] http://search.cpan.org/CPAN/authors/id/N/NP/NPEREZ/POE-Component-Jabber-2.02.tar.gz -- Kees Cook@outflux.net diff -u libpoe-component-jabber-perl-1.1/debian/changelog libpoe-component-jabber-perl-2.02/debian/changelog --- libpoe-component-jabber-perl-1.1/debian/changelog +++ libpoe-component-jabber-perl-2.02/debian/changelog @@ -1,3 +1,13 @@ +libpoe-component-jabber-perl (2.02-0.1) unstable; urgency=low + + * NMU + * New upstream release (Closes: #404125). + * debian/control: add new Build-Deps libmodule-build-perl and +libpoe-component-sslify-perl. + * debian/rules: converted to using Module::Build. + + -- Kees Cook <[EMAIL PROTECTED]> Mon, 27 Aug 2007 14:16:01 -0700 + libpoe-component-jabber-perl (1.1-1) unstable; urgency=low * Initial Release (Closes: #323240). diff -u libpoe-component-jabber-perl-1.1/debian/rules libpoe-component-jabber-perl-2.02/debian/rules --- libpoe-component-jabber-perl-1.1/debian/rules +++ libpoe-component-jabber-perl-2.02/debian/rules @@ -13,14 +13,14 @@ build: build-stamp build-stamp: dh_testdir - $(PERL) Makefile.PL INSTALLDIRS=vendor - $(MAKE) OPTIMIZE="-Wall -O2 -g" + $(PERL) Build.PL --default installdirs=vendor + $(PERL) Build touch build-stamp clean: dh_testdir dh_testroot - -$(MAKE) distclean + -[ ! -f Build ] || $(PERL) Build distclean dh_clean build-stamp install-stamp install: build install-stamp 
@@ -28,9 +28,8 @@ dh_testdir dh_testroot dh_clean -k - $(MAKE) test - $(MAKE) install DESTDIR=$(TMP) PREFIX=/usr - rmdir --ignore-fail-on-non-empty --parents $(TMP)/usr/lib/perl5 + $(PERL) Build test + $(PERL) Build install destdir=$(TMP) touch install-stamp binary-arch: diff -u libpoe-component-jabber-perl-1.1/debian/control libpoe-component-jabber-perl-2.02/debian/control --- libpoe-component-jabber-perl-1.1/debian/control +++ libpoe-component-jabber-perl-2.02/debian/control @@ -2,7 +2,7 @@ Section: perl Priority: optional Build-Depends: debhelper (>= 4.0.2) -Build-Depends-Indep: perl (>= 5.8.0-7), libnet-ssleay-perl, libdigest-sha1-perl, libauthen-sasl-perl, libpoe-filter-xml-perl, libpoe-perl +Build-Depends-Indep: perl (>= 5.8.0-7), libnet-ssleay-perl, libdigest-sha1-perl, libauthen-sasl-perl, libpoe-filter-xml-perl, libpoe-perl, libmodule-build-perl, libpoe-component-sslify-perl Maintainer: Florian Ragwitz <[EMAIL PROTECTED]> Standards-Version: 3.6.2 Format: 1.0 Source: libpoe-component-jabber-perl Binary: libpoe-component-jabber-perl Architecture: all Version: 2.02-0.1 Maintainer: Florian Ragwitz <[EMAIL PROTECTED]> Standards-Version: 3.6.2 Build-Depends: debhelper (>= 4.0.2) Build-Depends-Indep: perl (>= 5.8.0-7), libnet-ssleay-perl, libdigest-sha1-perl, libauthen-sasl-perl, libpoe-filter-xml-perl, libpoe-perl, libmodule-build-perl, libpoe-component-sslify-perl Files: fc66b0afdcb6f11b4ce61d016d299a04 31275 libpoe-component-jabber-perl_2.02.orig.tar.gz 786d0ad4bf18be2891bf0a956cda1f9f 1969 libpoe-component-jabber-perl_2.02-0.1.diff.gz libpoe-component-jabber-perl_2.02-0.1.diff.gz Description: Binary data
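Review bot: the install hunk drops `rmdir --ignore-fail-on-non-empty --parents $(TMP)/usr/lib/perl5` along with the `$(MAKE) install DESTDIR=$(TMP) PREFIX=/usr` line it cleaned up after; `$(PERL) Build install destdir=$(TMP)` with `installdirs=vendor` should not create that directory, but check the built package for an empty usr/lib/perl5 before upload. The `.dsc` text following the control hunk (`Format: 1.0` through `Description: Binary data`) is attachment metadata, not part of the patch.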
Bug#434444: jirc won't run
Hi!

Thanks for reporting this. It looks like this is actually a problem in libpoe-component-jabber-perl (see bug #404125). I suspect I can work around it with some Perl tricks, but in the meantime I will raise the priority of the other bug.

On Mon, Jul 23, 2007 at 10:46:15PM +0100, Reuben Thomas wrote:
> BEGIN failed--compilation aborted at
> /usr/share/perl5/POE/Component/Jabber/Client/Legacy.pm line 2.

-- Kees Cook@outflux.net
Bug#421140: NMU prep
Tags: patch Hi! Attached is the NMU I'd like to upload shortly. Thanks, -Kees -- Kees Cook@outflux.net diff -u libgtkada2-2.8.1/debian/control libgtkada2-2.8.1/debian/control --- libgtkada2-2.8.1/debian/control +++ libgtkada2-2.8.1/debian/control @@ -2,7 +2,7 @@ Section: libs Priority: optional Maintainer: Ludovic Brenta <[EMAIL PROTECTED]> -Build-Depends: debhelper (>= 4.2.13), gnat (>= 4.1), libglade2-dev, libpopt-dev, libgnomeui-dev, libglu1-xorg-dev | libglu1-mesa-dev, perl, texinfo, quilt, tetex-bin +Build-Depends: debhelper (>= 4.2.13), gnat (>= 4.1), libglade2-dev, libpopt-dev, libgnomeui-dev, libglu1-xorg-dev | libglu1-mesa-dev, perl, texinfo, quilt, texlive, texlive-generic-recommended Standards-Version: 3.7.2 Package: libgtkada2-dev diff -u libgtkada2-2.8.1/debian/changelog libgtkada2-2.8.1/debian/changelog --- libgtkada2-2.8.1/debian/changelog +++ libgtkada2-2.8.1/debian/changelog @@ -1,3 +1,10 @@ +libgtkada2 (2.8.1-5.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/control: tetex->texlive transition to fix FTBFS (Closes: #421140). + + -- Kees Cook <[EMAIL PROTECTED]> Wed, 23 May 2007 13:25:51 -0700 + libgtkada2 (2.8.1-5) unstable; urgency=low * patches/00-makefiles.patch: pass @CFLAGS@ to configure, instead of the
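Review bot: the control hunk replaces `tetex-bin` with `texlive, texlive-generic-recommended`; if TeX is only needed for the texinfo documentation (texinfo is already in Build-Depends), check whether the much smaller `texlive-base` satisfies the build before pulling in the full `texlive` metapackage and its dependency set.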
Bug#421140: fix for FTBFS
Hello! Attached is a fix for this bug (texlive dep change). -- Kees Cook@outflux.net diff -u libgtkada2-2.8.1/debian/control libgtkada2-2.8.1/debian/control --- libgtkada2-2.8.1/debian/control +++ libgtkada2-2.8.1/debian/control @@ -2,7 +2,7 @@ Section: libs Priority: optional Maintainer: Ludovic Brenta <[EMAIL PROTECTED]> -Build-Depends: debhelper (>= 4.2.13), gnat (>= 4.1), libglade2-dev, libpopt-dev, libgnomeui-dev, libglu1-xorg-dev | libglu1-mesa-dev, perl, texinfo, quilt, tetex-bin +Build-Depends: debhelper (>= 4.2.13), gnat (>= 4.1), libglade2-dev, libpopt-dev, libgnomeui-dev, libglu1-xorg-dev | libglu1-mesa-dev, perl, texinfo, quilt, texlive, texlive-generic-recommended Standards-Version: 3.7.2 Package: libgtkada2-dev
Bug#416423: BMP loader integer overflows
Package: xmms Version: 1:1.2.10+20070301-1 Severity: grave Tags: patch, security Two CVEs against XMMS exist: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0653 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0654 "Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which triggers memory corruption." Attached is the patch being used in Ubuntu. -- Kees Cook@outflux.net #! /bin/sh /usr/share/dpatch/dpatch-run ## 50-bmp-loader-overflows.dpatch by Kees Cook <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Patch to address integer underflow (CVE-2007-0654) and overflow ## DP: (CVE-2007-0653) in BMP loader. @DPATCH@ diff -urNad xmms-1.2.10+20061201~/xmms/bmp.c xmms-1.2.10+20061201/xmms/bmp.c --- xmms-1.2.10+20061201~/xmms/bmp.c2006-07-10 07:59:36.0 -0700 +++ xmms-1.2.10+20061201/xmms/bmp.c 2007-03-26 18:57:33.893403289 -0700 @@ -19,6 +19,12 @@ */ #include "xmms.h" +#if HAVE_STDINT_H +#include +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xU +#endif + struct rgb_quad { guchar rgbBlue; @@ -183,7 +189,7 @@ } else if (bitcount != 24 && bitcount != 16 && bitcount != 32) { - gint ncols, i; + guint32 ncols, i; ncols = offset - headSize - 14; if (headSize == 12) @@ -201,9 +207,16 @@ } } fseek(file, offset, SEEK_SET); + /* verify buffer size */ + if (!h || !w || + w > (((UINT32_MAX - 3) / 3) / h) || + h > (((UINT32_MAX - 3) / 3) / w)) { + g_warning("read_bmp(): width(%u)*height(%u) too large", w, h); + goto failure; + } + data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */ buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file); - data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */ if (bitcount == 1) read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
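Review bot: the first hunk as pasted has lost the header name in `+#include` (it should be `<stdint.h>`, given the `HAVE_STDINT_H` guard) and the digits in `+#define UINT32_MAX 0xU` (the fallback should be `0xffffffffU`), so the patch will not compile in this form; apply from the dpatch attachment rather than from the inline text.

Review bot: changing `gint ncols, i;` to `guint32` in the palette hunk means `ncols = offset - headSize - 14` wraps to a very large value whenever `offset` is smaller than `headSize + 14` (the underflow side of CVE-2007-0654); the hunk does not show a bound check on `ncols` before it is used as a palette count, so confirm one follows in the `headSize == 12` branch or add an explicit `if (offset < headSize + 14) goto failure;` before the subtraction.

Review bot: in the size-check hunk, with `h` already known non-zero, `w > (((UINT32_MAX - 3) / 3) / h)` on its own guarantees that `w * 3 * h + 3` fits in 32 bits, so the symmetric `h > (((UINT32_MAX - 3) / 3) / w)` test is redundant (harmless, but worth a comment so nobody removes the wrong one later). Moving `data = g_malloc0(...)` ahead of `buffer = g_malloc(imgsize)` is fine, but `imgsize` is still passed to `g_malloc` and `fread` unchecked within this hunk, so confirm it is bounded against the file size elsewhere.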
Bug#415753: mp3cd: Fails to run with SoX Version >= 13
On Wed, Mar 21, 2007 at 07:04:11PM +0100, Christian von Essen wrote:
> As of version 13, SoX has changed the format of the information
> sent to stdout. Because of this, mp3cd fails to parse the information
> and no CD can be burnt.
> The attached patch should fix this.

Thanks for noticing the breakage! I've changed the patch around a little and tested with old and new SoX, and it seems to be working. I'll get the new version uploaded shortly.

Thanks again and take care,

-- Kees Cook@outflux.net
Bug#414832: ubuntu fixes
Tags: patch Attached is the patch used in Ubuntu's ktorrent 2.0.3 version. -- Kees Cook@outflux.net diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/chunkcounter.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/chunkcounter.cpp --- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/chunkcounter.cpp 2006-10-09 11:04:10.0 -0500 +++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/chunkcounter.cpp 2007-03-11 11:33:38.0 -0500 @@ -59,12 +59,13 @@ void ChunkCounter::inc(Uint32 idx) { + if (idx < cnt.size()) cnt[idx]++; } void ChunkCounter::dec(Uint32 idx) { - if (cnt[idx] > 0) + if (idx < cnt.size() && cnt[idx] > 0) cnt[idx]--; } diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/peer.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/peer.cpp --- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/peer.cpp 2006-10-09 11:04:10.0 -0500 +++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/peer.cpp 2007-03-11 11:35:27.0 -0500 @@ -182,11 +182,21 @@ { Out() << "len err HAVE" << endl; kill(); - return; } - -haveChunk(this,ReadUint32(tmp_buf,1)); -pieces.set(ReadUint32(tmp_buf,1),true); +else +{ + Uint32 ch = ReadUint32(tmp_buf,1); + if (ch < pieces.getNumBits()) + { + haveChunk(this,ch); + pieces.set(ch,true); + } + else + { + Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer" << endl; + kill(); + } +} break; case BITFIELD: if (len != 1 + pieces.getNumBytes()) diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/torrent.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/torrent.cpp --- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/torrent.cpp 2006-10-09 11:04:10.0 -0500 +++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/torrent.cpp 2007-03-11 11:37:36.0 -0500 
@@ -141,9 +141,13 @@ if (!v || v->data().getType() != Value::STRING) throw Error(i18n("Corrupted torrent!")); -path += v->data().toString(encoding); -if (j + 1 < ln->getNumChildren()) - path += bt::DirSeparator(); +QString sd = v->data().toString(encoding); +if (sd != "..") +{ + path += sd; + if (j + 1 < ln->getNumChildren()) + path += bt::DirSeparator(); +} } // we do not want empty dirs
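Review bot: in the chunkcounter.cpp hunk the new `if (idx < cnt.size())` guards in inc() and dec() silently drop an out-of-range index, but an index past the chunk count can only come from a malformed or hostile peer message, so it is worth logging it (the peer.cpp hunk does exactly that with `Out(SYS_CON|LOG_NOTICE)`) rather than discarding it without trace. Both sides of the comparison are unsigned (Uint32 against size_t), so there is no sign-conversion issue here.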
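Review bot: the peer.cpp hunk replaces `kill(); return;` in the `len err HAVE` branch with a bare `kill();` that now falls through to the existing `break`, so control continues past the switch after the peer has been killed; please confirm nothing after the switch touches state that kill() tears down, or keep the `return` in that branch. The range check against `pieces.getNumBits()` before `haveChunk`/`pieces.set`, with a log line and kill() for an invalid value, is the right fix for the HAVE message itself.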
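Review bot: the torrent.cpp hunk only filters a path component that is exactly `..`; a component containing a directory separator (`a/../b`, or an absolute path) would still be appended to `path`, and an empty component is also let through, so the check should reject any `sd` that contains `bt::DirSeparator()` (and `/` or `\` on other platforms) or is empty, not just `..`. Consider also throwing `Error(i18n("Corrupted torrent!"))` as the type check just above does instead of skipping the component: silently dropping it changes the on-disk layout of a hostile torrent rather than refusing it.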
Bug#414170: gpgme patch
ftp://ftp.gnupg.org/gcrypt/gpgme/patches/gpgme-1.1.3-multiple-message.patch

-- Kees Cook@outflux.net
Bug#414075: mplayer patch
Attaching mplayer patch (same fix, different path) -- Kees Cook@outflux.net --- mplayer-1.0~rc1.orig/loader/dmo/DMO_VideoDecoder.c +++ mplayer-1.0~rc1/loader/dmo/DMO_VideoDecoder.c @@ -121,6 +121,7 @@ this->iv.m_bh = malloc(bihs); memcpy(this->iv.m_bh, format, bihs); +this->iv.m_bh->biSize = bihs; this->iv.m_State = STOP; //this->iv.m_pFrame = 0;
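Review bot: the store `this->iv.m_bh->biSize = bihs` after the `memcpy` means every later reader of biSize sees the allocation size rather than the value the file supplied, which is the right place for it; two things the hunk leaves open, though: the `malloc(bihs)` result is used without a NULL check before the memcpy and the new write, and `bihs` is computed outside the hunk, so please confirm it is at least `sizeof(BITMAPINFOHEADER)` and bounded before it reaches malloc.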
Bug#414072: CVE-2007-1246: DMO decoder heap allocation overflow
Package: xine-lib Version: 1.1.2+dfsg-2 Severity: grave Tags: patch, security http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246 says: "The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code." xine-lib has a copy of this code in src/libw32dll/. Attached is the (tiny) patch I used in Ubuntu for 1.1.2. -- Kees Cook@outflux.net --- xine-lib-1.1.2+repacked1.orig/src/libw32dll/dmo/DMO_VideoDecoder.c +++ xine-lib-1.1.2+repacked1/src/libw32dll/dmo/DMO_VideoDecoder.c @@ -118,6 +118,7 @@ this->iv.m_bh = (BITMAPINFOHEADER*)malloc(bihs); memcpy(this->iv.m_bh, format, bihs); +this->iv.m_bh->biSize = bihs; this->iv.m_State = STOP; //this->iv.m_pFrame = 0;
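Review bot: same comment as for the mplayer version of this hunk: the `biSize = bihs` store after the `memcpy` is correct, but `malloc(bihs)` is unchecked before the `memcpy` and the new write, and `bihs` is computed outside the hunk, so verify it is validated against `sizeof(BITMAPINFOHEADER)` and an upper bound. Since src/libw32dll/ is an embedded copy of the mplayer loader, the two patches should be kept in step so the next loader fix lands in both.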
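The CVE text above describes a header whose own length field, biSize, is left as the file supplied it while the code has already allocated and copied `bihs` bytes. The following is an added example, not code from mplayer or xine-lib, showing the size checks a decoder should apply around that malloc/memcpy pair and why overwriting biSize with the real allocation size keeps later readers in bounds. The reduced `bih_t` layout, the `BIH_MAX_EXTRA` cap, the `sum_extra_bytes` consumer and the constructed block in `demo_lying_bisize` are my own choices for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Reduced stand-in for the Win32 BITMAPINFOHEADER (assumption: the real
 * struct is 40 bytes; this one is 24). biSize is the header's own length
 * field and is the value the decoder must not trust. */
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
} bih_t;

/* Upper bound on trailing codec-private bytes we are willing to copy
 * (a constructed limit for this example). */
#define BIH_MAX_EXTRA 4096u

/* Copy a caller-supplied format block of bihs bytes into a fresh allocation,
 * as DMO_VideoDecoder_Open does, with the checks a reviewer would want:
 *  - bihs must cover at least one whole header
 *  - bihs must be bounded, so a hostile size cannot exhaust memory
 *  - the copy's biSize is overwritten with bihs (the line the CVE fix adds),
 *    so later code that trusts biSize cannot be steered past the allocation
 * Returns NULL on any violation or allocation failure. */
bih_t *copy_format_block(const void *format, size_t bihs)
{
    if (format == NULL || bihs < sizeof(bih_t) || bihs > sizeof(bih_t) + BIH_MAX_EXTRA)
        return NULL;
    bih_t *copy = malloc(bihs);
    if (copy == NULL)
        return NULL;
    memcpy(copy, format, bihs);
    copy->biSize = (uint32_t)bihs;
    return copy;
}

/* A downstream consumer that, like the decoder, trusts biSize to tell it how
 * far the block extends: it sums the codec-private bytes after the fixed
 * header. With biSize corrected this loop cannot leave the allocation. */
uint32_t sum_extra_bytes(const bih_t *h)
{
    const uint8_t *p = (const uint8_t *)h;
    uint32_t sum = 0;
    for (uint32_t i = sizeof(bih_t); i < h->biSize; i++)
        sum += p[i];
    return sum;
}

/* Constructed scenario: a 24-byte header whose biSize claims 0xFFFFFFFF,
 * followed by 8 private bytes with values 1..8. Returns the private-byte
 * sum (36) when the copy's biSize was corrected, 0 otherwise. */
uint32_t demo_lying_bisize(void)
{
    uint8_t block[sizeof(bih_t) + 8];
    bih_t hdr = { .biSize = 0xFFFFFFFFu, .biWidth = 320, .biHeight = 240,
                  .biPlanes = 1, .biBitCount = 24, .biCompression = 0,
                  .biSizeImage = 0 };
    memcpy(block, &hdr, sizeof hdr);
    for (uint8_t i = 0; i < 8; i++)
        block[sizeof(bih_t) + i] = (uint8_t)(i + 1);

    bih_t *copy = copy_format_block(block, sizeof block);
    if (copy == NULL)
        return 0;
    uint32_t result = (copy->biSize == sizeof block) ? sum_extra_bytes(copy) : 0;
    free(copy);
    return result;
}

int main(void)
{
    printf("private-byte sum with corrected biSize: %u\n", demo_lying_bisize());
    printf("undersized block rejected: %s\n",
           copy_format_block("x", 4) == NULL ? "yes" : "no");
    return 0;
}
```

Without the `copy->biSize = bihs` line, `sum_extra_bytes` would walk to 0xFFFFFFFF and read far past the 32-byte allocation; with it, the consumer's loop is bounded by the size the decoder actually allocated.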
Bug#414069: CVE-2007-0999: still vulnerable to format string exploits
Package: ekiga Version: 2.0.3-4 Severity: grave Tags: patch, security Hello! Unfortunately, it seems the upstream changes for CVE-2007-1006 weren't sufficient to solve the problems. Upstream is preparing 2.0.6 to be released[1], but in the meantime, I've attached the patch I'm using in Ubuntu for 2.0.3. [1] http://bugzilla.gnome.org/show_bug.cgi?id=415526 -- Kees Cook@outflux.net #! /bin/sh /usr/share/dpatch/dpatch-run ## 51_fix-format-strings.dpatch by Kees Cook <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad ekiga-2.0.3~/lib/gui/gmdialog.h ekiga-2.0.3/lib/gui/gmdialog.h --- ekiga-2.0.3~/lib/gui/gmdialog.h 2006-03-12 07:46:42.0 -0800 +++ ekiga-2.0.3/lib/gui/gmdialog.h 2007-03-08 17:00:30.144521663 -0800 @@ -127,7 +127,7 @@ const char *, const char *, const char *, - ...); + ...) G_GNUC_PRINTF(4,5); /** @@ -140,7 +140,7 @@ GtkWidget *gnomemeeting_error_dialog (GtkWindow *parent, const char *, const char *format, - ...); + ...) G_GNUC_PRINTF(3,4); /** @@ -153,7 +153,7 @@ GtkWidget *gnomemeeting_warning_dialog (GtkWindow *parent, const char *, const char *format, - ...); + ...) G_GNUC_PRINTF(3,4); /** @@ -166,7 +166,7 @@ GtkWidget *gnomemeeting_message_dialog (GtkWindow *parent, const char *, const char *format, - ...); + ...) G_GNUC_PRINTF(3,4); /** @@ -179,7 +179,7 @@ GtkWidget *gnomemeeting_progress_dialog (GtkWindow *parent, const char *, const char *format, -...); +...) G_GNUC_PRINTF(3,4); G_END_DECLS diff -urNad ekiga-2.0.3~/lib/gui/gmstatusbar.c ekiga-2.0.3/lib/gui/gmstatusbar.c --- ekiga-2.0.3~/lib/gui/gmstatusbar.c 2006-03-12 07:46:42.0 -0800 +++ ekiga-2.0.3/lib/gui/gmstatusbar.c 2007-03-08 17:00:30.148521870 -0800 @@ -48,7 +48,7 @@ gboolean, gboolean, const char *, - ...); + va_list args); static int gm_statusbar_clear_msg_cb (gpointer); 
@@ -100,7 +100,7 @@ gboolean flash_message, gboolean info_message, const char *msg, - ...) + va_list args) { gint id = 0; gint msg_id = 0; @@ -119,17 +119,12 @@ gtk_statusbar_pop (GTK_STATUSBAR (sb), id); if (msg) { - -va_list args; char buffer [1025]; -va_start (args, msg); vsnprintf (buffer, 1024, msg, args); msg_id = gtk_statusbar_push (GTK_STATUSBAR (sb), id, buffer); -va_end (args); - if (flash_message) gtk_timeout_add (15000, gm_statusbar_clear_msg_cb, GINT_TO_POINTER (msg_id)); diff -urNad ekiga-2.0.3~/lib/gui/gmstatusbar.h ekiga-2.0.3/lib/gui/gmstatusbar.h --- ekiga-2.0.3~/lib/gui/gmstatusbar.h 2006-03-12 07:46:42.0 -0800 +++ ekiga-2.0.3/lib/gui/gmstatusbar.h 2007-03-08 17:00:30.148521870 -0800 @@ -94,7 +94,7 @@ */ void gm_statusbar_flash_message (GmStatusbar *, const char *msg, -...); +...) G_GNUC_PRINTF(2,3); /* DESCRIPTION : / @@ -105,7 +105,7 @@ */ void gm_statusbar_push_message (GmStatusbar *, const char *msg, - ...); + ...) G_GNUC_PRINTF(2,3); /* DESCRIPTION : / @@ -116,7 +116,7 @@ */ void gm_statusbar_push_info_message (GmStatusbar *, const char *msg, -...); +...) G_GNUC_PRINTF(2,3); G_END_DECLS diff -urNad ekiga-2.0.3~/lib/gui/gmtexttagaddon.h ekiga-2.0.3/lib/gui/gmtexttagaddon.h --- ekiga-2.0.3~/lib/gui/gmtexttagaddon.h 2006-03-12 07:46:42.0 -0800 +++ ekiga-2.0.3/lib/gui/gmtexttagaddon.h2007-03-08 17:00:30.148521870 -0800 @@ -97,7 +97,7 @@ **/ void gtk_text_tag_add_actions
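Review bot: the `G_GNUC_PRINTF(n,n+1)` annotations in the gmdialog.h and gmstatusbar.h hunks only produce diagnostics when the build runs with `-Wformat` (and ideally `-Wformat-security` or `-Werror=format-security`), so the dpatch should be paired with those flags in the build rules or the annotation finds nothing. The indices look right for what is visible: format is the 3rd parameter for the three-argument dialog functions, the 2nd for the statusbar functions, and the 4th for the first gmdialog.h hunk assuming its hidden first parameter is the parent window.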
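Review bot: the gmstatusbar.c hunks change the static helper from `...` to `va_list args` and drop its own `va_start`/`va_end`, so every caller (gm_statusbar_flash_message, gm_statusbar_push_message and gm_statusbar_push_info_message, whose public prototypes are annotated in the gmstatusbar.h hunk) must now do the va_start/va_end and pass the list through; those callers are not in the hunk, so please confirm they were updated, otherwise this either fails to compile or formats garbage. Minor: `vsnprintf (buffer, 1024, msg, args)` on a `char buffer [1025]` leaves one byte unused; use `sizeof buffer` so the two agree.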
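Review bot: the dpatch ends mid-hunk at `void gtk_text_tag_add_actions` in gmtexttagaddon.h, so the last change cannot be reviewed; please re-attach the complete patch.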
Bug#411944: CVE-2007-1006: format string overflows
Package: ekiga Version: 2.0.3-2 Severity: grave Tags: patch, security, fixed-upstream http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1006 says: "Multiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via a crafted Q.931 SETUP packet." See attached patch for upstream fix. -- Kees Cook@outflux.net Index: urlhandler.cpp === --- urlhandler.cpp (revision 4825) +++ urlhandler.cpp (revision 4826) @@ -532,13 +532,13 @@ if (call_address.Find ("+type=directory") != P_MAX_INDEX) { - gm_main_window_flash_message (main_window, _("User not found")); + gm_main_window_flash_message (main_window, "%s", _("User not found")); call_history_item->end_reason = g_strdup (_("User not found")); endpoint->SetCallingState (GMManager::Standby); } else { - gm_main_window_flash_message (main_window, _("Failed to call user")); + gm_main_window_flash_message (main_window, "%s", _("Failed to call user")); call_history_item->end_reason = g_strdup (_("Failed to call user")); } Index: manager.cpp === --- manager.cpp (revision 4825) +++ manager.cpp (revision 4826) @@ -715,7 +715,7 @@ gnomemeeting_threads_enter (); msg = g_strdup_printf (_("Forwarding call to %s"), (const char*) forward_party); - gm_main_window_flash_message (main_window, msg); + gm_main_window_flash_message (main_window, "%s", msg); gm_history_window_insert (history_window, msg); gnomemeeting_threads_leave (); g_free (msg); @@ -873,7 +873,7 @@ /* Update the log and status bar */ msg = g_strdup_printf (_("Call from %s"), (const char *) utf8_name); gnomemeeting_threads_enter (); - gm_main_window_flash_message (main_window, msg); + gm_main_window_flash_message (main_window, "%s", msg); gm_chat_window_push_info_message (chat_window, NULL, msg); gm_history_window_insert (history_window, msg); gnomemeeting_threads_leave (); 
@@ -913,7 +913,7 @@ /* Display the action message */ gnomemeeting_threads_enter (); if (short_reason) -gm_main_window_flash_message (main_window, short_reason); +gm_main_window_flash_message (main_window, "%s", short_reason); if (long_reason) gm_history_window_insert (history_window, long_reason); gnomemeeting_threads_leave (); @@ -1061,7 +1061,7 @@ msg = g_strdup_printf (_("Connected with %s"), utf8_name); gm_main_window_set_status (main_window, utf8_name); gm_main_window_set_panel_section (main_window, CALL); - gm_main_window_flash_message (main_window, msg); + gm_main_window_flash_message (main_window, "%s", msg); gm_chat_window_push_info_message (chat_window, NULL, msg); gm_main_window_update_calling_state (main_window, GMManager::Connected); gm_chat_window_update_calling_state (chat_window, @@ -1351,7 +1351,7 @@ gm_calls_history_item_free (call_history_item); gm_history_window_insert (history_window, msg_reason); - gm_main_window_flash_message (main_window, msg_reason); + gm_main_window_flash_message (main_window, "%s", msg_reason); gm_chat_window_push_info_message (chat_window, NULL, ""); gnomemeeting_threads_leave (); Index: sip.cpp === --- sip.cpp (revision 4825) +++ sip.cpp (revision 4826) @@ -319,7 +319,7 @@ #endif gm_history_window_insert (history_window, msg); - gm_main_window_flash_message (main_window, msg); + gm_main_window_flash_message (main_window, "%s", msg); if (endpoint.GetCallingState() == GMManager::Standby) gm_main_window_set_account_info (main_window, endpoint.GetRegisteredAccounts());
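Review bot: in the urlhandler.cpp hunk the arguments being wrapped are `_("User not found")` and `_("Failed to call user")`, literals that come back from the translation catalog; wrapping them in `"%s"` is still right, because a catalog entry is data the compiler cannot check and a translation containing a stray `%` would otherwise be interpreted as a format. The unchanged `g_strdup (_("User not found"))` on the next line does no formatting and is fine.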
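Review bot: in the manager.cpp hunks at 873 and 1061 the same `msg` that is now passed as `"%s", msg` to gm_main_window_flash_message is also handed unchanged to `gm_chat_window_push_info_message (chat_window, NULL, msg)` and `gm_history_window_insert (history_window, msg)`; if either of those is a printf-style variadic, it needs the same `"%s"` treatment, so please confirm their prototypes take a plain string. Adding `G_GNUC_PRINTF` to gm_main_window_flash_message's declaration would let the compiler catch any call site this patch missed.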
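Review bot: the sip.cpp hunk fixes only the flash_message call while `gm_history_window_insert (history_window, msg)` on the line above stays as it is, and the manager.cpp hunk at 913 likewise leaves `gm_history_window_insert (history_window, long_reason)` untouched; both are correct only if gm_history_window_insert does not treat its argument as a format, which the hunks do not show. A one-line comment on its declaration stating that it takes a plain string would stop the next reader from re-asking.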
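As an added illustration of the fix pattern in this patch, not Ekiga's own code: a printf-style message sink carrying the format attribute (the GCC/Clang form that GLib's `G_GNUC_PRINTF` macro expands to), the `"%s"` calling convention the patch introduces, and a small audit helper for spotting strings that contain conversion directives before they reach a printf-family function. `flash_message`, `show_remote_text`, `contains_format_directive` and the constructed display name are names and data I chose; the vulnerable call shape the patch removes would be `flash_message(remote_text)`, which the attribute makes the compiler flag under `-Wformat-security`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define STATUS_LEN 256

/* Stand-in for the status bar that the flash_message calls write to. */
static char status_buf[STATUS_LEN];

/* Variadic sink with the same shape as gm_main_window_flash_message.
 * The attribute lets GCC/Clang check the format against the arguments and,
 * with -Wformat-security, warn on flash_message(msg) when msg is not a
 * string literal, which is exactly the call shape the patch removes. */
__attribute__((format(printf, 1, 2)))
void flash_message(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(status_buf, sizeof status_buf, fmt, ap);
    va_end(ap);
}

/* The calling convention the patch introduces: text that came from the
 * network (or a translation catalog) travels as a "%s" argument, so '%'
 * sequences inside it are copied verbatim instead of being interpreted. */
const char *show_remote_text(const char *remote_text)
{
    flash_message("%s", remote_text);
    return status_buf;
}

/* Audit helper: does this string contain a conversion directive? Useful for
 * checking message catalog entries or logged peer strings that are about to
 * be used as a format. "%%" is a literal percent, not a directive. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* escaped percent, skip both characters */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed remote display name carrying format directives. */
    const char *name = "Call from %x%x%n";
    printf("shown verbatim: \"%s\"\n", show_remote_text(name));
    printf("carries directives: %d\n", contains_format_directive(name));
    return 0;
}
```

The point of the attribute is detection at build time: once every printf-style entry point in a code base is annotated, a single `-Werror=format-security` turns the whole class of `f(untrusted)` calls into build failures instead of a per-call audit.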
Bug#411942: CVE-2007-0007: tmp file overwrites
Package: gnucash
Version: 2.0.2-3
Severity: grave
Tags: security, fixed-upstream

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0007 says:
"gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files."

See also bug #406983 -- this CVE is fixed in version 2.0.5.

-- Kees Cook@outflux.net
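The CVE text above is the classic predictable-temporary-file problem: the program creates or truncates a fixed name such as `qof.trace` in a shared directory, and a local user who plants a symlink there beforehand redirects the write to any file the program can open. The following is an added example, not gnucash's code, contrasting that open() pattern with the `O_CREAT|O_EXCL|O_NOFOLLOW` form and `mkstemp()`. `demo_planted_symlink` sets the scenario up in a private directory under `$TMPDIR` (or `/tmp`); the function and file names are mine.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the CVE text describes: a predictable name in a shared
 * directory, created or truncated with plain O_CREAT. If someone has planted
 * a symlink at that name, open() follows it and O_TRUNC empties the link
 * target. Returns a file descriptor or -1. */
int open_trace_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes open() fail if anything already exists at the
 * name (a symlink counts, whatever it points to), and O_NOFOLLOW refuses to
 * traverse a symlink at the final component. Returns -1 with errno == EEXIST
 * when something was planted. */
int open_trace_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* When the name does not matter, mkstemp() picks an unpredictable one and
 * creates it atomically with O_EXCL; the template must end in XXXXXX and is
 * modified in place. Returns the descriptor or -1. */
int open_trace_mkstemp(char *template_path)
{
    return mkstemp(template_path);
}

/* Constructed scenario in a private directory under $TMPDIR (or /tmp): a
 * victim file with content, and a symlink named like a trace file pointing
 * at it. Returns 1 when the unsafe open followed the link and truncated the
 * victim while the safe open refused with EEXIST, 0 otherwise (including
 * when the directory or the symlink could not be created). */
int demo_planted_symlink(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    char dir[512], victim[640], link_name[640];
    snprintf(dir, sizeof dir, "%s/tracedemo.XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link_name, sizeof link_name, "%s/qof.trace", dir);

    int result = 0, fd = -1, fd2 = -1, followed = 0, refused = 0;
    struct stat st;
    FILE *f = fopen(victim, "w");
    if (f != NULL) {
        fputs("important data\n", f);
        fclose(f);
        if (symlink(victim, link_name) == 0) {
            /* Unsafe open: follows the link and truncates victim.txt. */
            fd = open_trace_unsafe(link_name);
            followed = (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0);
            if (fd >= 0)
                close(fd);
            /* Safe open: refuses because the name already exists. */
            errno = 0;
            fd2 = open_trace_safe(link_name);
            refused = (fd2 < 0 && errno == EEXIST);
            if (fd2 >= 0)
                close(fd2);
            result = followed && refused;
        }
    }
    unlink(link_name);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("unsafe open followed the planted link, safe open refused: %s\n",
           demo_planted_symlink() ? "yes" : "no");
    return 0;
}
```

Of the three, `mkstemp()` is the usual answer for trace and scratch files; `O_EXCL` is for the case where the name is fixed by design, and then the program has to cope with `EEXIST` (report it, do not retry with O_TRUNC).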
Bug#411192: CVE-2007-0981: serious cookie-stealing vulnerability
Package: iceweasel
Version: 2.0.0.1+dfsg-2
Severity: grave
Tags: security, fixed-upstream, patch

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981 says:
"Mozilla based browsers allows remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code."

Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=370445
Upstream patch: https://bugzilla.mozilla.org/attachment.cgi?id=255252

-- Kees Cook@outflux.net
Bug#411084: CVE-2007-0901,0902: XSS in debugging information
Package: moin Version: 1.3.4-3 Severity: grave Tags: patch, security http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0901 says: "Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857." This appears not to be true for the 1.5.x line of Moin, but it is true in 1.3.x. Attached is the patch I'm using in Ubuntu, which also includes fixes for CVE-2007-0902, by allowing for "show_traceback" to be set to 0 in site configurations. -- Kees Cook@outflux.net diff -Nur moin1.3-1.3.4/MoinMoin/multiconfig.py moin1.3-1.3.4.new/MoinMoin/multiconfig.py --- moin1.3-1.3.4/MoinMoin/multiconfig.py 2005-03-12 13:26:14.0 -0800 +++ moin1.3-1.3.4.new/MoinMoin/multiconfig.py 2007-02-15 12:48:43.507437578 -0800 @@ -245,6 +245,7 @@ show_section_numbers = 1 show_timings = 0 show_version = 0 +show_traceback = 1 siteid = 'default' theme_default = 'modern' theme_force = False diff -Nur moin1.3-1.3.4/MoinMoin/request.py moin1.3-1.3.4.new/MoinMoin/request.py --- moin1.3-1.3.4/MoinMoin/request.py 2005-03-06 14:15:45.0 -0800 +++ moin1.3-1.3.4.new/MoinMoin/request.py 2007-02-15 12:48:36.011047587 -0800 @@ -915,7 +915,7 @@ self.print_exception(*saved_exc) else: try: -cgitb.Hook(file=self).handle(saved_exc) +cgitb.Hook(file=self,display=self.cfg.show_traceback).handle(saved_exc) # was: cgitb.handler() except: self.print_exception(*saved_exc) diff -Nur moin1.3-1.3.4/MoinMoin/support/cgitb.py moin1.3-1.3.4.new/MoinMoin/support/cgitb.py --- moin1.3-1.3.4/MoinMoin/support/cgitb.py 2005-01-09 10:48:07.0 -0800 +++ moin1.3-1.3.4.new/MoinMoin/support/cgitb.py 2007-02-15 12:48:36.011047587 -0800 
@@ -85,7 +85,7 @@ osinfo + '' + \ 'MoinMoin Release %s [Revision %s]' % (version.release, version.revision) head = '' + pydoc.html.heading( -'%s%s' % (str(etype), str(evalue)), +'%s%s' % (pydoc.html.escape(str(etype)), pydoc.html.escape(str(evalue))), '#ff', '#6622aa', versinfo + '' + date) + ''' A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.''' @@ -141,7 +141,7 @@ %s''' % '\n'.join(rows)) -exception = ['%s: %s' % (strong(str(etype)), str(evalue))] +exception = ['%s: %s' % (strong(pydoc.html.escape(str(etype))), pydoc.html.escape(str(evalue)))] if type(evalue) is types.InstanceType: for name in dir(evalue): value = pydoc.html.repr(getattr(evalue, name))
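Review bot: the multiconfig.py hunk defaults `show_traceback = 1`, so installations that never touch the new option keep rendering full cgitb tracebacks (local variables, paths, configuration) to anyone who can trigger an exception, which is the CVE-2007-0902 exposure; consider defaulting to 0 and documenting that admins can set it to 1 while debugging.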
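Review bot: the request.py hunk passes `display=self.cfg.show_traceback` to `cgitb.Hook`, but the cgitb in use is the bundled `MoinMoin/support/cgitb.py`, whose Hook signature is not part of the cgitb.py hunk; please confirm that copy accepts a `display` keyword (the stdlib one does, a modified copy may not), and that the `except:` fallback to `self.print_exception(*saved_exc)` does not itself emit the traceback when display is 0.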
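Review bot: the cgitb.py hunks escape `etype` and `evalue` in the heading and in the exception line, which is the right layer for the fix, but the second hunk's context shows the `rows` built elsewhere being joined into the same HTML and the `value = pydoc.html.repr(...)` loop following it; `pydoc.html.repr` escapes, so those are fine, but please check the code that fills `rows` applies the same escaping, otherwise request data can still reach the page through a frame's locals.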
Bug#410850: links to upstream changes
Here are the upstream changes for the ruby and unzip fixes:

http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/backupDatabase.rb?rev=611302&r1=485972&r2=611302
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/databaseScripts.rb?rev=611304&r1=485124&r2=611304
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/redoPodcasts.rb?rev=611303&r1=527198&r2=611303
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleAlbums.rb?rev=611306&r1=513319&r2=611306
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleArtists.rb?rev=611300&r1=513319&r2=611300
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleImages.rb?rev=611298&r1=513461&r2=611298
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/databasescripts/staleStatistics.rb?rev=611301&r1=484927&r2=611301
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/scripts/mp3fix/mp3fixer.rb?rev=611452&r1=515416&r2=611452
http://websvn.kde.org/trunk/extragear/multimedia/amarok/src/magnatunebrowser/magnatunealbumdownloader.cpp?rev=633728&r1=632452&r2=633728

-- Kees Cook@outflux.net
Bug#410850: misleading CVE
BTW, the CVE is misleading, there are ruby script fixes needed as well as the unzip bug. Attached is a patch for the ruby fixes, which appear to be in upstream 1.4.5 already. -- Kees Cook@outflux.net diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/backupDatabase.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/backupDatabase.rb --- amarok-1.4.3/amarok/src/scripts/databasescripts/backupDatabase.rb 2006-09-04 19:42:40.0 -0700 +++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/backupDatabase.rb 2007-02-13 13:39:04.198770848 -0800 @@ -37,14 +37,12 @@ destination = $*[0] + "/" unless FileTest.directory?( destination ) -error = "Error: Save destination must be a directory" -`dcop amarok playlist popupMessage '#{error}'` +system("dcop", "amarok", "playlist", "popupMessage", "Error: Save destination must be a directory") exit( 1 ) end unless FileTest.writable_real?( destination ) -error = "Error: Destination directory not writable." -`dcop amarok playlist popupMessage '#{error}'` +system("dcop", "amarok", "playlist", "popupMessage", "Error: Destination directory not writeable.") exit( 1 ) end 
@@ -68,14 +66,11 @@ db = `dcop amarok script readConfig MySqlDbName`.chomp!() user = `dcop amarok script readConfig MySqlUser`.chomp!() pass = `dcop amarok script readConfig MySqlPassword`.chomp!() -`mysqldump -u #{user} -p#{pass} #{db} > #{dest}` +system("mysqldump", "-u", user, "-p", pass, db, "-r", dest); when "2" # postgres -error = "Sorry, postgresql database backups have not been implemented" -`dcop amarok playlist popupMessage #{error}` +system("dcop", "amarok", "playlist", "popupMessage", "Sorry, postgresql database backups have not been implemented.") exit( 1 ) end -message = "Database backup saved to: #{destination}/#(unknown)" -`dcop amarok playlist popupMessage '#{message}'` - +system("dcop", "amarok", "playlist", "popupMessage", "Database backup saved to: #{destination}/#(unknown)") diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/databaseScripts.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/databaseScripts.rb --- amarok-1.4.3/amarok/src/scripts/databasescripts/databaseScripts.rb 2006-09-04 19:42:40.0 -0700 +++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/databaseScripts.rb 2007-02-13 13:39:04.198770848 -0800 @@ -16,7 +16,7 @@ require 'Korundum' rescue LoadError error = 'Korundum (KDE bindings for ruby) from kdebindings v3.4 is required for this script.' -`dcop amarok playlist popupMessage "DatabaseScripts: #{error}"` +system("dcop", "amarok", "playlist", "popupMessage", "DatabaseScripts: #{error}") exit end @@ -103,7 +103,7 @@ filename = File.dirname( File.expand_path( __FILE__ ) ) + "/staleStatistics.rb" end -`ruby "#(unknown)" "#{arg}"` +system("ruby", filename, arg) done( 0 ) end diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/redoPodcasts.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/redoPodcasts.rb --- amarok-1.4.3/amarok/src/scripts/databasescripts/redoPodcasts.rb 2006-09-04 19:42:40.0 -0700 +++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/redoPodcasts.rb 2007-02-13 13:39:04.198770848 -0800 
@@ -12,6 +12,6 @@ podcasts.each do |channel| print "Adding podcast: #{channel}\n" -`dcop amarok playlistbrowser addPodcast #{channel}` +system("dcop", "amarok", "playlistbrowser", "addPodcast", channel) end print "Done.\n" diff -Nur amarok-1.4.3/amarok/src/scripts/databasescripts/staleAlbums.rb amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleAlbums.rb --- amarok-1.4.3/amarok/src/scripts/databasescripts/staleAlbums.rb 2006-09-04 19:42:40.0 -0700 +++ amarok-1.4.3.new/amarok/src/scripts/databasescripts/staleAlbums.rb 2007-02-13 13:39:04.202771047 -0800 @@ -5,30 +5,36 @@ # (c) 2006 Roland Gigler <[EMAIL PROTECTED]> # License: GNU General Public License V2 -`dcop amarok playlist shortStatusMessage "Removing stale 'album' entries from the database"` +class String +def shellquote +return "'" + self.gsub("'", "'''") + "'" +end +end + +system("dcop", "amarok", "playlist", &quo
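Review bot: the backupDatabase.rb `@@ -68,14 +66,11 @@` hunk breaks the backup: the original ran `mysqldump -u #{user} -p#{pass} #{db}` with the password attached to `-p`, and the replacement passes `"-p", pass` as two separate arguments, which mysqldump reads as a bare `-p` (prompt for the password on the terminal) followed by `pass` as a database name. Keep the argv-style `system` call but pass a single `"-p#{pass}"` (or `"--password=#{pass}"`) argument; the trailing `;` on that line is also not idiomatic Ruby. The password being visible in the process list is pre-existing and not made worse here.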
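Review bot: the `@@ -37,14 +37,12 @@` hunk and the databaseScripts.rb and redoPodcasts.rb hunks move from backtick interpolation to the argv form of `system`, which is the right fix since the arguments never pass through a shell; two nits: the first popup message changes `writable` to `writeable`, and the three `readConfig` backticks left in the `@@ -68` hunk are fine only because they interpolate nothing, so a comment saying so would stop someone from adding an interpolated value there later.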
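Review bot: the `String#shellquote` added in the staleAlbums.rb hunk is not a valid single-quote escaper: replacing `'` with `'''` turns `it's` into `'it'''s'`, which the shell reads as `it`, an empty string and then an unterminated `s'`. The usual idiom is to replace `'` with `'\''` (close the quote, add an escaped quote, reopen), or better, avoid the shell entirely and use the argv form of `system` as the other hunks in this patch do. The patch is cut off after `system("dcop", "amarok", "playlist", &quo`, so where shellquote is applied cannot be checked here.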
Bug#410850: CVE-2006-6980: magnatune shell escapes
Package: amarok
Version: 1.4.4-2
Severity: grave
Tags: patch, security

CVE-2006-6980 says[1]:
"The ruby handlers in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters."

There is an open KDE bug report[2], and SuSE has patched this problem. I'm working on extracting the patches now...

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979
[2] http://bugs.kde.org/show_bug.cgi?id=138499

-- Kees Cook@outflux.net
Bug#402063: vulnerable to overflow in PS handling (CVE-2006-5864)
On Thu, Dec 07, 2006 at 10:12:14PM +0100, Loïc Minier wrote:
> Thanks for the bug and the patch! I had flagged the Ubuntu security
> notice, but didn't have time to upload it yet.

Okay, great. I wanted to make sure all the upstreams had the bug recorded, just in case. :) The Gnome report is here: http://bugzilla.gnome.org/show_bug.cgi?id=383485

> I saw that you updated 0.4 and 0.6, but not 0.1; perhaps you do not
> ship evince 0.1 anymore, but if you do, do you know whether it is
> affected?

The earliest supported evince in Ubuntu is 0.4. As far as I can tell, if ps/ps.c exists in the codebase, it's vulnerable. (Since that file was embedded from a vulnerable version of gv.)

Thanks!

-- Kees Cook@outflux.net
Bug#402063: vulnerable to overflow in PS handling (CVE-2006-5864)
Package: evince Version: 0.4.0-2 Severity: critical Tags: security, patch This is the same vulnerability as reported against gv as bug 398292, since evince has old gv code embedded (I've updated the wiki to reflect this: http://wiki.debian.org/EmbeddedCodeCopies) Patch attached (applies to both 0.4.0 and 0.6.1). -- Kees Cook@outflux.net diff -Nur evince-0.4.0/ps/ps.c evince-0.4.0.new/ps/ps.c --- evince-0.4.0/ps/ps.c2005-06-17 06:33:00.0 -0700 +++ evince-0.4.0.new/ps/ps.c2006-12-04 12:28:32.280683848 -0800 @@ -1225,6 +1225,9 @@ quoted = 1; line++; while(*line && !(*line == ')' && level == 0)) { + if (cp - text >= PSLINELENGTH - 2) { +return NULL; + } if(*line == '\\') { if(*(line + 1) == 'n') { *cp++ = '\n'; @@ -1295,8 +1298,12 @@ } } else { -while(*line && !(*line == ' ' || *line == '\t' || *line == '\n')) +while(*line && !(*line == ' ' || *line == '\t' || *line == '\n')) { + if (cp - text >= PSLINELENGTH - 2) { +return NULL; + } *cp++ = *line++; +} } *cp = '\0'; if(next_char)
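Review bot: both hunks return NULL from inside the copy loops once `cp - text >= PSLINELENGTH - 2`, which stops the overflow, but in the second hunk the early return skips the `*cp = '\0'` that follows the loop, so `text` is left unterminated; that is only safe if every caller checks for NULL before touching `text`, which the hunk does not show, so please confirm (or terminate the buffer before returning). In the quoted branch the check sits before the `\` escape handling, which writes at most one byte per iteration, so the `- 2` margin holds; keep the two checks in step if the escape handling ever emits more than one byte.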
Bug#399845: patch
Tags: patch

Hello! I've reported this upstream[1] and suggested a possible patch[2] to disable handling of GNUTYPE_NAMES (since it is a deprecated type).

[1] https://savannah.gnu.org/bugs/index.php?18355
[2] https://savannah.gnu.org/bugs/download.php?file_id=11327

-- Kees Cook@outflux.net
Bug#396277: possible fix?
Tags: patch Seems like the tmp file isn't needed at all? Possible patch attached. -- Kees Cook@outflux.net diff -u thttpd-2.23beta1/debian/thttpd.logrotate thttpd-2.23beta1/debian/thttpd.logrotate --- thttpd-2.23beta1/debian/thttpd.logrotate +++ thttpd-2.23beta1/debian/thttpd.logrotate @@ -4,15 +4,9 @@ compress missingok delaycompress -prerotate - if pidof thttpd 2>&1 > /dev/null; then - touch /tmp/start_thttpd - fi -endscript postrotate - if [ -f /tmp/start_thttpd ]; then + if pidof thttpd 2>&1 > /dev/null; then /etc/init.d/thttpd restart 2>&1 > /dev/null - rm -f /tmp/start_thttpd fi endscript }
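Review bot: dropping the prerotate marker removes the /tmp race (any local user could pre-create /tmp/start_thttpd and force a restart, or block one), and checking `pidof` directly in postrotate is simpler; one thing carried over onto the new `+ if pidof thttpd 2>&1 > /dev/null; then` line: `2>&1 > /dev/null` sends stderr to the original stdout before stdout is redirected, so pidof's stderr still ends up in the logrotate cron mail. Write it as `> /dev/null 2>&1`, and the same for the `/etc/init.d/thttpd restart` line below it.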
Bug#395809: vnc4 authentication bypass
Package: vnc4
Version: 4.1.1+X4.3.0-19
Severity: grave
Tags: security

RealVNC 4.1.2 was released to plug holes in authentication handling. Quoting the CVE:
'allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server...'

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2369
http://www.realvnc.com/products/free/4.1/release-notes.html

-- Kees Cook@outflux.net
Bug#343042: yaird: IDE init fails
Package: yaird
Version: 0.0.12-1
Followup-For: Bug #343042

I'm seeing the same problems with yaird. Made 2.6.14 unbootable.

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages yaird depends on:
ii cpio 2.6-9 GNU cpio -- a program to manage ar
ii dash 0.5.3-1 The Debian Almquist Shell
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
ii libhtml-template-perl 2.7-1 HTML::Template : A module for usin
ii libparse-recdescent-perl 1.94.free-1 Generates recursive-descent parser
ii perl 5.8.7-9 Larry Wall's Practical Extraction

yaird recommends no packages.

-- debconf-show failed
Bug#337085: squirrelmail: failed to connect to SSL imap
Package: squirrelmail
Version: 2:1.4.5-2
Severity: grave
Tags: patch
Justification: renders package unusable

squirrelmail uses the wrong prefix for SSL imap connections. This is reported (and fixed) here:
http://libarynth.f0.am/cgi-bin/twiki/view/Libarynth/SquirrelMail

/usr/share/squirrelmail/functions/imap_general.php line 441
- $imap_server_address = 'tls://' . $imap_server_address;
+ $imap_server_address = 'ssl://' . $imap_server_address;

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages squirrelmail depends on:
ii apache [httpd] 1.3.34-1 versatile, high-performance HTTP s
ii apache2-mpm-prefork [httpd] 2.0.55-3 traditional model for Apache2
ii libapache-mod-php4 4:4.4.0-4 server-side, HTML-embedded scripti
ii libapache2-mod-php4 4:4.4.0-4 server-side, HTML-embedded scripti
ii perl 5.8.7-7 Larry Wall's Practical Extraction
ii php4 4:4.4.0-4 server-side, HTML-embedded scripti
ii php4-cgi 4:4.4.0-4 server-side, HTML-embedded scripti

Versions of packages squirrelmail recommends:
pn ispell | aspell | aspel (no description available)
ii squirrelmail-locales 1.4.5-20050713-1 Translations for the SquirrelMail

-- no debconf information
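Review bot: the one-line change from `tls://` to `ssl://` in imap_general.php fixes the connection because PHP's `ssl://` wrapper lets the client negotiate SSLv2, SSLv3 or TLS while `tls://` insists on TLS; the flip side is that the webmail will now also accept an IMAP server that only speaks the older protocols, so rather than hard-coding the most permissive wrapper it would be better to make the prefix a configuration option with `tls://` as the preferred value and `ssl://` as the fallback for servers that need it.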
Bug#334938: libssl0.9.8: libcrypt-ssleay-perl seg faults via https addresses
Package: libssl0.9.8
Version: 0.9.8a-2
Severity: grave
Justification: renders package unusable

There is a seg fault when using Perl LWP to access https sites:

#0 0xb7dc3942 in SSL_CTX_ctrl () from /usr/lib/i686/cmov/libssl.so.0.9.8
#1 0xb7de07de in XS_Crypt__SSLeay__CTX_new () from /usr/lib/perl5/auto/Crypt/SSLeay/SSLeay.so
#2 0x080c0ad0 in Perl_pp_entersub ()
#3 0x080b95ba in Perl_runops_standard ()
#4 0x08064e43 in perl_run ()
#5 0x0805fd4f in main ()

For example:

$ perl -MHTTP::Request -MLWP::UserAgent -e '
$agent = LWP::UserAgent->new();
$request = HTTP::Request->new("GET" => "https://www.osdl.org/");
$response = $agent->request($request);
'
Segmentation fault

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libssl0.9.8 depends on:
ii debconf [debconf-2.0] 1.4.58 Debian configuration management sy
ii libc6 2.3.5-6 GNU C Library: Shared libraries an

libssl0.9.8 recommends no packages.

-- debconf information:
libssl0.9.8/restart-services: