Your message dated Fri, 12 Aug 2005 23:32:05 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#255402: fixed in rlpr 2.05-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Jun 2004 18:08:19 +0000
>From [EMAIL PROTECTED] Sun Jun 20 11:08:19 2004
Return-path: <[EMAIL PROTECTED]>
Received: from mta11.adelphia.net [68.168.78.205] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1Bc6jr-0007H5-00; Sun, 20 Jun 2004 11:08:19 -0700
Received: from mizar.alcor.net ([69.167.148.207]) by mta11.adelphia.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with ESMTP id <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>; Sun, 20 Jun 2004 14:07:49 -0400
Received: from mdz by mizar.alcor.net with local (Exim 4.34) id 1Bc6jM-0004d8-ME for [EMAIL PROTECTED]; Sun, 20 Jun 2004 11:07:48 -0700
Date: Sun, 20 Jun 2004 11:07:48 -0700
From: Matt Zimmerman <[EMAIL PROTECTED]> To: Debian Bug Tracking System <[EMAIL PROTECTED]> Subject: Multiple security vulnerabilities: CAN-2004-0393, CAN-2004-0454 (DSA 524) Message-ID: <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="vkogqOf2sHV7VnPd" Content-Disposition: inline X-Reportbug-Version: 2.61 User-Agent: Mutt/1.5.6+20040523i Sender: Matt Zimmerman <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25 X-Spam-Level: --vkogqOf2sHV7VnPd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Package: rlpr Version: 2.02-7 Severity: grave Tags: security A Debian security advisory was recently released for rlpr. Please merge these fixes into unstable. -- - mdz --vkogqOf2sHV7VnPd Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="rlpr-CAN-2004-0393-CAN-2004-0454.diff" diff -u rlpr-2.02/debian/changelog rlpr-2.02/debian/changelog --- rlpr-2.02/debian/changelog +++ rlpr-2.02/debian/changelog @@ -1,3 +1,11 @@ +rlpr (2.02-7woody1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Fix format string vulnerability in msg() (CAN-2004-0393) + * Fix buffer overflow vulnerability in msg() (CAN-2004-0454) + + -- Matt Zimmerman <[EMAIL PROTECTED]> Sat, 12 Jun 2004 13:00:53 -0700 + rlpr (2.02-7) unstable; urgency=medium * Modified postinst to ignore an existing /usr/doc/$package directory. only in patch2: unchanged: --- rlpr-2.02.orig/src/msg.c +++ rlpr-2.02/src/msg.c 
@@ -159,22 +159,15 @@ return; } else if (rlpr_msg->use_syslog) { - - /* - * sigh. this really sucks, but what can we do: vsnprintf() - * isn't yet standard enough to rely on. maybe if i can find - * a portable implementation lying around somewhere i can make - * a ../lib/vsnprintf.c - */ - char buf[BUFSIZ]; - vsprintf(buf, _(format), ap); - - if (errno != 0) - strcat(buf, ": %m"); + if (errno != 0) { + snprintf(buf, sizeof(buf), "%s: %%m", _(format)); + } else { + snprintf(buf, sizeof(buf), "%s", _(format)); + } - syslog(rlpr_msg->syslog_prio[level], buf); + vsyslog(rlpr_msg->syslog_prio[level], buf, ap); } else { --vkogqOf2sHV7VnPd-- --------------------------------------- Received: (at 255402-close) by bugs.debian.org; 13 Aug 2005 06:38:30 +0000 >From [EMAIL PROTECTED] Fri Aug 12 23:38:30 2005 Return-path: <[EMAIL PROTECTED]> Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian)) id 1E3pYr-0000LZ-00; Fri, 12 Aug 2005 23:32:05 -0700 
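Review bot: In the debian/changelog hunk, the two new entries name msg() and the CAN ids but not what was changed, so a reader of the changelog cannot tell that the fix replaces the vsprintf()/strcat()/syslog() sequence with snprintf() and vsyslog(). Suggest adding one line that says so.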
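Review bot: In the src/msg.c hunk (@@ -159,22 +159,15 @@), the declaration `char buf[BUFSIZ];` is removed, yet the added lines still write to `buf` and rely on `sizeof(buf)`, and no replacement declaration is visible in this hunk. Please confirm that `buf` is declared as an array (not a pointer) earlier in the function; otherwise `sizeof(buf)` is not the buffer length. Two smaller points on the same lines: the snprintf() return value is ignored, so an over-long translated format is silently truncated, possibly in the middle of a conversion specifier that is then handed to vsyslog() as the format; and snprintf() runs between the `errno != 0` test and the vsyslog() call and can change errno, so saving errno before the test and restoring it just before vsyslog() would keep `%m` reporting the original error.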
From: Ari Pollak <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#255402: fixed in rlpr 2.05-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 12 Aug 2005 23:32:05 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: rlpr
Source-Version: 2.05-1

We believe that the bug you reported is fixed in the latest version of
rlpr, which is due to be installed in the Debian FTP archive:

rlpr_2.05-1.diff.gz
  to pool/main/r/rlpr/rlpr_2.05-1.diff.gz
rlpr_2.05-1.dsc
  to pool/main/r/rlpr/rlpr_2.05-1.dsc
rlpr_2.05-1_i386.deb
  to pool/main/r/rlpr/rlpr_2.05-1_i386.deb
rlpr_2.05.orig.tar.gz
  to pool/main/r/rlpr/rlpr_2.05.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <[EMAIL PROTECTED]> (supplier of updated rlpr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Thu, 11 Aug 2005 21:10:26 -0400
Source: rlpr
Binary: rlpr
Architecture: source i386
Version: 2.05-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <[EMAIL PROTECTED]>
Changed-By: Ari Pollak <[EMAIL PROTECTED]>
Description:
 rlpr - A utility for lpd printing without using /etc/printcap
Closes: 255402
Changes:
 rlpr (2.05-1) unstable; urgency=low
 .
   * Adopt package
   * New upstream release
   * Clean up some compiler warnings
   * Update rules file to use debhelper
   * Update standards-version to 3.6.2; no changes required
   * Acknowledge previous NMUs (Closes: #255402)
Files:
 aa668b36e7c4a4914bc162bbf10e71c2 546 net optional rlpr_2.05-1.dsc
 64ee8ccd94aabc90b9f40d0b2ad79e79 222119 net optional rlpr_2.05.orig.tar.gz
 d9da7d26e4142fda6a18cc27ed6d4be2 5100 net optional rlpr_2.05-1.diff.gz
 c4c097fef50bc4420950e634cfda7598 49120 net optional rlpr_2.05-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC/Y3BwO+u47cOQDsRAwtYAJ47bOj4YpLQCIiUko9tYAX7liBPBQCfTp4u
ZOCL4QU+FHbD7HHNbxDlbdE=
=TtsE
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]