Your message dated Fri, 12 Aug 2005 23:32:05 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#255402: fixed in rlpr 2.05-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Jun 2004 18:08:19 +0000
>From [EMAIL PROTECTED] Sun Jun 20 11:08:19 2004
Return-path: <[EMAIL PROTECTED]>
Received: from mta11.adelphia.net [68.168.78.205] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1Bc6jr-0007H5-00; Sun, 20 Jun 2004 11:08:19 -0700
Received: from mizar.alcor.net ([69.167.148.207]) by mta11.adelphia.net
          (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with ESMTP
          id <[EMAIL PROTECTED]>
          for <[EMAIL PROTECTED]>; Sun, 20 Jun 2004 14:07:49 -0400
Received: from mdz by mizar.alcor.net with local (Exim 4.34)
        id 1Bc6jM-0004d8-ME
        for [EMAIL PROTECTED]; Sun, 20 Jun 2004 11:07:48 -0700
Date: Sun, 20 Jun 2004 11:07:48 -0700
From: Matt Zimmerman <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Multiple security vulnerabilities: CAN-2004-0393, CAN-2004-0454 (DSA 524)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="vkogqOf2sHV7VnPd"
Content-Disposition: inline
X-Reportbug-Version: 2.61
User-Agent: Mutt/1.5.6+20040523i
Sender: Matt Zimmerman <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--vkogqOf2sHV7VnPd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: rlpr
Version: 2.02-7
Severity: grave
Tags: security

A Debian security advisory was recently released for rlpr.  Please merge
these fixes into unstable.

-- 
 - mdz

--vkogqOf2sHV7VnPd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="rlpr-CAN-2004-0393-CAN-2004-0454.diff"

diff -u rlpr-2.02/debian/changelog rlpr-2.02/debian/changelog
--- rlpr-2.02/debian/changelog
+++ rlpr-2.02/debian/changelog
@@ -1,3 +1,11 @@
+rlpr (2.02-7woody1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Fix format string vulnerability in msg() (CAN-2004-0393)
+  * Fix buffer overflow vulnerability in msg() (CAN-2004-0454)
+
+ -- Matt Zimmerman <[EMAIL PROTECTED]>  Sat, 12 Jun 2004 13:00:53 -0700
+
 rlpr (2.02-7) unstable; urgency=medium
 
   * Modified postinst to ignore an existing /usr/doc/$package directory.
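Review bot: the two new changelog bullets name msg() but not the code path, while the accompanying src/msg.c change only touches the `rlpr_msg->use_syslog` branch. Saying so in the entry (for example "in the syslog path of msg()") would let anyone auditing the upload see that the other output branches of msg() were left as they were, and would make it clear which configurations were exposed. A reference to DSA 524 in the entry would also help tie the upload to the advisory named in the bug subject.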
only in patch2:
unchanged:
--- rlpr-2.02.orig/src/msg.c
+++ rlpr-2.02/src/msg.c
@@ -159,22 +159,15 @@
            return;
 
     } else if (rlpr_msg->use_syslog) {
-
-       /*
-        * sigh.  this really sucks, but what can we do: vsnprintf()
-        * isn't yet standard enough to rely on.  maybe if i can find
-        * a portable implementation lying around somewhere i can make
-        * a ../lib/vsnprintf.c
-        */
-
        char    buf[BUFSIZ];
 
-       vsprintf(buf, _(format), ap);
-
-       if (errno != 0)
-           strcat(buf, ": %m");
+       if (errno != 0) {
+           snprintf(buf, sizeof(buf), "%s: %%m", _(format));
+       } else {
+            snprintf(buf, sizeof(buf), "%s", _(format));
+       }
 
-       syslog(rlpr_msg->syslog_prio[level], buf);
+       vsyslog(rlpr_msg->syslog_prio[level], buf, ap);
 
     } else {
 
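Review bot: both snprintf() calls that build buf ignore their return value, so a translated `_(format)` longer than BUFSIZ - 1 bytes (less the ": %m" suffix in the first branch) is silently truncated, possibly in the middle of a conversion specifier, and the cut string is then passed to vsyslog() as the format together with the original ap. Compare the return value against sizeof(buf) and, on truncation, log a fixed message or fall back to calling vsyslog() with `_(format)` directly rather than formatting from a damaged string. Two smaller points in the same block: errno is tested before snprintf() but consumed by %m only inside vsyslog(), so saving it in a local and restoring it just before the vsyslog() call would guarantee the logged error text is the one that triggered the branch; and the `snprintf(buf, sizeof(buf), "%s", _(format));` line in the else branch is indented one column deeper than its sibling. The removed comment explained why vsprintf() was used; a one-line comment saying that buf now holds only the format string, with argument expansion left to vsyslog(), would keep the next reader from reintroducing a non-literal format in the syslog call.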

--vkogqOf2sHV7VnPd--

---------------------------------------
Received: (at 255402-close) by bugs.debian.org; 13 Aug 2005 06:38:30 +0000
>From [EMAIL PROTECTED] Fri Aug 12 23:38:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1E3pYr-0000LZ-00; Fri, 12 Aug 2005 23:32:05 -0700
From: Ari Pollak <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#255402: fixed in rlpr 2.05-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 12 Aug 2005 23:32:05 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: rlpr
Source-Version: 2.05-1

We believe that the bug you reported is fixed in the latest version of
rlpr, which is due to be installed in the Debian FTP archive:

rlpr_2.05-1.diff.gz
  to pool/main/r/rlpr/rlpr_2.05-1.diff.gz
rlpr_2.05-1.dsc
  to pool/main/r/rlpr/rlpr_2.05-1.dsc
rlpr_2.05-1_i386.deb
  to pool/main/r/rlpr/rlpr_2.05-1_i386.deb
rlpr_2.05.orig.tar.gz
  to pool/main/r/rlpr/rlpr_2.05.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <[EMAIL PROTECTED]> (supplier of updated rlpr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Thu, 11 Aug 2005 21:10:26 -0400
Source: rlpr
Binary: rlpr
Architecture: source i386
Version: 2.05-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <[EMAIL PROTECTED]>
Changed-By: Ari Pollak <[EMAIL PROTECTED]>
Description: 
 rlpr       - A utility for lpd printing without using /etc/printcap
Closes: 255402
Changes: 
 rlpr (2.05-1) unstable; urgency=low
 .
   * Adopt package
   * New upstream release
   * Clean up some compiler warnings
   * Update rules file to use debhelper
   * Update standards-version to 3.6.2; no changes required
   * Acknowledge previous NMUs (Closes: #255402)
Files: 
 aa668b36e7c4a4914bc162bbf10e71c2 546 net optional rlpr_2.05-1.dsc
 64ee8ccd94aabc90b9f40d0b2ad79e79 222119 net optional rlpr_2.05.orig.tar.gz
 d9da7d26e4142fda6a18cc27ed6d4be2 5100 net optional rlpr_2.05-1.diff.gz
 c4c097fef50bc4420950e634cfda7598 49120 net optional rlpr_2.05-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC/Y3BwO+u47cOQDsRAwtYAJ47bOj4YpLQCIiUko9tYAX7liBPBQCfTp4u
ZOCL4QU+FHbD7HHNbxDlbdE=
=TtsE
-----END PGP SIGNATURE-----

