Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
On Tuesday 19 February 2008 19:39, Romain Beauxis wrote:
> On Tuesday 19 February 2008 14:08:46 Thijs Kinkhorst, you wrote:
> > > As a side note, I've already done a lot of things to try to fix this, but
> > > upstream seems not to care at all, and didn't maintain this package for 1
> > > year (last upload was my NMU)...
> >
> > So am I right to conclude that we'd better remove this package rather than
> > to try and fix it?
>
> Well, popcon is not zero, but unless maintainer is willing to support it (he
> is upstream too), then yes, that's my point too.

No further comment by maintainer, I'm filing a removal bug then.


Thijs
Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Hi,
alright, I had time to test this with an exploit now and indeed the version in
unstable is vulnerable and not fixed. I am going to upload a 0-day NMU to fix
this.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Hi,
are you sure this is fixed in unstable? Looking at the code it seems to be
partly fixed. The checks for MAX_CGI_LEN are included but:

- strcpy(loginPassword,in+7); + loginPassword.set(in+7); - LOG_DEBUG(ICY client: %s %s,loginPassword,mount?mount:unknown); + LOG_DEBUG(ICY client: %s %s,loginPassword.cstr(),mount?mount:unknown); } if (mount) - strcpy(loginMount,mount); + loginMount.set(mount); handshakeICY(Channel::SRC_ICECAST,isHTTP); sock = NULL;// socket is taken over by channel, so don`t close it @@ -318,7 +329,7 @@ if (!isAllowed(ALLOW_BROADCAST)) throw HTTPException(HTTP_SC_UNAVAILABLE,503); - strcpy(loginPassword,servMgr-password);// pwd already checked + loginPassword.set(servMgr-password); // pwd already checked

- is not included, which is bad because loginPassword is declared as
char loginPassword[64]; while #define MAX_CGI_LEN 512. So it looks to me that
the code is still affected. I did not try to exploit it though.

Comments?
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
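Review bot: swapping strcpy(loginPassword,in+7) and strcpy(loginMount,mount) for loginPassword.set(in+7) / loginMount.set(mount) only closes the overflow if String::set() bounds the copy to the destination's own capacity, and the hunk does not show that class; the message around it gives loginPassword as char loginPassword[64] against #define MAX_CGI_LEN 512, so the MAX_CGI_LEN request check on its own still admits inputs several times the size of the field. Please confirm that set() truncates or rejects rather than trusting a caller-side length check, and that the third site, strcpy(loginPassword,servMgr-password) in the @@ -318,7 +329,7 @@ region, actually landed in the package under review, since the message says it is not included. Separately, the LOG_DEBUG line still writes the client password into the log via loginPassword.cstr(); consider dropping the password from that message.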
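To make the size mismatch in the message concrete, here is an added C example (not code from peercast or from the thread) showing why a request-level check against MAX_CGI_LEN does not protect a 64-byte field, and what a copy bounded by the destination's own size looks like instead. The struct, the bounded_set() helper, the parse_source_login() routine and the "SOURCE <password> [<mount>]" request shape are assumptions for illustration; only the two sizes and the in+7 offset come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the thread: the request is checked against MAX_CGI_LEN,
   but the password field is a 64-byte char array. */
#define MAX_CGI_LEN 512
#define LOGIN_FIELD_LEN 64

/* Hypothetical login record standing in for the loginPassword/loginMount
   buffers named in the thread; this is not peercast's own structure. */
struct login {
    char password[LOGIN_FIELD_LEN];
    char mount[LOGIN_FIELD_LEN];
};

/* Bounded stand-in for strcpy(dst, src): copies only if the whole string,
   terminator included, fits in dst. Returns 0 on success and -1 if the
   input would overflow, in which case dst is left as an empty string
   rather than partially filled with untrusted bytes. */
int bounded_set(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The request-level check the thread says is already present. */
int cgi_length_ok(const char *in)
{
    return strlen(in) <= MAX_CGI_LEN;
}

/* Parse "SOURCE <password> [<mount>]" into the record (the in+7 offset
   mirrors the hunk; the request grammar itself is assumed here).
   Returns 0 if every field fits, -1 if the request is too long or a field
   would overflow its buffer. */
int parse_source_login(struct login *l, const char *in)
{
    char buf[MAX_CGI_LEN + 1];
    const char *mount = NULL;
    char *sep;

    memset(l, 0, sizeof *l);
    if (!cgi_length_ok(in) || strncmp(in, "SOURCE ", 7) != 0)
        return -1;

    /* private copy, already length-checked, so the separator can be cut */
    memcpy(buf, in, strlen(in) + 1);
    sep = strchr(buf + 7, ' ');
    if (sep) {
        *sep = '\0';
        mount = sep + 1;
    }
    if (bounded_set(l->password, sizeof l->password, buf + 7) != 0)
        return -1;
    if (mount && bounded_set(l->mount, sizeof l->mount, mount) != 0)
        return -1;
    return 0;
}

/* Build a constructed request whose password is plen bytes of 'A'
   followed by a constructed mount name. */
void make_request(char *out, size_t out_len, size_t plen)
{
    size_t i, pos;
    memcpy(out, "SOURCE ", 8);
    pos = 7;
    for (i = 0; i < plen && pos < out_len - 1; i++)
        out[pos++] = 'A';
    out[pos] = '\0';
    strncat(out, " /live", out_len - pos - 1);
}

int main(void)
{
    struct login l;
    char req[MAX_CGI_LEN + 1];

    make_request(req, sizeof req, 20);
    printf("20-byte password: %s\n",
           parse_source_login(&l, req) == 0 ? "accepted" : "rejected");

    /* Well inside MAX_CGI_LEN, yet far larger than the 64-byte field. */
    make_request(req, sizeof req, 300);
    printf("300-byte password: cgi check %s, field copy %s\n",
           cgi_length_ok(req) ? "passes" : "fails",
           parse_source_login(&l, req) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The second request is the case the message describes: it passes the 512-byte request check, so only a copy that knows the destination's capacity (here bounded_set(), where the hunk relies on String::set()) stops it from running past the 64-byte array.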
Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Package: gnome-peercast
Version: 0.5.4-1.1
Severity: grave
Tags: security
Justification: user security hole

Hi!

CVE-2007-6454 has been fixed for peercast, but since this package includes a
static version of the code, the vulnerability still applies there.

As a side note, I've already done a lot of things to try to fix this, but
upstream seems not to care at all, and didn't maintain this package for 1 year
(last upload was my NMU)...

Romain

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-rc7-mactel (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
On Tuesday 19 February 2008 13:57, Romain Beauxis wrote:
> Package: gnome-peercast
> Version: 0.5.4-1.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi!
>
> CVE-2007-6454 has been fixed for peercast, but since this package includes
> a static version of the code, the vulnerability still applies there.
>
> As a side note, I've already done a lot of things to try to fix this, but
> upstream seems not to care at all, and didn't maintain this package for 1
> year (last upload was my NMU)...

So am I right to conclude that we'd better remove this package rather than to
try and fix it?


Thijs
Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
On Tuesday 19 February 2008 14:08:46 Thijs Kinkhorst, you wrote:
> > As a side note, I've already done a lot of things to try to fix this, but
> > upstream seems not to care at all, and didn't maintain this package for 1
> > year (last upload was my NMU)...
>
> So am I right to conclude that we'd better remove this package rather than
> to try and fix it?

Well, popcon is not zero, but unless maintainer is willing to support it (he
is upstream too), then yes, that's my point too.

Romain