Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities

2002-04-08 Thread Thomas Smith
On Mon, Apr 08, 2002 at 02:50:18PM -0500, Colin Watson wrote:
> Better fixes are available, though. I'd forgotten that the last
> message in this bug left it up to me to test them ... I'll have a look
> today or tomorrow and see if we can get this sorted.
> 
> -- Colin Watson [EMAIL PROTECTED]
There is a new version to test, just in case you have already downloaded
it.

As before, it is at .  The version
to test is 1.6-14.

I should have time to test this version on Wednesday.  If it goes
reasonably well, I can upload it then, and then bug aj.  OTOH, feel free
to upload the package if you have time to test it and it works for you.
The thing that doesn't work for me is dpkg-reconfigure, although it
_should_ work because I redid the debconf stuff according to
debconf-devel(8).  Blah.

Thank you for your time.
-- 
Thomas "resc" Smith <[EMAIL PROTECTED]>
web: http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22  12D3 FF1B 84FE ACAB A81E



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#110610: sarg: segfaults with corrupt input from past runs of sqmgrlog

2002-04-08 Thread Tim Bell
> I notice that the version of "sarg" currently available is 1.2.1-1 (in
> both testing and unstable).
> 
> Could you please attempt to verify if this problem also exists in the new
> version ?

Yes, it seems to be fixed now, so the bug may be closed.






Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities

2002-04-08 Thread Colin Watson
On Mon, Apr 08, 2002 at 10:36:31AM -0400, Bruce R. Lewis wrote:
> A recent message on debian-devel-announce shows cgiemail having been
> removed from the upcoming release.
> 
> Has the buffer overflow fix for cgicso been checked in?  If not, one
> option is to remove cgicso entirely, as it is really not useful except
> at MIT, and its existence probably confuses some people.
> 
> As for the script-reading vulnerability, why not just have cgiemail and
> cgiecho not echo back the message sent at all; just say "a message was
> sent" or somesuch.  Seems like a quick fix is needed if cgiemail is to
> be included in woody.

Better fixes are available, though. I'd forgotten that the last message
in this bug left it up to me to test them ... I'll have a look today or
tomorrow and see if we can get this sorted.

-- 
Colin Watson  [EMAIL PROTECTED]





Bug#141838: kdelibs3-crypto: package cannot be installed when kdelibs3 is already there

2002-04-08 Thread root
Package: kdelibs3-crypto
Version: 4:2.2.1-11
Severity: grave
Justification: renders package unusable

This is the result of apt-get -f install:
Adding `diversion of /usr/lib/kde2/kio_https.la to 
/usr/lib/kde2/kio_https-nossl.la by kdelibs3-crypto'
Adding `diversion of /usr/lib/kde2/kio_https.so to 
/usr/lib/kde2/kio_https-nossl.so by kdelibs3-crypto'
Adding `diversion of /usr/lib/libkssl.so.2.0.2 to 
/usr/lib/libkssl-nossl.so.2.0.2 by kdelibs3-crypto'
Adding `diversion of /usr/lib/libkssl.la to /usr/lib/libkssl-nossl.la by 
kdelibs3-crypto'
dpkg: error processing 
/cdrom//pool/non-US/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.1-11_i386.deb 
(--unpack):
 trying to overwrite `/usr/share/apps/kssl/caroot/ca-bundle.crt', which is also
 in package kdelibs3
 dpkg-deb: subprocess paste killed by signal (Broken pipe)
 Removing `diversion of /usr/lib/kde2/kio_https.la to 
/usr/lib/kde2/kio_https-nossl.la by kdelibs3-crypto'
 Removing `diversion of /usr/lib/kde2/kio_https.so to 
/usr/lib/kde2/kio_https-nossl.so by kdelibs3-crypto'
 Removing `diversion of /usr/lib/libkssl.so.2.0.2 to 
/usr/lib/libkssl-nossl.so.2.0.2 by kdelibs3-crypto'
 Removing `diversion of /usr/lib/libkssl.la to /usr/lib/libkssl-nossl.la by 
kdelibs3-crypto'
 Errors were encountered while processing:
  /cdrom//pool/non-US/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.1-11_i386.deb
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux perlbroker.kosmos 2.2.19-udma100-ext3 #1 SMP Sat Oct 20 18:53:37 
CEST 2001 i486
Locale: LANG=C, LC_CTYPE=C






Bug#141825: kyahoo: Receiving the basic smilie :) doesn't show the picture, and there is some text appended to each received line

2002-04-08 Thread Simon Burnet
Package: kyahoo
Version: 0.7.0-7
Severity: normal

There are two bugs in this report. Both are minor inconveniences.

1) The smilie :) doesn't appear on incoming messages.

2) Some junk is appended after the end of each incoming message. Please
interpret [] as a square box, which I can't include, but it looks something
like:
[];0,0[]0

- Simon.


-- System Information
Debian Release: 3.0
Kernel Version: Linux Nuxtes 2.2.11 #1 Thu Sep 2 01:04:16 BST 1999 i686 unknown

Versions of the packages kyahoo depends on:
ii  kdelibs3   2.2.2-13   KDE core libraries (runtime files)
ii  libc6  2.2.5-3GNU C Library: Shared libraries and Timezone
ii  libjpeg62  6b-5   The Independent JPEG Group's JPEG runtime li
ii  libpng21.0.12-3   PNG library - runtime
ii  libqt2 2.3.1-19   Qt GUI Library (runtime version).
ii  libstdc++2.10- 2.95.4-5   The GNU stdc++ library
ii  xlibs  4.1.0-14   X Window System client libraries
ii  zlib1g 1.1.4-1compression library - runtime





Bug#129104: cgiemail: buffer overflow and script reading vulnerabilities

2002-04-08 Thread Bruce R. Lewis
A recent message on debian-devel-announce shows cgiemail having been
removed from the upcoming release.

Has the buffer overflow fix for cgicso been checked in?  If not, one
option is to remove cgicso entirely, as it is really not useful except
at MIT, and its existence probably confuses some people.

As for the script-reading vulnerability, why not just have cgiemail and
cgiecho not echo back the message sent at all; just say "a message was
sent" or somesuch.  Seems like a quick fix is needed if cgiemail is to
be included in woody.

There's an approach you could take that would be backward compatible:
Have cgiemail and cgicso only echo back the message if its first line is
clearly a valid mail header.  However, maybe a quick fix would be better
to get it into the release.

-- 
<[EMAIL PROTECTED](if (brl-related? message); Bruce R. Lewis
  "users.sourceforge.net"   ; http://brl.sourceforge.net/
  "alum.mit.edu")]>





Bug#141760: ssh2: init.d file has wrong default port

2002-04-08 Thread Brian White
Package: ssh2
Version: 2.0.13-7

When SSH2 starts, it tries to read the port number from the config file.
If it is not present, it sets PORT=.  However, SSH2 starts on port 22
if that parameter is not set.

This prevents the "stop" and "restart" directives from working:

wolf:~$ ls -l /var/run/ssh*
-rw-r--r--1 root root4 Apr  8 05:59 /var/run/sshd2_22.pid

wolf:~$ bash -x /etc/init.d/ssh2 restart
+ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ DAEMON=/usr/sbin/sshd2
+ NAME=sshd2
++ perl -ne 'print $1 if /^\s*Port\s+(\d+)\b/' /etc/ssh2/sshd2_config
+ PORT=
+ '[' -z '' ']'
+ PORT=
+ DESC=Secure Shell server v2
+ test -f /usr/sbin/sshd2
+ set -e
+ echo -n 'Restarting Secure Shell server v2: '
Restarting Secure Shell server v2: + start-stop-daemon --stop --quiet --oknodo 
--pidfile /var/run/sshd2_.pid --exec /usr/sbin/sshd2
+ sleep 1
+ start-stop-daemon --start --quiet --pidfile /var/run/sshd2_.pid --exec 
/usr/sbin/sshd2
FATAL: Creating listener failed: port 22 probably already in use!

  Brian
 ( [EMAIL PROTECTED] )

---
  80% of people surveyed think they are above-average drivers
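The pidfile mismatch described in this report comes from the init script setting PORT to the empty string when sshd2_config has no Port line, while sshd2 itself defaults to 22. The following is an added example, not the ssh2 package's own init script: it extracts the port with the same pattern the script uses but falls back to 22, so the pidfile name matches the one the daemon writes. The directory argument to ssh2_pidfile is an assumption made so the check can run offline.

```shell
#!/bin/sh
# Added example (not from the ssh2 package): derive the sshd2 port the way
# /etc/init.d/ssh2 does, but fall back to sshd2's built-in default of 22
# when the config sets no Port, so /var/run/sshd2_<port>.pid is right.

# Print the Port directive from a sshd2_config file, or 22 when absent.
# Same match as the init script's perl regex: optional leading blanks,
# "Port", blanks, digits; commented-out lines therefore do not match.
ssh2_port() {
    config="$1"
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$config" | head -n 1)
    [ -z "$port" ] && port=22    # the original script set PORT= here
    echo "$port"
}

# Pidfile path for a port, following the sshd2_<port>.pid naming in the
# report; the directory is a parameter (assumed) so this runs anywhere.
ssh2_pidfile() {
    echo "$2/sshd2_$1.pid"
}

# Self-check with two constructed config files: one without a Port line
# (the case from the report) and one that sets a non-default port.
demo() {
    dir=$(mktemp -d)
    printf 'ListenAddress 0.0.0.0\n# Port 2222\n' > "$dir/no_port"
    printf 'Port 2222\nListenAddress 0.0.0.0\n' > "$dir/custom_port"
    echo "no Port directive -> $(ssh2_pidfile "$(ssh2_port "$dir/no_port")" /var/run)"
    echo "Port 2222         -> $(ssh2_pidfile "$(ssh2_port "$dir/custom_port")" /var/run)"
    rm -rf "$dir"
}

demo
```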





Bug#141613: [patch] freedce: package dependencies

2002-04-08 Thread Peter Samuelson

tags 141613 patch
thanks

for debian/changelog:
  * Non-developer ... non-upload
  * Merge freedce-dceidl and freedce-uuid into libfreedce-dev
(closes: #141613)
  * libfreedce-dev Depends: libdcethreads-dev
  * Move uuid back to /usr/bin: it is used for application development,
not system administration
  * Remove several unneeded *.dirs files


diff -urN debian.orig/control debian/control
--- debian.orig/control Sun Apr  7 07:40:41 2002
+++ debian/control  Mon Apr  8 01:19:41 2002
@@ -14,28 +14,18 @@
 
 Package: libfreedce-dev
 Architecture: any
-Depends: ${shlibs:Depends}
-Conflicts: uuid-dev
-Description: A free implementation of DCE RPC
- This package contains freedce development files
-
-Package: freedce-dceidl
-Architecture: any
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, libdcethreads-dev
+Provides: freedce-dceidl, freedce-uuid
+Replaces: freedce-dceidl, freedce-uuid
+Conflicts: freedce-dceidl, freedce-uuid, uuid-dev
 Description: A free implementation of DCE RPC
- This process contains freedce idl which is needed in order to develop using 
freedce
+ This package contains the freedce development environment.
 
 Package: freedce-rpcd
 Architecture: any
 Depends: ${shlibs:Depends}
 Description: A free implementation of DCE RPC
  This package contains DCE rpcd.
-
-Package: freedce-uuid
-Architecture: any
-Depends: ${shlibs:Depends}
-Description: A free implementation of DCE RPC
- This package contains uuid which is a binary useful for freedce development
 
 Package: freedce-doc
 Architecture: all
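Review bot: both stanzas that survive in this hunk, libfreedce-dev and freedce-rpcd, still carry the identical synopsis "A free implementation of DCE RPC", so the packages remain indistinguishable in a package listing; while the libfreedce-dev stanza is being rewritten anyway, give each a synopsis that names its role, e.g. "A free implementation of DCE RPC - development files" and "A free implementation of DCE RPC - rpcd daemon". The Provides/Replaces/Conflicts triple on freedce-dceidl and freedce-uuid is the correct way to take over the merged package names.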
diff -urN debian.orig/freedce-dceidl.dirs debian/freedce-dceidl.dirs
--- debian.orig/freedce-dceidl.dirs Sun Apr  7 07:40:41 2002
+++ debian/freedce-dceidl.dirs  Wed Dec 31 18:00:00 1969
@@ -1,2 +0,0 @@
-usr/
-usr/bin
diff -urN debian.orig/freedce-dceidl.files debian/freedce-dceidl.files
--- debian.orig/freedce-dceidl.filesSun Apr  7 07:40:41 2002
+++ debian/freedce-dceidl.files Wed Dec 31 18:00:00 1969
@@ -1,2 +0,0 @@
-usr/bin/dceidl
-usr/bin/idl
diff -urN debian.orig/freedce-dceidl.undocumented 
debian/freedce-dceidl.undocumented
--- debian.orig/freedce-dceidl.undocumented Sun Apr  7 07:40:41 2002
+++ debian/freedce-dceidl.undocumented  Wed Dec 31 18:00:00 1969
@@ -1,2 +0,0 @@
-dceidl.1
-idl.1
diff -urN debian.orig/freedce-rpcd.dirs debian/freedce-rpcd.dirs
--- debian.orig/freedce-rpcd.dirs   Sun Apr  7 07:40:41 2002
+++ debian/freedce-rpcd.dirsWed Dec 31 18:00:00 1969
@@ -1,2 +0,0 @@
-usr/
-usr/sbin
diff -urN debian.orig/freedce-uuid.dirs debian/freedce-uuid.dirs
--- debian.orig/freedce-uuid.dirs   Sun Apr  7 07:40:41 2002
+++ debian/freedce-uuid.dirsWed Dec 31 18:00:00 1969
@@ -1,2 +0,0 @@
-usr/
-usr/sbin/
diff -urN debian.orig/freedce-uuid.files debian/freedce-uuid.files
--- debian.orig/freedce-uuid.files  Sun Apr  7 07:40:41 2002
+++ debian/freedce-uuid.files   Wed Dec 31 18:00:00 1969
@@ -1 +0,0 @@
-usr/sbin/uuid
diff -urN debian.orig/freedce-uuid.undocumented debian/freedce-uuid.undocumented
--- debian.orig/freedce-uuid.undocumented   Sun Apr  7 07:40:41 2002
+++ debian/freedce-uuid.undocumentedWed Dec 31 18:00:00 1969
@@ -1 +0,0 @@
-uuid.8
diff -urN debian.orig/libfreedce-dev.dirs debian/libfreedce-dev.dirs
--- debian.orig/libfreedce-dev.dirs Sun Apr  7 07:40:41 2002
+++ debian/libfreedce-dev.dirs  Wed Dec 31 18:00:00 1969
@@ -1,4 +0,0 @@
-usr/
-usr/lib
-usr/include
-usr/include/dce
diff -urN debian.orig/libfreedce-dev.files debian/libfreedce-dev.files
--- debian.orig/libfreedce-dev.filesSun Apr  7 07:40:41 2002
+++ debian/libfreedce-dev.files Mon Apr  8 01:28:33 2002
@@ -1,4 +1,7 @@
 usr/include/dce/*
+usr/bin/dceidl
+usr/bin/idl
+usr/bin/uuid
 usr/lib/libdcerpc.a
 usr/lib/libdcerpc.la
 usr/lib/libdcerpc.so
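Review bot: the new usr/bin/uuid entry only exists at dh_movefiles time if the debian/rules hunk below, which drops the `mv .../usr/bin/uuid .../usr/sbin/uuid`, is applied together with this one; applied on its own, this hunk makes dh_movefiles fail on a missing usr/bin/uuid. Keep the two changes in one upload.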
diff -urN debian.orig/libfreedce-dev.undocumented 
debian/libfreedce-dev.undocumented
--- debian.orig/libfreedce-dev.undocumented Wed Dec 31 18:00:00 1969
+++ debian/libfreedce-dev.undocumented  Mon Apr  8 01:22:10 2002
@@ -0,0 +1,3 @@
+dceidl.1
+idl.1
+uuid.8
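Review bot: uuid.8 places the undocumented(7) stub in manual section 8, but the changelog entry moves uuid to /usr/bin precisely because it is a development tool rather than a system-administration one; uuid.1 would match the new location. Better still, write short manpages for dceidl, idl and uuid instead of carrying the stubs over into the merged package.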
diff -urN debian.orig/libfreedce.dirs debian/libfreedce.dirs
--- debian.orig/libfreedce.dirs Sun Apr  7 07:40:41 2002
+++ debian/libfreedce.dirs  Wed Dec 31 18:00:00 1969
@@ -1,2 +0,0 @@
-usr/
-usr/lib
diff -urN debian.orig/rules debian/rules
--- debian.orig/rules   Sun Apr  7 07:40:41 2002
+++ debian/rulesMon Apr  8 01:51:34 2002
@@ -55,7 +55,6 @@
 
mkdir $(CURDIR)/debian/freedce/usr/sbin
mv $(CURDIR)/debian/freedce/usr/bin/rpcd 
$(CURDIR)/debian/freedce/usr/sbin/rpcd 
-   mv $(CURDIR)/debian/freedce/usr/bin/uuid 
$(CURDIR)/debian/freedce/usr/sbin/uuid 
mv $(CURDIR)/debian/freedce/usr/bin/echo* 
$(CURDIR)/debian/freedce-doc/usr/share/doc/freedce-doc/examples/
dh_movefiles --sourcedir=debian/freedce
 
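Review bot: the mv lines at the top of this hunk have been wrapped by the mailer, so the continuation `$(CURDIR)/debian/freedce/usr/sbin/uuid` appears as a separate line without the `-` prefix of the line it belongs to (and the rpcd continuation likewise lacks its leading context space); patch(1) will reject the hunk as malformed if it is fed from this message. Attach the diff, or send it with line wrapping disabled, so the change can be applied as posted.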





Processed: [patch] freedce: package dependencies

2002-04-08 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tags 141613 patch
Bug#141613: freedce: idl compiler needs devel environment
Tags added: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#141613: freedce: package dependencies

2002-04-08 Thread Peter Samuelson

[I wrote]
> The DCE IDL compiler won't do much without its include files.  Thus I
> would recommend combining freedce-dceidl and libfreedce-dev into one
> package, or at least making the former depend on the latter.

Also, libfreedce-dev needs to depend on libdcethreads-dev.  The include
files include each other.

Peter

