Re: Request a security audit for my xiterm+thai package.

2008-04-22 Thread Neutron Soutmun
Forwarding to the list:
On Mon, 2008-04-21 at 13:05 +0200, Nico Golde wrote:
> Hi Neutron,
> * Neutron Soutmun [EMAIL PROTECTED] [2008-04-21 02:58]:
> > According to
> > http://lists.debian.org/debian-mentors/2008/04/msg00251.html
> > in which Paul Wise advised me to contact the security audit team to
> > review my package xiterm+thai
> > (http://packages.qa.debian.org/x/xiterm%2Bthai.html)
>
> [...]
> I have no time for auditing this, but one thing came to my mind
> when I had a look in main.c:
>   /* main.c, lines 1655-1656 */
>   if ((display_name = getenv ("DISPLAY")) == NULL)
>     display_name = ":0";
>
> Please fix that code to print an error, see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1692 and
> http://article.gmane.org/gmane.comp.security.oss.general/122
>
> Kind regards
> Nico
> --
> Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.


signature.asc
Description: This is a digitally signed message part


Re: Request a security audit for my xiterm+thai package.

2008-04-22 Thread Neutron Soutmun
> I have no time for auditing this, but one thing came to my mind
> when I had a look in main.c:
>   /* main.c, lines 1655-1656 */
>   if ((display_name = getenv ("DISPLAY")) == NULL)
>     display_name = ":0";
>
> Please fix that code to print an error, see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1692 and
> http://article.gmane.org/gmane.comp.security.oss.general/122

Just reviewed CVE-2008-1692 and sent the initial patch to upstream.
Now, the adjusted patch by the upstream developer is committed in the
upstream source. It will be in the next upstream release.

In the meantime, I will review other vulnerabilities.

Regards,
Neutron Soutmun


signature.asc
Description: This is a digitally signed message part
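
The change requested in the thread above (report an error instead of falling back to :0 when DISPLAY is unset), shown next to the quoted pattern. This is an added example, not the patch sent upstream and not code from xiterm+thai; the function names, the explicit-display parameter and the treatment of an empty DISPLAY as unset are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Before: the pattern quoted from main.c. env_display is the result of
 * getenv("DISPLAY"); when it is NULL the terminal silently targets ":0",
 * whichever X server that happens to be. */
static const char *display_legacy(const char *env_display)
{
    const char *display_name = env_display;
    if (display_name == NULL)
        display_name = ":0";
    return display_name;
}

/* After: no implicit default. A display given explicitly (opt_display, a
 * hypothetical command-line value) wins; otherwise DISPLAY must be set and
 * non-empty (assumption: empty counts as unset). On failure an error is
 * printed and NULL is returned so the caller can exit before any X
 * connection is attempted. */
static const char *display_strict(const char *opt_display,
                                  const char *env_display)
{
    if (opt_display != NULL && *opt_display != '\0')
        return opt_display;
    if (env_display != NULL && *env_display != '\0')
        return env_display;
    fprintf(stderr, "error: no display specified and DISPLAY is not set\n");
    return NULL;
}

int main(int argc, char **argv)
{
    const char *env = getenv("DISPLAY");
    const char *opt = (argc > 1) ? argv[1] : NULL; /* assumed: argv[1] is the display */
    const char *name;

    printf("legacy code would use: %s\n", display_legacy(env));
    name = display_strict(opt, env);
    if (name == NULL)
        return EXIT_FAILURE;
    printf("strict code would use: %s\n", name);
    return EXIT_SUCCESS;
}
```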


Request a security audit for my xiterm+thai package.

2008-04-20 Thread Neutron Soutmun
According to
http://lists.debian.org/debian-mentors/2008/04/msg00251.html
in which Paul Wise advised me to contact the security audit team to
review my package xiterm+thai
(http://packages.qa.debian.org/x/xiterm%2Bthai.html)

The issue is the setuid/setgid that is used in this package for it to
function properly. The latest xiterm+thai_1.07-1 has already migrated to
testing, and if it has vulnerabilities, they must be fixed.

For the fixing process, I can try to fix it or contact upstream, but
the problem is that I don't know where to start with this issue.
Could anyone advise me?

Best Regards,
Neutron Soutmun


signature.asc
Description: This is a digitally signed message part