Bug#404267: apache-common: mod_proxy segfaults (NULL deref.) when FTP server sends back no spaces

2006-12-22 Thread Ulf Harnhammar
. This was reported to upstream a few months ago: o http://issues.apache.org/bugzilla/show_bug.cgi?id=40733 // Ulf Harnhammar metaur:~# fgrep ftpspecial /etc/services ftpspecial 1096/tcp ftpspecial 1096/udp metaur:~# tail -n2 /etc/inetd.conf ftp stream tcp nowait root /usr

Bug#292264: Here's the patch

2006-12-12 Thread Ulf Harnhammar
tags 292264 patch thanks Here's a patch for this bug. It may not be a very important one, but I like to reduce the number of ways that computer programs can crash. // Ulf --- src/options.c.old 2005-03-13 15:52:46.0 +0100 +++ src/options.c 2006-12-12 22:47:35.0 +0100 @@ -11,7

Bug#392016: Further security patching of ELOG

2006-12-02 Thread Ulf Harnhammar
/advisories/18124/ o http://secunia.com/advisories/22057/ Regards, Ulf Harnhammar --- src/elogd.c.old 2006-11-28 12:25:59.0 +0100 +++ src/elogd.c 2006-12-02 20:37:44.0 +0100 @@ -9685,7 +9685,7 @@ void show_edit_form(LOGBOOK * lbs, int m rsprintf(option value

Bug#392016: elog in stable is also vulnerable

2006-11-08 Thread Ulf Harnhammar
I've just verified that elog in stable is vulnerable to all issues mentioned in bug #392016. // Ulf -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#392016: ELOG security audit

2006-10-31 Thread Ulf Harnhammar
as in the upstream ELOG-2.6.2 version. I haven't checked any other versions (but the upstream SVN trunk looks like it also has these bugs). // Ulf Harnhammar, Debian Security Audit Project http://www.debian.org/security/audit/ -- ___ Surf the Web

Bug#392016: Perhaps

2006-10-18 Thread Ulf Harnhammar
I'll see what I can do. // Ulf

Bug#392010: nsca: crashes on malformed command line

2006-10-09 Thread Ulf Harnhammar
. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.12-1-686 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) Versions of packages nsca

Bug#392004: python-subversion: svnshell crashes on malformed setrev command

2006-10-09 Thread Ulf Harnhammar
, in do_setrev print Error setting the revision to ' + str(rev) + '. UnboundLocalError: local variable 'rev' referenced before assignment [EMAIL PROTECTED]:~$ // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386

Bug#391388: zabbix-server-mysql: remote security problems

2006-10-06 Thread Ulf Harnhammar
Subject: zabbix-server-mysql: remote security problems Package: zabbix-server-mysql Version: 1:1.1.2-2 Severity: grave Justification: user security hole Tags: security patch Hello, Max Vozeler and Ulf Harnhammar from the Debian Security Audit Project have found a number of format string bugs

Bug#359064: php4-cli: crashes when a script includes itself

2006-03-26 Thread Ulf Harnhammar
Segmentation fault [EMAIL PROTECTED]:~/ulf$ One solution would be to keep track of included files in a function, and not include them again. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell

Bug#359071: rrdtool: crashes when restoring malformed XML file

2006-03-26 Thread Ulf Harnhammar
overflow.xml [EMAIL PROTECTED]:~/recently$ /usr/bin/rrdtool restore overflow.xml overflow.rrd Segmentation fault [EMAIL PROTECTED]:~/recently$ // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell

Bug#359081: rrdtool: crashes with malformed graph cdef command

2006-03-26 Thread Ulf Harnhammar
. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.12-1-686 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) Versions of packages

Bug#304525: final patch

2006-03-26 Thread Ulf Harnhammar
Hello, if you apply this patch to the upstream IlohaMail-0.8.14-rc3 version, it should display ilohamail1.msg correctly even when Show HTML messages is on. // Ulf Harnhammar --- include/read_message_print.inc.old 2005-04-15 08:30:52.0 +0200 +++ include/read_message_print.inc 2006

Bug#304525: patch

2006-03-21 Thread Ulf Harnhammar
However you said that not all xss bugs were fixed in the new version. Could you please send a patch that fixes the remaining issue ? Sure, I'll look into that this weekend. // Ulf

Bug#304525: New ilohamail XSS patch

2006-03-19 Thread Ulf Harnhammar
Hello, I thought I'd better improve the XSS patch for ilohamail now, before we have to celebrate birthdays for that bug.. // Ulf --- source/read_message.php.old 2004-04-08 23:16:37.0 +0200 +++ source/read_message.php 2005-04-13 20:55:40.610910256 +0200 @@ -275,9 +275,9 @@

Bug#340842: acknowledged by developer (Re: unalz: buffer overflow when extracting archives)

2006-03-16 Thread Ulf Harnhammar
The bug appears to still apply to the version of the package in unstable, and is marked as such. The bug looks closed to me. It still looks closed (in all versions) to me. Are you sure that that is what you want, instead of - say - fixing it? // Ulf --

Bug#340842: acknowledged by developer (Re: unalz: buffer overflow when extracting archives)

2006-03-15 Thread Ulf Harnhammar
This bug was fixed in a security upload to stable; marking as closed in that version. The bug appears to still apply to the version of the package in unstable, and is marked as such. The bug looks closed to me. // Ulf

Bug#356832: unalz: directory traversal bug

2006-03-14 Thread Ulf Harnhammar
and the buffer overflow that I found quite a while ago could be in order? // Ulf Harnhammar

Bug#355911: grunt: strange package description

2006-03-08 Thread Ulf Harnhammar
that the stdout from the commands can be sent back to the user? // Ulf Harnhammar

Bug#354752: viewcvs: broken English in package description

2006-02-28 Thread Ulf Harnhammar
suggest the following, instead: This version also supports subversion repositories. // Ulf Harnhammar

Bug#354461: zoo: buffer overflow when processing archives

2006-02-26 Thread Ulf Harnhammar
://seclists.org/lists/fulldisclosure/2006/Feb/0572.html The full-disclosure post includes a patch. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.12

Bug#352482: It's a vuln

2006-02-22 Thread Ulf Harnhammar
This is CVE-2006-0709 now. Additionally, Red Hat sound confident that this is exploitable: This issue is a pretty standard heap based buffer overflow. -- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181665 They have issued a security advisory with severity set to important:

Bug#353527: mrtg: rateup crashes with long basename

2006-02-19 Thread Ulf Harnhammar
by the system administrator who is trusted. I have attached a patch that corrects this problem. I have Cc'ed upstream, as the latest upstream version is affected as well. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing

Bug#353539: metamail: crashes with very long filenames in messages

2006-02-19 Thread Ulf Harnhammar
) Segmentation fault [EMAIL PROTECTED]:~/recently$ I have attached a patch and a test message. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing

Bug#352482: metamail: crashes with very long boundaries in messages

2006-02-13 Thread Ulf Harnhammar
BTW, what is in ./metamail, rather than ./src/metamail/?? I don't know. I noticed that the source is included twice, but I haven't looked into why that is the case. FWIW, if you just patch the source in src and not in ., the resulting binaries seem to be fixed. I have found that metamail

Bug#352482: metamail: crashes with very long boundaries in messages

2006-02-12 Thread Ulf Harnhammar
: [EMAIL PROTECTED]:~$ /usr/bin/metamail metamail.txt From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: metamail crash bug *** glibc detected *** free(): invalid next size (normal): 0x0805fc30 *** Aborted [EMAIL PROTECTED]:~$ I have attached a test message, as well as a patch. // Ulf

Bug#352369: buffer overflow in /usr/share/doc/netcat/examples/data/rservice.c

2006-02-11 Thread Ulf Harnhammar
$ ./rservice a b c | cat -A [EMAIL PROTECTED]@[EMAIL PROTECTED]@$ [EMAIL PROTECTED]:~/netcat.data$ ./rservice `perl -e 'print U x 1995;'` a b Segmentation fault [EMAIL PROTECTED]:~/netcat.data$ Feel free to patch it, remove the file from the package, or ignore this bug. // Ulf Harnhammar, Debian

Bug#352450: snarf: crashes when parsing bad PASV response from server

2006-02-11 Thread Ulf Harnhammar
server, if you want to test it. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.12-1-686 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO

Bug#343877: webalizer: various buffer overflows

2005-12-18 Thread Ulf Harnhammar
Subject: webalizer: various buffer overflows Package: webalizer Version: 2.01.10-27 Severity: important Tags: patch Hello, I have found some more buffer overflows in webalizer. People from Debian seem to have worked on this earlier on, and here are some more bugs to fix. None of them seem to

Bug#340842: unalz: buffer overflow when extracting archives

2005-11-26 Thread Ulf Harnhammar
information oflow333.alz Description: Binary data oflow1621.alz Description: Binary data #!/usr/bin/perl -- # alzgen # by Ulf Harnhammar in 2005 # I hereby place this program in the public domain. die usage: $0 length filename\n unless @ARGV == 2; $len = shift; $lenhi = int($len / 256); $lenlo

Bug#332919: No

2005-10-12 Thread Ulf Harnhammar
No, you don't need to set up a rogue CDDB server, as CDDB servers let anyone add or modify information about records. But according to the freedb.org FAQs every submission is reviewed before being applied to the database. So it seems quite unlikely submissions of crafted entries to

Bug#332919: No

2005-10-11 Thread Ulf Harnhammar
No, you don't need to set up a rogue CDDB server, as CDDB servers let anyone add or modify information about records. http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=26 // Ulf

Bug#323092: supertux: New upstream version

2005-08-14 Thread Ulf Harnhammar
Subject: supertux: New upstream version Package: supertux Version: 0.1.2-4 Severity: wishlist Hello, there's a new upstream version (0.1.3) of supertux at their new homepage: o http://developer.berlios.de/project/showfiles.php?group_id=3467 Please consider packaging it. // Ulf Harnhammar

Bug#323099: wget: non-free documentation [NONFREE-DOC:GFDL-1.2]

2005-08-14 Thread Ulf Harnhammar
to the DFSG, so these files must be removed from main. As an aside, the debian/copyright file for wget only lists the license for the wget program and not the license for the wget documentation. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy

Bug#322535: Patch

2005-08-13 Thread Ulf Harnhammar
If you don't want to upgrade to 2.3.7, which is unstable, you can use our unofficial patch: o http://www.sitic.se/dokument/evolution.formatstring.patch // Ulf

Bug#319273: popularity-contest: should be able to send copies to From address

2005-07-23 Thread Ulf Harnhammar
On Sat, Jul 23, 2005 at 10:02:39PM +0200, Petter Reinholdtsen wrote: Why do you make it so complex? I would believe it was sufficient to add this line to /etc/popularity-contest.conf if you wanted to send email both to the normal MAILTO address and the MAILFROM address.

Bug#319273: popularity-contest: should be able to send copies to From address

2005-07-20 Thread Ulf Harnhammar
that sends a copy of the e-mails to the From address, if COPYTOFROMADDRESS is set to yes. Please consider including this patch in the program. // Ulf Harnhammar -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686

Bug#305255: the gzip patch

2005-05-21 Thread Ulf Harnhammar
I'm still not sure if the use of basename() instead of base_name() is the correct thing to do here. It's the same function, so it should be correct. // Ulf

Bug#308282: [phpbb2 #308282] upstream patch

2005-05-10 Thread Ulf Harnhammar
(Sorry for not doing this as a real reply with the correct mail headers, but I'm not subscribed to debian-security, I only read it on the web.) | + $text = preg_replace('#(script|about|applet|activex|chrome):#is', \\1#058;, $text); It looks like this is about preventing URL's like img

Bug#304525: Someone forgot something

2005-05-04 Thread Ulf Harnhammar
I have tested the *upstream* 0.8.14-rc3, and it fixes almost all issues mentioned in this bug report. If you select Show HTML messages under Options and then view the message ilohamail1.msg, there will still be an XSS bug. // Ulf Harnhammar

Bug#305255: Better patch

2005-04-27 Thread Ulf Harnhammar
Hello, here is a better patch. It removes the directory part of the filename when it is read from the .gz file, and not when opening it, so the earlier side effects should disappear now. // Ulf --- gzip.c.old 2005-04-28 01:45:23.405819616 +0200 +++ gzip.c 2005-04-28 02:10:35.386963544

Bug#306164: unzoo: directory traversal security bug

2005-04-24 Thread Ulf Harnhammar
Subject: unzoo: directory traversal security bug Package: unzoo Version: 4.4-2 Severity: important Tags: security Hello, unzoo suffers from an old security bug that hasn't been patched. When unpacking .zoo archives, there's no check for ../.. constructs in the file names, which makes it possible

Bug#305702: bitchx: local buffer overflow

2005-04-21 Thread Ulf Harnhammar
Subject: bitchx: local buffer overflow Package: bitchx Version: 1:1.0-0c19.20030512-2 Severity: normal Some guy on the Full-Disclosure mailing list posted this local buffer overflow exploit: http://www.g-0.org/code/bx-xp.c (also attached) The exploit works on my machine in that it gives a

Bug#305708: chkrootkit: new version available

2005-04-21 Thread Ulf Harnhammar
Subject: chkrootkit: new version available Package: chkrootkit Version: 0.44-2 Severity: wishlist Hello, there's a 0.45 version out now since February 2005. Please consider packaging that. It's important to keep this type of program updated. // Ulf Härnhammar -- System Information: Debian

Bug#305255: suggestion

2005-04-20 Thread Ulf Harnhammar
Pawel, would it help if I changed the patch so it only does this when decompressing? // Ulf Härnhammar

Bug#305240: rats: doesn't escape HTML tags found in the C code

2005-04-18 Thread Ulf Harnhammar
Subject: rats: doesn't escape HTML tags found in the C code Package: rats Version: 2.1-3 Severity: normal Tags: patch When using the options --context and --html, rats doesn't escape HTML code found in the C code when creating HTML reports. Here is an example: [EMAIL PROTECTED]:~/rats-test$

Bug#305255: gzip: dir traversal bug when using gunzip -N

2005-04-18 Thread Ulf Harnhammar
Subject: gzip: dir traversal bug when using gunzip -N Package: gzip Version: 1.3.5-9 Severity: important Tags: security patch A directory traversal bug exists in multiple versions of gzip. When compressing a file, gzip saves its original name but not its path inside the compressed file. When

Bug#304525: ilohamail: XSS security bugs

2005-04-13 Thread Ulf Harnhammar
Subject: ilohamail: XSS security bugs Package: ilohamail Version: 0.8.14-0rc3 Severity: important Tags: security patch Hello, I have found a bunch of XSS (cross-site scripting) security problems in ilohamail. If a victim opens an e-mail message from an attacker in ilohamail, the attacker may

Bug#302454: trackballs: Follows symlinks as gid games

2005-03-31 Thread Ulf Harnhammar
~/.trackballs $ ln -s /var/games/gnometris.scores ~/.trackballs/metaur.gmr $ ln -s /tmp/testing ~/.trackballs/settings $ ls -al /tmp/testing ls: /tmp/testing: No such file or directory $ cat /var/games/gnometris.scores 31.00 1105059399 Ulf Harnhammar $ ls -al ~/.trackballs/ total 12 drwxr-xr-x 2

Bug#302493: buggy bug fix

2005-03-31 Thread Ulf Harnhammar
Subject: bumprace: 290706 isn't really closed Package: bumprace Version: 1.4.6-3 Severity: normal 1.4.6-3 doesn't fix bug #290706, which is archived by now. Try the perl command and the attached .bumprace file and you'll see that it still crashes in both cases. // Ulf Härnhammar -- System

Bug#297646: bug still exists

2005-03-06 Thread Ulf Harnhammar
reopen 297646 thanks The 1.0.0-8 version doesn't fix the bug. // Ulf Härnhammar

Bug#297644: icebreaker: crashes when high score names contain %n%n%n%n

2005-03-01 Thread Ulf Harnhammar
Subject: icebreaker: crashes when high score names contain %n%n%n%n Package: icebreaker Version: 1.21-9 Severity: normal Tags: patch Hello, icebreaker crashes when high score names contain strings like %n%n%n%n. It is caused by a bunch of bad snprintf() calls in hiscore.c. You can test the bug

Bug#297646: trackballs: crashes when $USER contains %n%n%n%n%n%n

2005-03-01 Thread Ulf Harnhammar
Subject: trackballs: crashes when $USER contains %n%n%n%n%n%n Package: trackballs Version: 1.0.0-7 Severity: normal Tags: patch Hello, trackballs crashes when the USER environment variable contains strings like %n%n%n%n%n%n. It is caused by a bad snprintf() call. I have attached a patch. [EMAIL

Bug#289784: xshisen: buffer overflow when handling GECOS field

2005-01-10 Thread Ulf Harnhammar
earlier buffer overflows in xshisen that Steve Kemp found in 2003: http://bugs.debian.org/213957 // Ulf Harnhammar for the Debian Security Audit Project http://www.debian.org/security/audit/ -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing