tag 341394 patch thanks webmin (1.180-3sarge0) stable-security; urgency=high
* [SECURITY] CVE-2005-3912 Fix syslog format string vulnerability in miniserv.pl (Closes: #341394) This string vulnerability could be used to gain access to the account running miniserv.pl by creating a specially crafted username. This vulnerability does not affect machines which are running Sys::Syslog >= 0.07. -- Don Armstrong <[EMAIL PROTECTED]> Tue, 27 Dec 2005 04:08:16 -0800 dsc and diff.gz are available if necessary at http://rzlab.ucr.edu/debian/webmin/ (Note again that this vulnerability does not affect testing or unstable, as Sys::Syslog properly handles two-argument syslog calls in modern versions) Don Armstrong -- "I was thinking seven figures," he said, "but I would have taken a hundred grand. I'm not a greedy person." [All for a moldy bottle of tropicana.] -- Sammi Hadzovic [in Andy Newman's 2003/02/14 NYT article.] http://www.nytimes.com/2003/02/14/nyregion/14EYEB.html http://www.donarmstrong.com http://rzlab.ucr.edu
diff -u webmin-1.180/debian/changelog webmin-1.180/debian/changelog --- webmin-1.180/debian/changelog +++ webmin-1.180/debian/changelog @@ -1,3 +1,13 @@ +webmin (1.180-3sarge0) stable-security; urgency=high + + * [SECURITY] CVE-2005-3912 Fix syslog format string vulnerability in + miniserv.pl (Closes: #341394) This string vulnerability could be used + to gain access to the account running miniserv.pl by creating a + specialy crafted username. This vulnerability does not affect machines + which are running Sys::Syslog >= 0.07. + + -- Don Armstrong <[EMAIL PROTECTED]> Tue, 27 Dec 2005 04:08:16 -0800 + webmin (1.180-3) unstable; urgency=high * The ability to install third-party modules safely has been added. only in patch2: unchanged: --- webmin-1.180.orig/miniserv.pl +++ webmin-1.180/miniserv.pl @@ -220,11 +220,11 @@ } else { local $msg = ucfirst($config{'pam'})." starting"; - eval { syslog("info", $msg); }; + eval { syslog("info", '%s', $msg); }; if ($@) { eval { setlogsock("inet"); - syslog("info", $msg); + syslog("info", '%s', $msg); }; if ($@) { # All attempts to use syslog have failed.. @@ -546,7 +546,7 @@ &run_logout_script($s, $sdb[0]); delete($sessiondb{$s}); if ($use_syslog) { - syslog("info", "Timeout of $sdb[0]"); + syslog("info", '%s', "Timeout of $sdb[0]"); } } } @@ -712,7 +712,7 @@ local $logtext = "Security alert: Host $2 ". "blocked after $config{'blockhost_failures'} ". "failed logins for user $1"; - syslog("crit", $logtext); + syslog("crit", '%s', $logtext); } } else { @@ -1046,12 +1046,12 @@ if ($certs{$u} eq $peername) { $authuser = $u; $validated = 2; - #syslog("info", "SSL login as $authuser from $acpthost") if ($use_syslog); + #syslog("info", '%s', "SSL login as $authuser from $acpthost") if ($use_syslog); last; } } if ($use_syslog && !$validated) { - syslog("crit", + syslog("crit", '%s', "Unknown SSL certificate $peername"); } } 
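Review bot: The literal `'%s'` now has to be repeated at every syslog() call site in miniserv.pl (the hunk at line 220 and each later hunk), so a call added later without it brings the format string problem back on systems with Sys::Syslog older than 0.07. Routing all logging through one small wrapper would fix the format argument in a single place, for example `sub syslog_text { syslog($_[0], '%s', $_[1]); }` (the name is only a suggestion). Short of that, a comment above the first call such as `# Always pass '%s': the message may contain user-supplied text` would tell a maintainer why the extra argument must stay. The enclosing block starts and ends outside the hunk.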
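Review bot: In the hunk at line 546 the rewritten `syslog("info", '%s', "Timeout of $sdb[0]");` is still called without `eval`, unlike the start-up calls in the hunk at line 220, which are wrapped and followed by an `if ($@)` fallback because syslog() can die when the log socket is unavailable. If that happens here the exception leaves the session clean-up code after the session entry has already been deleted; whether any caller catches it is not visible in the hunk. Consider `eval { syslog("info", '%s', "Timeout of $sdb[0]"); };`, and likewise for the bare calls in the hunks at lines 712, 1046, 1084, 1121, 1211, 1227 and 1239. The enclosing block begins and ends outside the hunk.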
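Review bot: `$logtext` in the hunk at line 712 is no longer interpreted as a format string, but it is still logged verbatim, and `$1` (the user name in "failed logins for user $1") presumably comes from the login attempt. Embedded control characters or newlines could therefore still yield misleading log entries, depending on how the syslog daemon handles them. Neutralising them before the call, e.g. `$logtext =~ s/[\x00-\x1f\x7f]/?/g;`, would close that gap. The same holds for `$peername`, `$authuser`, `$louser`, `$in{'user'}` and `$acpthost` in the hunks at lines 1046, 1084, 1121, 1211, 1227 and 1239. The match that sets `$1` and `$2` is outside the hunk.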
@@ -1084,7 +1084,7 @@ $validated = 0; } if ($use_syslog && !$validated) { - syslog("crit", + syslog("crit", '%s', ($nonexist ? "Non-existent" : $expired ? "Expired" : "Invalid"). " login as $authuser from $acpthost"); @@ -1121,7 +1121,7 @@ $authuser = $baseauthuser = undef; if ($louser) { if ($use_syslog) { - syslog("info", "Logout by $louser from $acpthost"); + syslog("info", '%s', "Logout by $louser from $acpthost"); } &run_logout_script($louser, $sid, $acptip, $localip); @@ -1211,7 +1211,7 @@ &write_keep_alive(0); &write_data("\r\n"); &log_request($acpthost, $authuser, $reqline, 302, 0); - syslog("info", "Successful login as $authuser from $acpthost") if ($use_syslog); + syslog("info", '%s', "Successful login as $authuser from $acpthost") if ($use_syslog); return 0; } elsif ($ok && $expired && @@ -1227,7 +1227,7 @@ $page = $config{'password_form'}; $logged_code = 401; $miniserv_internal = 2; - syslog("crit", + syslog("crit", '%s', "Expired login as $in{'user'} ". "from $acpthost") if ($use_syslog); } @@ -1239,7 +1239,7 @@ $already_session_id = undef; $method = "GET"; $authuser = $baseauthuser = undef; - syslog("crit", + syslog("crit", '%s', ($nonexist ? "Non-existent" : $expired ? "Expired" : "Invalid"). " login as $in{'user'} from $acpthost") @@ -1292,13 +1292,13 @@ # Local user exists in webmin users file $validated = 1; $authuser = $localauth_user; - # syslog("info", "Local login as $authuser from $acpthost") if ($use_syslog); + # syslog("info", '%s', "Local login as $authuser from $acpthost") if ($use_syslog); } elsif ($config{'unixauth'}) { # Local user must exist $validated = 2; $authuser = $localauth_user; - # syslog("info", "Local login as $authuser from $acpthost") if ($use_syslog); + # syslog("info", '%s', "Local login as $authuser from $acpthost") if ($use_syslog); } else { $localauth_user = undef;