Launchpad has imported 8 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=471952.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
** Branch linked: lp:ubuntu/karmic/htop
--
[CVE-2008-5076] htop does not filter non-printable characters in process names
https://bugs.launchpad.net/bugs/299627
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.
--
ubuntu-bugs mailing list
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/htop/hardy-security
** Branch linked: lp:ubuntu/intrepid-updates/htop
--
This bug was fixed in the package htop - 0.6.6+svn20070915-1ubuntu0.2
---
htop (0.6.6+svn20070915-1ubuntu0.2) hardy-security; urgency=low
* SECURITY UPDATE: Insufficient character filters in htop when displaying
commands allowed programs that rewrite their program name to
This bug was fixed in the package htop - 0.8-0ubuntu1.1
---
htop (0.8-0ubuntu1.1) intrepid-security; urgency=low
* SECURITY UPDATE: Insufficient character filters in htop when displaying
commands allowed programs that rewrite their program name to inject
escape sequences.
Andreas-- the patch for hardy is not correct (FTBFS). Specifically:
- this-chstr[i] = data[j] | attrs;
+ this-chstr[i] = (isprint(data_c[j]) ? data_c[j] : '?') | attrs;
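Review bot: On the added line, isprint(data_c[j]) is called on the array element without a cast; if data_c holds plain char, any byte above 0x7F reaches isprint() as a negative int, which is undefined behaviour for the <ctype.h> functions, so write isprint((unsigned char)data_c[j]). The '?' fallback is applied per byte, so in the C locale every byte of a multi-byte UTF-8 process name is replaced as well; if that is the intended trade-off for blocking escape sequences, state it in the changelog. The removed line indexes data[] while the added one indexes data_c[], so the hunk only builds where data_c is declared in the same scope.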
You changed from data[] to data_c[]. AFAICT data_c doesn't exist in
Hardy's code. Please resubmit after testing,
** Attachment removed: htop_0.6.6+svn20070915-1ubuntu0.1.debdiff
http://launchpadlibrarian.net/25002025/htop_0.6.6%2Bsvn20070915-1ubuntu0.1.debdiff
** Attachment removed: htop_0.6.6+svn20070915-1ubuntu0.1.dsc
http://launchpadlibrarian.net/24965212/htop_0.6.6%2Bsvn20070915-1ubuntu0.1.dsc
I'm terribly sorry; seems the debdiff juggling did not go well for me
this time at all!
Here is the correct debdiff that you should have gotten in the first
place. I've started from scratch in a new directory with this debdiff to
check that everything is correct now.
The testing has been
** Also affects: htop (Ubuntu Jaunty)
Importance: Undecided
Status: Confirmed
** Also affects: htop (Ubuntu Intrepid)
Importance: Undecided
Status: New
** Also affects: htop (Ubuntu Hardy)
Importance: Undecided
Status: New
** Also affects: htop (Ubuntu Dapper)
Here is a debdiff for intrepid fixing this.
** Attachment added: htop_0.8-0ubuntu1.1.debdiff
http://launchpadlibrarian.net/24965196/htop_0.8-0ubuntu1.1.debdiff
--
And for hardy.
** Attachment added: htop_0.6.6+svn20070915-1ubuntu0.1.dsc
http://launchpadlibrarian.net/24965212/htop_0.6.6%2Bsvn20070915-1ubuntu0.1.dsc
--
gutsy goes EOL shortly, not worth fixing it there.
Fixing it for dapper will require a little more invasive fix; so I'm not
completely sure how to proceed with that one.
--
Both of the above debdiffs are of course built on that release; and
tested.
** Changed in: htop (Ubuntu Hardy)
Assignee: Andreas Wenning (andreas-wenning) => (unassigned)
** Changed in: htop (Ubuntu Intrepid)
Assignee: Andreas Wenning (andreas-wenning) => (unassigned)
--
I forgot to mention: please change the status to 'In Progress' after
uploading the hardy debdiff.
--
Andreas, thanks for your help on this! :) You uploaded a dsc file for
Hardy and not a debdiff. Can you upload the debdiff?
** Changed in: htop (Ubuntu Hardy)
Status: In Progress => Triaged
--
This one should be better :)
** Attachment added: htop_0.6.6+svn20070915-1ubuntu0.1.debdiff
http://launchpadlibrarian.net/25002025/htop_0.6.6%2Bsvn20070915-1ubuntu0.1.debdiff
** Changed in: htop (Ubuntu Hardy)
Status: Triaged => In Progress
--
** Changed in: htop (Debian)
Status: Unknown => Fix Released
--
** Bug watch added: SourceForge.net Tracker #2311373
http://sourceforge.net/support/tracker.php?aid=2311373
** Also affects: htop via
http://sourceforge.net/support/tracker.php?aid=2311373
Importance: Unknown
Status: Unknown
--
Currently do not have the time to fix this bug. I will pass it on to
someone who knows more about security processes in Ubuntu.
** Changed in: htop (Ubuntu)
Assignee: David Futcher (bobbo) => (unassigned)
Status: In Progress => Confirmed
--
After reading the code for the last few releases of Htop, all Ubuntu
releases all the way back to Dapper are affected by this bug.
** Changed in: htop (Ubuntu)
Assignee: (unassigned) => David Futcher (bobbo)
Status: Fix Released => In Progress
--
How is this applied patch supposed to be working with Unicode
characters?
--
** Visibility changed to: Public
--
This bug was fixed in the package htop - 0.8.1-0ubuntu2
---
htop (0.8.1-0ubuntu2) jaunty; urgency=low
* Add patch (inline) to filter non-printable characters in process names.
Thanks to Andrew O. Shadoura for the patch. (LP: #299627)
- This bug could be used by an attacker