Debian Bug report logs -
#270485
libgksu1.2-0: contains several buffer overflows
Reported by: Martin Pitt <martin.pitt@canonical.com>
Date: Tue, 7 Sep 2004 15:48:05 UTC
Severity: important
Tags: patch
Found in version 1.2.3-1
Fixed in version libgksu1.2/1.2.4-1
Done: Gustavo Noronha Silva <kov@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#270485; Package libgksu1.2-0.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
New Bug report received and forwarded. Copy sent to Gustavo Noronha Silva <kov@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libgksu1.2-0
Version: 1.2.3-1
Severity: important
Tags: patch
Hi Gustavo, hi Allan!
I discovered several buffer overflows and a non-zero-terminated printf
in libgksu which cause gksudo to segfault (see changelog and patch for
details). I don't think that this error has major security
implications, therefore I leave the severity at important.
I put the patch (against our company's version 1.2.2) to
http://sqash.this.segfault.no-name-yet.com/patches/libgksu1.2.bufoverflow.diff
Applying it to the unstable version will fail at the Debian changelog
(because of the different version numbers), but the source patch
applies cleanly.
Please push this change upstream.
Changelog:
|libgksu1.2 (1.2.2-1ubuntu1) warty; urgency=low
|
| * libgksu/gksu-context.c:gksu_context_sudo_run():
| - char buf[16] was repeatedly overflowed by reading/writing 256 bytes,
| causing segfaults and improper status messages; having two buffers 'buf'
| and 'buffer' with different lengths does not really avoid errors, so 'buf'
| was eliminated completely
| - properly zero-terminated buffer before printf()'ing it
| (Closes: Warty bug #1060)
|
| -- Martin Pitt <mpitt@debian.org> Tue, 7 Sep 2004 16:50:28 +0200
Thanks and have a nice day!
Martin
--
Martin Pitt Debian GNU/Linux Developer
martin@piware.de mpitt@debian.org
http://www.piware.de http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
Reply sent to Gustavo Noronha Silva <kov@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Martin Pitt <martin.pitt@canonical.com>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 270485-close@bugs.debian.org (full text, mbox, reply):
Source: libgksu1.2
Source-Version: 1.2.4-1
We believe that the bug you reported is fixed in the latest version of
libgksu1.2, which is due to be installed in the Debian FTP archive:
libgksu1.2-0_1.2.4-1_i386.deb
to pool/main/libg/libgksu1.2/libgksu1.2-0_1.2.4-1_i386.deb
libgksu1.2-dev_1.2.4-1_i386.deb
to pool/main/libg/libgksu1.2/libgksu1.2-dev_1.2.4-1_i386.deb
libgksu1.2_1.2.4-1.diff.gz
to pool/main/libg/libgksu1.2/libgksu1.2_1.2.4-1.diff.gz
libgksu1.2_1.2.4-1.dsc
to pool/main/libg/libgksu1.2/libgksu1.2_1.2.4-1.dsc
libgksu1.2_1.2.4.orig.tar.gz
to pool/main/libg/libgksu1.2/libgksu1.2_1.2.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 270485@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gustavo Noronha Silva <kov@debian.org> (supplier of updated libgksu1.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 7 Sep 2004 23:04:07 -0300
Source: libgksu1.2
Binary: libgksu1.2-dev libgksu1.2-0
Architecture: source i386
Version: 1.2.4-1
Distribution: unstable
Urgency: high
Maintainer: Gustavo Noronha Silva <kov@debian.org>
Changed-By: Gustavo Noronha Silva <kov@debian.org>
Description:
libgksu1.2-0 - library providing su and sudo functionality
libgksu1.2-dev - library providing su and sudo functionality (development files)
Closes: 270485
Changes:
libgksu1.2 (1.2.4-1) unstable; urgency=high
.
* New upstream release
- includes patch by Martin Pitt <martin.pitt@canonical.com>
to fix buffer overflows (Closes: #270485)
- seting priority to high to make this change go into sarge
asap
Files:
7038b10d4b70cf6335e2cef9505bd27f 668 admin optional libgksu1.2_1.2.4-1.dsc
7a7449d649ea7012c958e4372a9db88a 559121 admin optional libgksu1.2_1.2.4.orig.tar.gz
17b26db6b2dd42333333a1cdf1e2e558 6110 admin optional libgksu1.2_1.2.4-1.diff.gz
14150795238e14f61b69c0350014a2a9 26242 libs optional libgksu1.2-0_1.2.4-1_i386.deb
ef4d8440b82aebe81ef32947c48f1345 21454 libdevel optional libgksu1.2-dev_1.2.4-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBPmoct1anjIgqbEsRAnrJAJ9sk2UxnNweGfNqd50v8plHUbAnigCgrrIn
8lB7LTAwpSV9JElodZouo+8=
=GE1B
-----END PGP SIGNATURE-----
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:43:56 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:49:34 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Oct 11 12:07:59 2017;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.