Debian Bug report logs - #287044
CAN-2004-1282 Buffer overflow in the strexpand function
Reported by: Joey Hess <joeyh@debian.org>
Date: Thu, 23 Dec 2004 21:18:03 UTC
Severity: grave
Tags: security
Found in version 1.2.0-6
Fixed in version linpopup/1.2.0-7
Done: Paul Slootman <paul@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#287044; Package linpopup.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: linpopup
Version: 1.2.0-6
Severity: grave
Tags: security
Linpopup seems to be vulnerable to CAN-2004-1282:
Buffer overflow in the strexpand function in string.c for LinPopUp 1.2.0
allows remote attackers to execute arbitrary code via a crafted message
that is not properly handled during a Reply operation.
Details here: http://tigger.uic.edu/~jlongs2/holes/linpopup.txt
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages linpopup depends on:
ii debconf 1.4.41 Debian configuration management sy
ii libc6 2.3.2.ds1-19 GNU C Library: Shared libraries an
ii libglib1.2 1.2.10-9 The GLib library of C routines
ii libgtk1.2 1.2.10-17 The GIMP Toolkit set of widgets fo
ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library
ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii libxi6 4.3.0.dfsg.1-10 X Window System Input extension li
ii libxmu6 4.3.0.dfsg.1-10 X Window System miscellaneous util
ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics
pn samba Not found.
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
--
see shy jo
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#287044; Package linpopup.
Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list.
Message #10 received at 287044@bugs.debian.org:
On Thu 23 Dec 2004, Joey Hess wrote:
>
> Buffer overflow in the strexpand function in string.c for LinPopUp 1.2.0
> allows remote attackers to execute arbitrary code via a crafted message
> that is not properly handled during a Reply operation.
OK, quick fix for string.c, I'll look into whether a redesign of the
whole thing might be useful tomorrow...
Opinions? I'll upload in about 30 minutes.
Paul Slootman
[string.c.diff (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#287044; Package linpopup.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
Message #15 received at 287044@bugs.debian.org:
Paul Slootman wrote:
> OK, quick fix for string.c, I'll look into whether a redesign of the
> whole thing might be useful tomorrow...
> Opinions? I'll upload in about 30 minutes.
I'm too brain-dead to have a trustable opinion after going over all
these security holes. :-) I think there was an exploit (may work better
on freebsd), if you want to try to test it.
--
see shy jo
Reply sent to Paul Slootman <paul@debian.org>:
You have taken responsibility.
Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.
Message #20 received at 287044-close@bugs.debian.org:
Source: linpopup
Source-Version: 1.2.0-7
We believe that the bug you reported is fixed in the latest version of
linpopup, which is due to be installed in the Debian FTP archive:
linpopup_1.2.0-7.diff.gz
to pool/main/l/linpopup/linpopup_1.2.0-7.diff.gz
linpopup_1.2.0-7.dsc
to pool/main/l/linpopup/linpopup_1.2.0-7.dsc
linpopup_1.2.0-7_i386.deb
to pool/main/l/linpopup/linpopup_1.2.0-7_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 287044@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Slootman <paul@debian.org> (supplier of updated linpopup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 23 Dec 2004 22:46:30 +0100
Source: linpopup
Binary: linpopup
Architecture: source i386
Version: 1.2.0-7
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Paul Slootman <paul@debian.org>
Description:
linpopup - X Window System port of Winpopup, running over Samba
Closes: 268556 270791 276903 280345 287044
Changes:
linpopup (1.2.0-7) unstable; urgency=high
.
* Fixed vulnerability CAN-2004-1282
closes:#287044
* Updated German debconf translation, thanks to Jens Nachtigall.
closes:#276903
* Updated Dutch debconf translation, thanks to Luk Claes / cobaco
(As cobaco's version is later and also vetted by the debian-l10n-dutch
team, I'm using that one. Thanks to Luk Claes anyway!)
closes:#270791,#280345
* Replaced "Xwindow" in the description with "X Window System".
closes:#268556
* Samba changed again... find out the installed samba version differently.
Files:
f43d23ad15bfe9ecf2c2fcf90cc889c9 587 net optional linpopup_1.2.0-7.dsc
b3e87f70753239933749c18c8fef9fc6 19416 net optional linpopup_1.2.0-7.diff.gz
21453c449f5680811518e86f5bffc1e1 77828 net optional linpopup_1.2.0-7_i386.deb
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#287044; Package linpopup.
Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list.
Message #25 received at 287044@bugs.debian.org:
On Thu 23 Dec 2004, Joey Hess wrote:
> Paul Slootman wrote:
> > OK, quick fix for string.c, I'll look into whether a redesign of the
> > whole thing might be useful tomorrow...
> > Opinions? I'll upload in about 30 minutes.
>
> I'm too brain-dead to have a trustable opinion after going over all
> these security holes. :-) I think there was an exploit (may work better
> on freebsd), if you want to try to test it.
I'll try to contact the exploit discoverer; I've tried to google for the
example message that demonstrates the exploit on freebsd, but haven't
found it yet.
In the meantime I've uploaded a version with my fix in it.
Thanks,
Paul Slootman
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#287044; Package linpopup.
Acknowledgement sent to Gerrit Pape <pape@dbnbgs.smarden.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
Message #30 received at 287044@bugs.debian.org:
On Thu, Dec 23, 2004 at 11:50:35PM +0100, Paul Slootman wrote:
> I'll try to contact the exploit discoverer; I've tried to google for the
> example message that demonstrates the exploit on freebsd, but haven't
> found it yet.
It's on the securesoftware mailing list
http://securesoftware.list.cr.yp.to/archive/0/12
See
http://securesoftware.list.cr.yp.to/archive/0/09
http://securesoftware.list.cr.yp.to/archive/0/10
...
http://securesoftware.list.cr.yp.to/archive/0/53
Regards, Gerrit.
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#287044; Package linpopup.
Acknowledgement sent to Paul Slootman <paul@debian.org>:
Extra info received and forwarded to list.
Message #35 received at 287044@bugs.debian.org:
On Thu 23 Dec 2004, Gerrit Pape wrote:
> On Thu, Dec 23, 2004 at 11:50:35PM +0100, Paul Slootman wrote:
> > I'll try to contact the exploit discoverer; I've tried to google for the
> > example message that demonstrates the exploit on freebsd, but haven't
> > found it yet.
>
> It's on the securesoftware mailing list
> http://securesoftware.list.cr.yp.to/archive/0/12
Thanks!
I've confirmed that my version doesn't do anything strange with that
prepared message.
Paul Slootman
Tags added: security
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
Last modified: Mon Jul 15 22:31:30 2024