Debian Bug report logs - #307852
CAN-2005-1391: buffer overflow in add_port function


Package: pound; Maintainer for pound is Brett Parker <iDunno@sommitrealweird.co.uk>; Source for pound is src:pound.

Reported by: FX <gentoo@sbcglobal.net>

Date: Wed, 27 Apr 2005 20:33:13 UTC

Severity: important

Tags: fixed, patch, security

Fixed in version pound/1.9-1

Done: Joerg Wendland <joergland@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#306649; Package pound.

Acknowledgement sent to FX <gentoo@sbcglobal.net>:
New Bug report received and forwarded. Copy sent to Sam Johnston <samj@aos.net.au>.

Message #5 received at submit@bugs.debian.org:

From: FX <gentoo@sbcglobal.net>
To: submit@bugs.debian.org
Subject: New upstream version 1.8.3
Date: Wed, 27 Apr 2005 15:27:50 -0500
package: pound
severity: important
tags: security

New upstream version 1.8.3 is a bug-fix interim release that includes a fix for a sprintf buffer overflow.

Changes include:

- fixed a potential buffer overflow problem (thanks to Steven Van Acker
for bringing it to my attention). Hopefully this is the last sprintf we
have missed.

- RewriteRedirect 2 ignores port value for host matching (suggested by
Frank Schmirle)

- Minor "cosmetic" fixes (suggested by Frank Schmirler)

Bug 306649 cloned as bug 307852. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Changed Bug title. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>:
Bug#307852; Package pound.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.

Message #14 received at 307852@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: 307852@bugs.debian.org
Subject: Patch - NMU?
Date: Thu, 5 May 2005 23:01:19 +0200
Hi.

I prepared a patch for the security problem in pound:

diff -Naur pound-1.8.2.bak/debian/changelog pound-1.8.2/debian/changelog
--- pound-1.8.2.bak/debian/changelog	2005-05-05 22:22:44.190098920 +0200
+++ pound-1.8.2/debian/changelog	2005-05-05 22:55:11.950994256 +0200
@@ -1,3 +1,12 @@
+pound (1.8.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CAN-2005-1391: Fix possible buffer overflow in the add_port
+    function which could be triggered by a long Host: header
+    from a remote host (Closes: #307852)
+
+ -- Frank Lichtenheld <djpig@debian.org>  Thu,  5 May 2005 22:32:12 +0200
+
 pound (1.8.2-1) unstable; urgency=low
 
   * New upstream version, closes: #285357
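Review bot: The changelog entry does not say which upstream release carries the same fix; the first message in this bug names 1.8.3, and noting that here (e.g. "fix taken from upstream 1.8.3") lets the maintainer drop the patch cleanly on the next upstream merge. The CAN id, the stated trigger (a long Host: header from a remote host) and urgency=high are all appropriate for a security NMU.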
diff -Naur pound-1.8.2.bak/svc.c pound-1.8.2/svc.c
--- pound-1.8.2.bak/svc.c	2005-03-07 19:09:35.000000000 +0100
+++ pound-1.8.2/svc.c	2005-05-05 22:37:32.368075344 +0200
@@ -690,7 +690,7 @@
     if(strchr(host, ':') != NULL)
         /* the host already contains a port */
         return NULL;
-    sprintf(res, "Host: %s:%hd", host, ntohs(to_host->sin_port));
+    snprintf(res, MAXBUF - 1, "Host: %s:%hd", host, ntohs(to_host->sin_port));
     return strdup(res);
 }
 
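Review bot: The snprintf bound stops the overflow, but the hunk now silently truncates instead of failing: an over-long host yields a cut-off "Host: ..." value that is strdup'd and returned as if it were valid, whereas the strchr case a few lines up returns NULL. Check the return value of snprintf against the buffer size and return NULL when it is >= MAXBUF - 1, assuming res is a MAXBUF-sized buffer, which is not visible in the hunk. Separately, `%hd` prints the ntohs() result as a signed short, so ports above 32767 would be rendered as negative numbers; `%hu` is the matching conversion.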

I can do an NMU for this problem if wanted.

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
Tags added: patch. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Reply sent to Joerg Wendland <joergland@debian.org>:
You have taken responsibility.

Notification sent to FX <gentoo@sbcglobal.net>:
Bug acknowledged by developer.

Message #23 received at 307852-close@bugs.debian.org:

From: Joerg Wendland <joergland@debian.org>
To: 307852-close@bugs.debian.org
Subject: Bug#307852: fixed in pound 1.9-1
Date: Mon, 11 Jul 2005 04:23:06 -0400
Source: pound
Source-Version: 1.9-1

We believe that the bug you reported is fixed in the latest version of
pound, which is due to be installed in the Debian FTP archive:

pound_1.9-1.diff.gz
  to pool/main/p/pound/pound_1.9-1.diff.gz
pound_1.9-1.dsc
  to pool/main/p/pound/pound_1.9-1.dsc
pound_1.9-1_i386.deb
  to pool/main/p/pound/pound_1.9-1_i386.deb
pound_1.9.orig.tar.gz
  to pool/main/p/pound/pound_1.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 307852@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joerg Wendland <joergland@debian.org> (supplier of updated pound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 11 Jul 2005 09:16:30 +0200
Source: pound
Binary: pound
Architecture: source i386
Version: 1.9-1
Distribution: unstable
Urgency: low
Maintainer: Sam Johnston <samj@aos.net.au>
Changed-By: Joerg Wendland <joergland@debian.org>
Description: 
 pound      - reverse proxy, load balancer and https front-end for web-servers
Closes: 306649 307852 310646 311548
Changes: 
 pound (1.9-1) unstable; urgency=low
 .
   * New upstream version, closes: #310646, #311548, #306649
   * Ack security NMU, the fix is included upstream, closes: #307852
   * Add myself to uploaders with ok from Sam.
   * Clean up debian/:
     - remove rules.old
     - remove bogus comments and commands from rules
     - remove config, debconf is not used
   * debian/init.d:
     - use pid file
     - remove commented lines
Files: 
 38abfb5c7902fcbf5e5134d5911e5d99 664 net extra pound_1.9-1.dsc
 09e208e844da1121943289e71911366c 143306 net extra pound_1.9.orig.tar.gz
 6f05259e7e2081f31777ff7f0bff4c8d 10634 net extra pound_1.9-1.diff.gz
 3a0d783961f5c339ecb2e3484e3a3ab1 69220 net extra pound_1.9-1_i386.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 20:21:36 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:09:01 2014; Machine Name: buxtehude.debian.org