Debian Bug report logs - #340959
centericq: Buffer overflow in embedded ktools library

Package: centericq; Maintainer for centericq is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sun, 27 Nov 2005 12:18:04 UTC

Severity: grave

Tags: security

Fixed in version centericq/4.21.0-6

Done: Julien Lemoine <speedblue@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Julien LEMOINE <speedblue@debian.org>:
Bug#340959; Package centericq.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Julien LEMOINE <speedblue@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: centericq: Buffer overflow in embedded ktools library
Date: Sun, 27 Nov 2005 13:08:41 +0100
Package: centericq
Severity: grave
Tags: security

A buffer overflow has been found in the VGETSTRING function of
the ktools library included in centericq, which, judging from the
description, sounds remotely exploitable. Please see
http://www.zone-h.org/en/advisories/read/id=8480/ for details.

As the mentioned library is used in two other Debian source packages
(motor and orpheus) as well, you should check whether it's feasible
to package it as a separate package and link dynamically.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Julien LEMOINE <speedblue@debian.org>:
Bug#340959; Package centericq.

Acknowledgement sent to Julien Lemoine <speedblue@happycoders.org>:
Extra info received and forwarded to list. Copy sent to Julien LEMOINE <speedblue@debian.org>.

Message #10 received at 340959@bugs.debian.org:

From: Julien Lemoine <speedblue@happycoders.org>
To: 340959@bugs.debian.org, 340959-submitter@bugs.debian.org
Subject: Ktools buffer overflow
Date: Wed, 30 Nov 2005 08:50:22 +0100
[Message part 1 (text/plain, inline)]
Hello,

   I decided to apply the following patch (attached) to ktools in order
to avoid the security problem in centericq. I am waiting for a better
patch from upstream and will include it as soon as it is available.

Best Regards.
Julien Lemoine.
[vgetstring.dpatch (text/plain, inline)]
#! /bin/sh -e
## vgetstring.dpatch by Julien LEMOINE <speedblue@debian.org>
##
## DP: fix buffer overflow in VGETSTRING macro by replacing vsprintf by vsnprintf

[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
patch_opts="${patch_opts:--f --no-backup-if-mismatch}"

if [ $# -ne 1 ]; then
    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
    exit 1
fi
case "$1" in
       -patch) patch $patch_opts -p1 < $0;;
       -unpatch) patch $patch_opts -p1 -R < $0;;
        *)
                echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
                exit 1;;
esac

exit 0
diff -bBdNrw -U5 centericq-4.21.0/kkstrtext-0.1/kkstrtext.h centericq-4.21.0.modif/kkstrtext-0.1/kkstrtext.h
--- centericq-4.21.0/kkstrtext-0.1/kkstrtext.h	2004-11-18 00:00:38.000000000 +0100
+++ centericq-4.21.0.modif/kkstrtext-0.1/kkstrtext.h	2005-11-30 08:41:58.000000000 +0100
@@ -85,11 +85,11 @@
 
 #define VGETSTRING(c, fmt) \
     { \
 	va_list vgs__ap; char vgs__buf[1024]; \
 	va_start(vgs__ap, fmt); \
-	vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
+	vsnprintf(vgs__buf, 1024, fmt, vgs__ap); c = vgs__buf; \
 	va_end(vgs__ap); \
     }
 
 string justfname(const string &fname);
 string justpathname(const string &fname);
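Review bot: the `+` line `vsnprintf(vgs__buf, 1024, fmt, vgs__ap); c = vgs__buf;` stops the write at the end of `vgs__buf`, but it discards the vsnprintf return value, so any output longer than 1023 characters is silently cut short and `c` receives a truncated string without the caller noticing. Consider `vsnprintf(vgs__buf, sizeof vgs__buf, fmt, vgs__ap)` so the size cannot drift from the `char vgs__buf[1024]` declaration one line above, and either compare the return value against `sizeof vgs__buf` or document in the macro that VGETSTRING truncates.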

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#340959.

Reply sent to Julien Lemoine <speedblue@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #18 received at 340959-close@bugs.debian.org:

From: Julien Lemoine <speedblue@debian.org>
To: 340959-close@bugs.debian.org
Subject: Bug#340959: fixed in centericq 4.21.0-6
Date: Wed, 30 Nov 2005 01:02:11 -0800
Source: centericq
Source-Version: 4.21.0-6

We believe that the bug you reported is fixed in the latest version of
centericq, which is due to be installed in the Debian FTP archive:

centericq-common_4.21.0-6_i386.deb
  to pool/main/c/centericq/centericq-common_4.21.0-6_i386.deb
centericq-fribidi_4.21.0-6_i386.deb
  to pool/main/c/centericq/centericq-fribidi_4.21.0-6_i386.deb
centericq-utf8_4.21.0-6_i386.deb
  to pool/main/c/centericq/centericq-utf8_4.21.0-6_i386.deb
centericq_4.21.0-6.diff.gz
  to pool/main/c/centericq/centericq_4.21.0-6.diff.gz
centericq_4.21.0-6.dsc
  to pool/main/c/centericq/centericq_4.21.0-6.dsc
centericq_4.21.0-6_i386.deb
  to pool/main/c/centericq/centericq_4.21.0-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340959@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Lemoine <speedblue@debian.org> (supplier of updated centericq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 30 Nov 2005 08:43:49 +0100
Source: centericq
Binary: centericq-common centericq-utf8 centericq-fribidi centericq
Architecture: source i386
Version: 4.21.0-6
Distribution: unstable
Urgency: high
Maintainer: Julien LEMOINE <speedblue@debian.org>
Changed-By: Julien Lemoine <speedblue@debian.org>
Description: 
 centericq  - A text-mode multi-protocol instant messenger client
 centericq-common - A text-mode multi-protocol instant messenger client (data files)
 centericq-fribidi - A text-mode multi-protocol instant messenger client (Hebrew)
 centericq-utf8 - A text-mode multi-protocol instant messenger client
Closes: 340790 340959
Changes: 
 centericq (4.21.0-6) unstable; urgency=high
 .
   * Fixed compilation error (assume that libc is used to avoid static
     redefinition of stpcpy, memcpy, ...)
     (Closes: 340790)
   * SECURITY: Fixed buffer overflow in embedded ktools library by replacing
     vsprintf by vsnprintf (Waiting for a better patch from upstream)
     (Closes: #340959)
Files: 



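The changelog entry above records the fix as swapping vsprintf for vsnprintf with the macro's 1024-byte buffer size. The following C program is an added example, not part of the bug log or of the centericq sources: the hypothetical helper vgetstring_checked() formats into a fixed buffer the way the patched macro does, but also inspects the vsnprintf return value, so a caller can tell that an over-long argument was cut short rather than having overflowed the buffer. The nickname strings are constructed test input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define VGS_BUFSIZE 1024   /* same size as the patched VGETSTRING buffer */
struct vgs_result { size_t len; int fit; };

/* Hypothetical helper: formats into a fixed buffer as the patched macro
   does, but also reports whether vsnprintf had to truncate. Returns 1 if
   the complete output fit, 0 if it was cut short. */
static int vgetstring_checked(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf writes at most outsz bytes (NUL included) and returns the
       length the complete output would have had (C99). */
    int needed = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (needed < 0) { out[0] = '\0'; return 0; }
    return (size_t)needed < outsz;
}

/* Constructed input: a 1500-byte "nickname", longer than the buffer. */
static struct vgs_result demo_long_nick(void)
{
    static char buf[VGS_BUFSIZE];
    char nick[1501];
    struct vgs_result r;
    memset(nick, 'A', 1500);
    nick[1500] = '\0';
    r.fit = vgetstring_checked(buf, sizeof buf, "%s is online", nick);
    r.len = strlen(buf);   /* 1023: silently cut short, but no overflow */
    return r;
}

/* Constructed input that fits comfortably. */
static struct vgs_result demo_short_nick(void)
{
    static char buf[VGS_BUFSIZE];
    struct vgs_result r;
    r.fit = vgetstring_checked(buf, sizeof buf, "%s is online", "moritz");
    r.len = strlen(buf);   /* 16 */
    return r;
}
int main(void)
{
    struct vgs_result r = demo_long_nick();
    printf("long nick: %zu bytes written, fit=%d\n", r.len, r.fit);
    return 0;
}
```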


Information forwarded to debian-bugs-dist@lists.debian.org, Julien LEMOINE <speedblue@debian.org>:
Bug#340959; Package centericq.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Julien LEMOINE <speedblue@debian.org>.

Message #23 received at 340959@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Julien Lemoine <speedblue@happycoders.org>
Cc: 340959@bugs.debian.org
Subject: Re: Bug#340959: Ktools buffer overflow
Date: Wed, 30 Nov 2005 10:18:10 +0100
Julien Lemoine wrote:
>    I decided to apply the following patch (attached) to ktools in order
> to avoid the security problem in centericq. I am waiting for a better
> patch from upstream and will include it as soon as it is available.

This vulnerability has been assigned CVE-2005-3863 by MITRE, please mention
it in the changelog.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 01:57:22 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:28:15 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.