Debian Bug report logs - #378640
libnet-server-perl: [CVE-2005-1127] format string vulnerability in log() function

version graph

Package: libnet-server-perl; Maintainer for libnet-server-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libnet-server-perl is src:libnet-server-perl.

Reported by: Stephen Gran <sgran@debian.org>

Date: Tue, 18 Jul 2006 00:03:06 UTC

Severity: critical

Tags: patch, security

Found in versions libnet-server-perl/0.87-3, 0.87-3

Fixed in version 0.89-1

Done: Adeodato Simó <dato@net.com.org.es>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Carsten Wolff <carsten@wolffcarsten.de>:
Bug#378640; Package libnet-server-perl. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
New Bug report received and forwarded. Copy sent to Carsten Wolff <carsten@wolffcarsten.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnet-server-perl: [CVE-2005-1127] format string vulnerability in log() function
Date: Tue, 18 Jul 2006 00:40:24 +0100
[Message part 1 (text/plain, inline)]
Package: libnet-server-perl
Version: 0.87-3
Severity: critical
Tags: security patch

Hello Carsten,

It appears that this is still a problem for stable, and no bug was ever
opened.  I have pinged the security team about it, and sent a rough
patch (below).  Can you verify that it is complete, and work with
team@security to make sure this gets fixed for sarge as well?

Thanks,

diff -Nru /tmp/Ahc2P0oPki/libnet-server-perl-0.87/lib/Net/Server.pm /tmp/4HT6qXR2pz/libnet-server-perl-0.90/lib/Net/Server.pm
--- /tmp/Ahc2P0oPki/libnet-server-perl-0.87/lib/Net/Server.pm   2003-11-06 22:49:05.000000000 +0000
+++ /tmp/4HT6qXR2pz/libnet-server-perl-0.90/lib/Net/Server.pm   2005-12-05 21:13:04.000000000 +0000
@@ -1036,41 +1116,38 @@

 ### record output
 sub log {
-  my $self  = shift;
+  my ($self, $level, $msg) = @_;
   my $prop = $self->{server};
-  my $level = shift;

   return unless $prop->{log_level};
   return unless $level <= $prop->{log_level};

   ### log only to syslog if setup to do syslog
   if( $prop->{log_file} eq 'Sys::Syslog' ){
     $level = $level!~/^\d+$/ ? $level : $Net::Server::syslog_map->{$level} ;
-    Sys::Syslog::syslog($level,@_);
+    Sys::Syslog::syslog($level, '%s', $msg);
     return;
   }

-  $self->write_to_log_hook($level,@_);
+  $self->write_to_log_hook($level, $msg);
 }


 ### standard log routine, this could very easily be
 ### overridden with a syslog call
 sub write_to_log_hook {
-  my $self  = shift;
+  my ($self, $level, $msg) = @_;
   my $prop = $self->{server};
-  my $level = shift;
-  local $_  = shift || '';
-  chomp;
-  s/([^\n\ -\~])/sprintf("%%%02X",ord($1))/eg;
+  chomp $msg;
+  $msg =~ s/([^\n\ -\~])/sprintf("%%%02X",ord($1))/eg;

   if( $prop->{log_file} ){
-    print _SERVER_LOG $_, "\n";
+    print _SERVER_LOG $msg, "\n";
   }elsif( defined($prop->{setsid}) ){
     # do nothing
   }else{
     my $old = select(STDERR);
-    print $_. "\n";
+    print $msg. "\n";
     select($old);
   }


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686-smp
Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.ISO-8859-1)

Versions of packages libnet-server-perl depends on:
ii  libio-multiplex-perl       1.08-1        object-oriented interface to selec
ii  perl                       5.8.4-8sarge4 Larry Wall's Practical Extraction 

-- no debconf information

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 0.87-3. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as not found in version 0.89-1. Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#378640; Package libnet-server-perl. Full text and rfc822 format available.

Acknowledgement sent to Carsten Wolff <carsten@wolffcarsten.de>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #14 received at 378640@bugs.debian.org (full text, mbox):

From: Carsten Wolff <carsten@wolffcarsten.de>
To: Stephen Gran <sgran@debian.org>, 378640@bugs.debian.org
Subject: Re: Bug#378640: libnet-server-perl: [CVE-2005-1127] format string vulnerability in log() function
Date: Mon, 24 Jul 2006 16:04:53 +0200
Hello Stephen,

I sent a suitable security-package with basically the same patch in it to the 
team in November 2005, immediately got a "nice, will do this later today" and 
nothing ever happened. Maybe it's because the patch potentially breaks logs 
of some servers using the lib, or because it's in question, if the hole is 
even exploitable. Well, zobel asked for the package now, I guess he will take 
care of it.

Carsten



Reply sent to Adeodato Simó <dato@net.com.org.es>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stephen Gran <sgran@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 378640-done@bugs.debian.org (full text, mbox):

From: Adeodato Simó <dato@net.com.org.es>
To: 378640-done@bugs.debian.org
Subject: Re: Bug#378640: libnet-server-perl: [CVE-2005-1127] format string vulnerability in log() function
Date: Mon, 24 Jul 2006 18:32:26 +0200
Version: 0.89-1

* Stephen Gran [Tue, 18 Jul 2006 00:40:24 +0100]:

> Package: libnet-server-perl
> Version: 0.87-3
> Severity: critical
> Tags: security patch

Marking as fixed in testing.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
One way to make your old car run better is to look up the price of a new model.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 08:10:57 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:05:09 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.