Debian Bug report logs - #397875
ELOG Web Logbook Remote Denial of Service Vulnerability


Package: elog; Maintainer for elog is (unknown);

Reported by: "OS2A BTO" <os2a.bto@gmail.com>

Date: Fri, 10 Nov 2006 06:48:07 UTC

Severity: normal

Found in version 2.6.2

Fixed in version elog/2.6.2+r1754-1

Done: Recai Oktaş <roktas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#397875; Package elog.


Acknowledgement sent to "OS2A BTO" <os2a.bto@gmail.com>: New Bug report received and forwarded. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "OS2A BTO" <os2a.bto@gmail.com>
To: roktas@debian.org, submit@bugs.debian.org
Subject: ELOG Web Logbook Remote Denial of Service Vulnerability
Date: Fri, 10 Nov 2006 11:29:28 +0530
Package: elog
Version: 2.6.2

We recently came across a Denial of Service vulnerability in ELOG's
elogd server which allows attackers to crash the service, thereby preventing
legitimate access.

We worked with Mr. Stefan Ritt of midas.psi.ch to fix the issue and
the fix has been made available on the website,
http://savannah.psi.ch/websvn/log.php?repname=elog&path=%2Ftrunk%2F&rev=0&sc=0&isdir=1

Attached is our security advisory which describes the vulnerability in detail.

We noticed that the Debian package of elog is also vulnerable. We would
like to go public with the advisory. Please let us know when you can
have the fix incorporated in your package.

A quick and positive response from your side would be highly appreciated.

Thanks,
OS2A



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#397875; Package elog.


Acknowledgement sent to "OS2A BTO" <os2a.bto@gmail.com>: Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #10 received at 397875@bugs.debian.org:

From: "OS2A BTO" <os2a.bto@gmail.com>
To: 397875@bugs.debian.org
Subject: Re: Bug#397875: (ELOG Web Logbook Remote Denial of Service Vulnerability)
Date: Fri, 10 Nov 2006 23:05:27 +0530
Details of the vulnerability are described in the advisory
(os2a_1008.txt) attached with this mail.

Thanks,
OS2A
[os2a_1008.txt (text/plain, attachment)]

Reply sent to Recai Oktaş <roktas@debian.org>: You have taken responsibility.


Notification sent to "OS2A BTO" <os2a.bto@gmail.com>: Bug acknowledged by developer.


Message #15 received at 397875-close@bugs.debian.org:

From: Recai Oktaş <roktas@debian.org>
To: 397875-close@bugs.debian.org
Subject: Bug#397875: fixed in elog 2.6.2+r1754-1
Date: Sat, 11 Nov 2006 10:17:12 -0800
Source: elog
Source-Version: 2.6.2+r1754-1

We believe that the bug you reported is fixed in the latest version of
elog, which is due to be installed in the Debian FTP archive:

elog_2.6.2+r1754-1.diff.gz
  to pool/main/e/elog/elog_2.6.2+r1754-1.diff.gz
elog_2.6.2+r1754-1.dsc
  to pool/main/e/elog/elog_2.6.2+r1754-1.dsc
elog_2.6.2+r1754-1_i386.deb
  to pool/main/e/elog/elog_2.6.2+r1754-1_i386.deb
elog_2.6.2+r1754.orig.tar.gz
  to pool/main/e/elog/elog_2.6.2+r1754.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 397875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Recai Oktaş <roktas@debian.org> (supplier of updated elog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 11 Nov 2006 19:47:39 +0200
Source: elog
Binary: elog
Architecture: source i386
Version: 2.6.2+r1754-1
Distribution: unstable
Urgency: low
Maintainer: Recai Oktaş <roktas@debian.org>
Changed-By: Recai Oktaş <roktas@debian.org>
Description: 
 elog       - Logbook system to manage notes through a Web interface
Closes: 397875
Changes: 
 elog (2.6.2+r1754-1) unstable; urgency=low
 .
   * New upstream release grabbed from Subversion (r1754), includes
     fixes for a bunch of security issues[1]:
     + Fixes from Ulf Harnhammar (Debian Security Audit Project):
       - There is some incorrect handling of *printf() calls and format
         strings. They lead to ELOG crashing completely, with the potential
         of executing arbitrary machine code programs, when a user uploads
         and submits as the first attachment in an entry a file called
         "%n%n%n%n" - or similar - which must not be empty.
       - There is a Cross-site Scripting issue when requesting correctly
         named but non-existent files for downloading.
       - There are also Cross-site Scripting issues when creating new
         entries with New. If a document sends data to ELOG where the fields
         Type and Category contain invalid entries with HTML code, the
         resulting error document will print the Type or Category data as-is
         with no quoting.
     + Fixes from OS2A team (credits go to Jayesh KS and Arun Kethipelly):
       - Remote exploitation of a denial of service vulnerability in ELOG's
         elogd server allows attackers to crash the service, thereby
         preventing legitimate access.  (Closes: #397875)
     [1] Leaving #392016 open for the reasons stated in that report.
Files: 
 217fd559b3d1020fe33c581a5a4a25bb 571 web optional elog_2.6.2+r1754-1.dsc
 9f954f72bd281c598e22b1ba129c967f 763534 web optional elog_2.6.2+r1754.orig.tar.gz
 e8c7f56087353d645ba35ff311024a9a 12892 web optional elog_2.6.2+r1754-1.diff.gz
 d4050f06d569c92fd9d94e7ef6bb5e36 757584 web optional elog_2.6.2+r1754-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFVhGRnA44mz/SXIQRAviOAJ4uz2Lgn+gkBlu2VO2ytei4DhPbyQCfbmeW
R1zkjlq874uPwW+LTbFIfE0=
=PrW7
-----END PGP SIGNATURE-----
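The changelog above describes two classes of defect in elogd: a user-supplied attachment name reaching a *printf() call as the format string, and Type/Category fields echoed into an error page without quoting. The C below is an added example, not ELOG's own code, showing the hardened patterns for both: the untrusted value is passed as a "%s" argument rather than as the format, and fields are HTML-escaped before output. Function names and buffer sizes are assumptions for the illustration.

```c
/* Added example, not ELOG code: hardened handling of user-controlled
 * strings for the two bug classes in the Debian changelog. */
#include <stdio.h>
#include <string.h>

/* Format a log line for an uploaded attachment. The user-controlled name is
 * passed as a %s argument, never as the format string, so a name such as
 * "%n%n%n%n" is printed literally instead of being interpreted. Returns the
 * number of characters written, or -1 for an empty name or a full buffer. */
int format_attachment_line(char *out, size_t outsz, const char *name)
{
    if (name == NULL || name[0] == '\0')
        return -1;                       /* empty name: nothing to log */
    int n = snprintf(out, outsz, "attachment 1: %s", name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                       /* truncated: treat as failure */
    return n;
}

/* Escape a field such as Type or Category before echoing it into an error
 * page, so injected markup is rendered as text. Returns 0 on success, -1 if
 * the escaped result does not fit in out. */
int html_escape(char *out, size_t outsz, const char *in)
{
    size_t used = 0;
    for (; *in; in++) {
        const char *rep;
        char tmp[2] = { *in, '\0' };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        default:   rep = tmp;      break;   /* ordinary byte, copied as-is */
        }
        size_t len = strlen(rep);
        if (used + len >= outsz)
            return -1;                   /* leave room for the terminator */
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}
```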




Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#397875; Package elog.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #20 received at 397875@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 397875@bugs.debian.org
Subject: CVE assignment
Date: Wed, 27 Dec 2006 19:27:23 +0100
Please use CVE-2006-6318 when referring to this NULL pointer dereference.

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:25:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Aug 2 00:07:16 2024; Machine Name: buxtehude
