Debian Bug report logs - #397875: ELOG Web Logbook Remote Denial of Service Vulnerability
Reported by: "OS2A BTO" <os2a.bto@gmail.com>
Date: Fri, 10 Nov 2006 06:48:07 UTC
Severity: normal
Found in version 2.6.2
Fixed in version elog/2.6.2+r1754-1
Done: Recai Oktaş <roktas@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#397875; Package elog.
Acknowledgement sent to "OS2A BTO" <os2a.bto@gmail.com>: New Bug report received and forwarded. Copy sent to Recai Oktaş <roktas@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: elog
Version: 2.6.2
We recently came across a Denial of Service vulnerability in ELOG's
elogd server which allows attackers to crash the service, thereby preventing
legitimate access.
We worked with Mr. Stefan Ritt of midas.psi.ch to fix the issue, and
the fix has been made available on the website:
http://savannah.psi.ch/websvn/log.php?repname=elog&path=%2Ftrunk%2F&rev=0&sc=0&isdir=1
Attached is our security advisory which describes the vulnerability in detail.
We noticed that the Debian package of elog is also vulnerable. We would
like to go public with the advisory. Please let us know when you can
have the fix incorporated in your package.
A quick and positive response from your side would be highly appreciated.
Thanks,
OS2A
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#397875; Package elog.
Acknowledgement sent to "OS2A BTO" <os2a.bto@gmail.com>: Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
Message #10 received at 397875@bugs.debian.org:
Details of the vulnerability are described in the advisory
(os2a_1008.txt) attached to this mail.
Thanks,
OS2A
[os2a_1008.txt (text/plain, attachment)]
Reply sent to Recai Oktaş <roktas@debian.org>: You have taken responsibility.
Notification sent to "OS2A BTO" <os2a.bto@gmail.com>: Bug acknowledged by developer.
Message #15 received at 397875-close@bugs.debian.org:
Source: elog
Source-Version: 2.6.2+r1754-1
We believe that the bug you reported is fixed in the latest version of
elog, which is due to be installed in the Debian FTP archive:
elog_2.6.2+r1754-1.diff.gz
to pool/main/e/elog/elog_2.6.2+r1754-1.diff.gz
elog_2.6.2+r1754-1.dsc
to pool/main/e/elog/elog_2.6.2+r1754-1.dsc
elog_2.6.2+r1754-1_i386.deb
to pool/main/e/elog/elog_2.6.2+r1754-1_i386.deb
elog_2.6.2+r1754.orig.tar.gz
to pool/main/e/elog/elog_2.6.2+r1754.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 397875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Recai Oktaş <roktas@debian.org> (supplier of updated elog package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 11 Nov 2006 19:47:39 +0200
Source: elog
Binary: elog
Architecture: source i386
Version: 2.6.2+r1754-1
Distribution: unstable
Urgency: low
Maintainer: Recai Oktaş <roktas@debian.org>
Changed-By: Recai Oktaş <roktas@debian.org>
Description:
elog - Logbook system to manage notes through a Web interface
Closes: 397875
Changes:
elog (2.6.2+r1754-1) unstable; urgency=low
.
* New upstream release grabbed from Subversion (r1754), includes
fixes for a bunch of security issues[1]:
+ Fixes from Ulf Harnhammar (Debian Security Audit Project):
- There are some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs, when a user uploads
and submits as the first attachment in an entry a file called
"%n%n%n%n" - or similar - which must not be empty.
- There is a Cross-site Scripting issue when requesting correctly
named but non-existant files for downloading.
- There are also Cross-site Scripting issues when creating new
entries with New. If a document sends data to ELOG where the fields
Type and Category contain invalid entries with HTML code, the
resulting error document will print the Type or Category data as-is
with no quoting.
+ Fixes from OS2A team (credits go to Jayesh KS and Arun Kethipelly):
- Remote exploitation of a denial of service vulnerability in ELOG's
elogd server allows attackers to crash the service, thereby
preventing legitimate access. (Closes: #397875)
[1] Leaving #392016 open for the reasons stated in that report.
Files:
217fd559b3d1020fe33c581a5a4a25bb 571 web optional elog_2.6.2+r1754-1.dsc
9f954f72bd281c598e22b1ba129c967f 763534 web optional elog_2.6.2+r1754.orig.tar.gz
e8c7f56087353d645ba35ff311024a9a 12892 web optional elog_2.6.2+r1754-1.diff.gz
d4050f06d569c92fd9d94e7ef6bb5e36 757584 web optional elog_2.6.2+r1754-1_i386.deb
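As an added illustration of the *printf() mis-handling the changelog above describes (example code written for this page, not taken from elog or the Debian package; the function names are hypothetical), the following shows the correct way to emit a user-supplied attachment name and a defence-in-depth escaper for paths where the name must later end up inside a format string:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The changelog's first fix: an attachment name reached a *printf() call
 * as its FORMAT string, roughly  snprintf(out, n, name);  so an upload
 * named "%n%n%n%n" became four "%n" directives, each writing a byte count
 * through whatever pointer happened to be in the argument slot.
 * Both helpers below are hypothetical, not elog code. */

/* Correct form: user data is always a "%s" argument, never the format. */
int format_attachment_line(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "Attachment: %s", name);
}

/* Defence in depth for paths where a name must later sit inside a format
 * string (templates, log prefixes): double every '%', since "%%" is the
 * one directive that consumes no argument. Returns false if out[n] is
 * too small for the escaped result plus its terminator. */
bool escape_format_directives(const char *name, char *out, size_t n)
{
    size_t j = 0;
    for (const char *p = name; *p != '\0'; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (j + need >= n)
            return false;
        out[j++] = *p;
        if (*p == '%')
            out[j++] = '%';      /* "%" -> "%%" */
    }
    out[j] = '\0';
    return true;
}

int main(void)
{
    char line[64], esc[64];
    const char *hostile = "%n%n%n%n";        /* constructed test input */

    format_attachment_line(line, sizeof line, hostile);
    puts(line);                               /* Attachment: %n%n%n%n */
    if (escape_format_directives(hostile, esc, sizeof esc))
        puts(esc);                            /* %%n%%n%%n%%n */
    return 0;
}
```

Building with -Wformat-security (or -Werror=format-security) flags the original non-literal-format pattern at compile time, which is the cheapest check to add to a tree like this one.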
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#397875; Package elog.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
Message #20 received at 397875@bugs.debian.org:
Please use CVE-2006-6318 when referring to this NULL pointer dereference.
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Tue, 26 Jun 2007 14:25:23 GMT).
Last modified: Fri Aug 2 00:07:16 2024