Debian Bug report logs - #476603
acon: multiple buffer overflows

version graph

Package: acon; Maintainer for acon is (unknown);

Reported by: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>

Date: Thu, 17 Apr 2008 20:57:02 UTC

Severity: grave

Tags: patch, security

Merged with 475733

Found in versions acon/1.0.5-5, acon/1.0.5-6

Fixed in version acon/1.0.5-6.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: acon: multiple buffer overflows
Date: Thu, 17 Apr 2008 20:53:14 +0000
[Message part 1 (text/plain, inline)]
Package: acon
Version: 1.0.5-7
Severity: critical
Tags: security

In addition to the security bug mentioned in #475733, there are four 
buffer overflows that I have found.

acon.c:53 (already reported) and child.c:104
  A very large value of $HOME can create a buffer overflow with sprintf.  
  Use snprintf instead.
 
menu.c:100, menu.c:221, menu.c:243
  On terminals with greater than 211 columns (like some framebuffers), 
  the buffer line will be overflowed, since it only has 400 bytes of 
  space.  ((getmaxx()-10)*2)-2 > 400

These are critical due to the local root exploit contained in #475733.  
Once the setuid bug is fixed, these will become grave.

There may be more.  I have gone through the code as thoroughly as I 
could, but the code is barely legible and uses lots of fixed-sized 
buffers.  For these reasons, it is my recommendation that acon not be 
included in a stable release.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-rc8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #10 received at 476603@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 476603@bugs.debian.org
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Thu, 17 Apr 2008 23:05:25 +0200
brian m. carlson wrote:
> Package: acon
> Version: 1.0.5-7
> Severity: critical
> Tags: security
>
> In addition to the security bug mentioned in #475733, there are four  
> buffer overflows that I have found.
>
> acon.c:53 (already reported) and child.c:104
>   A very large value of $HOME can create a buffer overflow with sprintf.  
>   Use snprintf instead.
>  menu.c:100, menu.c:221, menu.c:243
>   On terminals with greater than 211 columns (like some framebuffers),   
> the buffer line will be overflowed, since it only has 400 bytes of   
> space.  ((getmaxx()-10)*2)-2 > 400
>
> These are critical due to the local root exploit contained in #475733.   
> Once the setuid bug is fixed, these will become grave.
>
> There may be more.  I have gone through the code as thoroughly as I  
> could, but the code is barely legible and uses lots of fixed-sized  
> buffers.  For these reasons, it is my recommendation that acon not be  
> included in a stable release.

Ack, this package should only be included in Lenny after a complete
review by a member of the Debian audit team and communication with
upstream to make sure such errors won't be re-introduced in later
development.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #15 received at 476603@bugs.debian.org (full text, mbox, reply):

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 476603@bugs.debian.org
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Thu, 17 Apr 2008 21:17:19 +0000
[Message part 1 (text/plain, inline)]
On Thu, Apr 17, 2008 at 11:05:25PM +0200, Moritz Muehlenhoff wrote:
>brian m. carlson wrote:
>> There may be more.  I have gone through the code as thoroughly as I  
>> could, but the code is barely legible and uses lots of fixed-sized  
>> buffers.  For these reasons, it is my recommendation that acon not be  
>> included in a stable release.
>
>Ack, this package should only be included in Lenny after a complete
>review by a member of the Debian audit team and communication with
>upstream to make sure such errors won't be re-introduced in later
>development.

I am subscribed to debian-audit, and we were requested to provide an 
audit, which I did.  My recommendation stands.  It's very difficult to 
audit the code, which is why I can't be sure I haven't missed something.

The fixed size buffers used in one part of the code are passed around to 
other parts of the code, and it seems that nobody but upstream has 
memorized all the constants.  I saw very few uses of sizeof(buf) where 
that would have been appropriate, magic numbers (some buffer sizes) 
sprinkled throughout the code, and heavy use of strcpy and sprintf.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #20 received at 476603@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 476603@bugs.debian.org
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Thu, 17 Apr 2008 23:42:32 +0200
On Thu, Apr 17, 2008 at 09:17:19PM +0000, brian m. carlson wrote:
> On Thu, Apr 17, 2008 at 11:05:25PM +0200, Moritz Muehlenhoff wrote:
>> brian m. carlson wrote:
>>> There may be more.  I have gone through the code as thoroughly as I   
>>> could, but the code is barely legible and uses lots of fixed-sized   
>>> buffers.  For these reasons, it is my recommendation that acon not be 
>>>  included in a stable release.
>>
>> Ack, this package should only be included in Lenny after a complete
>> review by a member of the Debian audit team and communication with
>> upstream to make sure such errors won't be re-introduced in later
>> development.
>
> I am subscribed to debian-audit, and we were requested to provide an  
> audit, which I did.  My recommendation stands.  It's very difficult to  
> audit the code, which is why I can't be sure I haven't missed something.

Ok, I wasn't aware you'd done a complete audit already.

> The fixed size buffers used in one part of the code are passed around to  
> other parts of the code, and it seems that nobody but upstream has  
> memorized all the constants.  I saw very few uses of sizeof(buf) where  
> that would have been appropriate, magic numbers (some buffer sizes)  
> sprinkled throughout the code, and heavy use of strcpy and sprintf.

Sounds like it indeed shouldn't be included in Lenny, then.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #25 received at 476603@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 476603@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Fri, 18 Apr 2008 06:54:01 +0200
Hello,

  Should I make acon in experimental then ?

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #30 received at 476603@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, 476603@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Fri, 18 Apr 2008 10:05:19 +0200
Hello,

  I updated the 05_overflow.diff patch (please review the file 
  attached).

  I have uploaded the new package for experimental at:
  http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-7.dsc

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #35 received at 476603@bugs.debian.org (full text, mbox, reply):

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
Cc: 476603@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Fri, 18 Apr 2008 12:02:03 +0000
[Message part 1 (text/plain, inline)]
On Fri, Apr 18, 2008 at 10:05:19AM +0200, أحمد المحمودي wrote:
>Hello,
>
>  I updated the 05_overflow.diff patch (please review the file 
>  attached).

You forgot the attachment.  Also, I don't think that you need to upload 
it to experimental instead, just fix the bugs in unstable.  I believe 
the security team will ask debian-release to remove the package from 
testing.  If anything I said is incorrect, I'm sure Moritz will correct 
me. :-)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #40 received at 476603@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 476603@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Fri, 18 Apr 2008 16:17:53 +0200
[Message part 1 (text/plain, inline)]
  Yes, sorry, please find it attached this time.

On Fri, Apr 18, 2008 at 12:02:03PM +0000, brian m. carlson wrote:
> On Fri, Apr 18, 2008 at 10:05:19AM +0200, أحمد المحمودي wrote:
>> Hello,
>>
>>  I updated the 05_overflow.diff patch (please review the file  
>> attached).
>
> You forgot the attachment.  Also, I don't think that you need to upload  
> it to experimental instead, just fix the bugs in unstable.  I believe  
> the security team will ask debian-release to remove the package from  
> testing.  If anything I said is incorrect, I'm sure Moritz will correct  
> me. :-)
---end quoted text---

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27
[05_overflow.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #45 received at 476603@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>, 476603@bugs.debian.org
Cc: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Fri, 18 Apr 2008 16:51:17 +0200
Hi,

some comments on your patch below.

On Fri, Apr 18, 2008 at 16:17:53 +0200, أحمد المحمودي wrote:

> Index: acon-1.0.5/menu.c
> ===================================================================
> --- acon-1.0.5.orig/menu.c	2008-04-18 08:45:45.000000000 +0200
> +++ acon-1.0.5/menu.c	2008-04-18 08:45:48.000000000 +0200
> @@ -55,10 +55,11 @@
>  int drawmenuxy(int vcsa,int x,int y,int xwidth,int ywidth,char **menu,int num)
>  {
>  	int i,z,starty=0,select=0;
> -	unsigned char line[400];
> +	unsigned char *line;
>  	int ch;
>  	int currentconsole;
>  
> +  line=(unsigned char *) malloc(((xwidth*2)+3)*sizeof(unsigned char));

whitespace damage.  also, useless cast, and sizeof(unsigned char) is
always 1.  and you don't check whether malloc() succeeded.
and, where does 'xwidth' come from (are you sure xwidth*2+3 isn't going
to overflow?).

>  	currentconsole=getactive();
>  
>  	while(1)
> @@ -120,9 +121,11 @@
>  					break;
>  				case 13:	/*Enter*/
>  				case ' ':
> +          free(line);

whitespace damage again (and again later).

>  					return select;
>  				case 'r':
>  				case 3:
> +          free(line);
>  					return -1;
>  			}
>  
> @@ -130,6 +133,7 @@
>  			if(	currentconsole!=getactive())
>  			{
>  				consoleswitched=1;
> +        free(line);
>  				return -1;
>  			}
>  
> @@ -138,6 +142,7 @@
>  		if(select>starty+ywidth-1)starty++;
>  		if(select<starty)starty--;
>  	}
> +  free(line);
>  }
>  
>  char *getfile(int vcsa,char *path)
> @@ -204,7 +209,7 @@
>  
>  char *getuserinput(int vcsa,const char *p,char *str)
>  {
> -	unsigned char line[400];
> +	unsigned char *line;
>  	int ypos;
>  	int xwidth;
>  	int ch,i,startpos;
> @@ -214,6 +219,7 @@
>  	str[0]=0;
>  	ypos=getmaxy()/2-2;
>  	xwidth=getmaxx()-10;
> +  line=(unsigned char *) malloc(((xwidth*2)-2)*sizeof(unsigned char));

same as above.

>  	
>  	line[0]=0x86;
>  	line[1]=COLORN;
> @@ -251,8 +257,10 @@
>  			switch(ch)
>  			{
>  				case 13:	/*Enter*/
> +          free(line);
>  					return str;
>  				case 3:
> +          free(line);
>  					return NULL;
>  				case 127:
>  					if(*str)
> @@ -267,11 +275,13 @@
>  			if(	currentconsole!=getactive())
>  			{
>  				consoleswitched=1;
> +        free(line);
>  				return NULL;
>  			}
>  
>  		}while(ch==256);
>  	}
> +  free(line);
>  }
>  
>  void options(int vcsa)
> Index: acon-1.0.5/render.c
> ===================================================================
> --- acon-1.0.5.orig/render.c	2008-04-18 08:47:21.000000000 +0200
> +++ acon-1.0.5/render.c	2008-04-18 08:51:29.000000000 +0200
> @@ -112,9 +112,10 @@
>  void processlineLTR(unsigned char *line,int len)
>  {
>  	int i,z,loc=0,change=0,tochange=0,locn,tmp,startofline=1;
> -	char buf[400];
> +	char *buf;
>  	unsigned char curloc[200];
>  	int lang=0;	/*0=english 1=arabic*/
> +  buf=(char *) malloc(sizeof(line));

sizeof(line) is the size of a pointer, that's not going to work.

>  
>  	for(i=0;i<len;i+=2)
>  	{
> @@ -195,15 +196,18 @@
>  			if(curloc[i]==scrn.x)
>  				{scrn.x=i;break;}
>  
> +  free(buf);
>  }
>  
>  void processlineRTL(unsigned char *line,int len)
>  {
>     int i,z,loc=0,tmp,startofline=1,tochange=0,change=0;
> -   char buf[400];
> +   char *buf;
>     char curloc[200];
>     int lang=1;	/*0=english 1=arabic*/
>  
> +   buf=(char *) malloc(sizeof(line));
> +

see above.

>  	for(i=0;i<len;i+=2)
>  	{
>  		newline[i/2]=isotocp(line[i]);
> @@ -266,6 +270,7 @@
>     		for(i=len/2;i>=0;i--)
>     			if(curloc[i]==scrn.x)
>     				{scrn.x=i;break;}
> +   free(buf);
>  }
>  
>  unsigned char lastchr;
> @@ -325,7 +330,7 @@
>  {
>  	unsigned int i;
>  	static unsigned char oldx=255,oldy;
> -	char line[400];
> +	char *line;
>     
>  	lseek(consolevc,0,SEEK_SET);
>  	lseek(ttyvc,4,SEEK_SET);
> @@ -335,6 +340,8 @@
>  		return 1;
>  	}
>  		
> +  line=(char *) malloc(((scrn.cols*2)+3)*sizeof(char));
> +
>  	line[0]=0,line[scrn.cols*2]=0,line[scrn.cols*2+2]=0;
>  	if(oldx==255)oldx=scrn.x,oldy=scrn.y;
>  	
> @@ -359,5 +366,6 @@
>  	lseek(ttyvc,0,SEEK_SET);
>  	write(ttyvc,&scrn,4);
>  	oldx=scrn.x,oldy=scrn.y;
> +  free(line);
>  	return 0;
>  }

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #50 received at 476603@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 476603@bugs.debian.org
Subject: Re: Bug#476603: acon: multiple buffer overflows
Date: Fri, 18 Apr 2008 17:20:23 +0200
[Message part 1 (text/plain, inline)]
Hi,
* Julien Cristau <jcristau@debian.org> [2008-04-18 16:59]:
[...] 
> >  	int i,z,loc=0,change=0,tochange=0,locn,tmp,startofline=1;
> > -	char buf[400];
> > +	char *buf;
> >  	unsigned char curloc[200];
> >  	int lang=0;	/*0=english 1=arabic*/
> > +  buf=(char *) malloc(sizeof(line));
> 
> sizeof(line) is the size of a pointer, that's not going to work.

Errm, when I said you should use sizeof(buf) I meant this for 
the already existing arrays not for pointers.
Please stop writing patches and thus creating more workload 
for people that need to check your patches. If you can't program
in C please wait for someone to write a patch.
[...] 

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Merged 475733 476603. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 19 Apr 2008 13:21:07 GMT) (full text, mbox, link).


Severity set to `grave' from `critical' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 19 Apr 2008 13:21:10 GMT) (full text, mbox, link).


Bug no longer marked as found in version 1.0.5-7. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2008 14:39:10 GMT) (full text, mbox, link).


Bug no longer marked as found in version 1.0.5-7. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2008 14:39:14 GMT) (full text, mbox, link).


Severity set to `grave' from `grave' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 24 May 2008 19:30:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #65 received at 476603@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 476603@bugs.debian.org, 475733@bugs.debian.org
Cc: helmut@subdivi.de, sandals@crustytoothpaste.ath.cx, msameer@debian.org
Subject: acon patch
Date: Sat, 24 May 2008 22:20:56 +0200
[Message part 1 (text/plain, inline)]
tags 475733 + patch
tags 476603 + patch
thanks

Hi,
attached is a patch for acon which I can't test. Since this 
involves quite a few changes it would be nice if someone 
could review and/or test this patch.

Kind regards
Nico


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[acon-1.0.5-6_1.0.5-6.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 24 May 2008 20:24:07 GMT) (full text, mbox, link).


Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 24 May 2008 20:24:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#476603; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #74 received at 476603@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 475733@bugs.debian.org, 476603@bugs.debian.org
Subject: intent to NMU
Date: Tue, 27 May 2008 10:53:21 +0200
[Message part 1 (text/plain, inline)]
Hi,
I'm going to upload this patch as an NMU.

As a sponsor please make sure these changes are not lost 
with the next upload. Please also forward those changes to 
the upstream developer.

The patch will be also archived on:
http://people.debian.org/~nion/nmu-diff/acon-1.0.5-6_1.0.5-6.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[acon-1.0.5-6_1.0.5-6.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer. (full text, mbox, link).


Message #79 received at 476603-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 476603-close@bugs.debian.org
Subject: Bug#476603: fixed in acon 1.0.5-6.1
Date: Tue, 27 May 2008 09:17:03 +0000
Source: acon
Source-Version: 1.0.5-6.1

We believe that the bug you reported is fixed in the latest version of
acon, which is due to be installed in the Debian FTP archive:

acon_1.0.5-6.1.diff.gz
  to pool/main/a/acon/acon_1.0.5-6.1.diff.gz
acon_1.0.5-6.1.dsc
  to pool/main/a/acon/acon_1.0.5-6.1.dsc
acon_1.0.5-6.1_amd64.deb
  to pool/main/a/acon/acon_1.0.5-6.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476603@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated acon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 24 May 2008 22:10:40 +0200
Source: acon
Binary: acon
Architecture: source amd64
Version: 1.0.5-6.1
Distribution: unstable
Urgency: high
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 acon       - Text console arabization
Closes: 475733 476603
Changes: 
 acon (1.0.5-6.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix various buffer overflows by doing proper bounds checking
     that could be exploited to get root access
     (CVE-2008-1994; Closes: #476603, #475733).
Checksums-Sha1: 
 4ce51b4f5b7f1e0f9bf2ce49cd6c9fa26e47820c 979 acon_1.0.5-6.1.dsc
 6efa907f422d5c31f54e215a724b91cb852dec09 7523 acon_1.0.5-6.1.diff.gz
 224b409735878939d11e00e0bbfeaa42a1e4a9f9 37534 acon_1.0.5-6.1_amd64.deb
Checksums-Sha256: 
 223a0c545214b0a59345141270f7448c2ac410a85df1ccb23822c8598a00af83 979 acon_1.0.5-6.1.dsc
 c6e75baf9185c064410de367844332b429bef1f9649ff727c15f221f9128cc84 7523 acon_1.0.5-6.1.diff.gz
 81f8b864474ca05675f2841afe20a1b70cffc977a94a0161938b0c853ce7dcc1 37534 acon_1.0.5-6.1_amd64.deb
Files: 
 74879b613bbe65a46f7a881223c743fa 979 misc optional acon_1.0.5-6.1.dsc
 60427635c5e7daadf80ed537a600fb06 7523 misc optional acon_1.0.5-6.1.diff.gz
 f22adbdacbd9736816d94fb40e1d2925 37534 misc optional acon_1.0.5-6.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIO8wKHYflSXNkfP8RAlG8AJwMD13igCZlrqodjuo6vOnUXxC1JQCglUAJ
5XJVV9UGMClMlFQelXhhOp0=
=sN1e
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Jul 2008 07:25:45 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 11:03:23 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.