Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Package: acon
Version: 1.0.5-7
Severity: critical
Tags: security
In addition to the security bug mentioned in #475733, there are four
buffer overflows that I have found.
acon.c:53 (already reported) and child.c:104
A very large value of $HOME can create a buffer overflow with sprintf.
Use snprintf instead.
menu.c:100, menu.c:221, menu.c:243
On terminals with greater than 211 columns (like some framebuffers),
the buffer line will be overflowed, since it only has 400 bytes of
space. ((getmaxx()-10)*2)-2 > 400
These are critical due to the local root exploit contained in #475733.
Once the setuid bug is fixed, these will become grave.
There may be more. I have gone through the code as thoroughly as I
could, but the code is barely legible and uses lots of fixed-sized
buffers. For these reasons, it is my recommendation that acon not be
included in a stable release.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-rc8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
brian m. carlson wrote:
> Package: acon
> Version: 1.0.5-7
> Severity: critical
> Tags: security
>
> In addition to the security bug mentioned in #475733, there are four
> buffer overflows that I have found.
>
> acon.c:53 (already reported) and child.c:104
> A very large value of $HOME can create a buffer overflow with sprintf.
> Use snprintf instead.
> menu.c:100, menu.c:221, menu.c:243
> On terminals with greater than 211 columns (like some framebuffers),
> the buffer line will be overflowed, since it only has 400 bytes of
> space. ((getmaxx()-10)*2)-2 > 400
>
> These are critical due to the local root exploit contained in #475733.
> Once the setuid bug is fixed, these will become grave.
>
> There may be more. I have gone through the code as thoroughly as I
> could, but the code is barely legible and uses lots of fixed-sized
> buffers. For these reasons, it is my recommendation that acon not be
> included in a stable release.
Ack, this package should only be included in Lenny after a complete
review by a member of the Debian audit team and communication with
upstream to make sure such errors won't be re-introduced in later
development.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
On Thu, Apr 17, 2008 at 11:05:25PM +0200, Moritz Muehlenhoff wrote:
>brian m. carlson wrote:
>> There may be more. I have gone through the code as thoroughly as I
>> could, but the code is barely legible and uses lots of fixed-sized
>> buffers. For these reasons, it is my recommendation that acon not be
>> included in a stable release.
>
>Ack, this package should only be included in Lenny after a complete
>review by a member of the Debian audit team and communication with
>upstream to make sure such errors won't be re-introduced in later
>development.
I am subscribed to debian-audit, and we were requested to provide an
audit, which I did. My recommendation stands. It's very difficult to
audit the code, which is why I can't be sure I haven't missed something.
The fixed size buffers used in one part of the code are passed around to
other parts of the code, and it seems that nobody but upstream has
memorized all the constants. I saw very few uses of sizeof(buf) where
that would have been appropriate, magic numbers (some buffer sizes)
sprinkled throughout the code, and heavy use of strcpy and sprintf.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
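The two overflow patterns from the original report (sprintf of $HOME into a fixed buffer; the 400-byte menu.c line buffer versus ((getmaxx()-10)*2)-2) and the missing explicit-size discipline brian describes above, as an added C example that is not acon's code: the width bound checked as arithmetic, and the unbounded sprintf pattern beside an snprintf version that carries the buffer size with the buffer. PATH_BUF, the .aconrc file name and all function names are assumptions made for illustration.

```c
/* Added example, not acon's code: the report's two overflow patterns
 * beside bounded versions. Sizes, file name, function names constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* constructed fixed-size path buffer */
#define LINE_BUF 400   /* line buffer size the report cites for menu.c */

/* Bytes one menu line needs at a given width, per the report's formula
 * ((getmaxx()-10)*2)-2; width is a parameter so no curses is needed. */
int line_bytes_needed(int cols)
{
    return ((cols - 10) * 2) - 2;
}

/* 1 if a LINE_BUF-byte buffer holds a line at this width. This is the
 * check the fixed array lacks: 211 columns fit, 212 overflow. */
int line_buffer_fits(int cols)
{
    return line_bytes_needed(cols) <= LINE_BUF;
}

/* The unbounded pattern from acon.c:53 / child.c:104: sprintf copies
 * $HOME into a fixed buffer with no length check. Shown for contrast
 * only and never called here. */
void build_rc_path_unsafe(char out[PATH_BUF], const char *home)
{
    sprintf(out, "%s/.aconrc", home);   /* .aconrc is a made-up name */
}

/* Bounded version: the size travels with the buffer instead of being a
 * magic number the callee must remember; snprintf never writes past outsz
 * and its return value reveals truncation. 0 on success, -1 if too long. */
int build_rc_path(char *out, size_t outsz, const char *home)
{
    int n = snprintf(out, outsz, "%s/.aconrc", home);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';      /* leave a defined, empty string */
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[PATH_BUF];
    const char *home = getenv("HOME") ? getenv("HOME") : "/tmp";
    if (build_rc_path(out, sizeof out, home) != 0)
        fprintf(stderr, "HOME too long for %zu-byte buffer\n", sizeof out);
    printf("212 columns fit in %d bytes: %d\n", LINE_BUF, line_buffer_fits(212));
    return 0;
}
```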
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
On Thu, Apr 17, 2008 at 09:17:19PM +0000, brian m. carlson wrote:
> On Thu, Apr 17, 2008 at 11:05:25PM +0200, Moritz Muehlenhoff wrote:
>> brian m. carlson wrote:
>>> There may be more. I have gone through the code as thoroughly as I
>>> could, but the code is barely legible and uses lots of fixed-sized
>>> buffers. For these reasons, it is my recommendation that acon not be
>>> included in a stable release.
>>
>> Ack, this package should only be included in Lenny after a complete
>> review by a member of the Debian audit team and communication with
>> upstream to make sure such errors won't be re-introduced in later
>> development.
>
> I am subscribed to debian-audit, and we were requested to provide an
> audit, which I did. My recommendation stands. It's very difficult to
> audit the code, which is why I can't be sure I haven't missed something.
Ok, I wasn't aware you'd done a complete audit already.
> The fixed size buffers used in one part of the code are passed around to
> other parts of the code, and it seems that nobody but upstream has
> memorized all the constants. I saw very few uses of sizeof(buf) where
> that would have been appropriate, magic numbers (some buffer sizes)
> sprinkled throughout the code, and heavy use of strcpy and sprintf.
Sounds like it indeed shouldn't be included in Lenny, then.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Hello,
Should I make acon in experimental then?
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Hello,
I updated the 05_overflow.diff patch (please review the file
attached).
I have uploaded the new package for experimental at:
http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-7.dsc
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
On Fri, Apr 18, 2008 at 10:05:19AM +0200, أحمد المحمودي wrote:
>Hello,
>
> I updated the 05_overflow.diff patch (please review the file
> attached).
You forgot the attachment. Also, I don't think that you need to upload
it to experimental instead, just fix the bugs in unstable. I believe
the security team will ask debian-release to remove the package from
testing. If anything I said is incorrect, I'm sure Moritz will correct
me. :-)
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Yes, sorry, please find it attached this time.
On Fri, Apr 18, 2008 at 12:02:03PM +0000, brian m. carlson wrote:
> On Fri, Apr 18, 2008 at 10:05:19AM +0200, أحمد المحمودي wrote:
>> Hello,
>>
>> I updated the 05_overflow.diff patch (please review the file
>> attached).
>
> You forgot the attachment. Also, I don't think that you need to upload
> it to experimental instead, just fix the bugs in unstable. I believe
> the security team will ask debian-release to remove the package from
> testing. If anything I said is incorrect, I'm sure Moritz will correct
> me. :-)
---end quoted text---
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Hi,
* Julien Cristau <jcristau@debian.org> [2008-04-18 16:59]:
[...]
> > int i,z,loc=0,change=0,tochange=0,locn,tmp,startofline=1;
> > - char buf[400];
> > + char *buf;
> > unsigned char curloc[200];
> > int lang=0; /*0=english 1=arabic*/
> > + buf=(char *) malloc(sizeof(line));
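Review bot: the allocation `buf=(char *) malloc(sizeof(line));` is sized by sizeof(line), which for a pointer is the pointer width (4 or 8 bytes), so the 400-byte stack array is replaced by a heap buffer far smaller than anything the code will write into it; the first write overflows. The size has to come from the length actually required (the report's bound ((getmaxx()-10)*2)-2 plus a terminator, or strlen(line)+1 if line is the string being copied), the malloc result must be checked for NULL before use, and buf must be freed on every return path since it was formerly automatic storage. The cast on malloc is unnecessary in C.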
>
> sizeof(line) is the size of a pointer, that's not going to work.
Errm, when I said you should use sizeof(buf) I meant this for
the already existing arrays not for pointers.
Please stop writing patches and thus creating more workload
for people that need to check your patches. If you can't program
in C please wait for someone to write a patch.
[...]
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Merged 475733 476603.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 19 Apr 2008 13:21:07 GMT)
Severity set to `grave' from `critical'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 19 Apr 2008 13:21:10 GMT)
Bug no longer marked as found in version 1.0.5-7.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 14:39:10 GMT)
Bug no longer marked as found in version 1.0.5-7.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 14:39:14 GMT)
Severity set to `grave' from `grave'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 24 May 2008 19:30:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
tags 475733 + patch
tags 476603 + patch
thanks
Hi,
attached is a patch for acon which I can't test. Since this
involves quite a few changes it would be nice if someone
could review and/or test this patch.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 24 May 2008 20:24:07 GMT)
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 24 May 2008 20:24:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#476603; Package acon.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Hi,
I'm going to upload this patch as an NMU.
As a sponsor please make sure these changes are not lost
with the next upload. Please also forward those changes to
the upstream developer.
The patch will be also archived on:
http://people.debian.org/~nion/nmu-diff/acon-1.0.5-6_1.0.5-6.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: acon
Source-Version: 1.0.5-6.1
We believe that the bug you reported is fixed in the latest version of
acon, which is due to be installed in the Debian FTP archive:
acon_1.0.5-6.1.diff.gz
to pool/main/a/acon/acon_1.0.5-6.1.diff.gz
acon_1.0.5-6.1.dsc
to pool/main/a/acon/acon_1.0.5-6.1.dsc
acon_1.0.5-6.1_amd64.deb
to pool/main/a/acon/acon_1.0.5-6.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 476603@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated acon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 24 May 2008 22:10:40 +0200
Source: acon
Binary: acon
Architecture: source amd64
Version: 1.0.5-6.1
Distribution: unstable
Urgency: high
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Changed-By: Nico Golde <nion@debian.org>
Description:
acon - Text console arabization
Closes: 475733 476603
Changes:
acon (1.0.5-6.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix various buffer overflows by doing proper bounds checking
that could be exploited to get root access
(CVE-2008-1994; Closes: #476603, #475733).
Checksums-Sha1:
4ce51b4f5b7f1e0f9bf2ce49cd6c9fa26e47820c 979 acon_1.0.5-6.1.dsc
6efa907f422d5c31f54e215a724b91cb852dec09 7523 acon_1.0.5-6.1.diff.gz
224b409735878939d11e00e0bbfeaa42a1e4a9f9 37534 acon_1.0.5-6.1_amd64.deb
Checksums-Sha256:
223a0c545214b0a59345141270f7448c2ac410a85df1ccb23822c8598a00af83 979 acon_1.0.5-6.1.dsc
c6e75baf9185c064410de367844332b429bef1f9649ff727c15f221f9128cc84 7523 acon_1.0.5-6.1.diff.gz
81f8b864474ca05675f2841afe20a1b70cffc977a94a0161938b0c853ce7dcc1 37534 acon_1.0.5-6.1_amd64.deb
Files:
74879b613bbe65a46f7a881223c743fa 979 misc optional acon_1.0.5-6.1.dsc
60427635c5e7daadf80ed537a600fb06 7523 misc optional acon_1.0.5-6.1.diff.gz
f22adbdacbd9736816d94fb40e1d2925 37534 misc optional acon_1.0.5-6.1_amd64.deb
Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.
Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 06 Jul 2008 07:25:45 GMT)