Report forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>: Bug#484572; Package motion.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.
(full text, mbox, link).
Package: motion
Version: 3.2.9-2
Severity: minor
Hi,
there is an off-by-one programming error in webhttpd:
From webhttpd.c:
1950 static int read_client(int client_socket, void *userdata, char *auth)
....
1954 char buffer[1024] = {'\0'};
1955 int length = 1024;
....
1963 int nread = 0, readb = -1;
1964·
1965 nread = read (client_socket, buffer, length);
1966·
1967 if (nread <= 0) {
1968 motion_log(LOG_ERR, 1, "httpd First read");
1969 pthread_mutex_unlock(&httpd_mutex);
1970 return -1;
1971 }
1972 else {
1973 char method[sizeof (buffer)];
1974 char url[sizeof (buffer)];
1975 char protocol[sizeof (buffer)];
1976 char *authentication=NULL;
1977·
1978 buffer[nread] = '\0';
This function reads an HTTP request by a client connecting to the administration port of motion.·
If the client send exactly or more than 1024 as an HTTP request line 1978
will write one byte too far, to buffer[1024] as read in line 1965 will
return 1024 bytes.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>: Bug#484572; Package motion.
(full text, mbox, link).
Acknowledgement sent to ack@telefonica.net:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.
(full text, mbox, link).
Severity set to `important' from `minor'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Fri, 06 Jun 2008 06:57:05 GMT) (full text, mbox, link).
Tags added: security
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Fri, 06 Jun 2008 06:57:07 GMT) (full text, mbox, link).
Reply sent to Juan Angulo Moreno <juan@apuntale.com>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Source: motion
Source-Version: 3.2.9-3
We believe that the bug you reported is fixed in the latest version of
motion, which is due to be installed in the Debian FTP archive:
motion_3.2.9-3.diff.gz
to pool/main/m/motion/motion_3.2.9-3.diff.gz
motion_3.2.9-3.dsc
to pool/main/m/motion/motion_3.2.9-3.dsc
motion_3.2.9-3_amd64.deb
to pool/main/m/motion/motion_3.2.9-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 484572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Juan Angulo Moreno <juan@apuntale.com> (supplier of updated motion package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 06 Jun 2008 23:29:02 -0430
Source: motion
Binary: motion
Architecture: source amd64
Version: 3.2.9-3
Distribution: unstable
Urgency: low
Maintainer: Juan Angulo Moreno <juan@apuntale.com>
Changed-By: Juan Angulo Moreno <juan@apuntale.com>
Description:
motion - V4L capture program supporting motion detection
Closes: 419158484148484410484566484570484572
Changes:
motion (3.2.9-3) unstable; urgency=low
.
* Debconf translation: Galician (Closes: #484148).
Thanks Jacobo Tarrio.
* Fixed: Document removal of motion-control (Closes: #419158).
* Fixed: Bashism in debian/rules (Closes: #484410).
* Fixed: Off-by-one in webhttpd.c (Closes: #484572).
Thanks Angel Carpintero.
* Fixed: Motion crashes after some time of running
(Closes: #484566). Thanks Angel Carpintero.
* Fixed: motion.conf world readable and thus writable through web
interface by default (Closes: #484570).
Checksums-Sha1:
c8ddb940da379521e549188fd7ef22c3a4a54821 1088 motion_3.2.9-3.dsc
ae6bc7ba19d3045a03c03588979bad44901d1671 32337 motion_3.2.9-3.diff.gz
360695a99151d8b30731d733e6b9d60e12b4ed53 276226 motion_3.2.9-3_amd64.deb
Checksums-Sha256:
305a4c93ca4f9552faf41281a7a09c22068d9b08c0bae7f455edb80917c2c8b7 1088 motion_3.2.9-3.dsc
6bf1d3f85327c74b6a26add1611fbf01afabc2df6616b68cce5a67b88444f953 32337 motion_3.2.9-3.diff.gz
e82af6379207561b1cde1887f6e7149f50eaffc6fdb26691e47d966b2d4ebb3b 276226 motion_3.2.9-3_amd64.deb
Files:
719b48db77f743d22135c496706032b0 1088 graphics optional motion_3.2.9-3.dsc
1263211501b214bc98339f19d45b3260 32337 graphics optional motion_3.2.9-3.diff.gz
04930970bf1f1d55cc1b2c899397e1b0 276226 graphics optional motion_3.2.9-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhKKowACgkQgY5NIXPNpFVDUgCdFOINCkt/Cy+xcKN0OLOl18wK
a54AoJW3M4jImPnXR+FvZwfczpL6YXes
=3b1a
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>: Bug#484572; Package motion.
(full text, mbox, link).
Acknowledgement sent to ack@telefonica.net:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>: Bug#484572; Package motion.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>: Bug#484572; Package motion.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.
(full text, mbox, link).
retitle 484572 CVE-2008-2654: motion off-by-one in webhttpd.c
thanks
Hi,
Just to let you know, CVE-2008-2654 was assigned to this
issue.
Kind regards
NIco
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `CVE-2008-2654: motion off-by-one in webhttpd.c' from `[motion] off-by-one in webhttpd.c'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 11 Jun 2008 01:15:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 18 Jul 2008 07:41:07 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.