Debian Bug report logs - #649322
clearsilver: FTBFS with -Werror=format-security

version graph

Package: clearsilver; Maintainer for clearsilver is Jesus Climent <jesus.climent@hispalinux.es>;

Reported by: Leo Iannacone <l3on@ubuntu.com>

Date: Sat, 19 Nov 2011 22:21:06 UTC

Severity: grave

Tags: patch, security

Fixed in version clearsilver/0.10.5-1.3

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Sat, 19 Nov 2011 22:21:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Iannacone <l3on@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Sat, 19 Nov 2011 22:21:09 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Leo Iannacone <l3on@ubuntu.com>
To: submit@bugs.debian.org
Date: Sat, 19 Nov 2011 23:19:48 +0100
[Message part 1 (text/plain, inline)]
Subject: clearsilver: FTBFS with -Werror=format-security
Package: clearsilver
Severity: normal

The package clearsilver fails to compile with the new hardened compiler
flags dpkg-buildflag outputs [0].
The problematic flag is: -Werror=format-security
See the ubuntu buildlog:
https://launchpadlibrarian.net/85252523/buildlog_ubuntu-precise-i386.clearsilver_0.10.5-1.2_FAILEDTOBUILD.txt.gz

Snippet:
 neo_cgi.c: In function 'p_cgi_error':
 neo_cgi.c:181:3: error: format not a string literal and no format
arguments [-Werror=format-security]
 cc1: some warnings being treated as errors


The problem bould be solved with:

--- a/python/neo_cgi.c
+++ b/python/neo_cgi.c
@@ -178,7 +178,7 @@
   if (!PyArg_ParseTuple(args, "s:error(str)", &s))
     return NULL;

-  cgi_error (cgi, s);
+  cgi_error (cgi, "%s", s);
   rv = Py_None;
   Py_INCREF(rv);
   return rv;


Please, apply this patch as soon as possible.


Best regards,
Leo Iannacone



[0] http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html


-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric
  APT policy: (500, 'oneiric')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-12-generic (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[fix-cgi-error-format-security.patch (text/x-patch, attachment)]

Set Bug title to 'clearsilver: FTBFS with -Werror=format-security'. Request was from Leo Iannacone <l3on@ubuntu.com> to control@bugs.debian.org. (Sat, 19 Nov 2011 23:09:09 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Leo Iannacone <l3on@ubuntu.com> to control@bugs.debian.org. (Sat, 19 Nov 2011 23:09:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Sun, 27 Nov 2011 15:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Sun, 27 Nov 2011 15:15:07 GMT) Full text and rfc822 format available.

Message #14 received at 649322@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Leo Iannacone <l3on@ubuntu.com>, 649322@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#649322:
Date: Sun, 27 Nov 2011 15:10:57 +0000
tags 649322 security
severity 649322 grave
thanks

On Sat, Nov 19, 2011 at 11:19:48PM +0100, Leo Iannacone wrote:
> The package clearsilver fails to compile with the new hardened compiler
> flags dpkg-buildflag outputs [0].
> The problematic flag is: -Werror=format-security
> See the ubuntu buildlog:
> https://launchpadlibrarian.net/85252523/buildlog_ubuntu-precise-i386.clearsilver_0.10.5-1.2_FAILEDTOBUILD.txt.gz
> 
> Snippet:
>  neo_cgi.c: In function 'p_cgi_error':
>  neo_cgi.c:181:3: error: format not a string literal and no format
> arguments [-Werror=format-security]
>  cc1: some warnings being treated as errors

This may very well be exploitable; I sent an example to security@ a
little while back, and CCed clearsilver@packages.debian.org.  Please
apply Leo's patch ASAP.

-- 
Colin Watson                                       [cjwatson@debian.org]




Added tag(s) security. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Sun, 27 Nov 2011 15:15:09 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'normal' Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Sun, 27 Nov 2011 15:15:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Sun, 27 Nov 2011 17:27:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Lieskovsky <jlieskov@redhat.com>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Sun, 27 Nov 2011 17:27:08 GMT) Full text and rfc822 format available.

Message #23 received at 649322@bugs.debian.org (full text, mbox):

From: Jan Lieskovsky <jlieskov@redhat.com>
To: 649322@bugs.debian.org
Subject: Re: Bug#649322
Date: Sun, 27 Nov 2011 18:25:57 +0100

The CVE identifier for this issue has been requested here:
[1] http://www.openwall.com/lists/oss-security/2011/11/27/1

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Tue, 29 Nov 2011 09:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Lieskovsky <jlieskov@redhat.com>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Tue, 29 Nov 2011 09:21:05 GMT) Full text and rfc822 format available.

Message #28 received at 649322@bugs.debian.org (full text, mbox):

From: Jan Lieskovsky <jlieskov@redhat.com>
To: 649322@bugs.debian.org
Subject: Re: Bug#649322
Date: Tue, 29 Nov 2011 10:18:42 +0100
The CVE identifier of CVE-2011-4357 has been assigned to this issue:
[2] http://www.openwall.com/lists/oss-security/2011/11/28/6

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Wed, 30 Nov 2011 18:12:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Wed, 30 Nov 2011 18:12:06 GMT) Full text and rfc822 format available.

Message #33 received at 649322@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Leo Iannacone <l3on@ubuntu.com>, 649322@bugs.debian.org, security@debian.org
Subject: Re: Bug#649322:
Date: Wed, 30 Nov 2011 19:11:49 +0100
On Sun, Nov 27, 2011 at 03:10:57PM +0000, Colin Watson wrote:
> tags 649322 security
> severity 649322 grave
> thanks
> 
> On Sat, Nov 19, 2011 at 11:19:48PM +0100, Leo Iannacone wrote:
> > The package clearsilver fails to compile with the new hardened compiler
> > flags dpkg-buildflag outputs [0].
> > The problematic flag is: -Werror=format-security
> > See the ubuntu buildlog:
> > https://launchpadlibrarian.net/85252523/buildlog_ubuntu-precise-i386.clearsilver_0.10.5-1.2_FAILEDTOBUILD.txt.gz
> > 
> > Snippet:
> >  neo_cgi.c: In function 'p_cgi_error':
> >  neo_cgi.c:181:3: error: format not a string literal and no format
> > arguments [-Werror=format-security]
> >  cc1: some warnings being treated as errors
> 
> This may very well be exploitable; I sent an example to security@ a
> little while back, and CCed clearsilver@packages.debian.org.  Please
> apply Leo's patch ASAP.

I've been preparing a DSA, which will be released soon.

Clearsilver maintainers, when fixing this, please ensure that you enable
the hardening build flags for clearsilver:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Sun, 11 Dec 2011 10:51:23 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Sun, 11 Dec 2011 10:51:28 GMT) Full text and rfc822 format available.

Message #38 received at 649322@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: Jesus Climent <jesus.climent@hispalinux.es>, Otavio Salvador <otavio@debian.org>, Lars Kruse <devel@sumpfralle.de>
Cc: 649322@bugs.debian.org
Subject: Open security issue in clearsilver
Date: Sun, 11 Dec 2011 11:47:53 +0100
Hi,

clearsilver has an open security issue[1] in testing/unstable with no
maintainer reaction in the last weeks; the security team has released a
DSA[2] for squeeze.

I am wondering if you are still looking after the package or are no
longer interested in it.

Regards,
Ansgar

[1] <http://bugs.debian.org/649322>
[2] <http://www.debian.org/security/2011/dsa-2355>




Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Sun, 11 Dec 2011 17:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Otavio Salvador <otavio@ossystems.com.br>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Sun, 11 Dec 2011 17:30:03 GMT) Full text and rfc822 format available.

Message #43 received at 649322@bugs.debian.org (full text, mbox):

From: Otavio Salvador <otavio@ossystems.com.br>
To: Ansgar Burchardt <ansgar@debian.org>
Cc: Jesus Climent <jesus.climent@hispalinux.es>, Lars Kruse <devel@sumpfralle.de>, 649322@bugs.debian.org
Subject: Re: Open security issue in clearsilver
Date: Sun, 11 Dec 2011 15:27:38 -0200
[Message part 1 (text/plain, inline)]
On Sun, Dec 11, 2011 at 08:47, Ansgar Burchardt <ansgar@debian.org> wrote:

> I am wondering if you are still looking after the package or are no
> longer interested in it.
>

Personally I am not involved with the package and all the little free time
I have I focus on Debian Installer. If you want, please take over the
package.

-- 
Otavio Salvador                             O.S. Systems
E-mail: otavio@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854              http://projetos.ossystems.com.br
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Sun, 25 Dec 2011 12:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Sun, 25 Dec 2011 12:21:06 GMT) Full text and rfc822 format available.

Message #48 received at 649322@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: strongswan@packages.qa.debian.org
Cc: Otavio Salvador <otavio@ossystems.com.br>, Jesus Climent <jesus.climent@hispalinux.es>, Lars Kruse <devel@sumpfralle.de>, 649322@bugs.debian.org
Subject: Re: Open security issue in clearsilver
Date: Sun, 25 Dec 2011 13:10:29 +0100
Otavio Salvador <otavio@ossystems.com.br> writes:
> On Sun, Dec 11, 2011 at 08:47, Ansgar Burchardt <ansgar@debian.org> wrote:
>
>     I am wondering if you are still looking after the package or are no
>     longer interested in it.
>
> Personally I am not involved with the package and all the little free
> time I have I focus on Debian Installer. If you want, please take over
> the package.

I was just looking at the list of open RC bugs and have no particular
interest in clearsilver as well.  Maybe the strongswan maintainers are
interested in keeping the package? (It is a build dependency for
strongswan.)

Regards,
Ansgar





Information forwarded to debian-bugs-dist@lists.debian.org, Jesus Climent <jesus.climent@hispalinux.es>:
Bug#649322; Package clearsilver. (Thu, 29 Dec 2011 21:06:37 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Jesus Climent <jesus.climent@hispalinux.es>. (Thu, 29 Dec 2011 21:06:42 GMT) Full text and rfc822 format available.

Message #53 received at 649322@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 649322@bugs.debian.org
Subject: clearsilver: diff for NMU version 0.10.5-1.3
Date: Thu, 29 Dec 2011 22:04:00 +0100
[Message part 1 (text/plain, inline)]
tags 649322 + pending
thanks

Dear Jesus,

I've prepared an NMU for clearsilver (versioned as 0.10.5-1.3) and
uploaded it to DELAYED/02 to fix the security issue. Please feel 
free to tell me if I should delay it longer.

Cheers

Luk
[clearsilver-0.10.5-1.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:07:01 GMT) Full text and rfc822 format available.

Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2011 21:36:03 GMT) Full text and rfc822 format available.

Notification sent to Leo Iannacone <l3on@ubuntu.com>:
Bug acknowledged by developer. (Sat, 31 Dec 2011 21:36:04 GMT) Full text and rfc822 format available.

Message #60 received at 649322-close@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 649322-close@bugs.debian.org
Subject: Bug#649322: fixed in clearsilver 0.10.5-1.3
Date: Sat, 31 Dec 2011 21:32:12 +0000
Source: clearsilver
Source-Version: 0.10.5-1.3

We believe that the bug you reported is fixed in the latest version of
clearsilver, which is due to be installed in the Debian FTP archive:

clearsilver-dev_0.10.5-1.3_i386.deb
  to main/c/clearsilver/clearsilver-dev_0.10.5-1.3_i386.deb
clearsilver_0.10.5-1.3.debian.tar.gz
  to main/c/clearsilver/clearsilver_0.10.5-1.3.debian.tar.gz
clearsilver_0.10.5-1.3.dsc
  to main/c/clearsilver/clearsilver_0.10.5-1.3.dsc
libclearsilver-perl_0.10.5-1.3_i386.deb
  to main/c/clearsilver/libclearsilver-perl_0.10.5-1.3_i386.deb
python-clearsilver_0.10.5-1.3_i386.deb
  to main/c/clearsilver/python-clearsilver_0.10.5-1.3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 649322@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated clearsilver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 29 Dec 2011 21:57:11 +0100
Source: clearsilver
Binary: clearsilver-dev python-clearsilver libclearsilver-perl
Architecture: source i386
Version: 0.10.5-1.3
Distribution: unstable
Urgency: high
Maintainer: Jesus Climent <jesus.climent@hispalinux.es>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 clearsilver-dev - headers and static library for clearsilver
 libclearsilver-perl - Perl bindings for clearsilver
 python-clearsilver - Python bindings for clearsilver
Closes: 649322
Changes: 
 clearsilver (0.10.5-1.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix format string vulnerability CVE-2011-4357 (Closes: #649322).
Checksums-Sha1: 
 ddba403f5476e5b9a9a9420e777e9eafad78aa55 1445 clearsilver_0.10.5-1.3.dsc
 ebb4e4ad672f9f1ffd3568c75a44975ea996adf4 7698 clearsilver_0.10.5-1.3.debian.tar.gz
 afc87db732c4b9b043cb4201a827b07524493432 281976 clearsilver-dev_0.10.5-1.3_i386.deb
 49df0438440a1c51ca677bda7057cba8f7bc347c 190628 python-clearsilver_0.10.5-1.3_i386.deb
 98c32cd0ae9aa16ce1bbe8ed397854221f62b781 95490 libclearsilver-perl_0.10.5-1.3_i386.deb
Checksums-Sha256: 
 122cbf716e2fcad88f8f60a75eb0e4b463fb25c839ac8e7c3ff2c49fe9f2b92c 1445 clearsilver_0.10.5-1.3.dsc
 5241d4816a0ecc73d801d3744980879bf467eb2e421c1a7b88db4710ed993574 7698 clearsilver_0.10.5-1.3.debian.tar.gz
 9897e5ad98d24ebc92d781472cdca8d90903d327efc48619ccd604259990531c 281976 clearsilver-dev_0.10.5-1.3_i386.deb
 65b34106a0940e04e9fa5d9679c89b8e7cb4d8510130aa46e6f3afe9752a6ea4 190628 python-clearsilver_0.10.5-1.3_i386.deb
 b03a4a991c1feff76cb9760fdf68cadd9de03a33791557dbdf792cc5d342c963 95490 libclearsilver-perl_0.10.5-1.3_i386.deb
Files: 
 4b91d9dd3360fb94178d62c958144c10 1445 devel optional clearsilver_0.10.5-1.3.dsc
 48e91d5b5745a9cf30e928a6f2fac9c0 7698 devel optional clearsilver_0.10.5-1.3.debian.tar.gz
 c3f979eb57d40660822e8b5e1ca9a894 281976 python optional clearsilver-dev_0.10.5-1.3_i386.deb
 5181507b138b02bd06b89ae07a6debed 190628 python optional python-clearsilver_0.10.5-1.3_i386.deb
 c050a9591dcf55f9ecbf595159236d50 95490 perl optional libclearsilver-perl_0.10.5-1.3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk781dUACgkQ5UTeB5t8Mo1aLQCeMD4hJ/kFGmJ1qcGNGnlDjxeh
oukAoLS9KHGGNkDld5Goai4/DJo2w6uD
=fws0
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Jan 2012 07:37:24 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:28:06 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.