various unfixed security bugs

Related Vulnerabilities: CVE-2005-4439   CVE-2006-0347  

Debian Bug report logs - #349528
various unfixed security bugs


Package: elog; Maintainer for elog is Roger Kalt <roger.kalt@gmail.com>; Source for elog is src:elog (PTS, buildd, popcon).

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Mon, 23 Jan 2006 15:48:16 UTC

Severity: grave

Tags: fixed, fixed-upstream, security, upstream

Found in version elog/2.6.0beta2+r1716-1

Fixed in version 2.6.1+r1638-1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: various unfixed security bugs
Date: Mon, 23 Jan 2006 16:42:16 +0100
Package: elog
Version: 2.6.0beta2+r1716-1
Tags: security upstream fixed-upstream
Severity: grave

First a little version cross-reference, based on the src/elog{,d}.c
files.

  Debian              CVS (elogd.c)    Subversion
  2.6.0beta2+r1716-1  1.717*           r1445
  2.5.7+r1558-3       1.558 + 1.648    r1202 + r1347

* Part of the upstream are contained in the .diff.gz file, so the
  embedded version number is not quite correct.

The following issues are unfixed upstream:

  - CVE-2005-4439: buffer overflow through long URL parameters
    <http://marc.theaimsgroup.com/?m=113498708213563>

  - If host names are resolved, no forward lookup is performed to
    verify the PTR RR.  (This does not affect the sarge version
    because it unconditionally uses addresses, not host names.)

  - There are still some format string issues when things are written
    to the logfile.

Apparently, upstream is not aware of those three issues.
    
The following potential security issues have been fixed upstream, but
not in the sid version (there are some more issues apparently, but
those bugs were introduced past the sid version AFAICS):

------------------------------------------------------------------------
r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
Changed paths:
   M /trunk/src/elogd.c

Fixed bug with fprintf and buffer containing "%"

------------------------------------------------------------------------
r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
Changed paths:
   M /trunk/src/elog.c
   M /trunk/src/elogd.c

Do not distinguish between invalid user name and invalid password for security reasons



On top of that, the following issues affect the sarge version only:

------------------------------------------------------------------------
r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Applied patch from Emiliano to fix possible buffer overflow

------------------------------------------------------------------------
r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed crashes with very long (revisions) attributes


I've back-ported all four issues to the sarge version, but they
haven't received any testing yet.  If anybody has got a sarge elog
installation, please speak up.

I'm going to ask upstream about the following issue:

------------------------------------------------------------------------
r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
Changed paths:
   M /trunk/src/elogd.c

Fixed infinite redirection with ?fail=1



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@debian.org>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #10 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 349528@bugs.debian.org
Cc: Stefan Ritt <stefan.ritt@psi.ch>
Subject: Re: Bug#349528: various unfixed security bugs
Date: Tue, 24 Jan 2006 00:39:00 +0200
[Message part 1 (text/plain, inline)]
First of all thanks for the detailed analysis!  I haven't been able to work
on elog much, due to heavy work load these days.

* Florian Weimer [2006-01-23 16:42:16+0100]
> Package: elog
> Version: 2.6.0beta2+r1716-1
> Tags: security upstream fixed-upstream
> Severity: grave
> 
> First a little version cross-reference, based on the src/elog{,d}.c
> files.
> 
>   Debian              CVS (elogd.c)    Subversion
>   2.6.0beta2+r1716-1  1.717*           r1445
>   2.5.7+r1558-3       1.558 + 1.648    r1202 + r1347
> 
> * Part of the upstream are contained in the .diff.gz file, so the
>   embedded version number is not quite correct.
> 
> The following issues are unfixed upstream:
> 
>   - CVE-2005-4439: buffer overflow through long URL parameters
>     <http://marc.theaimsgroup.com/?m=113498708213563>
> 
>   - If host names are resolved, no forward lookup is performed to
>     verify the PTR RR.  (This does not affect the sarge version
>     because it unconditionally uses addresses, not host names.)
> 
>   - There are still some format string issues when things are written
>     to the logfile.
> 
> Apparently, upstream is not aware of those three issues.
>     
> The following potential security issues have been fixed upstream, but
> not in the sid version (there are some more issues apparently, but
> those bugs were introduced past the sid version AFAICS):

I'm going to prepare an urgent sid upload for those bugs.

>
> ------------------------------------------------------------------------
> r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
> Changed paths:
>    M /trunk/src/elogd.c
> 
> Fixed bug with fprintf and buffer containing "%"
> 
> ------------------------------------------------------------------------
> r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elog.c
>    M /trunk/src/elogd.c
> 
> Do not distinguish between invalid user name and invalid password for security reasons
> 
> 
> 
> On top of that, the following issues affect the sarge version only:
> 
> ------------------------------------------------------------------------
> r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elogd.c
> 
> Applied patch from Emiliano to fix possible buffer overflow
> 
> ------------------------------------------------------------------------
> r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elogd.c
> 
> Fixed crashes with very long (revisions) attributes
> 
> 
> I've back-ported all four issues to the sarge version, but they
> haven't received any testing yet.  If anybody has got a sarge elog
> installation, please speak up.

Thanks for the backport, unfortunately I don't have a Sarge box at the
moment, but will try to find one.  Could you please supply the URL of the
backported patch so that I can also work on it?

> I'm going to ask upstream about the following issue:
> 
> ------------------------------------------------------------------------
> r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elogd.c
> 
> Fixed infinite redirection with ?fail=1

CCing to Stefan.

[Stefan: Please keep the discussion CCed to the bug report]

Regards,

-- 
roktas
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #15 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Recai Oktaş <roktas@debian.org>
Cc: 349528@bugs.debian.org, Stefan Ritt <stefan.ritt@psi.ch>
Subject: Re: Bug#349528: various unfixed security bugs
Date: Tue, 24 Jan 2006 00:07:35 +0100
[Message part 1 (text/plain, inline)]
* Recai Oktaş:

> Thanks for the backport, unfortunately I don't have a Sarge box at the
> moment, but will try to find one.

A sarge chroot is probably good enough for this kind of package.

>> The following potential security issues have been fixed upstream, but
>> not in the sid version (there are some more issues apparently, but
>> those bugs were introduced past the sid version AFAICS):
>
> I'm going to prepare an urgent sid upload for those bugs.

I'm not sure if it is worth the effort, until we have all other issues
sorted out.

> Thanks for the backport, unfortunately I don't have a Sarge box at the
> moment, but will try to find one.  Could you please supply the URL of the
> backported patch so that I can also work on it?

Okay, the four patches for sarge I've got so far are included below.
Patch five and six address a few issues I spotted while backporting.
Everything is completely untested.

[0001-r1333-Fixed-crashes-with-very-long-revisions-attributes.txt (text/plain, attachment)]
[0002-r1335-Applied-patch-from-Emiliano-to-fix-possible-buffer-overflow.txt (text/plain, attachment)]
[0003-r1472-Do-not-distinguish-between-invalid-user-name-and-invalid-password.txt (text/plain, attachment)]
[0004-r1529-Fixed-bug-with-fprintf-and-buffer-containing.txt (text/plain, attachment)]
[0005-Fix-potential-format-string-issues-when-calling-write_logfile.txt (text/plain, attachment)]
[0006-Fix-potential-buffer-overflow-in-write_logfile.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Stefan Ritt <stefan.ritt@psi.ch>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #20 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Stefan Ritt <stefan.ritt@psi.ch>
To: Recai Oktaş <roktas@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 349528@bugs.debian.org
Subject: Re: Bug#349528: various unfixed security bugs
Date: Tue, 24 Jan 2006 08:23:39 +0100
Dear all,

thanks for reporting these issues. I was completely unaware of them 
until today. I will fix all things in the next days and let you know.

Best regards,

  Stefan

Recai Oktaş wrote:
> First of all thanks for the detailed analysis!  I haven't been able to work
> on elog much, due to heavy work load these days.
> 
> * Florian Weimer [2006-01-23 16:42:16+0100]
>> Package: elog
>> Version: 2.6.0beta2+r1716-1
>> Tags: security upstream fixed-upstream
>> Severity: grave
>>
>> First a little version cross-reference, based on the src/elog{,d}.c
>> files.
>>
>>   Debian              CVS (elogd.c)    Subversion
>>   2.6.0beta2+r1716-1  1.717*           r1445
>>   2.5.7+r1558-3       1.558 + 1.648    r1202 + r1347
>>
>> * Part of the upstream are contained in the .diff.gz file, so the
>>   embedded version number is not quite correct.
>>
>> The following issues are unfixed upstream:
>>
>>   - CVE-2005-4439: buffer overflow through long URL parameters
>>     <http://marc.theaimsgroup.com/?m=113498708213563>
>>
>>   - If host names are resolved, no forward lookup is performed to
>>     verify the PTR RR.  (This does not affect the sarge version
>>     because it unconditionally uses addresses, not host names.)
>>
>>   - There are still some format string issues when things are written
>>     to the logfile.
>>
>> Apparently, upstream is not aware of those three issues.
>>     
>> The following potential security issues have been fixed upstream, but
>> not in the sid version (there are some more issues apparently, but
>> those bugs were introduced past the sid version AFAICS):
> 
> I'm going to prepare an urgent sid upload for those bugs.
> 
>> ------------------------------------------------------------------------
>> r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
>> Changed paths:
>>    M /trunk/src/elogd.c
>>
>> Fixed bug with fprintf and buffer containing "%"
>>
>> ------------------------------------------------------------------------
>> r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
>> Changed paths:
>>    M /trunk/src/elog.c
>>    M /trunk/src/elogd.c
>>
>> Do not distinguish between invalid user name and invalid password for security reasons
>>
>>
>>
>> On top of that, the following issues affect the sarge version only:
>>
>> ------------------------------------------------------------------------
>> r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
>> Changed paths:
>>    M /trunk/src/elogd.c
>>
>> Applied patch from Emiliano to fix possible buffer overflow
>>
>> ------------------------------------------------------------------------
>> r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
>> Changed paths:
>>    M /trunk/src/elogd.c
>>
>> Fixed crashes with very long (revisions) attributes
>>
>>
>> I've back-ported all four issues to the sarge version, but they
>> haven't received any testing yet.  If anybody has got a sarge elog
>> installation, please speak up.
> 
> Thanks for the backport, unfortunately I don't have a Sarge box at the
> moment, but will try to find one.  Could you please supply the URL of the
> backported patch so that I can also work on it?
> 
>> I'm going to ask upstream about the following issue:
>>
>> ------------------------------------------------------------------------
>> r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
>> Changed paths:
>>    M /trunk/src/elogd.c
>>
>> Fixed infinite redirection with ?fail=1
> 
> CCing to Stefan.
> 
> [Stefan: Please keep the discussion CCed to the bug report]
> 
> Regards,
> 


-- 
Dr. Stefan Ritt           Phone: +41 56 310 3728
Paul Scherrer Institute   FAX: +41 56 310 2199
OLGA/021                  mailto:stefan.ritt@psi.ch
CH-5232 Villigen PSI      http://midas.psi.ch/~stefan



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #25 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 349528@bugs.debian.org
Subject: Re: Bug#349528: various unfixed security bugs
Date: Tue, 24 Jan 2006 09:25:21 +0200
[Message part 1 (text/plain, inline)]
Hi,

* Florian Weimer [2006-01-24 00:07:35+0100]
> * Recai Oktaş:
> 
> > I'm going to prepare an urgent sid upload for those bugs.
> 
> I'm not sure if it is worth the effort, until we have all other issues
> sorted out.

Agreed.  I would be glad if you added yourself to the "Uploaders" field.
You're totally free to make any upload.

-- 
roktas
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #30 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Recai Oktaş <roktas@omu.edu.tr>
Cc: 349528@bugs.debian.org
Subject: Re: Bug#349528: various unfixed security bugs
Date: Tue, 24 Jan 2006 12:56:03 +0100
* Recai Oktaş:

>> I'm not sure if it is worth the effort, until we have all other issues
>> sorted out.
>
> Agreed.  I would be glad if you added yourself to the "Uploaders" field.
> You're totally free to make any upload.

Uhm, I don't use elog myself and have zero interest in that package
beyond that there are several unfixed high-severity security bugs in
it.



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Stefan Ritt <stefan.ritt@psi.ch>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #35 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Stefan Ritt <stefan.ritt@psi.ch>
To: Florian Weimer <fw@deneb.enyo.de>, roktas@debian.org, 349528@bugs.debian.org
Subject: Re: Security bugs in elog
Date: Tue, 24 Jan 2006 21:26:20 +0100
Hi,

I fixed the issues reported in 
http://marc.theaimsgroup.com/?m=113498708213563 in ELOG revision r1635. 
I encourage you to update as soon as possible.

>   - If host names are resolved, no forward lookup is performed to
>     verify the PTR RR.  (This does not affect the sarge version
>     because it unconditionally uses addresses, not host names.)

Can you specify what you mean by that exactly?

>   - There are still some format string issues when things are written
>     to the logfile.

I thought I had fixed these things already some time ago. Can you
recheck revision 1635?

> Apart from that, I discovered the following recent security fixes in
> the subversion repository:
> 
> r1529: Fixed bug with fprintf and buffer containing "%"
> r1472: Do not distinguish between invalid user name and invalid password
> r1335: Applied patch from Emiliano to fix possible buffer overflow
> r1333: Fixed crashes with very long (revisions) attributes

I believe so.

> Is this list complete as far as fixes past r1202 are concerned?  What
> about r1487, is it a significant DoS condition?

Yes.

Best regards,

  Stefan

-- 
Dr. Stefan Ritt           Phone: +41 56 310 3728
Paul Scherrer Institute   FAX: +41 56 310 2199
OLGA/021                  mailto:stefan.ritt@psi.ch
CH-5232 Villigen PSI      http://midas.psi.ch/~stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #40 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Stefan Ritt <stefan.ritt@psi.ch>
Cc: roktas@debian.org, 349528@bugs.debian.org
Subject: Re: Security bugs in elog
Date: Tue, 24 Jan 2006 21:51:00 +0100
* Stefan Ritt:

>>   - If host names are resolved, no forward lookup is performed to
>>     verify the PTR RR.  (This does not affect the sarge version
>>     because it unconditionally uses addresses, not host names.)
>
> Can you specify what you mean by that exactly?

If I read the code correctly, it just requests the PTR record from
DNS, and logs the host name that is returned.

Suppose that I added

171.189.9.212.in-addr.arpa. 172800 IN PTR    deneb.debian.org.

to the 189.9.212.in-addr.arpa zone (which I technically control
because it's IP address space).  Now deneb.debian.org does not belong
to me, so this is forgery.  In order to detect such things, you have
to perform a forward lookup as well (which would fail in this case
because deneb.debian.org is not an official host name used by Debian)
and check that the returned IP addresses, if any, include the IP
address you started with.  Since DNS is quite dynamic, it's also a
good idea to include IP address information in the log file in all
cases, even if a proper host name was found in DNS.

>>   - There are still some format string issues when things are written
>>     to the logfile.
>
> I thought I had fixed these things already some time ago. Can you
> recheck revision 1635?

There are still many lines that read:

   write_logfile(lbs, str);

However, the second argument of write_logfile is passed to vsprintf
(which should be turned into vsnprintf, by the way), so it should be a
real format string, and not some user input.  The 0005 patch I sent
tries to address that (but for the version in Debian stable).

>> Is this list complete as far as fixes past r1202 are concerned?  What
>> about r1487, is it a significant DoS condition?
>
> Yes.

Okay, this patch shouldn't be too hard to extract.  Recai, could you
backport that one and the fixes from r1635 to stable?
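The forward-confirmed reverse DNS check Florian describes above, as an added example that is not part of elog or of this thread. The forward resolver is injected as a function pointer so the forged-PTR scenario from the message (212.9.189.171 claiming to be deneb.debian.org) can be reproduced offline against a constructed lookup table; `forward_getaddrinfo` is the live variant with the same signature. All host names and addresses in the table are constructed except the pair quoted from the report.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* A forward resolver fills out[] with up to max IPv4 addresses for name and
 * returns how many it found (0 when the name does not resolve). */
typedef int (*forward_fn)(const char *name, struct in_addr *out, int max);

/* Forward-confirmed reverse DNS: the PTR name is trusted only if resolving
 * it forward yields the address we started with.  1 = confirmed, 0 = not. */
static int fcrdns_verify(const char *ip, const char *ptr_name, forward_fn forward)
{
    struct in_addr start, got[16];
    if (inet_pton(AF_INET, ip, &start) != 1)
        return 0;                            /* not a valid IPv4 literal */
    int n = forward(ptr_name, got, 16);
    for (int i = 0; i < n; i++)
        if (got[i].s_addr == start.s_addr)
            return 1;
    return 0;                                /* name is absent or points elsewhere */
}

/* Peer label for a log line.  The IP address is always present (DNS data
 * changes over time); the host name is added only once it is confirmed. */
static const char *peer_label(const char *ip, const char *ptr_name, forward_fn forward)
{
    static char buf[320];
    if (ptr_name && fcrdns_verify(ip, ptr_name, forward))
        snprintf(buf, sizeof buf, "%s [%s]", ptr_name, ip);
    else
        snprintf(buf, sizeof buf, "[%s]", ip);
    return buf;
}

/* Live resolver with the same signature, for real use (not called below). */
int forward_getaddrinfo(const char *name, struct in_addr *out, int max)
{
    struct addrinfo hints, *res, *ai;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;
    int n = 0;
    for (ai = res; ai && n < max; ai = ai->ai_next)
        out[n++] = ((struct sockaddr_in *)ai->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return n;
}

/* Constructed forward-lookup table standing in for DNS so this runs offline.
 * deneb.debian.org is deliberately absent: in the forgery scenario from the
 * report its forward lookup fails, so the PTR must not be believed. */
static int forward_fake(const char *name, struct in_addr *out, int max)
{
    static const struct { const char *name; const char *ip; } table[] = {
        { "mail.example.net", "192.0.2.10" },
        { "mail.example.net", "192.0.2.11" },   /* one name, two A records */
        { "www.example.net",  "198.51.100.5" },
    };
    int n = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0] && n < max; i++)
        if (strcmp(table[i].name, name) == 0 &&
            inet_pton(AF_INET, table[i].ip, &out[n]) == 1)
            n++;
    return n;
}

int main(void)
{
    /* Forged PTR from the report: 171.189.9.212.in-addr.arpa -> deneb.debian.org */
    printf("%s\n", peer_label("212.9.189.171", "deneb.debian.org", forward_fake));
    /* PTR whose forward lookup includes the source address: confirmed */
    printf("%s\n", peer_label("192.0.2.11", "mail.example.net", forward_fake));
    /* PTR names a real host, but that host's addresses do not include ours */
    printf("%s\n", peer_label("203.0.113.7", "www.example.net", forward_fake));
    return 0;
}
```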



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #45 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 349528@bugs.debian.org
Subject: Re: Security bugs in elog
Date: Wed, 25 Jan 2006 09:34:15 +0200
[Message part 1 (text/plain, inline)]
* Florian Weimer [2006-01-24 21:51:00+0100]
> * Stefan Ritt:
> >> Is this list complete as far as fixes past r1202 are concerned?  What
> >> about r1487, is it a significant DoS condition?
> >
> > Yes.
> 
> Okay, this patch shouldn't be too hard to extract.  Recai, could you
> backport that one and the fixes from r1635 to stable?

OK.  I'm sending three separate patches attached for your review:

    * 0007-r1635-Fix-CVE-2005-4439.txt
      Backport r1635: targets to fix CVE-2005-4439

    * 0008-r1487-Fix-DoS-condition.txt
      Backport r1487: fixes infinite redirection

    * 0009-r1636-Add-IP-address-to-logfile.txt [optional]
      Backport r1636: adds IP address to log file

All three patches + your previous six patches were applied and compiled
successfully.  I've also tested the fixed package in my system without any
glitches.  Now, I'm going to build and test it in a Sarge chroot jail.

Hope I haven't missed anything.

Regards,

-- 
roktas
[0007-r1635-Fix-CVE-2005-4439.txt (text/plain, attachment)]
[0008-r1487-Fix-DoS-condition.txt (text/plain, attachment)]
[0009-r1636-Add-IP-address-to-logfile.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #50 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Stefan Ritt <stefan.ritt@psi.ch>
Cc: 349528@bugs.debian.org
Subject: Re: Security bugs in elog
Date: Wed, 25 Jan 2006 11:55:59 +0100
* Stefan Ritt:

> Florian Weimer wrote:
>> address you started with.  Since DNS is quite dynamic, it's also a
>> good idea to include IP address information in the log file in all
>> cases, even if a proper host name was found in DNS.
>
> So I put the IP address there in any case, committed in revision 1636.

Thanks.

>> However, the second argument of write_logfile is passed to vsprintf
>> (which should be turned into vsnprintf, by the way), so it should be a
>> real format string, and not some user input.  The 0005 patch I sent
>> tries to address that (but for the version in Debian stable).
>
> That's not true anymore. Inside write_logfile, I do not use vsprintf any 
> more, instead I use strlcat() which should be safe.

Okay, the current version in your Subversion repository should be safe
indeed.  I missed the strlcat change, as I looked mostly at the Debian
versions.
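The logfile format-string issue raised in the two messages above (the `write_logfile(lbs, str)` call pattern, the vsprintf/vsnprintf point, and the r1529 "buffer containing %" bug), as an added example that is not elog's code. `write_logline` is a hypothetical stand-in for elogd's logfile writer that formats into a caller-supplied buffer so the behaviour can be checked without a file; the sample inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The pattern the report flags (not to be used): the user-derived buffer
 * becomes the format string itself, so any '%' in it is interpreted.
 *
 *     sprintf(str, "Login failed for %s", user_name);
 *     write_logfile(lbs, str);            // str is now the format string
 *
 * Fixed pattern: keep the format constant, pass data as an argument, and
 * bound the write (vsnprintf rather than vsprintf). */

/* Stand-in for the logfile writer.  Returns the vsnprintf result: a value
 * >= outlen means the line did not fit and was truncated, not overflowed. */
static int write_logline(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened call site: user_text may contain '%' sequences or be arbitrarily
 * long; both are handled because it is an argument, never the format. */
static int log_user_text(char *out, size_t outlen, const char *user_text)
{
    return write_logline(out, outlen, "LOGIN user=%s", user_text);
}

/* Review aid: would this text be unsafe to hand to a printf-style function
 * as the format with no further arguments?  Only "%%" is a safe percent. */
static int unsafe_as_format(const char *text)
{
    for (const char *p = text; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* literal percent sign */
            p++;
            continue;
        }
        return 1;                 /* a conversion that would read arguments */
    }
    return 0;
}

int main(void)
{
    char line[128];
    /* '%' characters in the data survive literally */
    log_user_text(line, sizeof line, "50%%s%n off");
    printf("%s\n", line);
    /* an over-long value is cut at the buffer size instead of overflowing */
    char big[301];
    memset(big, 'A', 300);
    big[300] = 0;
    int n = log_user_text(line, sizeof line, big);
    printf("needed %d bytes, wrote %zu\n", n, strlen(line));
    printf("unsafe_as_format: %d %d\n",
           unsafe_as_format("100%% done"), unsafe_as_format("user %s"));
    return 0;
}
```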



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #55 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: 349528@bugs.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, Stefan Ritt <stefan.ritt@psi.ch>
Subject: Re: Security bugs in elog
Date: Thu, 26 Jan 2006 11:00:39 +0200
[Message part 1 (text/plain, inline)]
* Recai Oktaş [2006-01-25 09:34:15+0200]
> All three patches + your previous six patches were applied and compiled
> successfully.  I've also tested the fixed package in my system without any
> glitches.  Now, I'm going to build and test it in a Sarge chroot jail.

I've just tested the _pbuilded_ Sarge package against the CVE-2005-4439
vulnerability and confirmed that elogd behaved normally (no core dump).

Florian: If you haven't any objections, I'll upload to stable-security
(with some final cosmetic touches).  Also, the new upstream package will
follow (for sid).

Stefan: Thank you very much for the urgent fix.

Regards,

-- 
roktas
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #60 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Recai Oktaş <roktas@omu.edu.tr>
Cc: 349528@bugs.debian.org, Stefan Ritt <stefan.ritt@psi.ch>
Subject: Re: Bug#349528: Security bugs in elog
Date: Thu, 26 Jan 2006 13:41:53 +0100
* Recai Oktaş:

> * Recai Oktaş [2006-01-25 09:34:15+0200]
> Florian: If you haven't any objections, I'll upload to stable-security

You need to coordinate this with the stable-security team.  If you
could upload a new upstream version to unstable, this would be fine,
though.

So far, the patch for CVE-2006-0347 was missing. A tentative backport
of the upstream fix is included below.  I dropped the hunk which dealt
with "scripts" support because this functionality is not present in
the sarge version.

The changelog entry should look like this:

  Backport revision 1620 from upstream Subversion repository:
  "Prohibit '..' in URLs" [CVE-2006-0347]

diff --git a/src/elogd.c b/src/elogd.c
index a24f27e..dbf2101 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -20872,6 +20872,25 @@ void server_loop(void)
             setcfg_topgroup("");
 
             p = strchr(net_buffer, '/') + 1;
+
+            /* check for ../.. to avoid serving of files on top of the elog directory */
+            for (i = 0; p[i] && p[i] != ' ' && p[i] != '?'; i++)
+               url[i] = p[i];
+            url[i] = 0;
+
+            if (strstr(url, "../..")) {
+               sprintf(str, "Invalid URL: %s", url);
+               show_error(str);
+               send(_sock, return_buffer, strlen_retbuf + 1, 0);
+               keep_alive = 0;
+               if (verbose) {
+                  eprintf("==== Return ================================\n");
+                  eputs(return_buffer);
+                  eprintf("\n\n");
+               }
+               goto finished;
+            }
+
             logbook[0] = 0;
             for (i = 0; *p && *p != '/' && *p != '?' && *p != ' '; i++)
                logbook[i] = *p++;
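Review bot: the copy loop `for (i = 0; p[i] && p[i] != ' ' && p[i] != '?'; i++) url[i] = p[i];` has no bound on `i` against the size of `url`, so an over-long request path is copied until the first space or '?' however large `url` is; limiting the loop to `sizeof(url) - 1` (or using the strlcpy pattern the surrounding code already uses) keeps this new check from adding another unbounded copy to a file whose overflows are the subject of this bug. The `strstr(url, "../..")` test also matches only the literal substring "../..", whereas the second hunk rejects any "..", so the two filters disagree on what is invalid; applying the stricter ".." rule here too makes the behaviour consistent. Likewise `sprintf(str, "Invalid URL: %s", url)` writes the untrusted path into `str` with no length limit; `snprintf(str, sizeof(str), ...)` matches the strlcpy/strlcat style used a few lines below.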
@@ -20935,6 +20954,21 @@ void server_loop(void)
                 strstr(logbook, ".jpg") || strstr(logbook, ".png") ||
                 strstr(logbook, ".ico") || strstr(logbook, ".htm")
                 || strstr(logbook, ".css")) {
+
+               /* do not allow '..' in file name */
+               if (strstr(logbook, "..")) {
+                  sprintf(str, "Invalid URL: %s", logbook);
+                  show_error(str);
+                  send(_sock, return_buffer, strlen_retbuf + 1, 0);
+                  keep_alive = 0;
+                  if (verbose) {
+                     eprintf("==== Return ================================\n");
+                     eputs(return_buffer);
+                     eprintf("\n\n");
+                  }
+                  goto finished;
+               }
+
                /* check if file in resource directory */
                strlcpy(str, resource_dir, sizeof(str));
                strlcat(str, logbook, sizeof(str));
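Review bot: the rejection block (sprintf into `str`, show_error, send, `keep_alive = 0`, the verbose trace, `goto finished`) duplicates the one in the previous hunk line for line; factoring it into a small helper would keep the two error paths from drifting apart and leave one place to fix the unbounded `sprintf(str, "Invalid URL: %s", logbook)`. Note also that `strstr(logbook, "..")` runs only inside the branch selected by the extension substring tests above it (`.jpg`, `.png`, `.ico`, `.htm`, `.css`), so a name without one of those substrings is never examined here and relies entirely on the weaker `"../.."` test in the first hunk; that is worth a sentence in the changelog alongside the dropped "scripts" hunk so reviewers know which paths each check covers.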




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(full text, mbox, link).


Message #65 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 26 Jan 2006 20:44:14 +0200
[Message part 1 (text/plain, inline)]
[sorry for the delay, my internet connection is sketchy these days]

* Moritz Muehlenhoff [2006-01-26 10:57:53+0100]
> Florian, thanks a lot for sorting this out!
> I'll prepare the DSA; Recai, what cosmetic fixes do you intend
> to do? A security upload's changes should be strictly limited to the
> security issues. 

Only changes in debian/changelog (adopt my changelog style).

> Can you send me the debdiff between the Sarge version and your proposed
> upload to the security queue or the proposed update itself?

Debdiff is attached.  You can reach the proposed update at the following
uri:

    http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1.diff.gz
    http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1.dsc
    http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1_i386.deb

And here is the relevant changelog entry for your inspection:

  elog (2.5.7+r1558-4+sarge1) stable-security; urgency=high
  
    * Major security update (big thanks to Florian Weimer)
      + Backport r1333 from upstream's Subversion repository:
        "Fixed crashes with very long (revisions) attributes"
      + Backport r1335 from upstream's Subversion repository:
        "Applied patch from Emiliano to fix possible buffer overflow"
      + Backport r1472 from upstream's Subversion repository:
        "Do not distinguish between invalid user name and invalid password
         for security reasons"
      + Backport r1487 from upstream's Subversion repository:
        "Fixed infinite redirection with ?fail=1"
      + Backport r1529 from upstream's Subversion repository:
        "Fixed bug with fprintf and buffer containing "%""
        [Our patch just eliminates the format string vulnerability.]
      + Backport r1620 from upstream's Subversion repository:
        "Prohibit '..' in URLs" [CVE-2006-0347]
      + Backport r1635 from upstream's Subversion repository:
        "Fixed potential buffer overflows" [CVE-2005-4439]
      + Backport r1636 from upstream's Subversion repository:
        "Added IP address to log file"

* Florian Weimer [2006-01-26 13:41:53+0100]
> So far, the patch for CVE-2006-0347 was missing. A tentative backport
> of the upstream fix is included below.  I dropped the hunk which dealt
> with "scripts" support because this functionality is not present in
> the sarge version.
> 
> The changelog entry should look like this:
> 
>   Backport revision 1620 from upstream Subversion repository:
>   "Prohibit '..' in URLs" [CVE-2006-0347]

Hmm, I should have checked the CVE database for other issues.  Thanks for
doing it on my behalf.  I have applied the above patch and tested it for
a failure case explained in the Elog forums:

    http://midas.psi.ch/elogs/Forum/1615

It seems fine here (Elog returns an "Invalid URL" message).

Regards,

-- 
roktas
[elog_2.5.7+r1558-3_2.5.7+r1558-4+sarge1.debdiff.gz (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Recai Oktaş <roktas@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@omu.edu.tr>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@omu.edu.tr>. (full text, mbox, link).


Message #72 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Recai Oktaş <roktas@omu.edu.tr>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: your mail
Date: Fri, 27 Jan 2006 15:28:00 +0100
Recai Oktaş wrote:
>   elog (2.5.7+r1558-4+sarge1) stable-security; urgency=high
>   
>     * Major security update (big thanks to Florian Weimer)
>       + Backport r1333 from upstream's Subversion repository:
>         "Fixed crashes with very long (revisions) attributes"
>       + Backport r1335 from upstream's Subversion repository:
>         "Applied patch from Emiliano to fix possible buffer overflow"
>       + Backport r1472 from upstream's Subversion repository:
>         "Do not distinguish between invalid user name and invalid password
>          for security reasons"
>       + Backport r1487 from upstream's Subversion repository:
>         "Fixed infinite redirection with ?fail=1"
>       + Backport r1529 from upstream's Subversion repository:
>         "Fixed bug with fprintf and buffer containing "%""
>         [Our patch just eliminates the format string vulnerability.]
>       + Backport r1620 from upstream's Subversion repository:
>         "Prohibit '..' in URLs" [CVE-2006-0347]
>       + Backport r1635 from upstream's Subversion repository:
>         "Fixed potential buffer overflows" [CVE-2005-4439]
>       + Backport r1636 from upstream's Subversion repository:
>         "Added IP address to log file"

Why is r1636 necessary? This seems like a new feature (better logging
in case of an attack), but doesn't seem to fix a direct security problem
and could potentially break scripts that monitor the log file and expect
the current logfile file format.

The rest of the patch looks fine.
 
Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>. (full text, mbox, link).


Message #77 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, Stefan Ritt <stefan.ritt@psi.ch>
Subject: Re: Security bugs in elog
Date: Sat, 28 Jan 2006 01:56:06 +0200
[Message part 1 (text/plain, inline)]
* Moritz Muehlenhoff [2006-01-27 15:28:00+0100]
> Recai Oktaş wrote:
> >       + Backport r1636 from upstream's Subversion repository:
> >         "Added IP address to log file"
> 
> Why is r1636 necessary? This seems like a new feature (better logging
> in case of an attack), but doesn't seem to fix a direct security problem
> and could potentially break scripts that monitor the log file and expect
> the current logfile file format.

I'll remove it.

> The rest of the patch looks fine.

Hmm, just found some other issues regarding this CVE-2005-4439.  Previous 
tests had seemed fine to me, but when I made more tests, the bug came up 
again.  I believe the attached patch should fix this completely.  Stefan, 
could you have a look at it please?

-- 
roktas
[0011-Real-Fix-CVE-2005-4439.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>. (full text, mbox, link).


Message #82 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Security bugs in elog
Date: Sat, 28 Jan 2006 15:18:07 +0200
[Message part 1 (text/plain, inline)]
* Recai Oktaş [2006-01-28 01:56:06+0200]
> Hmm, just found some other issues regarding this CVE-2005-4439.  Previous 
> tests had seemed fine to me, but when I made more tests, the bug came up 
> again.  I believe the attached patch should fix this completely.  Stefan, 
> could you have a look at it please?

Stefan has confirmed my patch and applied it in r1642.  So far, the 
following patches have been applied:

    http://people.debian.org/~roktas/elog-backport-patches/

I've created a new package and confirmed that it works:

    http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1.diff.gz
    http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1.dsc
    http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1_i386.deb

Debdiff is attached and here is the new changelog for your convenience:

    elog (2.5.7+r1558-4+sarge1) stable-security; urgency=critical

    * Major security update (big thanks to Florian Weimer)
      + Backport r1333 from upstream's Subversion repository:
        "Fixed crashes with very long (revisions) attributes"
      + Backport r1335 from upstream's Subversion repository:
        "Applied patch from Emiliano to fix possible buffer overflow"
      + Backport r1472 from upstream's Subversion repository:
        "Do not distinguish between invalid user name and invalid password
         for security reasons"
      + Backport r1487 from upstream's Subversion repository:
        "Fixed infinite redirection with ?fail=1"
      + Backport r1529 from upstream's Subversion repository:
        "Fixed bug with fprintf and buffer containing "%""
        [Our patch just eliminates the format string vulnerability.]
      + Backport r1620 from upstream's Subversion repository:
        "Prohibit '..' in URLs" [CVE-2006-0347]
      + Backport r1635 and r1642 from upstream's Subversion repository:
        "Fixed potential buffer overflows" [CVE-2005-4439]

Let me know whether it is fine and I'll make the upload to stable-security
(right?).

Regards,

-- 
roktas
[elog_2.5.7+r1558-3_2.5.7+r1558-4+sarge1.debdiff.gz (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]
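As an added illustration of two of the fix classes in the changelog above (this is not elog's or the backport's own code; `validate_url`, `url_ok` and the 32-byte buffer are assumptions), a bounded percent-decode followed by refusal of any `..` in the URL; it goes beyond the changelog wording by decoding before checking:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not elog's code.  Copies a request URL into a
 * fixed-size buffer while percent-decoding it, refusing input that would
 * not fit (the overlong-parameter class, CVE-2005-4439), then refuses any
 * decoded URL containing ".." (CVE-2006-0347).  Decoding first means
 * "%2e%2e" cannot bypass the check; the substring test is deliberately
 * coarse, matching the changelog's "Prohibit '..' in URLs". */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 1 and fills out[] when url is acceptable; 0 when it is too long,
 * has a malformed %XX escape, or contains "..". */
int validate_url(const char *url, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p;

    for (p = url; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return 0;          /* malformed escape: refuse */
            c = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= outlen) return 0;     /* no room: refuse, never truncate */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return strstr(out, "..") == NULL;
}

/* Convenience wrapper with a small constructed buffer (assumed size). */
int url_ok(const char *url)
{
    char buf[32];
    return validate_url(url, buf, sizeof buf);
}
```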

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>. (full text, mbox, link).


Message #87 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Recai Oktaş <roktas@omu.edu.tr>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Security bugs in elog
Date: Sat, 28 Jan 2006 17:22:27 +0100
Recai Oktaş wrote:
> Debdiff is attached and here is the new changelog for your convenience:
> 
>     elog (2.5.7+r1558-4+sarge1) stable-security; urgency=critical
> 
>     * Major security update (big thanks to Florian Weimer)
>       + Backport r1333 from upstream's Subversion repository:
>         "Fixed crashes with very long (revisions) attributes"
>       + Backport r1335 from upstream's Subversion repository:
>         "Applied patch from Emiliano to fix possible buffer overflow"
>       + Backport r1472 from upstream's Subversion repository:
>         "Do not distinguish between invalid user name and invalid password
>          for security reasons"
>       + Backport r1487 from upstream's Subversion repository:
>         "Fixed infinite redirection with ?fail=1"
>       + Backport r1529 from upstream's Subversion repository:
>         "Fixed bug with fprintf and buffer containing "%""
>         [Our patch just eliminates the format string vulnerability.]
>       + Backport r1620 from upstream's Subversion repository:
>         "Prohibit '..' in URLs" [CVE-2006-0347]
>       + Backport r1635 and r1642 from upstream's Subversion repository:
>         "Fixed potential buffer overflows" [CVE-2005-4439]
> 
> Let me know whether it is fine and I'll make the upload to stable-security
> (right?).

Thanks, it looks good, please upload.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>. (full text, mbox, link).


Message #92 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Recai Oktaş <roktas@omu.edu.tr>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Security bugs in elog
Date: Sun, 5 Feb 2006 19:47:45 +0100
Recai Oktaş wrote:
> Let me know whether it is fine and I'll make the upload to stable-security
> (right?).

Did you upload? I don't see any builds trickling in. If not, I'll do it.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#349528; Package elog. (full text, mbox, link).


Acknowledgement sent to Recai Oktaş <roktas@omu.edu.tr>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>. (full text, mbox, link).


Message #97 received at 349528@bugs.debian.org (full text, mbox, reply):

From: Recai Oktaş <roktas@omu.edu.tr>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, 349528@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Security bugs in elog
Date: Sun, 5 Feb 2006 20:56:56 +0200
* Moritz Muehlenhoff [2006-02-05 19:47:45+0100]
> Recai Oktaş wrote:
> > Let me know whether it is fine and I'll make the upload to stable-security
> > (right?).
> 
> Did you upload? I don't see any builds trickling in. If not, I'll do it.

Yes, uploaded on 28 January:

    http://lists.debian.org/debian-changes/2006/01/msg00048.html

-- 
roktas



Bug marked as fixed in version 2.6.1+r1638-1, send any further explanations to Florian Weimer <fw@deneb.enyo.de> Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. (full text, mbox, link).


Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#349528. (full text, mbox, link).


Message #102 received at 349528-submitter@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 349528-submitter@bugs.debian.org
Subject: Debian bug #349528
Date: Thu, 26 Oct 2006 20:33:33 +0100
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #349528 in the elog 
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 00:59:05 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:00:25 2019; Machine Name: beach
