Debian Bug report logs - #431336
CVE-2007-2835 : Buffer overflow.
Reported by: Steve Kemp <skx@debian.org>
Date: Sun, 1 Jul 2007 19:18:01 UTC
Severity: grave
Tags: patch, security
Found in version unicon/3.0.4-11
Fixed in versions 3.0.4-11etch4, unicon/3.0.4-12
Done: Yu Guanghui <ygh@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Yu Guanghui <ygh@debian.org>: Bug#431336; Package unicon-imc2.
Acknowledgement sent to Steve Kemp <skx@debian.org>: New Bug report received and forwarded. Copy sent to Yu Guanghui <ygh@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: unicon-imc2
Version: 3.0.4-11
Severity: grave
Usertags: sourcescan
CVE-2007-2835 : Allows local root compromise via zhcon.
Anyway, the setuid(0) zhcon application links to this library,
which contains a buffer overflow which may be used to gain root.
(Actually any application using this library can be exploited;
this is the only setuid one I could spot.)
The source of this problem is ./unicon/ImmModules/cce/CCE_pinyin.c:
static int
IMM_Flush ()
{
char name[256];
sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
SaveUsrPhrase(name);
sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
SavePhraseFrequency(name);
return 1;
}
There are similar problems in the file /unicon/ImmModules/cce/xl_pinyin.c
too.
Steve
--
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/
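The unbounded `sprintf` into `name[256]` described in the report above, replaced by a bounded path builder, as an added example that is not part of the original report or of unicon. `build_pyinput_path` is a hypothetical helper, and the oversized home value in `main` is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper (not in unicon): build "<home>/.pyinput/<leaf>" into
 * out. Returns 0 on success, -1 if home is missing, not absolute, or the
 * result would not fit. On failure out is left as an empty string so a
 * caller that ignores the result cannot act on a truncated path. */
int build_pyinput_path(char *out, size_t outsz, const char *home, const char *leaf)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] != '/' || leaf == NULL)
        return -1;                       /* unset or relative $HOME */

    /* snprintf writes at most outsz bytes including the NUL and returns
     * the length the full string would have had. */
    n = snprintf(out, outsz, "%s/.pyinput/%s", home, leaf);
    if (n < 0 || (size_t)n >= outsz) {   /* error or truncation */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[256];
    char long_home[400];                 /* constructed oversized value */

    memset(long_home, 'A', sizeof(long_home) - 1);
    long_home[0] = '/';
    long_home[sizeof(long_home) - 1] = '\0';

    printf("normal: %d\n", build_pyinput_path(name, sizeof(name), "/home/user", "usrphrase.tab"));
    printf("long:   %d\n", build_pyinput_path(name, sizeof(name), long_home, "usrphrase.tab"));
    printf("unset:  %d\n", build_pyinput_path(name, sizeof(name), NULL, "usrphrase.tab"));
    return 0;
}
```

A caller would pass `getenv("HOME")` as `home` and skip the save when the helper returns -1.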
Information forwarded to debian-bugs-dist@lists.debian.org, Yu Guanghui <ygh@debian.org>: Bug#431336; Package unicon-imc2.
Acknowledgement sent to Steve Kemp <skx@debian.org>: Extra info received and forwarded to list. Copy sent to Yu Guanghui <ygh@debian.org>.
Message #10 received at 431336@bugs.debian.org:
Patch we used for the DSA.
diff -u unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/CCE_pinyin.c
@@ -159,9 +159,9 @@
IMM_Flush ()
{
char name[256];
- sprintf(name,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
+ snprintf(name,sizeof(name)-1,"%s/.pyinput/usrphrase.tab",getenv("HOME"));
SaveUsrPhrase(name);
- sprintf(name,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
+ snprintf(name,sizeof(name)-1,"%s/.pyinput/sysfrequency.tab",getenv("HOME"));
SavePhraseFrequency(name);
return 1;
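Review bot: Both new snprintf calls in IMM_Flush still pass getenv("HOME") straight to %s with no NULL check, and neither return value is tested. xl_pinyin.c guards the same lookup with (usrhome = getenv ("HOME")) != NULL; IMM_Flush should do the same and return early when HOME is unset. Truncation also needs handling: if snprintf returns a value greater than or equal to the size passed, name holds a cut-off path and SaveUsrPhrase / SavePhraseFrequency will write to it, so return instead of saving. The size argument can be sizeof(name); snprintf already reserves room for the terminating NUL, so the -1 only gives up a byte.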
diff -u unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
--- unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
+++ unicon-3.0.4/unicon/ImmModules/cce/xl_pinyin.c
@@ -138,21 +138,21 @@
//Rat: modified for processing user-defined dictionaries
if ((usrhome = getenv ("HOME")) != NULL)
{
- sprintf (buf, "%s/%s", usrhome, ".pyinput");
+ snprintf (buf,sizeof(buf)-1, "%s/%s", usrhome, ".pyinput");
retval = stat (buf, &statbuf);
if ((retval == 0))
{
if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
{
- sprintf (buf, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
if ( (retval = stat(buf, &statbuf)) == 0)
{
if ( statbuf.st_size < MIN_USRPHR_SIZE || LoadUsrPhrase (buf) == -1)
{
printf ("Couldn't load %s. Please fix it. size or load error\n", buf);
- sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
if ((retval = access (buf, R_OK)) == 0)
{
if (LoadUsrPhrase (buf) == -1)
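Review bot: sizeof(buf)-1 in the three snprintf calls here is only a correct bound if buf is an array declared in this scope; its declaration is not part of the hunk, and if buf is a char * the limit becomes the pointer size minus one. Please confirm the declaration or pass the buffer's named size. The results are also unchecked, so a truncated buf goes on to stat, LoadUsrPhrase and access; compare each return value against the size and take the error path on truncation.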
@@ -164,7 +164,7 @@
else
{
creat (buf, 0600);
- sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
if ((retval = access (buf, R_OK)) == 0)
{
if (LoadUsrPhrase (buf) == -1)
@@ -181,10 +181,10 @@
else
{
mkdir (buf, 0700); //Rat: making $HOME/.pyinput
- sprintf (buf, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
creat (buf, 0600); //Rat: making $HOME/.pyinput/usrphrase.tab
- sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
if ((retval = access (buf, R_OK)) == 0)
{
if (LoadUsrPhrase (buf) == -1)
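Review bot: In the mkdir/creat branch, the snprintf that builds $HOME/.pyinput/usrphrase.tab is followed immediately by creat (buf, 0600) with no truncation check, so an over-long path is now silently cut and the file is created at the cut-off name. mkdir and creat are also unchecked, and the descriptor creat returns is never closed. The report states that this library is loaded by the setuid zhcon, so these calls create files under a directory taken from the environment with elevated privileges; they should check each return value, close the descriptor, and run with the invoking user's credentials.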
@@ -197,7 +197,7 @@
else
{
printf ("Sorry, I couldn't find your $HOME.\n");
- sprintf (buf, "%s/%s", szPath, "usrphrase.tab");
+ snprintf (buf, sizeof(buf)-1, "%s/%s", szPath, "usrphrase.tab");
printf ("Turn to access %s", buf);
if ((retval = access (buf, R_OK)) != 0)
@@ -210,7 +210,7 @@
}
- sprintf(buf,"%s/%s/%s",usrhome,".pyinput","sysfrequency.tab");
+ snprintf(buf,sizeof(buf)-1,"%s/%s/%s",usrhome,".pyinput","sysfrequency.tab");
if(LoadPhraseFrequency(buf) == -1)
{
creat(buf,0700);
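Review bot: The snprintf for sysfrequency.tab uses usrhome with no NULL check visible in this hunk, while the hunk after it wraps the same pattern in if (usrhome != NULL) and the hunk before it shows a path where $HOME was not found. Please confirm this line cannot be reached with usrhome == NULL, or add the same guard. Separately, creat(buf,0700) on the context line makes a data file executable; the other creat calls in this file use 0600.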
@@ -229,7 +229,7 @@
AdjustPhraseFreq (); // lower the freq to [0,50)
if (usrhome != NULL)
{
- sprintf (szFileName, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
+ snprintf (szFileName, sizeof(szFileName)-1, "%s/%s/%s", usrhome, ".pyinput", "usrphrase.tab");
SaveUsrPhrase (szFileName);
}
else
diff -u unicon-3.0.4/debian/changelog unicon-3.0.4/debian/changelog
--- unicon-3.0.4/debian/changelog
+++ unicon-3.0.4/debian/changelog
@@ -1,3 +1,11 @@
+unicon (3.0.4-11etch4) stable-security; urgency=high
+
+ * Non-maintainer upload by The Security Team.
+ * Fix the unsafe use of environmental variables.
+ [CVE-2007-2835]
+
+ -- Steve Kemp <skx@debian.org> Sun, 24 Jul 2007 15:02:42 +0000
+
unicon (3.0.4-11) unstable; urgency=low
* Changed TLS_PthSocket ::read ::write to Read, Write.
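Review bot: The trailer date in the new changelog entry, "Sun, 24 Jul 2007", does not match the calendar: this log dates the original report Sun, 1 Jul 2007, which makes 24 Jul 2007 a Tuesday. Please correct the weekday or the day. Consider also adding a Closes: #431336 reference to the entry; the log shows the bug being marked fixed in 3.0.4-11etch4 by a separate control message.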
Steve
--
http://www.steve.org.uk/
Tags added: security
Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 01 Jul 2007 21:06:05 GMT)
Tags added: patch
Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 01 Jul 2007 21:06:06 GMT)
Bug marked as fixed in version 3.0.4-11etch4.
Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Fri, 20 Jul 2007 23:09:02 GMT)
Reply sent to Yu Guanghui <ygh@debian.org>: You have taken responsibility.
Notification sent to Steve Kemp <skx@debian.org>: Bug acknowledged by developer.
Message #21 received at 431336-close@bugs.debian.org:
Source: unicon
Source-Version: 3.0.4-12
We believe that the bug you reported is fixed in the latest version of
unicon, which is due to be installed in the Debian FTP archive:
unicon-imc2_3.0.4-12_i386.deb
to pool/main/u/unicon/unicon-imc2_3.0.4-12_i386.deb
unicon_3.0.4-12.diff.gz
to pool/main/u/unicon/unicon_3.0.4-12.diff.gz
unicon_3.0.4-12.dsc
to pool/main/u/unicon/unicon_3.0.4-12.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 431336@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yu Guanghui <ygh@debian.org> (supplier of updated unicon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 06 Aug 2007 13:50:51 +0800
Source: unicon
Binary: unicon-imc2
Architecture: source i386
Version: 3.0.4-12
Distribution: unstable
Urgency: low
Maintainer: Yu Guanghui <ygh@debian.org>
Changed-By: Yu Guanghui <ygh@debian.org>
Description:
unicon-imc2 - Chinese Input Method Library
Closes: 431336
Changes:
unicon (3.0.4-12) unstable; urgency=low
.
* Merged CVE-2007-2835 to unstable. (Closes:Bug#431336)
Files:
208ba9b1abe26852dbe8e016ff4f2504 593 utils optional unicon_3.0.4-12.dsc
5615bce4b7c9544764d2e9bae7b9a6df 15934 utils optional unicon_3.0.4-12.diff.gz
42c5f502a17a93394a7f0ebffbb3cf0f 4151994 utils optional unicon-imc2_3.0.4-12_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:28:55 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:15:24 2019; Machine Name: buxtehude