[CAN-2004-0777] Remote Format String Vulnerability

Bug #7506 reported by Debian Bug Importer
Affects             Status         Importance   Assigned to   Milestone
courier (Debian)    Fix Released   Unknown
courier (Ubuntu)    Invalid        High         Unassigned

Bug Description

Automatically imported from Debian bug report #266723 http://bugs.debian.org/266723

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #266723 http://bugs.debian.org/266723

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 18 Aug 2004 22:24:23 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: [CAN-2004-0777] Remote Format String Vulnerability

Package: courier-imap
Version: 3.0.5.20040712-1
Severity: grave
Tags: security upstream fixed-upstream sarge sid

There is a vulnerability in the authlib/debug.c's auth_debug function that
is exploitable when DEBUG_LOGIN isn't set to 0. Details are in
http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities

The courier-imap version in woody does not appear to be vulnerable as it
does not have an auth_debug function.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1
--
Obsig: developing a new sig

Revision history for this message
In , Stefan Hornburg (Racke) (racke) wrote : sarge+sid Courier versions already fixed

Hello,

I checked the 0.45.6.20040712-1 source code and noticed that the fix
is already in authlib/debug.c, therefore neither woody nor sarge or
sid are vulnerable AFAICT.

Thanks for the report

 Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

Revision history for this message
In , Martin Schulze (joey-infodrom) wrote :

Stefan Hornburg wrote:
> Hello,
>
> I checked the 0.45.6.20040712-1 source code and noticed that the fix
> is already in authlib/debug.c, therefore neither woody nor sarge or
> sid are vulnerable AFAICT.

Thanks, added to nonvulns-woody.

Regards,

 Joey

--
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 19 Aug 2004 09:17:27 +0200
From: Stefan Hornburg <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: sarge+sid Courier versions already fixed

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 19 Aug 2004 09:31:41 +0200
From: Martin Schulze <email address hidden>
To: Stefan Hornburg <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: sarge+sid Courier versions already fixed

Revision history for this message
Fabio Massimo Di Nitto (fabbione) wrote :

Our version contains the fix as well

Revision history for this message
In , Martin Pitt (pitti) wrote : This bug does not seem to be fixed

reopen 266723
thanks

Hi Stefan!

How did you check that this bug is fixed in courier-0.45.6.20040712?
The file authlib/debug.c is identical to courier-0.45.6 and the
function in both versions is identical to the one shown in the
security advisory [1].

The advisory says that this bug is fixed in 3.0.7.

Please evaluate this again.

Thanks,

Martin

[1] http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities

--
Martin Pitt Debian GNU/Linux Developer
<email address hidden> <email address hidden>
http://www.piware.de http://www.debian.org

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 9 Sep 2004 20:24:35 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: This bug does not seem to be fixed

Revision history for this message
In , Stefan Hornburg (Racke) (racke) wrote : Re: Bug#266723: This bug does not seem to be fixed

On Thu, 9 Sep 2004 20:24:35 +0200
Martin Pitt <email address hidden> wrote:

> reopen 266723
> thanks
>
> Hi Stefan!
>
> How did you check that this bug is fixed in courier-0.45.6.20040712?
> the file authlib/debug.c is identical to courier-0.45.6

This is correct. Brian Candler rewrote the debug stuff for 0.45.5.

> and the
> function in both versions is identical to the one shown in the
> security advisory [1].

This is not correct. From authlib/debug.c:

static int auth_debug( const char *ofmt, const char *fmt, va_list ap )
{

 char buf[DEBUG_MESSAGE_SIZE];
 int i;
 int len;

 /* print into buffer to be able to replace control and other unwanted chars. */
 vsnprintf( buf, DEBUG_MESSAGE_SIZE, fmt, ap );
 len = strlen( buf );

 /* replace nonprintable chars by dot */
 for( i=0 ; i<len ; i++ )
  if( !isprint(buf[i]) )
   buf[i] = '.';

 /* emit it */

 return fprintf( stderr, ofmt , buf );
}

This function is different from the one mentioned in the advisory.

>
> The advisory says that this bug is fixed in 3.0.7.
>

This is not correct: either the bug is still present or it has
been fixed before 3.0.5.

> Please evaluate this again.

Done.

Bye
 Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
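As an added example (not code from the bug report or from Courier), the hardened pattern Racke quotes above, reworked to write into a caller buffer so the result can be checked, plus a small check that the outer format really carries exactly one %s, which the posted function relies on but never verifies. DEBUG_MESSAGE_SIZE's value, the function names and the sample login name are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The posted function uses this name; the value here is an assumption. */
#define DEBUG_MESSAGE_SIZE 256

/* Hardened pattern from the thread: untrusted data only ever enters vsnprintf
 * as an argument of a trusted fmt, and the finished text is then handed to the
 * outer format as its single %s argument, never as a format itself.
 * Writes into 'out' instead of stderr so the result can be inspected. */
static int auth_debug_to(char *out, size_t outsz, const char *ofmt,
                         const char *fmt, ...)
{
    char buf[DEBUG_MESSAGE_SIZE];
    va_list ap;
    int i, len;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);     /* bounded and NUL-terminated */
    va_end(ap);

    len = (int)strlen(buf);
    for (i = 0; i < len; i++)                /* dot out control characters */
        if (!isprint((unsigned char)buf[i])) /* cast: plain char may be negative */
            buf[i] = '.';

    return snprintf(out, outsz, ofmt, buf);  /* buf is data, not a format */
}

/* Check a practitioner would add: the outer format must contain exactly one
 * plain %s (%% allowed) and no other conversion, or the call above is miswired.
 * Width/flag forms such as %-20s are rejected on purpose. */
static int ofmt_is_safe(const char *ofmt)
{
    int n_s = 0;
    for (; *ofmt; ofmt++) {
        if (*ofmt != '%') continue;
        if (ofmt[1] == '%') { ofmt++; continue; } /* literal percent sign */
        if (ofmt[1] != 's') return 0;
        n_s++;
    }
    return n_s == 1;
}

/* Render one debug line for a (constructed) login name. */
static const char *demo_line(const char *login)
{
    static char out[512];
    auth_debug_to(out, sizeof out, "authdaemon: %s\n",
                  "login attempt for user '%s'", login);
    return out;
}

int main(void)
{
    /* Constructed hostile login: format directives plus an ESC byte. */
    fputs(demo_line("bob%x%n\x1b[2J"), stdout);
    return ofmt_is_safe("authdaemon: %s\n") ? 0 : 1;
}
```

The directives in the login name survive as literal text and the ESC byte becomes a dot, which is exactly what separates the rewritten function from the one the advisory describes.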

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 9 Sep 2004 23:42:25 +0200
From: Stefan Hornburg <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed

Revision history for this message
In , Martin Pitt (pitti) wrote :

Hi Stefan!

Thanks for your fast reply.

On 2004-09-09 23:42 +0200, Stefan Hornburg wrote:
> > How did you check that this bug is fixed in courier-0.45.6.20040712?
> > the file authlib/debug.c is identical to courier-0.45.6
>
> This is correct. Brian Candler rewrote the debug stuff for 0.45.5.

Did that already contain the security fix?

>
> > and the
> > function in both versions is identical to the one shown in the
> > security advisory [1].
>
> This is not correct. From authlib/debug.c:
> [...]
> This function is different from the one mentioned in the advisory.

Indeed, sorry for that.

> > The advisory says that this bug is fixed in 3.0.7.
> >
>
> This is not correct, either the bug is still present or it has
> been fixed before 3.0.5.

And which alternative is the right one? In any case the advisory is
erroneous wrt the version numbers. If the bug is fixed, then please
close this bug again (I reopened it in my previous mail).

Thanks in advance and have a nice day!

Martin

--
Martin Pitt Debian GNU/Linux Developer
<email address hidden> <email address hidden>
http://www.piware.de http://www.debian.org

Revision history for this message
In , Stefan Hornburg (Racke) (racke) wrote :

On Fri, 10 Sep 2004 12:12:53 +0200
Martin Pitt <email address hidden> wrote:

> Hi Stefan!
>
> Thanks for your fast reply.
>
> On 2004-09-09 23:42 +0200, Stefan Hornburg wrote:
> > > How did you check that this bug is fixed in courier-0.45.6.20040712?
> > > the file authlib/debug.c is identical to courier-0.45.6
> >
> > This is correct. Brian Candler rewrote the debug stuff for 0.45.5.
>
> Did that already contain the security fix?

It looks like he fixed it before the vulnerability was detected.
However, I'm no security expert and cannot tell for sure if this
code is correct now.

>
> >
> > > and the
> > > function in both versions is identical to the one shown in the
> > > security advisory [1].
> >
> > This is not correct. From authlib/debug.c:
> > [...]
> > This function is different from the one mentioned in the advisory.
>
> Indeed, sorry for that.

Everyone makes mistakes. No problem.

>
> > > The advisory says that this bug is fixed in 3.0.7.
> > >
> >
> > This is not correct, either the bug is still present or it has
> > been fixed before 3.0.5.
>
> And which alternative is the right one? In any case the advisory is
> erroneous wrt the version numbers. If the bug is fixed, then please
> close this bug again (I reopened it in my previous mail).
>
> Thanks in advance and have a nice day!

With regards

 Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

Revision history for this message
In , Florian Weimer (fw) wrote :

* Martin Pitt:

> [1] http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities

ISTR that this advisory contained a lot of misinformation. I would
consider it an authoritative source for the vulnerability.

Revision history for this message
In , Stefan Hornburg (Racke) (racke) wrote :

On Fri, 10 Sep 2004 12:56:51 +0200
Florian Weimer <email address hidden> wrote:

> * Martin Pitt:
>
> > [1] http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities
>
> ISTR that this advisory contained a lot of misinformation.

Seconded.

> I would consider it an authoritative source for the vulnerability.

Isn't that a contradiction to your first statement?

Bye
 Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

Revision history for this message
In , Florian Weimer (fw) wrote :

* Stefan Hornburg:

> On Fri, 10 Sep 2004 12:56:51 +0200
> Florian Weimer <email address hidden> wrote:
>
>> * Martin Pitt:
>>
>> > [1] http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities
>>
>> ISTR that this advisory contained a lot of misinformation.
>
> Seconded.
>
>> I would consider it an authoritative source for the vulnerability.
>
> Isn't that a contradiction to your first statement ?

Oops, sorry. "I would *not* consider it..."

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Sep 2004 12:12:53 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 10 Sep 2004 12:29:48 +0200
From: Stefan Hornburg <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Sep 2004 12:56:51 +0200
From: Florian Weimer <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 10 Sep 2004 13:12:02 +0200
From: Stefan Hornburg <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Sep 2004 13:34:38 +0200
From: Florian Weimer <email address hidden>
To: Stefan Hornburg <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed

Changed in courier:
status: Unknown → Fix Released