[CAN-2004-0777] Remote Format String Vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
courier (Debian) | Fix Released | Unknown | |
courier (Ubuntu) | Invalid | High | Unassigned |
Bug Description
Automatically imported from Debian bug report #266723 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Wed, 18 Aug 2004 22:24:23 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: [CAN-2004-0777] Remote Format String Vulnerability
Package: courier-imap
Version: 3.0.5.20040712-1
Severity: grave
Tags: security upstream fixed-upstream sarge sid
There is a vulnerability in authlib/debug.c's auth_debug function that
is exploitable when DEBUG_LOGIN isn't set to 0. Details are in
http://
The courier-imap version in woody does not appear to be vulnerable as it
does not have an auth_debug function.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=
--
Obsig: developing a new sig
Debian Bug Importer (debzilla) wrote : | #5 |
Message-Id: <email address hidden>
Date: Thu, 19 Aug 2004 09:17:27 +0200
From: Stefan Hornburg <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: sarge+sid Courier versions already fixed
Hello,
I checked the 0.45.6.20040712-1 source code and noticed that the fix
is already in authlib/debug.c, therefore neither woody nor sarge or
sid are vulnerable AFAICT.
Thanks for the report
Racke
--
LinuXia Systems => http://
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://
Interchange Development Team
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Thu, 19 Aug 2004 09:31:41 +0200
From: Martin Schulze <email address hidden>
To: Stefan Hornburg <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: sarge+sid Courier versions already fixed
Stefan Hornburg wrote:
> Hello,
>
> I checked the 0.45.6.20040712-1 source code and noticed that the fix
> is already in authlib/debug.c, therefore neither woody nor sarge or
> sid are vulnerable AFAICT.
Thanks, added to nonvulns-woody.
Regards,
Joey
--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Fabio Massimo Di Nitto (fabbione) wrote : | #7 |
Our version contains the fix as well
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Thu, 9 Sep 2004 20:24:35 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: This bug does not seem to be fixed
reopen 266723
thanks
Hi Stefan!
How did you check that this bug is fixed in courier-
the file authlib/debug.c is identical to courier-0.45.6 and the
function in both versions is identical to the one shown in the
security advisory [1].
The advisory says that this bug is fixed in 3.0.7.
Please evaluate this again.
Thanks,
Martin
[1] http://
--
Martin Pitt Debian GNU/Linux Developer
<email address hidden> <email address hidden>
http://
Debian Bug Importer (debzilla) wrote : | #11 |
Message-Id: <email address hidden>
Date: Thu, 9 Sep 2004 23:42:25 +0200
From: Stefan Hornburg <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed
On Thu, 9 Sep 2004 20:24:35 +0200
Martin Pitt <email address hidden> wrote:
> reopen 266723
> thanks
>
> Hi Stefan!
>
> How did you check that this bug is fixed in courier-
> the file authlib/debug.c is identical to courier-0.45.6
This is correct. Brian Candler rewrote the debug stuff for 0.45.5.
> and the
> function in both versions is identical to the one shown in the
> security advisory [1].
This is not correct. From authlib/debug.c:
static int auth_debug( const char *ofmt, const char *fmt, va_list ap )
{
    char buf[DEBUG_MESSAGE_SIZE];
    int i;
    int len;

    /* print into buffer to be able to replace control and other unwanted chars. */
    vsnprintf( buf, DEBUG_MESSAGE_SIZE, fmt, ap );
    len = strlen( buf );

    /* replace nonprintable chars by dot */
    for( i=0 ; i<len ; i++ )
        if( !isprint(buf[i]) )
            buf[i] = '.';

    /* emit it */
    return fprintf( stderr, ofmt , buf );
}
This function is different from the one mentioned in the advisory.
>
> The advisory says that this bug is fixed in 3.0.7.
>
This is not correct; either the bug is still present or it has
been fixed before 3.0.5.
> Please evaluate this again.
Done.
Bye
Racke
--
LinuXia Systems => http://
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://
Interchange Development Team
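To make the point of the thread concrete (why the quoted auth_debug() is safe while a function that treats the login text as its format is not), here is an added example. It is not Courier's code and not posted by anyone in this bug; the names debug_unsafe, debug_render and count_directives, the value of DEBUG_MESSAGE_SIZE and the sample login string are all assumptions constructed for the illustration. The safe variant renders into a caller buffer instead of stderr so its output can be inspected.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; Courier defines its own in authlib/debug.c. */
#define DEBUG_MESSAGE_SIZE 256

/*
 * The bug class, not Courier's original code: an untrusted string (say a login
 * name) is handed to the printf family as the FORMAT, so "%x", "%s" or "%n"
 * inside it are interpreted against whatever sits in the argument area.
 * Kept only for contrast; main() and the test never feed it attacker data.
 */
static int debug_unsafe(char *out, size_t outsz, const char *untrusted, ...)
{
    va_list ap;
    int n;
    va_start(ap, untrusted);
    n = vsnprintf(out, outsz, untrusted, ap);   /* format string under attacker control */
    va_end(ap);
    return n;
}

/*
 * The safe shape, following the auth_debug() quoted in the thread: render fmt
 * (a programmer-owned literal) once into a bounded buffer, turn non-printable
 * bytes into dots, then pass the buffer as a %s ARGUMENT of ofmt. Unlike
 * Courier's function this writes into `out` instead of stderr.
 */
static int debug_render(char *out, size_t outsz, const char *ofmt, const char *fmt, ...)
{
    char buf[DEBUG_MESSAGE_SIZE];
    va_list ap;
    size_t i, len;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);        /* untrusted data arrives via %s, never as fmt */
    va_end(ap);

    len = strlen(buf);
    for (i = 0; i < len; i++)
        if (!isprint((unsigned char)buf[i]))    /* cast: isprint() on a negative char is UB */
            buf[i] = '.';                       /* also neutralises terminal escapes in the log */

    return snprintf(out, outsz, ofmt, buf);     /* buf is an argument, not a format */
}

/* Count printf conversion directives in untrusted data ("%%" is a literal percent). */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;
        else
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample input: a login name carrying format directives and an ESC sequence. */
    const char *login = "%x%x%n\x1b[2Jadmin";
    char out[512];

    debug_render(out, sizeof out, "auth: %s\n", "login attempt for %s", login);
    fputs(out, stdout);   /* auth: login attempt for %x%x%n.[2Jadmin */
    printf("directives an unsafe debug function would have interpreted: %d\n",
           count_directives(login));

    /* The unsafe variant is only ever given a directive-free string here. */
    debug_unsafe(out, sizeof out, "benign message\n");
    fputs(out, stdout);
    return 0;
}
```

The two functions differ in exactly one place: whether the attacker-influenced bytes reach the printf machinery as a format or as a `%s` argument. count_directives() is the cheap triage check for a log line or login name that a reviewer can run over captured input when deciding whether a debug path like this one was reachable.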
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Fri, 10 Sep 2004 12:12:53 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed
Hi Stefan!
Thanks for your fast reply.
On 2004-09-09 23:42 +0200, Stefan Hornburg wrote:
> > How did you check that this bug is fixed in courier-
> > the file authlib/debug.c is identical to courier-0.45.6
>
> This is correct. Brian Candler rewrote the debug stuff for 0.45.5.
Did that already contain the security fix?
>
> > and the
> > function in both versions is identical to the one shown in the
> > security advisory [1].
>
> This is not correct. From authlib/debug.c:
> [...]
> This function is different from the one mentioned in the advisory.
Indeed, sorry for that.
> > The advisory says that this bug is fixed in 3.0.7.
> >
>
> This is not correct, either the bug is still present or it has
> been fixed before 3.0.5.
And which alternative is the right one? In any case the advisory is
erroneous wrt the version numbers. If the bug is fixed, then please
close this bug again (I reopened it in my previous mail).
Thanks in advance and have a nice day!
Martin
--
Martin Pitt Debian GNU/Linux Developer
<email address hidden> <email address hidden>
http://
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Fri, 10 Sep 2004 12:29:48 +0200
From: Stefan Hornburg <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed
On Fri, 10 Sep 2004 12:12:53 +0200
Martin Pitt <email address hidden> wrote:
> Hi Stefan!
>
> Thanks for your fast reply.
>
> On 2004-09-09 23:42 +0200, Stefan Hornburg wrote:
> > > How did you check that this bug is fixed in courier-
> > > the file authlib/debug.c is identical to courier-0.45.6
> >
> > This is correct. Brian Candler rewrote the debug stuff for 0.45.5.
>
> Did that already contain the security fix?
It looks like he fixed it before the vulnerability was detected.
However, I'm no security expert and cannot tell for sure if this
code is correct now.
>
> >
> > > and the
> > > function in both versions is identical to the one shown in the
> > > security advisory [1].
> >
> > This is not correct. From authlib/debug.c:
> > [...]
> > This function is different from the one mentioned in the advisory.
>
> Indeed, sorry for that.
Everyone makes mistakes. No problem.
>
> > > The advisory says that this bug is fixed in 3.0.7.
> > >
> >
> > This is not correct, either the bug is still present or it has
> > been fixed before 3.0.5.
>
> And which alternative is the right one? In any case the advisory is
> erroneous wrt the version numbers. If the bug is fixed, then please
> close this bug again (I reopened it in my previous mail).
>
> Thanks in advance and have a nice day!
With regards
Racke
--
LinuXia Systems => http://
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://
Interchange Development Team
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Fri, 10 Sep 2004 12:56:51 +0200
From: Florian Weimer <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed
* Martin Pitt:
> [1] http://
ISTR that this advisory contained a lot of misinformation. I would
consider it an authoritative source for the vulnerability.
Debian Bug Importer (debzilla) wrote : | #20 |
Message-Id: <email address hidden>
Date: Fri, 10 Sep 2004 13:12:02 +0200
From: Stefan Hornburg <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed
On Fri, 10 Sep 2004 12:56:51 +0200
Florian Weimer <email address hidden> wrote:
> * Martin Pitt:
>
> > [1] http://
>
> ISTR that this advisory contained a lot of misinformation.
Seconded.
> I would consider it an authoritative source for the vulnerability.
Isn't that a contradiction to your first statement ?
Bye
Racke
--
LinuXia Systems => http://
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://
Interchange Development Team
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Fri, 10 Sep 2004 13:34:38 +0200
From: Florian Weimer <email address hidden>
To: Stefan Hornburg <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#266723: This bug does not seem to be fixed
* Stefan Hornburg:
> On Fri, 10 Sep 2004 12:56:51 +0200
> Florian Weimer <email address hidden> wrote:
>
>> * Martin Pitt:
>>
>> > [1] http://
>>
>> ISTR that this advisory contained a lot of misinformation.
>
> Seconded.
>
>> I would consider it an authoritative source for the vulnerability.
>
> Isn't that a contradiction to your first statement ?
Oops, sorry. "I would *not* consider it..."
Changed in courier: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #266723 http://bugs.debian.org/266723