[osiris] fwd: CVE-2006-3120: Arbitrary code execution in osiris
Jamie Wilkinson
jaq at debian.org
Mon Jul 24 04:27:47 EDT 2006
I've received this patch from the Debian Security Team, please apply it to
upstream as soon as possible. It applies cleanly to 4.2.0 (excluding the
debian/changelog hunk, obviously).
----- Forwarded message from Martin Schulze <joey at infodrom.org> -----
Date: Sun, 23 Jul 2006 12:29:30 +0200
From: Martin Schulze <joey at infodrom.org>
Subject: CVE-2006-3120: Arbitrary code execution in osiris
To: Jamie Wilkinson <jaq at debian.org>
Cc: Debian Security Team <team at security.debian.org>
User-Agent: Mutt/1.5.11+cvs20060403
Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project
have found several format string security bugs in osiris, a
network-wide system integrity monitor control interface. A remote
attacker could exploit them and cause a denial of service or execute
arbitrary code.
Please
. update the package in sid
. mention the CVE id from the subject in the changelog
. tell me the version number of the fixed package
. use urgency=high
Regards,
Joey
--
Long noun chains don't automatically imply security. -- Bruce Schneier
diff -u osiris-4.0.6/debian/changelog osiris-4.0.6/debian/changelog
--- osiris-4.0.6/debian/changelog
+++ osiris-4.0.6/debian/changelog
@@ -1,3 +1,11 @@
+osiris (4.0.6-1sarge1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied patch by Ulf Harnhammar to fix arbitrary code execution and
+ other problems [osirisd/logging.c, osirismd/logging.c, CVE-2006-3120]
+
+ -- Martin Schulze <joey at finlandia.org> Sun, 23 Jul 2006 12:07:42 +0200
+
osiris (4.0.6-1) unstable; urgency=low
* New upstream release.
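Review bot: the entry "fix arbitrary code execution and other problems" is vaguer than the Debian changelog usually is; since the code hunks that follow only change the format argument of seven syslog() calls, either spell out what the "other problems" are or trim the entry to "fix format string vulnerabilities in syslog() calls" so the changelog matches the diff. Also note the maintainer address in the trailer line (finlandia.org) differs from the From: header (infodrom.org); harmless, but worth confirming it is the intended signature.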
only in patch2:
unchanged:
--- osiris-4.0.6.orig/src/osirisd/logging.c
+++ osiris-4.0.6/src/osirisd/logging.c
@@ -93,7 +93,7 @@
fprintf( stdout, "\n" );
}
#else
- syslog( ( SYSLOG_FACILITY | LOG_ERR ), header );
+ syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header );
#endif
}
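Review bot: the fix for the LOG_ERR call is correct, but the `#if` side of this conditional, where `header` is written to stdout, is outside the visible context (only the trailing `fprintf( stdout, "\n" )` shows); confirm that branch emits `header` via a fixed format (`"%s"`) or `fputs`, otherwise the same bug survives in non-syslog builds.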
@@ -147,7 +147,7 @@
fprintf( stdout, "\n" );
}
#else
- syslog( ( SYSLOG_FACILITY | LOG_INFO ), header );
+ syslog( ( SYSLOG_FACILITY | LOG_INFO ), "%s", header );
#endif
}
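Review bot: the LOG_INFO change is identical in shape to the LOG_ERR one, which suggests routing all three calls through one small helper declared with `__attribute__((format(printf, 2, 3)))`; with that, `-Wformat-security` would have flagged the bare `header` argument at compile time and will catch any future call site that reintroduces it.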
@@ -201,7 +201,7 @@
fprintf( stdout, "\n" );
}
#else
- syslog( ( SYSLOG_FACILITY | LOG_WARNING ), header );
+ syslog( ( SYSLOG_FACILITY | LOG_WARNING ), "%s", header );
#endif
}
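Review bot: LOG_WARNING is now consistent with the other two. Before merging, a tree-wide search for `syslog(` or `*printf(` calls whose format argument is a variable rather than a string literal would confirm these are the only sites; the three fixed here were found by audit, and the pattern is easy to miss elsewhere.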
only in patch2:
unchanged:
--- osiris-4.0.6.orig/src/osirismd/logging.c
+++ osiris-4.0.6/src/osirismd/logging.c
@@ -106,7 +106,7 @@
fprintf( stdout, "\n" );
}
#else
- syslog( ( syslog_facility | LOG_ERR ), header );
+ syslog( ( syslog_facility | LOG_ERR ), "%s", header );
#endif
}
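Review bot: same fix, correctly applied. One observation from the visible line: `syslog_facility` here is a lowercase runtime variable, unlike the `SYSLOG_FACILITY` macro in osirisd. If its value comes from configuration, make sure it is validated against the known LOG_* facility constants before being OR'ed into the priority, so a bad setting cannot produce an out-of-range priority.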
@@ -168,7 +168,7 @@
fprintf( stdout, "\n" );
}
#else
- syslog( ( syslog_facility | LOG_INFO ), header );
+ syslog( ( syslog_facility | LOG_INFO ), "%s", header );
#endif
}
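Review bot: correct. Consider a one-line comment above the `#else` stating that `header` may contain text derived from network input and that the literal `"%s"` format is deliberate; without it, a later cleanup that "simplifies" the call back to `syslog( ..., header )` would look harmless in review.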
@@ -230,7 +230,7 @@
fprintf( stdout, "\n" );
}
#else
- syslog( ( syslog_facility | LOG_WARNING ), header );
+ syslog( ( syslog_facility | LOG_WARNING ), "%s", header );
#endif
}
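Review bot: fine as a fix. Since this file's three message-level functions now all end in the same `#if`/`#else` block with only the priority differing, the change is a good moment to collapse them into one function taking the priority as a parameter; fewer copies of the syslog call means fewer places for the unsafe form to come back.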
@@ -281,7 +281,7 @@
NULL); /* no raw data */
}
#else
- syslog( ( syslog_facility | LOG_INFO ), buffer );
+ syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
#endif
}
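Review bot: this hunk passes `buffer` rather than `header`, and the preceding context shows a separate call in the `#if` branch that takes `NULL /* no raw data */` as an argument; that call is not visible here, so confirm it receives `buffer` as data (a `%s` argument or a plain string parameter) and not as its format string, since the same audit finding would apply there.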
----- End forwarded message -----