[osiris] Re: fwd: CVE-2006-3120: Arbitrary code execution in osiris
B Potter
gdead at shmoo.com
Thu Jul 27 21:32:46 EDT 2006
Howdy,
Thanks for the patch. I've applied it and cut version 4.2.1.
Also note that osiris is using a new SVN server. The old code is
still available via the old SVN server (I need to migrate/archive all
the old data) but starting with 4.2.0, the new svn server is
e.shmoo.com. Details are on http://osiris.shmoo.com/
Thanks all.
bruce
On Jul 24, 2006, at 4:27 AM, Jamie Wilkinson wrote:
> I've received this patch from the Debian Security Team, please apply it to
> upstream as soon as possible. It applies cleanly to 4.2.0 (excluding the
> debian/changelog hunk, obviously).
>
>
> ----- Forwarded message from Martin Schulze <joey at infodrom.org> -----
>
> Date: Sun, 23 Jul 2006 12:29:30 +0200
> From: Martin Schulze <joey at infodrom.org>
> Subject: CVE-2006-3120: Arbitrary code execution in osiris
> To: Jamie Wilkinson <jaq at debian.org>
> Cc: Debian Security Team <team at security.debian.org>
> User-Agent: Mutt/1.5.11+cvs20060403
>
> Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project
> have found several format string security bugs in osiris, a
> network-wide system integrity monitor control interface. A remote
> attacker could exploit them and cause a denial of service or execute
> arbitrary code.
>
> Please
> . update the package in sid
> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package
> . use urgency=high
>
> Regards,
>
> Joey
>
> --
> Long noun chains don't automatically imply security. -- Bruce Schneier
>
> diff -u osiris-4.0.6/debian/changelog osiris-4.0.6/debian/changelog
> --- osiris-4.0.6/debian/changelog
> +++ osiris-4.0.6/debian/changelog
> @@ -1,3 +1,11 @@
> +osiris (4.0.6-1sarge1) stable-security; urgency=high
> +
> + * Non-maintainer upload by the Security Team
> + * Applied patch by Ulf Harnhammar to fix arbitrary code
> execution and
> + other problems [osirisd/logging.c, osirismd/logging.c,
> CVE-2006-3120]
> +
> + -- Martin Schulze <joey at finlandia.org> Sun, 23 Jul 2006 12:07:42
> +0200
> +
> osiris (4.0.6-1) unstable; urgency=low
>
> * New upstream release.
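Review bot: the changelog stanza as quoted here has been re-wrapped by the mail client (the `* Applied patch by Ulf Harnhammar ...` entry and the `-- Martin Schulze ...` trailer are each split across two lines), so this copy of the hunk will not apply as pasted and the original attachment should be used; the `only in patch2:` / `unchanged:` lines that follow are interdiff markers, not part of the unified diff.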
> only in patch2:
> unchanged:
> --- osiris-4.0.6.orig/src/osirisd/logging.c
> +++ osiris-4.0.6/src/osirisd/logging.c
> @@ -93,7 +93,7 @@
> fprintf( stdout, "\n" );
> }
> #else
> - syslog( ( SYSLOG_FACILITY | LOG_ERR ), header );
> + syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header );
> #endif
> }
>
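Review bot: the fix is the right one: with `syslog( ( SYSLOG_FACILITY | LOG_ERR ), header )` the message text is itself the format string, so any `%` conversion inside `header` is interpreted by syslog's printf engine, and `"%s", header` makes the format a literal. The stdout branch above `#else` is only visible here as `fprintf( stdout, "\n" )`; check that the preceding `fprintf` that writes `header` also uses a literal format, since both branches receive the same untrusted string.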
> @@ -147,7 +147,7 @@
> fprintf( stdout, "\n" );
> }
> #else
> - syslog( ( SYSLOG_FACILITY | LOG_INFO ), header );
> + syslog( ( SYSLOG_FACILITY | LOG_INFO ), "%s", header );
> #endif
> }
>
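Review bot: same one-line fix as the LOG_ERR case above, which is fine, but a build-time check is worth adding so the remaining call sites cannot regress: compiling with `-Wformat -Wformat-security` (or `-Werror=format-security`) flags every `syslog`/`printf`-family call whose format argument is a non-literal with no further arguments, which is exactly the shape this patch removes.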
> @@ -201,7 +201,7 @@
> fprintf( stdout, "\n" );
> }
> #else
> - syslog( ( SYSLOG_FACILITY | LOG_WARNING ), header );
> + syslog( ( SYSLOG_FACILITY | LOG_WARNING ), "%s", header );
> #endif
> }
>
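Review bot: the three functions in osirisd/logging.c now each carry their own `syslog( ( SYSLOG_FACILITY | LOG_x ), "%s", header )` line and differ only in the priority; a single helper along the lines of `log_header( int prio, const char *header )` that owns the `"%s"` call would leave one place to audit instead of three.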
> only in patch2:
> unchanged:
> --- osiris-4.0.6.orig/src/osirismd/logging.c
> +++ osiris-4.0.6/src/osirismd/logging.c
> @@ -106,7 +106,7 @@
> fprintf( stdout, "\n" );
> }
> #else
> - syslog( ( syslog_facility | LOG_ERR ), header );
> + syslog( ( syslog_facility | LOG_ERR ), "%s", header );
> #endif
> }
>
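Review bot: the osirismd copy uses a runtime `syslog_facility` variable where osirisd uses the `SYSLOG_FACILITY` macro, but the defect and its fix are identical. Since `syslog_facility` is OR'd straight into the priority argument, it is worth confirming it can only ever hold a valid LOG_* facility value wherever it is assigned.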
> @@ -168,7 +168,7 @@
> fprintf( stdout, "\n" );
> }
> #else
> - syslog( ( syslog_facility | LOG_INFO ), header );
> + syslog( ( syslog_facility | LOG_INFO ), "%s", header );
> #endif
> }
>
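Review bot: a regression test would help here: a log message containing a literal percent sign (for example a client name with `%` in it) should now reach syslog verbatim, whereas before this hunk the `%` and whatever followed it would have been consumed as a conversion specifier.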
> @@ -230,7 +230,7 @@
> fprintf( stdout, "\n" );
> }
> #else
> - syslog( ( syslog_facility | LOG_WARNING ), header );
> + syslog( ( syslog_facility | LOG_WARNING ), "%s", header );
> #endif
> }
>
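Review bot: only the `#else` (syslog) branch is changed; the `#if` side is not shown beyond its closing `fprintf( stdout, "\n" )`, so the full function should be checked to confirm the stdout path also writes `header` with a literal format, otherwise the daemon is fixed when logging to syslog but not when run in the foreground.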
> @@ -281,7 +281,7 @@
> NULL); /* no raw data */
> }
> #else
> - syslog( ( syslog_facility | LOG_INFO ), buffer );
> + syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
> #endif
> }
>
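Review bot: this call site passes `buffer` rather than `header`, and the `NULL); /* no raw data */` context above points at a different, structured logging path. The `"%s", buffer` change is correct, but because `buffer` is evidently assembled from several pieces it is also worth checking how it is composed; if that is done with `sprintf` the matching fix is a bounded `snprintf` with a literal format.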
> ----- End forwarded message -----
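The forwarded advisory above describes a classic format-string defect: the logging code hands the message itself to syslog as the format argument. The following program is an added illustration and is not code from the osiris tree or from the patch; it contrasts the two call shapes using snprintf into a buffer so the difference is visible without a syslog daemon. The helper names `render_as_format`, `render_as_argument` and `message_was_interpreted` are hypothetical, and the sample log line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the osiris patch. It models the two call shapes
 * from the hunks above, syslog(prio, header) versus syslog(prio, "%s", header),
 * with snprintf standing in for syslog so the effect can be observed offline. */

/* -Wformat-security is the compiler check that catches the pre-patch shape;
 * it is silenced only for the deliberately vulnerable function below. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Pre-patch shape: the message is used as the format string, so every
 * conversion specifier in it is interpreted. The sample input uses only "%%",
 * which needs no argument and is well defined; anything else would be
 * undefined behaviour, which is the class of bug CVE-2006-3120 describes. */
static int render_as_format(const char *header, char *out, size_t outlen)
{
    return snprintf(out, outlen, header); /* intentionally vulnerable shape */
}

#pragma GCC diagnostic pop

/* Patched shape: a literal format with the message as an argument. Every
 * byte of header is copied through unchanged and nothing is interpreted. */
static int render_as_argument(const char *header, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", header);
}

/* Returns 1 if the pre-patch shape changes the message, i.e. the message was
 * treated as a format string. Safe to call only with "%%"-style input. */
static int message_was_interpreted(const char *header)
{
    char buf[256];
    render_as_format(header, buf, sizeof buf);
    return strcmp(buf, header) != 0;
}

int main(void)
{
    /* Constructed sample: a client name that happens to contain a percent. */
    const char *sample = "client 'host%%1' failed authentication";
    char unsafe_out[256], safe_out[256];

    render_as_format(sample, unsafe_out, sizeof unsafe_out);
    render_as_argument(sample, safe_out, sizeof safe_out);

    printf("pre-patch : %s\n", unsafe_out);
    printf("patched   : %s\n", safe_out);
    return 0;
}
```

Run as is, the pre-patch line loses one of the two percent signs because `%%` was parsed as a conversion, while the patched line reproduces the input byte for byte; the same wrapper, compiled without the pragma, is what `-Wformat-security` reports on.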