Bug#: 104473
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Romang <zataz@zataz.net>

Attachment: apachetop_CAN-2005-2660.patch (patch, 586 bytes), created by Thierry Carrez (RETIRED), 2005-09-27 07:41 0000
Description:   Opened: 2005-09-01 05:48 0000
Hello,

Take a look at : src/apachetop.h

#define DEBUG_OUTPUT "/tmp/atop.debug"

Then in : src/apachetop.cc

        cf.debug = true;

int dprintf(const char *fmt, ...) /* {{{ */
{
        FILE *d;
        va_list args;

        if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a")))
        {
                va_start(args, fmt);
                vfprintf(d, fmt, args);
                fclose(d);
                va_end(args);
        }

        return 0;
} /* }}} */

Regards
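
Added example, not part of the original report and not the patch attached to this bug: `fopen(DEBUG_OUTPUT, "a")` on a fixed name in world-writable /tmp appends to whatever another local user has already placed at that path, including a symlink. The sketch below shows one hardened way to open such a log in C; `open_debug_log` and `demo_symlink_refused` are hypothetical names, and the demo works only inside a private `mkdtemp` directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: append-mode open that refuses a symlink at `path`
 * and any file that is not a regular, singly linked file owned by us. */
FILE *open_debug_log(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;                    /* ELOOP if path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                      /* pre-existing file we do not trust */
        return NULL;
    }
    FILE *f = fdopen(fd, "a");
    if (!f)
        close(fd);
    return f;
}

/* Constructed check: a symlink atop.debug -> victim must be refused and the
 * victim never created; an ordinary new path must be accepted. Returns 1. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/atopdemo.XXXXXX";
    char victim[64], planted[64], plain[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/atop.debug", dir);
    snprintf(plain, sizeof plain, "%s/plain.debug", dir);
    if (symlink(victim, planted) != 0)
        return -1;
    FILE *f = open_debug_log(planted);
    int ok = (f == NULL) && stat(victim, &st) != 0;
    if (f) fclose(f);
    f = open_debug_log(plain);
    ok = ok && (f != NULL);
    if (f) fclose(f);
    unlink(victim); unlink(planted); unlink(plain); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```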

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-09-01 11:21:59 0000 -------
confirmed, moving to vulnerabilities.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-09-02 02:54:43 0000 -------
Eric: tell us when upstream is warned.

------- Comment #3 From Romang 2005-09-02 04:50:02 0000 -------
Hello,

I have sent the advisory to upstream.

Chris Elsworth <chris@shagged.org>

Regards.

------- Comment #4 From Romang 2005-09-13 02:35:06 0000 -------
Hello,

No upstream response.

Sent to: vendor-sec@lst.de

Disclosure date: 30/09/2005

Regards

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-09-13 05:17:46 0000 -------
Spanky/solar/tigger, does anybody want to patch?

------- Comment #6 From Tavis Ormandy (RETIRED) 2005-09-13 05:38:03 0000 -------
You could just redefine DEBUG_OUTPUT to "atop.debug", and perhaps turn off debug
by default.

------- Comment #7 From Romang 2005-09-15 00:25:58 0000 -------
Hello,

CVE : CAN-2005-2660

Steve Kemp for Debian is currently working on a patch.
Maybe you should contact him to get the same patch.

Planned release date: 30/09/2005

Regards.

------- Comment #8 From Thierry Carrez (RETIRED) 2005-09-17 06:40:35 0000 -------
Waiting for a patch and to be closer to the release date

------- Comment #9 From Thierry Carrez (RETIRED) 2005-09-27 07:07:33 0000 -------
I asked Steve Kemp for his patch.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-09-27 07:41:10 0000 -------
Created an attachment (id=69342)
apachetop_CAN-2005-2660.patch

Patch from Steve Kemp (Debian)

------- Comment #11 From Thierry Carrez (RETIRED) 2005-09-27 07:43:10 0000 -------
Pulling rl03 in as web-apps security usual suspect.
We'll need to commit a patched version on 20050930 (not before), this is just a
warning so that you can prepare yourself.

------- Comment #12 From Renat Lumpau 2005-09-27 09:43:31 0000 -------
/me prepares self

------- Comment #13 From Thierry Carrez (RETIRED) 2005-09-30 06:00:45 0000 -------
Now public,
rl03: feel free to bump now

------- Comment #14 From Renat Lumpau 2005-09-30 10:23:31 0000 -------
bumped

------- Comment #15 From Thierry Carrez (RETIRED) 2005-09-30 13:44:01 0000 -------
Archs please test and mark 0.12.5-r1 stable

------- Comment #16 From Mark Loeser 2005-09-30 18:07:11 0000 -------
x86 done

------- Comment #17 From Michael Hanselmann (hansmi) (RETIRED) 2005-10-01 08:28:41 0000 -------
Stable on ppc.

------- Comment #18 From Homer Parker 2005-10-01 13:12:23 0000 -------
Stable on amd64

------- Comment #19 From Jason Wever (RETIRED) 2005-10-01 15:39:49 0000 -------
Stable on SPARC.

------- Comment #20 From Thierry Carrez (RETIRED) 2005-10-02 01:57:35 0000 -------
Ready for GLSA vote

------- Comment #21 From Thierry Carrez (RETIRED) 2005-10-02 06:01:32 0000 -------
My vote all depends on whether this is enabled by default or not... Tavis/Eric,
could you enlighten us ?

------- Comment #22 From Thierry Carrez (RETIRED) 2005-10-03 02:15:23 0000 -------
src/apachetop.cc:       cf.debug = true;
src/apachetop.cc:       if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a")))
src/apachetop.h:#define DEBUG_OUTPUT "/tmp/atop.debug"

Apparently this is enabled by default (?) so I vote YES.

------- Comment #23 From Sune Kloppenborg Jeppesen 2005-10-06 08:05:48 0000 -------
Renat can you confirm that it is enabled per default? 

------- Comment #24 From Tavis Ormandy (RETIRED) 2005-10-07 10:33:24 0000 -------
vote YES, although it would require the adns USE flag to be set for there to be
much chance of exploiting, so not very likely.

------- Comment #25 From Thierry Carrez (RETIRED) 2005-10-07 10:52:49 0000 -------
If it requires USE=adns, I'm not sure it's needed...

------- Comment #26 From Sune Kloppenborg Jeppesen 2005-10-07 23:47:17 0000 -------
Never heard about adns, I tend to vote NO. 

------- Comment #27 From Thierry Carrez (RETIRED) 2005-10-09 09:38:24 0000 -------
Reverting to NO and closing. USE=adns just sounds a little unlikely to me. Feel
free to reopen if you disagree though.
