This was received at security@gentoo.org:
----------------------------------------
Date: Sun, 2 Oct 2005 04:12:49 +0200
From: Ulf Harnhammar <metaur@telia.com>
Subject: weex remote format string bug

Hello all,

weex suffers from a remote format string security bug. Someone who controls an FTP server that weex will log in to can set up malicious data in the account that weex will use, and that will cause a format string bug that will allow remote code execution. It will only happen when weex is first run or when its cache files are rebuilt with the -r option, though.

I have verified this behaviour in versions 2.6.1 and 2.6.1.5.

I have attached a patch that corrects this problem, as well as a session capture that shows it.

I hope that we can co-ordinate our respective updates of weex.

// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/
------------------------------------------------
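The bug class in the report above, as an added example that is not weex's code and is not taken from the attached patch: a file name from a server-controlled FTP directory listing reaches a printf-style function as the format argument. The LIST line, the `log_msg()` wrapper and the `report_*` functions are all constructed for this illustration. A real attacker uses `%x` to read the stack and `%n` to write memory, which is what makes the bug remote code execution; the demo uses only `%%` so every call stays well defined in C.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not weex's code): the shape of a "remote format
 * string" bug. The FTP server the client logs in to controls the file
 * names in its directory listing; if one of those names is ever used as
 * the *format* argument of a printf-style call, the server controls the
 * format string. A conversion with no matching argument ("%x", "%n") is
 * undefined behaviour, so this demo only uses "%%" to keep it well
 * defined; the mechanism is the same. */

/* Constructed "ls -l" style LIST line as a malicious server might
 * return it (assumption: the file name is the last field). */
static const char SAMPLE_LIST_LINE[] =
    "-rw-r--r--   1 ftp      ftp             0 Oct  2 04:12 %%x.txt\r\n";

/* Copy the last whitespace-delimited field of a LIST line (the file
 * name) into a static buffer. Returns NULL if there is none or it is
 * too long. */
const char *name_from_list_line(const char *line)
{
    static char name[64];
    const char *end = line + strlen(line);
    while (end > line && (end[-1] == ' ' || end[-1] == '\t' ||
                          end[-1] == '\r' || end[-1] == '\n'))
        end--;
    const char *start = end;
    while (start > line && start[-1] != ' ' && start[-1] != '\t')
        start--;
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= sizeof name)
        return NULL;
    memcpy(name, start, n);
    name[n] = '\0';
    return name;
}

/* Hypothetical logging wrapper of the kind many clients carry: whatever
 * the caller passes as fmt becomes the format of vsnprintf(). */
static int log_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the message is built correctly with "%s", then the
 * finished message is handed to log_msg() as its format, so every '%'
 * that came from the server is now interpreted. */
const char *report_vuln(const char *name)
{
    static char out[128];
    char msg[128];
    snprintf(msg, sizeof msg, "remote: %s", name); /* correct so far */
    log_msg(out, sizeof out, msg);                  /* BUG: msg is the format */
    return out;
}

/* FIXED: the format is a string literal; the name is a "%s" argument. */
const char *report_safe(const char *name)
{
    static char out[128];
    log_msg(out, sizeof out, "remote: %s", name);
    return out;
}

/* Defence in depth for code that cannot be audited call by call: refuse
 * server-supplied names containing '%' before they travel anywhere.
 * Even "%%" alters the output, so any '%' is rejected. */
int unsafe_as_format(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *name = name_from_list_line(SAMPLE_LIST_LINE);
    if (name == NULL)
        return 1;
    printf("listing gave : \"%s\" (unsafe_as_format=%d)\n",
           name, unsafe_as_format(name));
    printf("vulnerable   : \"%s\"\n", report_vuln(name));
    printf("fixed        : \"%s\"\n", report_safe(name));
    return 0;
}
```

Run stand-alone, the vulnerable path prints `remote: %x.txt` (the `%%` was consumed as a directive) while the fixed path prints the name verbatim. Two compiler aids catch this pattern before an auditor does: build with `-Wformat -Wformat-security` (or `-Wformat=2`), and declare wrappers like `log_msg` with `__attribute__((format(printf, 3, 4)))` so that GCC and Clang flag `log_msg(out, sizeof out, msg)` as a non-literal format with no arguments.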
Created attachment 69687 [details, diff] patch provided by Ulf Harnhammar
phosphan: please bump in CVS with patch.
In CVS, thanks for the hint and patch.
Calling specific arch testers (x86, amd64) to test and mark stable. We keep it low-profile for now.
*blush* Ok, that's not what the policy asked me to do, but I just left keywords the way they were - this patch is just too trivial, sorry.
Hehe. Security doesn't take a position in maintainer/arch-team conflicts :) blubb and tester can scream at you if needed when they test. But I agree it's a very non-disruptive bugfix.
it compiles fine here, and the patch is really trivial, so amd64 is happy :)
"It will only happen when weex is first run or when its cache files are rebuilt with the -r option, though." That quite complicates exploitation...
seems to work ok on x86...
This one is ready for GLSA.
Please use CAN-2005-3150 instead.
GLSA 200510-09