Bug#: 212208
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Peter Volkov <pva@gentoo.org>

Description:   Opened: 2008-03-03 16:24 0000
From sarg ChangeLog ( http://sarg.sourceforge.net/sarg.ChangeLog.txt ):

=========================================================================
security issues can be exploited to execute arbitrary code when sarg
is used with malicious input files.

The vulnerability within the processing of the useragent.log is rather
critical, as this can be exploited by passing a long user agent string
when browsing via a squid proxy. The manipulated GET request in the
access log would not be accepted by squid, so that file has to be specially
crafted.

Thank you to L4teral l4teral AT gmail.com
=========================================================================

Arch teams, please be aware that the previous version of sarg was full of different
crash problems and it never hit portage...

------- Comment #1 From Robert Buchholz 2008-03-03 18:14:44 0000 -------
Arches, please test and mark stable:
=net-analyzer/sarg-2.2.4
Target keywords : "amd64 ppc release x86"

------- Comment #2 From Markus Meier 2008-03-03 20:25:57 0000 -------
x86 stable

------- Comment #3 From Tobias Scherbaum 2008-03-04 18:45:06 0000 -------
ppc stable

------- Comment #4 From Steve Dibb 2008-03-06 13:50:48 0000 -------
amd64 stable

------- Comment #5 From Peter Volkov 2008-03-06 17:54:31 0000 -------
Fixed in release snapshot.

------- Comment #6 From Robert Buchholz 2008-03-08 16:51:51 0000 -------
request filed.

------- Comment #7 From Raphael Marichez 2008-03-12 19:50:20 0000 -------
GLSA 200803-21, thanks to everybody
