Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 69658 - net-dns/ez-ipupdate - Format string vulnerability in syslog handling
Summary: net-dns/ez-ipupdate - Format string vulnerability in syslog handling
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.ez-ip.net/
Whiteboard: B1 [glsa] jaervosz
Keywords: InVCS
Depends on:
Blocks:
 
Reported: 2004-10-31 12:54 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2004-11-11 07:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
ez-ipupdate-3.0.11_beta8-syslog.patch (ez-ipupdate-3.0.11_beta8-syslog.patch,300 bytes, patch)
2004-11-01 06:59 UTC, solar (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-10-31 12:54:23 UTC
Opening a bug so we can keep track of this issue. Klieber/Solar please provide any further information/patches.

This is exploitable both in daemon and quiet mode.
Comment 1 solar (RETIRED) gentoo-dev 2004-11-01 06:57:04 UTC
I have this ready to go. I'm itching to commit it please advise.
Comment 2 solar (RETIRED) gentoo-dev 2004-11-01 06:59:33 UTC
Created attachment 43073 [details, diff]
ez-ipupdate-3.0.11_beta8-syslog.patch

patch that fixes format string problem in syslog code.
Comment 3 solar (RETIRED) gentoo-dev 2004-11-01 07:02:36 UTC
Initial maintainer is no longer a dev.
Package has no clear maintainer.

What do we think about when we do sec updates for bugs and said pkg has no metadata.xml that we bring it up to the list that it has no maintainer and security@ requests that somebody || herd take XX under it's wing.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-01 07:07:45 UTC
Klieber/Solar: any news on coordinated release? All we have is:

> He will probably disclose this problem on Nov 3rd.

Nah, let's make that the 9th instead.

Wrt maintainers I think we should send a mail to see if anyone is willing to take it.
Comment 5 solar (RETIRED) gentoo-dev 2004-11-01 08:14:49 UTC
No new news updates. Is the 9th ok with us? 
We were on the CC: so we should respond confirming the 9th is ok with us.
Comment 6 solar (RETIRED) gentoo-dev 2004-11-01 09:05:28 UTC
- http://www.ez-ip.net/

EZ-IP closed to the general public...

Effective immediately, the EZ-IP project is closed to the general public. Preferred members will continue to have access to all EZ-IP services. This change in policy is the result of continued abuses on the part of "Free" account holders. We have enjoyed serving the community with this project over the past 8 months and are truly sorry that it has become necessary to close membership. Over the next few weeks, we will be revamping the EZ-IP site and application process to allow users to "upgrade" to Preferred Member status.
--------

Wonder who still needs this ebuild in portage? (argh I wish we could get stats from mirrors)
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-11-03 02:56:35 UTC
I vote to mask it (with no maintainer/ closed to the public reasons), first step toward complete removal.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-04 11:42:29 UTC
I vote for masking. Is standard procedure to contact -dev first?
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-11-04 11:54:50 UTC
standard procedure is sending an email to -dev saying "we want to mask this package and here's why.  If nobody steps up to maintain it, it will be masked in 24 hours"

I vote for masking as well, but if someone is willing to take it over, I see no reason to mask it.
Comment 10 solar (RETIRED) gentoo-dev 2004-11-06 06:49:03 UTC
I'd like to patch it on the 9th in case there any remaining gnetoo users who use the service, before we outright decide to mask it. Then I'll vote for for removal anytime after the 10th.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-11-09 04:21:52 UTC
D Day. I think we should patch it now ?
Comment 12 solar (RETIRED) gentoo-dev 2004-11-09 07:59:05 UTC
So ez-ipupdate goes right to stable? Or play the arch game?
Comment 13 Chris White (RETIRED) gentoo-dev 2004-11-09 08:11:16 UTC
I'd just stable move it, the patch is only one line and unless someone has a
broken syslog include file, it's gonna work.
Comment 14 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-11-09 08:11:51 UTC
with such a simple patch, i think this can go right to stable.
Comment 15 solar (RETIRED) gentoo-dev 2004-11-09 08:14:52 UTC
Thanks that's what I wanted to know.
I'll remove the old cruft ez-ipupdate-3.0.11_beta8.ebuild so/if anybody takes this pkg on to maintain it they will atleast have a clean plate to start with. etc.. 
Comment 16 solar (RETIRED) gentoo-dev 2004-11-09 08:19:42 UTC
ez-ipupdate-3.0.11_beta8-r1 is now in CVS

KEYWORDS="x86 ppc sparc amd64"

Opening bug.
Comment 17 Philippe Weibel 2004-11-09 11:21:37 UTC
> Wonder who still needs this ebuild in portage?

from http://ez-ipupdate.com/:

ez-ipupdate is a small utility for updating your host name for the any of the dynamic DNS service offered at:

    * http://www.ez-ip.net
    * http://www.justlinux.com
    * http://www.dhs.org
    * http://www.dyndns.org
    * http://www.ods.org
    * http://gnudip.cheapnet.net (GNUDip)
    * http://www.dyn.ca (GNUDip)
    * http://www.tzo.com
    * http://www.easydns.com
    * http://www.dyns.cx
    * http://www.hn.org
    * http://www.zoneedit.com

... so this little utility can update to other services than just ez-ip. (I don't know it this URL is really the "official" one, or if there is still an official site / maintainer)

I use it for DynDNS.org and this tool is the best tool for IP udate for me (tried some others)
Comment 18 Tuan Van (RETIRED) gentoo-dev 2004-11-09 12:47:20 UTC
I use ez-ipupdate. It works for me for year (with dyndns.org). Please don't remove it.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-11 07:11:18 UTC
GLSA 200411-20