Summary: | <sys-power/nut-2.6.3 upsd RCE/DoS (CVE-2012-2944) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Weber (RETIRED) <xmw> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | phmagic, robbat2 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://security-tracker.debian.org/tracker/CVE-2012-2944 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Michael Weber (RETIRED)
2012-06-02 16:46:51 UTC
Arches, please go ahead (without 30 days delay) Target alpha amd64 ppc ppc64 sparc x86 Thanks Arches, the package to stabilize is sys-power/nut-2.6.3. amd64 stable ppc stable x86 stable alpha/sparc keywords dropped The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3 as it is written in the title of this bug). The actual version now is sys-power/nut-2.6.5 (which contains another important fix which is not related to security: "any upssched.conf command that takes a second argument resulted in a defective frame sent to the parent process. Thus, the command was not executed"). (In reply to comment #7) > The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3) Please ignore my previous comment. It's true that vulnerability is fixed in 2.6.4 upstream but the ebuild applies a patch to 2.6.3 in order to fix the vulnerability. ppc64 stable, last arch done CVE-2012-2944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2944): Buffer overflow in the addchar function in common/parseconf.c in upsd in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (electric-power outage) via a long string containing non-printable characters. Thanks, everyone. Filing a new GLSA request. This issue was resolved and addressed in GLSA 201209-19 at http://security.gentoo.org/glsa/glsa-201209-19.xml by GLSA coordinator Sean Amoss (ackle). |