Bug 90851

Summary:	www-servers/pound: "add_port()" Function Buffer Overflow Vulnerability
Product:	Gentoo Security	Reporter:	Jean-François Brunette (RETIRED) <formula7>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://secunia.com/advisories/15142/
Whiteboard:	B1 [glsa] koon
Package list:		Runtime testing required:	---

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-04-29 06:23:05 UTC

Description:
Steven Van Acker has reported a vulnerability in Pound, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the "add_port()" function and can be exploited to cause a buffer overflow by supplying an overly long hostname.

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been reported in version 1.8.2. Prior versions may also be affected.

Solution:
Update to version 1.8.3.
http://www.apsis.ch/pound/

Provided and/or discovered by:
Steven Van Acker

Original Advisory:
http://www.apsis.ch/pound/pound_...chive/2005/2005-04/1114516112000

Comment 1 solar (RETIRED) gentoo-dev

2005-04-29 06:27:57 UTC

Existing Keywords: pound-1.7:  ppc ~hppa x86 ~mips ~sparc alpha

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-04-29 06:33:34 UTC

web-apps herd, please bump to 0.8.3

Comment 3 Aaron Walker (RETIRED) gentoo-dev

2005-04-29 07:50:40 UTC

In cvs, x86 stable.  CC'd archs please mark stable.

Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-04-29 10:24:03 UTC

Stable on ppc.

Comment 5 Bryan Østergaard (RETIRED) gentoo-dev

2005-04-30 01:03:26 UTC

Stable on alpha.

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-04-30 07:41:57 UTC

GLSA 200504-29
Thanks Jean-Fran

Comment 7 Thierry Carrez (RETIRED) gentoo-dev

2005-04-30 07:41:57 UTC

GLSA 200504-29
Thanks Jean-François for the draft :)