Hello, Take a look at : src/apachetop.h 247 #define DEBUG_OUTPUT "/tmp/atop.debug" Then in : src/apachetop.cc 85 cf.debug = true; 1103 int dprintf(const char *fmt, ...) /* {{{ */ 1104 { 1105 FILE *d; 1106 va_list args; 1107 1108 if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a"))) 1109 { 1110 va_start(args, fmt); 1111 vfprintf(d, fmt, args); 1112 fclose(d); 1113 va_end(args); 1114 } 1115 1116 return 0; 1117 } /* }}} */ Regards
confirmed, moving to vulnerabilities.
Eric: tell us when upstream is warned.
Hello, I have send the adviso to upstream. Chris Elsworth <chris@shagged.org> Regards.
Hello, No upstream response. Send to : vendor-sec@lst.de Disclosure the : 30/09/2005 Regards
Spanky/solar/tigger anybody wants to patch?
you could just redefine DEBUG_OUPUT to "atop.debug", and perhaps turn off debug by default.
Hello, CVE : CAN-2005-2660 Steve Kemp for Debian is currently working on a patch. Maybe you should have contact with him to got the same patch. Planing release date : 30/09/2005 Regards.
Waiting for a patch and to be closer to the release date
I asked Steve Kemp for his patch.
Created attachment 69342 [details, diff] apachetop_CAN-2005-2660.patch Patch from Steve Kemp (Debian)
Pulling rl03 in as web'apps security usual suspect. We'll need to commit a patched version on 20050930 (not before), this is just a warning so that you can prepare yourself.
/me prepares self
Now public, rl03: feel free to bump now
bumped
Archs please test and mark 0.12.5-r1 stable
x86 done
Stable on ppc.
Stable on amd64
Stable on SPARC.
Ready for GLSA vote
My vote all depends on whether this is enabled by default or not... Tavis/Eric, could you enlighten us ?
src/apachetop.cc: cf.debug = true; src/apachetop.cc: if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a"))) src/apachetop.h:#define DEBUG_OUTPUT "/tmp/atop.debug" Apparently this is enabled by default (?) so I vote YES.
Renat can you confirm that it is enabled per default?
vote YES, although it would require the adns USE flag to be set to be much chance of exploiting, so not very likely.
If it requires USE=adns, I'm not sure it's needed...
Never heard about adns, I tend to vote NO.
Reverting to NO and closing. USE=adns just sounds a little unlikely to me. Feel free to reopen if you disagree though.