Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212208 - net-analyzer/sarg <2.2.4 Arbitrary code execution (CVE-2008-1167)
Summary: net-analyzer/sarg <2.2.4 Arbitrary code execution (CVE-2008-1167)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://sarg.sourceforge.net/sarg.Chan...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-03 16:24 UTC by Peter Volkov (RETIRED)
Modified: 2008-03-12 19:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Volkov (RETIRED) gentoo-dev 2008-03-03 16:24:14 UTC
From sarg ChangeLog ( http://sarg.sourceforge.net/sarg.ChangeLog.txt ):

=========================================================================
security issues can be exploited to execute arbitrary code when sarg
is used with malicious input files.

The vulnerability within the processing of the useragent.log is rather
critical, as this can be exploited by passing a long user agent string
when browsing via a squid proxy. the manipulated GET request in the
access log would not be accepted by squid, so that file has to be specially crafted.

Thank you to L4teral l4teral AT gmail.com
=========================================================================

Arch teams, please be aware that previous version of sarg was full different crash problems and it never hit portage...
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 18:14:44 UTC
Arches, please test and mark stable:
=net-analyzer/sarg-2.2.4
Target keywords : "amd64 ppc release x86"
Comment 2 Markus Meier gentoo-dev 2008-03-03 20:25:57 UTC
x86 stable
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-04 18:45:06 UTC
ppc stable
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2008-03-06 13:50:48 UTC
amd64 stable
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 17:54:31 UTC
Fixed in release snapshot.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 16:51:51 UTC
request filed.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-03-12 19:50:20 UTC
GLSA  200803-21, thanks to everybody