CVE-2008-1922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1922): Multiple stack-based buffer overflows in Sarg might allow attackers to execute arbitrary code via unknown vectors, probably a crafted Squid log file.
There are several issues fixed in the SUSE package:

* Thu Apr 24 2008 - kssingvo@suse.de
  - fix for buffer size in log.c: fun CVE-2008-???
  - fix for sprintf() calls through use of snprintf() calls CVE-2008-???
  - fix for font buffer size CVE-2008-???
* Tue Apr 22 2008 - kssingvo@suse.de
  - fix for buffer size in report.c (bugzilla#209273)
  - buffer checks for getword() introduced, CVE-2008-1922 (bugzilla#382255)
* Thu Mar 06 2008 - kssingvo@suse.de
  - fix for arbitrary code execution CVE-??? (bugzilla#366848)
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/sarg-2.2.3.1-39.4.src.rpm Find patches there. But we'd have to sort out this mess, hopefully with the help of upstream.
I've tried to get in contact with Klause (aka kssingvo) to get any information about these bugs. For some of the fixes it is not clear what they actually fix...
(In reply to comment #3)
> I've tried to get in contact with Klause (aka kssingvo) to get any information
> about these bugs. For some of the fixes it is not clear what they actually fix...

any news here?
(In reply to comment #4)
> (In reply to comment #3)
> > I've tried to get in contact with Klause (aka kssingvo) to get any information
> > about these bugs. For some of the fixes it is not clear what they actually fix...
>
> any news here?

*ping*
Ebuild with fixes (sarg-2.2.5-r1) was just added to the tree.
Arches, please test and mark stable: =net-analyzer/sarg-2.2.5-r1 Target keywords : "amd64 ppc x86"
amd64/x86 stable
ppc done
(In reply to comment #6)
> Ebuild with fixes (sarg-2.2.5-r1) was just added to the tree.

With this ebuild and the same configuration I get the following error:

SARG: getword loop detected.
SARG: searching for 'x20'
SARG: Maybe you have a broken record or garbage in your access.log file.

If I re-emerge the previous version (2.2.5) with the same configuration and access.log file, all works OK...
(In reply to comment #10)
> With this ebuild and the same configuration I get the following error:
> SARG: getword loop detected.
> SARG: searching for 'x20'
> SARG: Maybe you have a broken record or garbage in your access.log file.

Thank you for the report, cpa. This is predictable. This new version checks the size of the input buffer and, instead of overflowing, prints such an error message. Please locate the record in your access.log which causes this warning, open a *new bug* and attach this short access.log there.
(In reply to comment #11)
> locate the record in your access.log which causes this warning, open a *new bug* and
> attach this short access.log there.

First of all, thank you for the support... The new ebuild always fails... If I create an access.log with only one line like this:

1237962353.542 478 10.58.118.38 TCP_MISS/200 325 GET http://ui.skype.com/ui/0/3.2.0.148.141/es/getlatestversion? - DIRECT/204.9.163.158 text/html

then it fails... If you want, I'll open a new bug right now... Best regards...
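Comment #11 describes the fix behind the "getword loop detected" message: the patched tokenizer checks the size of the destination buffer and reports an error instead of overflowing. The following is an added example, not Sarg's own code, showing that pattern as a bounded field reader for Squid native-format access.log lines. It uses the single-line access.log from comment #12 as its sample input; the over-long record in the second self-check, the `example.invalid` host and the `203.0.113.1` address are constructed for the example. The unbounded original pattern (copy characters until the delimiter into a fixed stack buffer) is described only in a comment.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Sarg's code. The CVE-2008-1922 class of bug came from
 * a getword()-style loop that copied characters from the log line into a
 * fixed-size stack buffer until it reached the delimiter, with no check
 * against the buffer's size. This version stops at the limit and returns
 * an error, which is the behaviour the r1 ebuild's error message reports. */

/* Copy one field from *in into out (outsize bytes), stopping at delim.
 * Returns 0 on success, -1 if the field would not fit. On success *in is
 * advanced past the field and any run of delimiters (Squid pads fields). */
static int getword_bounded(char *out, size_t outsize, const char **in, char delim)
{
    const char *p = *in;
    size_t n = 0;

    while (*p != '\0' && *p != delim) {
        if (n + 1 >= outsize) {   /* keep room for the terminating NUL */
            out[0] = '\0';
            return -1;            /* refuse the record instead of overflowing */
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    while (*p == delim)
        p++;
    *in = p;
    return 0;
}

/* Leading fields of a Squid native-format access.log record. */
struct squid_rec {
    char timestamp[32];
    char elapsed[16];
    char client[64];
    char status[32];   /* e.g. TCP_MISS/200 */
    char bytes[16];
    char method[16];
    char url[2048];
};

/* Parse one record. Returns 0 on success, -1 if any field is too long
 * for its buffer or the line ends before all fields are present. */
int parse_squid_line(const char *line, struct squid_rec *r)
{
    const char *p = line;
    char *fields[] = { r->timestamp, r->elapsed, r->client, r->status,
                       r->bytes, r->method, r->url };
    size_t sizes[] = { sizeof r->timestamp, sizeof r->elapsed, sizeof r->client,
                       sizeof r->status, sizeof r->bytes, sizeof r->method,
                       sizeof r->url };
    size_t i;

    memset(r, 0, sizeof *r);
    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        if (*p == '\0')
            return -1;   /* truncated record */
        if (getword_bounded(fields[i], sizes[i], &p, ' ') != 0)
            return -1;
    }
    return 0;
}

/* The one-line access.log from comment #12, used as sample input. */
const char SAMPLE_LINE[] =
    "1237962353.542 478 10.58.118.38 TCP_MISS/200 325 GET "
    "http://ui.skype.com/ui/0/3.2.0.148.141/es/getlatestversion? "
    "- DIRECT/204.9.163.158 text/html";

/* Returns 1 if the sample line parses with the expected field values. */
int sample_line_parses(void)
{
    struct squid_rec r;
    return parse_squid_line(SAMPLE_LINE, &r) == 0
        && strcmp(r.client, "10.58.118.38") == 0
        && strcmp(r.status, "TCP_MISS/200") == 0
        && strcmp(r.method, "GET") == 0
        && strcmp(r.url, "http://ui.skype.com/ui/0/3.2.0.148.141/es/getlatestversion?") == 0;
}

/* Returns 1 if a constructed record whose URL exceeds r.url's 2048 bytes is
 * rejected cleanly (error return, empty url) rather than overflowing. */
int overlong_url_rejected(void)
{
    char line[4096];
    struct squid_rec r;
    int n = snprintf(line, sizeof line,
                     "1237962353.542 478 10.58.118.38 TCP_MISS/200 325 GET "
                     "http://example.invalid/");
    memset(line + n, 'a', 3000);   /* constructed: pad the URL past the buffer */
    strcpy(line + n + 3000, " - DIRECT/203.0.113.1 text/html");
    return parse_squid_line(line, &r) == -1 && r.url[0] == '\0';
}

int main(void)
{
    printf("sample line parses: %s\n", sample_line_parses() ? "yes" : "no");
    printf("over-long URL rejected: %s\n", overlong_url_rejected() ? "yes" : "no");
    return 0;
}
```

The error path is deliberately per-record: a rejected record is skipped and reported, the way comment #18 says the later revisions made such cases non-fatal, so one bad line in access.log cannot stop a whole report run.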
> If you want, I'll open a new bug right now...

The new bug is: #263802

Thanks again...
back to [ebuild] due to possible regression in bug 263802
Hopefully regression fixed. Arch teams, please, stabilize sarg-2.2.5-r4.
(In reply to comment #15)
> Hopefully regression fixed. Arch teams, please, stabilize sarg-2.2.5-r4.

Wait for my reply on the other bug... I'm writing it...
> Wait for my reply on the other bug... I'm writing it...

-> With the r2 it did not work for me. Now, with the r3, it seems to work. More details on the other bug... Sorry about my "wait"... :-S
Well, that small regression was tracked down and fixed. Arch teams, please, stabilize sarg-2.2.5-r5. Probably there will be new similar issues, but since I made them non-fatal I think we can live with them for some time. Anyway we need to go from 2.5.5-r1, so, please, don't wait, stabilize :)
Please remove older, vulnerable versions.
(In reply to comment #21)
> Please remove older, vulnerable versions.

All removed except 2.2.5-r5.
(In reply to comment #22)
> (In reply to comment #21)
> > Please remove older, vulnerable versions.
>
> All removed except 2.2.5-r5.

Hi... there is a new version (2.2.7). Is there any ebuild for it?

Best regards... ;-)
(In reply to comment #23)
> Hi... there is a new version (2.2.7). Is there any ebuild for it?

This bug is not intended for bump requests.
> This bug is not intended for bump requests.

Oops :-s ... Sorry about that... Must I create a new bug, or what must I do?... Best regards...
(In reply to comment #25)
> > This bug is not intended for bump requests.
>
> Oops :-s ... Sorry about that... Must I create a new bug, or what must I do?... Best regards...

I guess I've got it... I've posted a new version bump here: http://bugs.gentoo.org/show_bug.cgi?id=318097

Thanks and sorry for my confusion...
GLSA 201009-04, thanks everyone.