Bug 222121 (CVE-2008-1922) - <net-analyzer/sarg-2.2.5-r5 Multiple stack-based buffer overflows (CVE-2008-1922)
Summary: <net-analyzer/sarg-2.2.5-r5 Multiple stack-based buffer overflows (CVE-2008-1...
Status: RESOLVED FIXED
Alias: CVE-2008-1922
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: 263802
Blocks:
Reported: 2008-05-14 18:06 UTC by Robert Buchholz (RETIRED)
Modified: 2010-09-09 15:38 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 18:06:52 UTC
CVE-2008-1922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1922):
  Multiple stack-based buffer overflows in Sarg might allow attackers to
  execute arbitrary code via unknown vectors, probably a crafted Squid log file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 18:17:42 UTC
There are several issues fixed in the SUSE package:
* Thu Apr 24 2008 - kssingvo@suse.de
- fix for buffer size in log.c: fun  CVE-2008-???
- fix for sprintf() calls through use of snprintf() calls CVE-2008-???
- fix for font buffer size CVE-2008-???
* Tue Apr 22 2008 - kssingvo@suse.de
- fix for buffer size in report.c (bugzilla#209273)
- buffer checks for getword() introduced, CVE-2008-1922 (bugzilla#382255)
* Thu Mar 06 2008 - kssingvo@suse.de
- fix for arbitrary code execution CVE-??? (bugzilla#366848)

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 18:19:34 UTC
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/sarg-2.2.3.1-39.4.src.rpm

Find patches there. But we'd have to sort out this mess, hopefully with the help of upstream.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-05-16 18:07:48 UTC
I've tried to get in contact with Klause (aka kssingvo) to get any information about these bugs. For some of the fixes it is not clear what they actually fix...
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 19:01:07 UTC
(In reply to comment #3)
> I've tried to get in contact with Klause (aka kssingvo) to get any information
> about these bugs. For some of the fixes it is not clear what they actually fix...
> 

Any news here?
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-19 12:33:11 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I've tried to get in contact with Klause (aka kssingvo) to get any information
> > about these bugs. For some of the fixes it is not clear what they actually fix...
> > 
> 
> any news here?
> 
*ping*
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2009-03-23 09:08:00 UTC
Ebuild with fixes (sarg-2.2.5-r1) was just added to the tree.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 09:33:19 UTC
Arches, please test and mark stable:
=net-analyzer/sarg-2.2.5-r1
Target keywords : "amd64 ppc x86"
Comment 8 Markus Meier gentoo-dev 2009-03-23 20:36:57 UTC
amd64/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-03-24 18:54:36 UTC
ppc done
Comment 10 cpa 2009-03-25 20:15:24 UTC
(In reply to comment #6)
> Ebuild with fixes (sarg-2.2.5-r1) was just added to the tree.
> 

With this ebuild and the same configuration I get the following error:
SARG: getword loop detected.
SARG: searching for 'x20'
SARG: Maybe you have a broken record or garbage in your access.log file.

If I re-emerge the previous version (2.2.5) with the same configuration and access.log file, everything works OK...

Comment 11 Peter Volkov (RETIRED) gentoo-dev 2009-03-25 21:00:21 UTC
(In reply to comment #10)
> With this ebuild and same configuration I get the next error:
> SARG: getword loop detected.
> SARG: searching for 'x20'
> SARG: Maybe you have a broken record or garbage in your access.log file.

Thank you for the report, cpa. This is predictable. This new version checks the size of the input buffer and, instead of overflowing, prints such an error message. Please locate the record in your access.log which triggers this warning, open a *new bug* and attach this short access.log there.
Comment 12 cpa 2009-03-25 22:29:21 UTC
(In reply to comment #11)
> locate the record in your access.log which triggers this warning, open a *new bug* and
> attach this short access.log there.

First of all, thank you for the support...

The new ebuild always fails... If I create an access.log with only one line like this:
1237962353.542    478 10.58.118.38 TCP_MISS/200 325 GET http://ui.skype.com/ui/0/3.2.0.148.141/es/getlatestversion? - DIRECT/204.9.163.158 text/html

then it fails...

If you want, I'll open a new bug right now...

Best regards...
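Comment 11 explains that the fixed getword() checks the size of its destination buffer and reports an error instead of overflowing, and comment 12 shows the space-padded Squid record that tripped the new check. The following C is an added example, not sarg's code: a bounded getword() and a small record parser built on it; getword_bounded, parse_access_record, FIELD_MAX and the constructed sample records are assumptions made for this illustration.

```c
#include <string.h>
/* Constructed illustration, not sarg's source: a bounded getword() that refuses
 * a field too long for its destination instead of overrunning it (the behaviour
 * comment 11 describes) and skips runs of spaces so the padded record from
 * comment 12 still parses. FIELD_MAX is an example size. */
#define FIELD_MAX 64

/* Copy one delim-terminated field from *line into word[wordsize]. Returns the
 * field length, or -1 if it would not fit (nothing beyond wordsize-1 is ever
 * written). On success *line is moved past the field and trailing delims. */
static int getword_bounded(char *word, size_t wordsize, const char **line, char delim)
{
    const char *p = *line; size_t n = 0;
    while (*p != '\0' && *p != delim) {
        if (n + 1 >= wordsize) return -1;  /* no room for byte + NUL: refuse, don't overflow */
        word[n++] = *p++;
    }
    word[n] = '\0';
    while (*p == delim) p++;        /* swallow padding runs, not just one byte */
    *line = p;
    return (int)n;
}

/* Parse the first nfields space-separated fields of a Squid native access.log
 * record: 0 on success, -1 if a field is missing or oversized. */
int parse_access_record(const char *rec, int nfields, char fields[][FIELD_MAX])
{
    for (int i = 0; i < nfields; i++)
        if (getword_bounded(fields[i], FIELD_MAX, &rec, ' ') <= 0) return -1;
    return 0;
}

/* 1 if the constructed padded sample (comment 12's line) parses correctly. */
int sample_parses(void)
{
    const char *rec = "1237962353.542    478 10.58.118.38 TCP_MISS/200 325 GET "
        "http://ui.skype.com/ui/0/3.2.0.148.141/es/getlatestversion? - "
        "DIRECT/204.9.163.158 text/html";
    char f[3][FIELD_MAX];
    return parse_access_record(rec, 3, f) == 0 && strcmp(f[0], "1237962353.542") == 0
        && strcmp(f[1], "478") == 0 && strcmp(f[2], "10.58.118.38") == 0;
}

/* 1 if a constructed record whose first field is 100 bytes (> FIELD_MAX) is rejected. */
int oversized_field_rejected(void)
{
    char rec[120], f[3][FIELD_MAX];
    memset(rec, 'A', 100); strcpy(rec + 100, " 478 10.58.118.38");
    return parse_access_record(rec, 3, f) == -1;
}
```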
 

Comment 13 cpa 2009-03-25 22:39:11 UTC
> If you want, I'll open a new bug right now...

The new bug is:
#263802

Thanks again... 
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 12:35:46 UTC
Back to [ebuild] due to possible regression in bug 263802.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2009-04-08 14:54:32 UTC
Hopefully the regression is fixed. Arch teams, please stabilize sarg-2.2.5-r4.
Comment 16 cpa 2009-04-08 15:07:11 UTC
(In reply to comment #15)
> Hopefully the regression is fixed. Arch teams, please stabilize sarg-2.2.5-r4.
> 

Wait for my reply on the other bug... I'm writing it...
Comment 17 cpa 2009-04-08 15:13:41 UTC
> Wait for my reply on the other bug... I'm writing it...

With r2 it did not work for me. Now, with r3, it seems to work. More details on the other bug...

Sorry about my "wait"... :-S

Comment 18 Peter Volkov (RETIRED) gentoo-dev 2009-04-08 19:23:34 UTC
Well, that small regression was tracked down and fixed. Arch teams, please stabilize sarg-2.2.5-r5. Probably there will be more similar issues, but since I made them non-fatal I think we can live with them for some time. Anyway, we need to move on from 2.5.5-r1, so please don't wait, stabilize :)
Comment 19 Markus Meier gentoo-dev 2009-04-15 19:41:31 UTC
amd64/x86 stable
Comment 20 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:41:12 UTC
ppc done
Comment 21 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 02:09:14 UTC
Please remove older, vulnerable versions.
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-10 05:09:09 UTC
(In reply to comment #21)
> Please remove older, vulnerable versions.

All removed except 2.2.5-r5.
Comment 23 cpa 2010-05-01 23:06:01 UTC
(In reply to comment #22)
> (In reply to comment #21)
> > Please remove older, vulnerable versions.
> 
> All removed except 2.2.5-r5.
> 

Hi... there is a new version (2.2.7). Is there an ebuild for it?

Best regards... ;-)
Comment 24 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-02 07:19:18 UTC
(In reply to comment #23)
> Hi... there is a new version (2.2.7). Is there an ebuild for it?
> 

This bug is not intended for bump requests.
Comment 25 cpa 2010-05-02 07:30:49 UTC
> 
> This bug is not intended for bump requests.
> 

Oops :-s ... Sorry about that... Must I create a new bug, or what must I do?...

Best regards... 
Comment 26 cpa 2010-05-02 07:46:01 UTC
(In reply to comment #25)
> > 
> > This bug is not intended for bump requests.
> > 
> 
> Oops :-s ... Sorry about that... Must I create a new bug, or what must I do?...
> 
> Best regards... 
> 

I guess I've got it... I've posted a new version bump here:
http://bugs.gentoo.org/show_bug.cgi?id=318097

Thanks and sorry for my confusion...
Comment 27 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-09 15:38:47 UTC
GLSA 201009-04, thanks everyone.