52945 – app-admin/tripwire: Format String Vulnerability

Bug 52945 - app-admin/tripwire: Format String Vulnerability

Summary: app-admin/tripwire: Format String Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.securityfocus.com/archive/...
Whiteboard:	B1[Glsa]
Keywords:

Depends on:
Blocks:

Reported:	2004-06-03 21:58 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2011-10-30 22:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	jaervosz: Assigned_To? (jaervosz)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-06-03 21:58:30 UTC

I'm not completely sure that this affects the version in portage.

A format string vulnerability exists when tripwire generates an
email report (i.e. 'tripwire -m c -M'). 

More details on Bugtraq

http://www.securityfocus.com/archive/1/365036/2004-05-31/2004-06-06/0

Comment 1 Dan Margolis (RETIRED) gentoo-dev

2004-06-04 08:33:28 UTC

Tripwire has confirmed this vulnerability on bugtraq. ``I will endeavor to patch the sourceforge code base as soon as possible. In the meantime, it is strongly recommended that you apply Paul's patch and rebuild from source.''

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-06-04 12:10:57 UTC

Tavis please apply the supplied patch in the Bugtraq link and bump the ebuild(The patch has been approved by Tripwire). An official patch is coming out soon. But there is currently no ETA for the official fix so we better use the one Bugtraq one until then.

Comment 3 Tavis Ormandy (RETIRED) gentoo-dev

2004-06-04 12:40:43 UTC

fixed in cvs, tripwire-2.3.1.2-r1 has the patch

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-06-04 13:06:09 UTC

x86 please mark stable.

Target keywords: x86

Comment 5 Jon Portnoy (RETIRED) gentoo-dev

2004-06-04 13:20:41 UTC

Looks like the maintainer already did 8)

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-06-04 13:31:58 UTC

GLSA drafted ready to go when reviewed.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-06-04 13:49:03 UTC

GLSA good to go.

Koon will you do the honor along with the sitecopy GLSA?

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-06-04 14:24:13 UTC

Taviso thanks for your quick resolution. Would you please also remove the vulnerable ebuild from portage?

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2004-06-04 14:48:38 UTC

GLSA 200406-02

Comment 10 Tavis Ormandy (RETIRED) gentoo-dev

2004-06-05 11:33:58 UTC

no problem, old ebuilds removed