On Thu, Sep 20, 2012 at 01:37:35PM -0500, John Lightsey wrote: > On 09/20/2012 11:39 AM, Henri Salo wrote: > > I could not reproduce this issue in squeeze with amd64-machine > > using monkey package 0.9.3-1. Could you tell me more about your > > virtualization environment? > > I used a KVM VM running Squeeze with an AMD Athlon(tm) II X4 640 > Processor and with the enabled processor features copied from the host > in virt-manager. The hypervisor was running linux-image-3.2.0-2-amd64 > version 3.2.20-1. It really didn't look like an issue that came up > because of my virtualization though, and the VMs I tested with are > very solid in my experience. > > If you'd like, I can get a full backtrace. It takes some effort since > the monkey package doesn't handle DEB_BUILD_OPTIONS correctly.
I think full backtrace is needed, but at the moment this monkey-package is unmaintained[1] and contains at least two unfixed security vulnerabilities[2][3]. Security team is going to request this packages removal from wheezy. Are you using this in production? Is it something that only monkey can handle or can it be any www-server software in Debian? > It's possible it has to hit the glibc 2.0 compatibility code in either > m_build_buffer() or m_build_buffer_from_buffer(). This seemed to be > consistent when I was looking at the problem. It's possible my system > hit this reliably because of length of the hostname or something along > those lines. 1: http://packages.qa.debian.org/m/monkey.html 2: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688007 (CVE-2012-4442) 3: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688008 - Henri Salo ps. included Raphael to this email as he was discussing the topic in #debian-security -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
