Your message dated Tue, 01 Feb 2005 12:24:33 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#292726: buffer overflow in charset (CAN-2005-0086)
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Jan 2005 06:06:00 +0000
>From [EMAIL PROTECTED] Fri Jan 28 22:06:00 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Culk8-0000bk-00; Fri, 28 Jan 2005 22:06:00 -0800
Received: from dragon.kitenet.net (243.80-203-46.nextgentel.com [80.203.46.243])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id 8049218207
for <[EMAIL PROTECTED]>; Sat, 29 Jan 2005 06:05:59 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 429F36E10B; Sat, 29 Jan 2005 07:08:08 +0100 (CET)
Date: Sat, 29 Jan 2005 07:08:08 +0100
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: buffer overflow in charset (CAN-2005-0086)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="qMm9M+Fa2AknHoGS"
Content-Disposition: inline
X-Reportbug-Version: 3.6
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: less
Version: 382-2
Severity: grave
Tags: security patch
less is vulnerable to a head-based buffer overflow that can be triggered
by viewing certian binary files. This is theoretically exploitable by
providing a user with such a file and waiting for him to run less on it.
The problem was discovered by redhat and involves the expand_linebuf
function neglecting to expand the size of the charset buffer when it
expands the other buffers. Details in their BTS, including a test case
and a patch: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D145527
I tried to exploit it on Debian but failed to see the crash, however
this could be due to setup differences from red hat. The code seems to
be the same.
Please use CAN-2005-0086 when referring to this security hole.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)
Versions of packages less depends on:
ii debianutils 2.11.2 Miscellaneous utilities specif=
ic t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared librarie=
s an
ii libncurses5 5.4-4 Shared libraries for terminal =
hand
-- no debconf information
--=20
see shy jo
--qMm9M+Fa2AknHoGS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB+yhHd8HHehbQuO8RArN0AJ9/8usqwX+TkaXz6iOWySWoADTzuwCfRyuJ
NBz5Y6QNY7BhFjqiIjfjbBA=
=XV+W
-----END PGP SIGNATURE-----
--qMm9M+Fa2AknHoGS--
---------------------------------------
Received: (at 292726-done) by bugs.debian.org; 1 Feb 2005 11:25:12 +0000
>From [EMAIL PROTECTED] Tue Feb 01 03:25:12 2005
Return-path: <[EMAIL PROTECTED]>
Received: from smtp07.web.de [217.72.192.225]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cvw9g-0004pV-00; Tue, 01 Feb 2005 03:25:12 -0800
Received: from [217.186.53.200] (helo=europa.test)
by smtp07.web.de with asmtp (WEB.DE 4.103 #192)
id 1Cvw9B-00039d-00; Tue, 01 Feb 2005 12:24:41 +0100
Received: from [127.0.0.1] (europa.test [127.0.0.1])
by europa.test (Postfix) with ESMTP id C2E2C1CB1AE;
Tue, 1 Feb 2005 12:24:34 +0100 (CET)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 01 Feb 2005 12:24:33 +0100
From: Thomas Schoepf <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041217
X-Accept-Language: de, en
MIME-Version: 1.0
To: Joey Hess <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#292726: buffer overflow in charset (CAN-2005-0086)
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
X-Enigmail-Version: 0.89.6.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Closing because this bug only affects Red Hat's version of less
(http://rhn.redhat.com/errata/RHSA-2005-068.html)
Thomas
Joey Hess wrote:
> Thomas Schoepf wrote:
>
>>The bug is Redhat specific. It was introduced by a patch they apply to
>>less.
>>This is a comment taken from
>>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527
>>
>>
>>Additional Comment #15 From Josh Bressers (Security Response Team) on
>>2005-01-25 09:27 -------
>>
>>I've done some investigating on this issue. This problem is caused by
>>a patch we apply to the RHEL3 less. It does not affect the original
>>version, or any upstream versions I've tried.
>
>
> Ok sorry for the severity inflation and if you're sure it's fixed you
> can of course close the report.
>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
