Your message dated Thu, 24 Feb 2005 17:47:10 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#295261: fixed in mc 1:4.6.0-4.6.1-pre3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Feb 2005 19:19:03 +0000
>From [EMAIL PROTECTED] Mon Feb 14 11:19:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D0lkM-0000CZ-00; Mon, 14 Feb 2005 11:19:02 -0800
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 95C8E366C63; Mon, 14 Feb 2005 20:18:47 +0100 (CET)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Mon, 14 Feb 2005 20:12:39 +0100 (CET)
Date: Mon, 14 Feb 2005 20:12:38 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CAN-2004-1004+CAN-2004-1005: multiple vulnerabilities in mc
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="6c2NcOVqGQ03X4Wi"
Content-Disposition: inline
X-Debbugs-Cc: [EMAIL PROTECTED]
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Package: mc
Version: 4.6.0-4.6.1-pre1-3
Severity: grave
Tags: sarge sid security patch
I'm awfully sorry but when releasing DSA 639 I was under the impression
that the version of mc was sufficiently new and contained all security
fixes already. However, Gerardo Di Giacomo denied that, so attached
please find the patch he provided for a Debian fork which also applies
to the version in sarge = sid. I'm also attaching the patches I've
used for the update in woody.
CAN-2004-1004
Multiple format string vulnerabilities
CAN-2004-1005
Multiple buffer overflows
Linkname: [SECURITY] [DSA 639-1] New mc packages fix several vulnerabilities
URL:
http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00017.html
Please correct the package.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="diff.for.joey"
diff -u mc-4.6.0-4.6.1-pre1/debian/changelog
mc-4.6.0-4.6.1-pre1/debian/changelog
--- mc-4.6.0-4.6.1-pre1/debian/changelog
+++ mc-4.6.0-4.6.1-pre1/debian/changelog
@@ -1,3 +1,16 @@
+mc (1:4.6.0-4.6.1-pre1-3ubuntu0.1) warty-security; urgency=low
+
+ * SECURITY UPDATES: multiple vulnerabilities
+ * src/utilunix.c:
+ - Fixed a potential buffer overflow vulnerability
+ * vfs/fish.c:
+ - Fixed a potential format string vulnerability
+ * References:
+ - CAN-2004-1004
+ - CAN-2004-1005
+
+ -- Gerardo Di Giacomo <[EMAIL PROTECTED]> Mon, 14 Feb 2005 12:37:01 +0000
+
mc (1:4.6.0-4.6.1-pre1-3) unstable; urgency=low
* Polish documentation fix no longer needed.
only in patch2:
unchanged:
--- mc-4.6.0-4.6.1-pre1.orig/debian/patches/11_CAN-2004-1004_CAN-2004-1005.patch
+++ mc-4.6.0-4.6.1-pre1/debian/patches/11_CAN-2004-1004_CAN-2004-1005.patch
@@ -0,0 +1,24 @@
+diff -Nur mc-4.6.0-4.6.1-pre1.orig/src/utilunix.c
mc-4.6.0-4.6.1-pre1/src/utilunix.c
+--- mc-4.6.0-4.6.1-pre1.orig/src/utilunix.c 2005-02-14 12:23:54.358065160
+0000
++++ mc-4.6.0-4.6.1-pre1/src/utilunix.c 2005-02-14 12:30:02.910036744 +0000
+@@ -429,7 +429,7 @@
+ close (2);
+ dup (old_error);
+ close (old_error);
+- len = read (error_pipe[0], msg, MAX_PIPE_SIZE);
++ len = read (error_pipe[0], msg, MAX_PIPE_SIZE -1 );
+
+ if (len >= 0)
+ msg[len] = 0;
+diff -Nur mc-4.6.0-4.6.1-pre1.orig/vfs/fish.c mc-4.6.0-4.6.1-pre1/vfs/fish.c
+--- mc-4.6.0-4.6.1-pre1.orig/vfs/fish.c 2005-02-14 12:23:54.504042968
+0000
++++ mc-4.6.0-4.6.1-pre1/vfs/fish.c 2005-02-14 12:27:39.723804360 +0000
+@@ -232,7 +232,7 @@
+ print_vfs_message (_("fish: Waiting for initial line..."));
+ if (!vfs_s_get_line (me, SUP.sockr, answer, sizeof (answer), ':'))
+ ERRNOR (E_PROTO, -1);
+- print_vfs_message (answer);
++ print_vfs_message ("%s", answer);
+ if (strstr (answer, "assword")) {
+
+ /* Currently, this does not work. ssh reads passwords from
--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2004-1004.mc"
diff -u -p -Nr --exclude CVS mc-4.5.55.orig/vfs/fish.c mc-4.5.55/vfs/fish.c
--- mc-4.5.55.orig/vfs/fish.c 2004-10-31 08:09:30.000000000 +0100
+++ mc-4.5.55/vfs/fish.c 2004-10-31 08:30:02.000000000 +0100
@@ -222,7 +222,7 @@ open_archive_int (vfs *me, vfs_s_super *
print_vfs_message( _("fish: Waiting for initial line...") );
if (!vfs_s_get_line(me, SUP.sockr, answer, sizeof(answer), ':'))
ERRNOR (E_PROTO, -1);
- print_vfs_message( answer );
+ print_vfs_message( "%s", answer );
if (strstr(answer, "assword")) {
/* Currently, this does not work. ssh reads passwords from
--- mc-4.5.55.orig/src/utilunix.c 2001-08-14 02:55:38.000000000 +0200
+++ mc-4.5.55/src/utilunix.c 2004-12-01 12:25:11.000000000 +0100
@@ -408,7 +408,7 @@ close_error_pipe (int error, char *text)
if (len == 0) return 0; /* Nothing to show */
/* Show message from pipe */
- message (error, title, msg);
+ message (error, title, "%s", msg);
} else {
/* Show given text and possible message from pipe */
message (error, title, " %s \n %s ", text, msg);
@@ -442,7 +442,7 @@ void check_error_pipe (void)
close (error_pipe[0]);
}
if (len > 0)
- message (0, _(" Warning "), error);
+ message (0, _(" Warning "), "%s", error);
}
#endif
--6c2NcOVqGQ03X4Wi
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2004-1005.mc"
--- mc-4.5.55.orig/src/utilunix.c 2004-12-01 12:26:20.000000000 +0100
+++ mc-4.5.55/src/utilunix.c 2004-12-01 12:26:27.000000000 +0100
@@ -396,7 +396,7 @@ close_error_pipe (int error, char *text)
close (2);
dup (old_error);
close (old_error);
- len = read (error_pipe[0], msg, MAX_PIPE_SIZE);
+ len = read (error_pipe[0], msg, MAX_PIPE_SIZE - 1);
if (len >= 0)
msg[len] = 0;
@@ -424,7 +424,7 @@ void check_error_pipe (void)
char error[MAX_PIPE_SIZE];
int len = 0;
if (old_error >= 0){
- while (len < MAX_PIPE_SIZE)
+ while (len < MAX_PIPE_SIZE - 1)
{
fd_set select_set;
struct timeval timeout;
diff -u -p -Nr --exclude CVS mc-4.5.55.orig/src/boxes.c mc-4.5.55/src/boxes.c
--- mc-4.5.55.orig/src/boxes.c 2001-08-07 00:22:04.000000000 +0200
+++ mc-4.5.55/src/boxes.c 2004-11-30 18:57:44.000000000 +0100
@@ -584,7 +584,7 @@ static int sel_charset_button( int actio
cpname = (new_display_codepage < 0)
? _("Other 8 bit")
: codepages[ new_display_codepage ].name;
- sprintf( buf, "%-27s", cpname ); /* avoid strange bug with label
repainting */
+ g_snprintf( buf, sizeof (buf), "%-27s", cpname ); /* avoid strange bug
with label repainting */
label_set_text( cplabel, buf );
return 0;
}
diff -u -p -Nr --exclude CVS mc-4.5.55.orig/src/charsets.c
mc-4.5.55/src/charsets.c
--- mc-4.5.55.orig/src/charsets.c 2001-08-16 23:01:12.000000000 +0200
+++ mc-4.5.55/src/charsets.c 2004-11-30 19:00:23.000000000 +0100
@@ -171,7 +171,8 @@ char* init_translation_table( int cpsour
cd = iconv_open( cpdisp, cpsour );
if (cd == (iconv_t) -1) {
- sprintf( errbuf, _("Cannot translate from %s to %s"), cpsour, cpdisp );
+ g_snprintf( errbuf, sizeof (errbuf), _("Cannot translate from %s to
%s"), cpsour, cpdisp );
+
return errbuf;
}
@@ -184,7 +185,7 @@ char* init_translation_table( int cpsour
cd = iconv_open( cpsour, cpdisp );
if (cd == (iconv_t) -1) {
- sprintf( errbuf, _("Cannot translate from %s to %s"), cpdisp, cpsour );
+ g_snprintf( errbuf, sizeof (errbuf), _("Cannot translate from %s to
%s"), cpdisp, cpsour );
return errbuf;
}
diff -u -p -Nr --exclude CVS mc-4.5.55.orig/src/wtools.c mc-4.5.55/src/wtools.c
--- mc-4.5.55.orig/src/wtools.c 2001-06-20 19:12:47.000000000 +0200
+++ mc-4.5.55/src/wtools.c 2004-10-31 08:45:59.000000000 +0100
@@ -315,7 +315,7 @@ Dlg_head *message (int error, char *head
/* Setup the display information */
strcpy (buffer, "\n");
va_start (args, text);
- g_vsnprintf (&buffer [1], sizeof (buffer) - 1, text, args);
+ g_vsnprintf (&buffer [1], sizeof (buffer) - 2, text, args);
strcat (buffer, "\n");
va_end (args);
--- mc-4.5.55.orig/src/key.c 2001-08-18 21:27:31.000000000 +0200
+++ mc-4.5.55/src/key.c 2004-12-01 12:31:37.000000000 +0100
@@ -360,7 +360,8 @@ static key_def *create_sequence (char *s
}
/* The maximum sequence length (32 + null terminator) */
-static int seq_buffer [33];
+#define SEQ_BUFFER_LEN 33
+static int seq_buffer [SEQ_BUFFER_LEN];
static int *seq_append = 0;
static int push_char (int c)
@@ -368,7 +369,7 @@ static int push_char (int c)
if (!seq_append)
seq_append = seq_buffer;
- if (seq_append == &(seq_buffer [sizeof (seq_buffer)-2]))
+ if (seq_append == &(seq_buffer [SEQ_BUFFER_LEN-2]))
return 0;
*(seq_append++) = c;
*seq_append = 0;
@@ -383,7 +384,7 @@ int define_sequence (int code, char *seq
{
key_def *base;
- if (strlen (seq) > sizeof (seq_buffer)-1)
+ if (strlen (seq) > SEQ_BUFFER_LEN-1)
return 0;
for (base = keys; (base != 0) && *seq; ){
--- mc-4.5.55.orig/vfs/sfs.c 2001-08-11 06:57:17.000000000 +0200
+++ mc-4.5.55/vfs/sfs.c 2004-12-08 19:01:06.000000000 +0100
@@ -326,12 +326,13 @@ static int sfs_init (vfs *me)
}
if (!semi){
+ invalid_line:
fprintf (stderr, _("Warning: Invalid line in sfs.ini:\n%s\n"), key);
continue;
}
c = semi + 1;
- while ((*c != ' ') && (*c != '\t')) {
+ while (*c && (*c != ' ') && (*c != '\t')) {
switch (*c) {
case '1': flags |= F_1; break;
case '2': flags |= F_2; break;
@@ -341,6 +342,8 @@ static int sfs_init (vfs *me)
}
c++;
}
+ if (!*c)
+ goto invalid_line;
c++;
*(semi+1) = 0;
if ((semi = strchr (c, '\n')))
--- mc-4.5.55.orig/vfs/cpio.c 2004-10-31 08:09:30.000000000 +0100
+++ mc-4.5.55/vfs/cpio.c 2004-12-08 19:07:21.000000000 +0100
@@ -454,7 +454,8 @@ static int cpio_create_entry(vfs *me, vf
}
}
- while(name[strlen(name)-1] == PATH_SEP) name[strlen(name)-1] = 0;
+ for (tn = name + strlen (name) - 1; tn >= name && *tn == PATH_SEP; tn--)
+ *tn = 0;
if((tn = strrchr(name, PATH_SEP))) {
*tn = 0;
root = vfs_s_find_inode(me, root, name, LINK_FOLLOW, FL_MKDIR); /*
CHECKME! What function here? */
--- mc-4.5.55.orig/vfs/direntry.c 2004-12-11 10:59:05.000000000 +0100
+++ mc-4.5.55/vfs/direntry.c 2004-12-11 11:00:10.000000000 +0100
@@ -372,7 +372,7 @@ vfs_s_resolve_symlink (vfs *me, vfs_s_en
return (MEDATA->find_entry) (me, entry->dir->super->root, linkname,
follow - 1, 0);
else { /* FIXME: this does not work */
char *fullpath = vfs_s_fullpath(me, entry->dir);
- sprintf(buf, "%s/%s", fullpath, linkname);
+ snprintf(buf, sizeof(buf), "%s/%s", fullpath, linkname);
g_free (fullpath);
return (MEDATA->find_entry) (me, entry->dir->super->root, buf,
follow - 1, 0);
}
@@ -1155,7 +1155,7 @@ vfs_s_get_line (vfs *me, int sock, char
int i, status;
char c;
- for (i = 0; i < buf_len; i++, buf++){
+ for (i = 0; i < buf_len-1; i++, buf++){
if (read (sock, buf, sizeof(char)) <= 0)
return 0;
if (logfile){
--- mc-4.5.55.orig/vfs/cpio.c 2004-12-11 11:48:41.000000000 +0100
+++ mc-4.5.55/vfs/cpio.c 2004-12-11 11:49:58.000000000 +0100
@@ -306,7 +306,7 @@ static int cpio_read_oldc_head(vfs *me,
if((len = mc_read(super->u.cpio.fd, (void *)buf, HEAD_LENGTH)) <
HEAD_LENGTH)
return STATUS_EOF;
CPIO_POS(super) += len;
- buf[HEAD_LENGTH + 1] = 0;
+ buf[HEAD_LENGTH] = 0;
if(sscanf((void *)buf, "070707%6lo%6lo%6lo%6lo%6lo%6lo%6lo%11lo%6lo%11lo",
&hd.c_dev, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,
@@ -323,7 +323,10 @@ static int cpio_read_oldc_head(vfs *me,
name = g_malloc(hd.c_namesize);
if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize)
+ {
+ g_free (name);
return STATUS_EOF;
+ }
name[hd.c_namesize - 1] = '\0';
CPIO_POS(super) += len;
--- mc-4.5.55.orig/gtkedit/syntax.c 2004-10-31 08:09:30.000000000 +0100
+++ mc-4.5.55/gtkedit/syntax.c 2004-12-13 21:29:21.000000000 +0100
@@ -484,6 +484,9 @@ static char *strdup_convert (char *s)
case '}':
*p = '\004';
break;
+ case 0:
+ *p = *s;
+ return r;
default:
*p = *s;
break;
--6c2NcOVqGQ03X4Wi--
---------------------------------------
Received: (at 295261-close) by bugs.debian.org; 24 Feb 2005 22:55:38 +0000
>From [EMAIL PROTECTED] Thu Feb 24 14:55:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D4RtS-0001zc-00; Thu, 24 Feb 2005 14:55:38 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1D4RlG-0002Uu-00; Thu, 24 Feb 2005 17:47:10 -0500
From: Ludovic Drolez <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#295261: fixed in mc 1:4.6.0-4.6.1-pre3-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 24 Feb 2005 17:47:10 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 8
Source: mc
Source-Version: 1:4.6.0-4.6.1-pre3-1
We believe that the bug you reported is fixed in the latest version of
mc, which is due to be installed in the Debian FTP archive:
mc_4.6.0-4.6.1-pre3-1.diff.gz
to pool/main/m/mc/mc_4.6.0-4.6.1-pre3-1.diff.gz
mc_4.6.0-4.6.1-pre3-1.dsc
to pool/main/m/mc/mc_4.6.0-4.6.1-pre3-1.dsc
mc_4.6.0-4.6.1-pre3-1_i386.deb
to pool/main/m/mc/mc_4.6.0-4.6.1-pre3-1_i386.deb
mc_4.6.0-4.6.1-pre3.orig.tar.gz
to pool/main/m/mc/mc_4.6.0-4.6.1-pre3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <[EMAIL PROTECTED]> (supplier of updated mc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 17 Feb 2005 22:45:32 +0100
Source: mc
Binary: mc
Architecture: source i386
Version: 1:4.6.0-4.6.1-pre3-1
Distribution: unstable
Urgency: high
Maintainer: Stefano Melchior <[EMAIL PROTECTED]>
Changed-By: Ludovic Drolez <[EMAIL PROTECTED]>
Description:
mc - midnight commander - a powerful file manager
Closes: 92121 231071 241891 267596 282301 286395 295259 295261
Changes:
mc (1:4.6.0-4.6.1-pre3-1) unstable; urgency=high
.
* New maintainers: Stefano Melchior and Ludovic Drolez (closes: #282301).
* Urgency set to high because of security bug fixes.
* Missing quoting in ext2 and i18n fix.
* Samba lib warning (netmask.c) fixed.
* Security upload to handle DSA 639 (references: CAN-2004-1004,
CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092,
CAN-2004-1093, CAN-2004-1174, CAN-2004-1175, CAN-2004-1176),
Fixed upstream in the pre3 release (Closes: #295261).
* Pre3 release includes fix for CAN-2004-0226 (closes: #286395).
* Fixed ftp filesystem impossibility to list dirs when password contains #
(closes: #92121).
* Fixed subshell impossibility to be started (closes: #241891).
* Fixed CAN-2004-0494 (closes: #267596).
* Fixed buffer overflow and format string vulnerabilities (closes: #295259).
* Italian hotkey translation changed (closes: #231071).
* New upstream pre-release.
Files:
c8e34240a29a723bc78bdd85463a26f3 691 utils optional mc_4.6.0-4.6.1-pre3-1.dsc
2bea7e3250efa665d972229e755ac1e6 3900927 utils optional
mc_4.6.0-4.6.1-pre3.orig.tar.gz
8c8a3a55fdb76c3105a564e037f06022 25254 utils optional
mc_4.6.0-4.6.1-pre3-1.diff.gz
3a6752d5079f576910f291bd752960c8 2003694 utils optional
mc_4.6.0-4.6.1-pre3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCHlNlsRlQAP1GppgRAim8AJwJRGe3QLax1XUU1NmZ35R1TsN4PQCfY8k2
LZo2XB/RBba9ZXrH7kMF12M=
=WFw5
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
