Hi,
the attached patch fixes this issue. It will also be archived at:
http://people.debian.org/~nion/nmu-diff/audit-1.5.3-2_1.5.3-2.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u audit-1.5.3/debian/patches/series audit-1.5.3/debian/patches/series --- audit-1.5.3/debian/patches/series +++ audit-1.5.3/debian/patches/series @@ -1,0 +2 @@ +CVE-2008-1628.patch diff -u audit-1.5.3/debian/changelog audit-1.5.3/debian/changelog --- audit-1.5.3/debian/changelog +++ audit-1.5.3/debian/changelog @@ -1,3 +1,13 @@ +audit (1.5.3-2.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Added CVE-2008-1628.patch to fix a stack-based buffer overflow + in the audit_log_user_command function which can be triggered via + a command argument that is passed to that function and might lead + to execution of arbitrary code (Closes: #475227). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 10 Apr 2008 15:06:25 +0200 + audit (1.5.3-2) unstable; urgency=low * debian/auditd.init: Fix inverted AUDITD_CLEAN_STOP (Closes: #428066) only in patch2: unchanged: --- audit-1.5.3.orig/debian/patches/CVE-2008-1628.patch +++ audit-1.5.3/debian/patches/CVE-2008-1628.patch @@ -0,0 +1,15 @@ +diff -Nurad audit-1.5.3.orig/lib/audit_logging.c audit-1.5.3/lib/audit_logging.c +--- audit-1.5.3.orig/lib/audit_logging.c 2008-04-10 15:08:07.000000000 +0200 ++++ audit-1.5.3/lib/audit_logging.c 2008-04-10 15:09:00.000000000 +0200 +@@ -607,7 +607,10 @@ + } + + p = cmd; +- strcpy(commname, cmd); ++ if (len >= PATH_MAX) { ++ cmd[PATH_MAX] = 0; ++ len = PATH_MAX-1; ++ } + while (*p) { + if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) { + _audit_c2x(commname, cmd, len);
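Review bot: In the lib/audit_logging.c hunk the truncation branch disagrees with itself: `cmd[PATH_MAX] = 0` leaves a string of PATH_MAX characters, while `len = PATH_MAX-1` claims one fewer, so the `while (*p)` scan and `_audit_c2x(commname, cmd, len)` operate on different lengths. Terminating at `cmd[PATH_MAX-1] = 0` would make the two agree. The branch also writes into the caller's `cmd` buffer, which is only safe if that buffer is writable and at least PATH_MAX+1 bytes long; neither is checkable from these lines, so truncating through a bounded copy would be safer. With `strcpy(commname, cmd)` removed, the visible context fills `commname` only inside the encoding branch, so please confirm it is still populated, with a bounded copy, when no character needs encoding. The size of `commname` is not shown here; if `_audit_c2x` expands each input byte into two hex digits, as its name suggests, the PATH_MAX bound should be checked against that expanded size rather than against the input length.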