Your message dated Fri, 14 Nov 2008 14:04:32 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Removed
has caused the Debian Bug report #501461,
regarding acon: code still insecure, post-audit buffer overflows exist
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
501461: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501461
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: acon
Version: 1.0.5-7
Severity: grave
Justification: local root
Hi,
as discussed on planet.debian.org and #476603, acon contains insecure code:
> [Brian M. Carlson]
> > I am subscribed to debian-audit, and we were requested to provide an
> > audit, which I did. My recommendation stands. It's very difficult
> > to audit the code, which is why I can't be sure I haven't missed
> > something.
[...]
> Sounds like it indeed shouldn't be included in Lenny, then.
I tend to agree. People not believing the insecurity of the code are
invited to run acon, bring up the menu (it was at Ctrl-Alt-G for my
keyboard and disappeared, the latter goes away when one disables the
console switching test as in the attached diff), select add console and
type more than 200 letters to the 200 char tmp array of menu.c/options.
I have marked a code position overflowing this buffer in the attached diff.
Please note that this is NOT about this specific overflow. I have found
it by grepping(!) through the code for string functions for 5 minutes.
acon needs to be completely redone before being remotely safe,
preferably in a way that is less likely to create all sorts of
vulnerabilities.
Note that this hole was unnoticed during an audit during which the
auditor came to the conclusion to not ship the code as it is likely that
there are more vulnerabilities than those he found. He was right.
I'd note that during testing acon seemed to exhibit multiple unrelated
crashes, too.
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
diff -urN acon-1.0.5~/menu.c acon-1.0.5/menu.c
--- acon-1.0.5~/menu.c 2003-07-18 21:09:34.000000000 +0200
+++ acon-1.0.5/menu.c 2008-10-07 17:27:41.000000000 +0200
@@ -129,8 +129,8 @@
/*if the active console is changed*/
if( currentconsole!=getactive())
{
- consoleswitched=1;
- return -1;
+ //consoleswitched=1;
+ //return -1;
}
}while(ch==256);
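Review bot: commenting out `consoleswitched=1;` and `return -1;` leaves the `if( currentconsole!=getactive())` branch with an empty body, so the console-switch detection is silently disabled rather than removed or fixed. The report presents this as a reproduction aid (it keeps the menu from disappearing), so it must not be merged as-is; if it is kept for testing, put the check behind a compile-time or runtime flag instead of leaving dead commented-out statements.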
@@ -259,6 +259,8 @@
str[strlen(str)-1]=0;
break;
default:
+ if (strlen(str)>=200)
+ printf("Overflow if str has only size 200.\n");
str[strlen(str)+1]=0;
str[strlen(str)]=ch;
}
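Review bot: the added `if (strlen(str)>=200)` is a marker, not a guard: it only prints, and the two unbounded writes `str[strlen(str)+1]=0;` and `str[strlen(str)]=ch;` still execute afterwards. With the 200-char tmp array the report describes, the first out-of-bounds write already happens at `strlen(str)==199` (the terminator lands at `str[200]`), so the condition also fires one character late. A real fix should reject the character when `strlen(str)+1 >= <buffer size>` (pass the size into this code, or use a bounded append helper) rather than announce the overflow on stdout.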
--- End Message ---
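The append pattern the report points at (`str[strlen(str)+1]=0; str[strlen(str)]=ch;` into a 200-char array) beside a bounded version, as an added example in C that is not acon's code and not from the bug report or the diff above. The buffer size 200 comes from the report; the function names (`menu_append_char`, `menu_backspace`, `feed_chars`, `unchecked_append_overflows`, `fill_count`) and the macro `MENU_BUF` are assumptions made for the example. The bounded append rejects a character as soon as the terminator would land at or past the last valid index, which is exactly the point where the original code writes out of bounds.

```c
/* Added example (not acon's code): bounded replacement for the unchecked
 * append described in Debian bug #501461. Names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MENU_BUF 200 /* size of the tmp array named in the report (assumed) */

/* Bounded append: accept ch only if ch and the NUL terminator both fit.
 * Returns 1 when appended, 0 when rejected because the buffer is full. */
int menu_append_char(char *str, size_t cap, int ch)
{
    size_t len = strlen(str);
    if (len + 1 >= cap) /* len+1 is where the terminator would move to */
        return 0;
    str[len] = (char)ch;
    str[len + 1] = '\0';
    return 1;
}

/* Bounded backspace: mirrors str[strlen(str)-1]=0 from the report, but does
 * not index before the buffer on an empty string. Returns 1 if a char went. */
int menu_backspace(char *str)
{
    size_t len = strlen(str);
    if (len == 0)
        return 0;
    str[len - 1] = '\0';
    return 1;
}

/* Feed n copies of ch through the bounded append into an empty buffer.
 * Returns how many were accepted, which equals the resulting strlen. */
size_t feed_chars(char *str, size_t cap, int ch, size_t n)
{
    size_t accepted = 0;
    str[0] = '\0';
    for (size_t i = 0; i < n; i++)
        accepted += (size_t)menu_append_char(str, cap, ch);
    return accepted;
}

/* Model of the original unchecked code: at current length len it writes
 * str[len] and str[len+1]. The last valid index is cap-1, so the write is
 * out of bounds once len+1 > cap-1, i.e. already at len == cap-1 (199). */
int unchecked_append_overflows(size_t len, size_t cap)
{
    return len + 1 > cap - 1;
}

/* Convenience: fill a MENU_BUF-sized buffer with n chars, return how many
 * the bounded append accepted. */
size_t fill_count(size_t n)
{
    char tmp[MENU_BUF];
    return feed_chars(tmp, sizeof tmp, 'a', n);
}

int main(void)
{
    printf("bounded append accepted %zu of 300 chars into %d bytes\n",
           fill_count(300), MENU_BUF);
    printf("unchecked append at len 198 overflows: %d, at len 199: %d\n",
           unchecked_append_overflows(198, MENU_BUF),
           unchecked_append_overflows(199, MENU_BUF));
    return 0;
}
```

Passing the capacity explicitly (here via `sizeof tmp`) is the design point: a helper that only receives `char *str` cannot know where the array ends, which is why the original loop has no way to stop.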
--- Begin Message ---
Version: 1.0.5-7+rm
acon was removed because it was insecure, buggy and not used much.
--
Martin Michlmayr
http://www.cyrius.com/
--- End Message ---