Hi,

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for whitedune.
>
> CVE-2008-7228[0]:
> | Multiple format string vulnerabilities in White_Dune before
> | 0.29beta851 have unspecified impact and attack vectors, a different
> | vulnerability than CVE-2008-0101.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
Talking as the "upstream" (developer, sourcecode maintainer):

After reinspecting the source changes, it looks like the only potentially
dangerous vulnerability problem is still part of
http://ftp.de.debian.org/debian/pool/main/w/whitedune/whitedune_0.28.14.orig.tar.gz
and
http://ftp.de.debian.org/debian/pool/main/w/whitedune/whitedune_0.28.13.orig.tar.gz

> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7228
>     http://security-tracker.debian.net/tracker/CVE-2008-7228

| Description
| Multiple format string vulnerabilities in White_Dune before
| 0.29beta851 have unspecified impact and attack vectors, a different
| vulnerability than CVE-2008-0101.

According to
http://archives.neohapsis.com/archives/apps/freshmeat/2008-02/0005.html
it looks like this entry was created from the freshmeat log entry
"Changes: Potential format string security problems were fixed."

Unfortunately, I never noticed CVE-2008-7228 and no one told me about it 8-(

So I should say something about the impact and attack vectors:

To enable the problem, white_dune must be compiled with the
--with-aflockdebug option of ./configure.

The debian binary versions are not compiled with the --with-aflockdebug
option, therefore the debian binary versions are not vulnerable.

The one potentially problematic line can be found in the file
white_dune-0.28pl14/src/Aflock.cpp

void Aflock::initCorrectionTable( const char* const fName )
{
    int i,j,k, xsize,ysize,zsize;
    float dump;
    FILE* inFile;

    AFLOCK_PRINT(" Initializing calibration table ... ");
    AFLOCK_PRINT(fName);

The line " AFLOCK_PRINT(fName);" should be deleted.
See in file white_dune-0.28pl14/src/Aflock.h

#ifdef HAVE_AFLOCK_DEBUG
#define AFLOCK_PRINT(message) fprintf(stderr,message)
#else
#define AFLOCK_PRINT(message)
#endif

HAVE_AFLOCK_DEBUG is not defined, as you can see in the file
white_dune-0.28pl14/src/config.h

$ grep HAVE_AFLOCK_DEBUG white_dune-0.28pl14/src/config.h
/* #undef HAVE_AFLOCK_DEBUG */

If the --with-aflockdebug option of configure were used, the only way to
attack would be the usage of a filename for the "-calfile" option.

The usage of the "-calfile" option requires the usage of the "-aflock"
option.

The "-aflock" option and the --with-aflockdebug option are only needed for
the usage (and debugging) of an "Ascension Flock of Birds" magnetic
headtracking device (see http://people.virginia.edu/~smb3u/PostureStand.gif),
which is only used in CAVE/powerwall environments or other biometrics.
It is/was rather expensive and is therefore rather rare today.

Summary: I don't think it is very likely that an attacker would trick a
debian user to recompile the white_dune 0.14 package with the
--with-aflockdebug configure option and then would trick him/her to enter
a rather strange filename for the -calfile commandline option.

Nevertheless, there is no good reason not to fix this minor problem in
the debian sourcetree...

thanks for bringing this problem to my attention

so long
MUFTI

BTW: according to http://packages.debian.org/lenny/whitedune the homepage is
http://www.csv.ica.uni-stuttgart.de/vrml/dune/
This is the old homepage, which is not active anymore. The new homepage is
http://vrml.cip.ica.uni-stuttgart.de/dune/ (or http://129.69.35.12/dune/)

--
The worldwide demand for motor vehicles will not exceed one million, if
only for lack of available chauffeurs.
Gottlieb Daimler
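Added example, not code from white_dune or from the mail above: it shows why the AFLOCK_PRINT macro quoted from Aflock.h is a format-string sink when called with a non-literal argument such as fName, a hardened definition that prints its argument as data, and a check for %-directives in untrusted strings; the helper names count_format_directives and print_untrusted are invented here.

```c
/* Added example, not white_dune code: AFLOCK_PRINT as quoted from
 * Aflock.h passes its argument to fprintf() as the format string, so
 * AFLOCK_PRINT(fName) parses a -calfile name for %-directives.
 * count_format_directives and print_untrusted are names invented here. */
#include <stdio.h>

/* Macro as quoted in the mail.  Called with a variable, gcc and clang
 * flag it under -Wformat-security, a cheap way to locate such sinks. */
#define AFLOCK_PRINT_AS_QUOTED(message) fprintf(stderr, message)

/* Hardened form: the argument is data, never a format.  With this
 * definition the AFLOCK_PRINT(fName) line would be harmless. */
#define AFLOCK_PRINT(message) fputs((message), stderr)

/* Count printf conversion directives in an untrusted string ("%%" is a
 * literal percent sign and is not counted).  Non-zero means the string
 * must never reach a printf-family call in the format position. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Echo an untrusted message as plain data and return fprintf()'s byte
 * count: it equals the string length, i.e. nothing was consumed as a
 * directive. */
int print_untrusted(FILE *out, const char *message)
{
    int written = fprintf(out, "%s", message);  /* message is an argument */
    return written;
}

int main(void)
{
    /* Constructed sample: a URL-encoded space in an ordinary file name
     * already holds a '%' that the quoted macro would treat as a directive. */
    const char *fname = "report%20final.tbl";
    printf("%d directive(s) in \"%s\"\n", count_format_directives(fname), fname);
    print_untrusted(stderr, fname);
    return 0;
}
```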