Your message dated Tue, 29 Jun 2010 23:05:46 +0100 (WEST)
with message-id <20100629220546.97a9b2...@kmos.homeip.net>
and subject line Package sudosh3 has been removed from Debian
has caused the Debian Bug report #566142,
regarding sudosh3: "code quality is terrible", says debian-devel ITP review
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
566142: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566142
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudosh3
Version: 3.2.0-1
Severity: grave
Tags: security
Justification: during replay, reads up to 8MB into an 8KB buffer

You don't seem to have responded to Adam Borowski's mail wondering why this
package should be in Debian, and commenting on its quality. In particular,
he notes a trivial buffer overflow during replay.

In http://lists.debian.org/debian-devel/2010/01/msg00317.html he writes:
> >  sudosh allows complete session logging of shells run under sudo.
> >  Individual sudo commands are still logged as normal but running a shell
> >  under sudosh records the entire session as well as session timings for
> >  complete playback later.
> 
> Uhm, it appears to be a one-trick pony which tries to replicate what ttyrec
> does, except that its usage is sharply limited, it spits out several files
> instead of one, and the code quality is terrible.  Just one example:
> 
> In replay.c, it does sscanf("... %i ...", &b) to an int, makes a sanity
> check, rejecting values of b more than 8MB -- comparing it as a _signed_
> value.  Then, it does read(fd, buffer, (size_t)b).  (size_t is unsigned).
> 
> But after a second reading of the code, you don't need to go that far.  The
> check against overflow was for 8MB, and size of the static buffer is 8192
> bytes...
> 
> 
> Also,
> > * License         : Open Software License version 2.0 (non free)
> 
> Is there any need for non-free tools where better free equivalents already
> exist?  Try ttyrec, my termrec, script -t (not as well suited for this
> task), RealLog, nh_recorder or one of many others...

Regards,
    Simon



--- End Message ---
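An added illustration of the replay.c problem described in the report above. This is not sudosh3's code and not part of the original thread: the record-header format (a decimal length on its own), the function names, and the pipe used to stand in for the session file are all assumptions. It puts the described check (sscanf into a signed int, a signed comparison against 8MB, then a cast to size_t for read()) beside a bounded reader whose limit is the destination buffer's real size.

```c
/* Added example, not sudosh3 source. Header format, names and the
 * pipe-based sample feed are assumptions made for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_LEN  (8 * 1024 * 1024)  /* the 8MB ceiling the sanity check used */
#define BUF_SIZE 8192               /* the static replay buffer is 8192 bytes */

static char replay_buf[BUF_SIZE];   /* stands in for the static buffer */

/* The pattern the report describes: sscanf into a signed int, compare it
 * against 8MB as a signed value, then cast to size_t for read().  Returns
 * the byte count read() would be handed, or 0 when the check rejects it.
 * It never calls read(), so it is safe to call in the demo. */
size_t vulnerable_read_len(const char *hdr)
{
    int b = 0;
    if (sscanf(hdr, "%i", &b) != 1)
        return 0;
    if (b > MAX_LEN)            /* a negative b passes this check...     */
        return 0;
    return (size_t)b;           /* ...and becomes a huge unsigned count;
                                   even an accepted 8MB dwarfs BUF_SIZE */
}

/* Hardened parse: reject signs and non-decimal input, and bound the length
 * by the destination buffer's capacity rather than an unrelated constant.
 * Returns 0 and sets *out on success, -1 on rejection. */
int parse_record_len(const char *hdr, size_t cap, size_t *out)
{
    while (isspace((unsigned char)*hdr))
        hdr++;
    if (*hdr == '-' || *hdr == '+')   /* strtoul would accept "-1" silently */
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(hdr, &end, 10);
    if (errno != 0 || end == hdr)
        return -1;
    if (*end != '\0' && !isspace((unsigned char)*end))
        return -1;                    /* trailing junk such as "0x20" */
    if (v > cap)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Bounded replay read: parse the header, then read exactly len bytes into
 * dst, looping over short reads.  Returns the byte count or -1. */
ssize_t read_record(int fd, const char *hdr, char *dst, size_t cap)
{
    size_t len, got = 0;
    if (parse_record_len(hdr, cap, &len) != 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, dst + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return -1;                /* I/O error or truncated session file */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Feeds a constructed record through a pipe standing in for the session
 * file, so the bounded reader can be exercised without a file on disk. */
ssize_t replay_sample(const char *hdr, const char *data, size_t datalen,
                      char *dst, size_t cap)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], data, datalen) != (ssize_t)datalen) {
        close(p[0]); close(p[1]);
        return -1;
    }
    close(p[1]);
    ssize_t r = read_record(p[0], hdr, dst, cap);
    close(p[0]);
    return r;
}

int main(void)
{
    printf("vulnerable \"-1\"      -> %zu bytes to read()\n", vulnerable_read_len("-1"));
    printf("vulnerable \"1048576\" -> %zu bytes into a %d-byte buffer\n",
           vulnerable_read_len("1048576"), BUF_SIZE);
    printf("hardened   \"5\"       -> %zd\n",
           replay_sample("5", "hello", 5, replay_buf, sizeof replay_buf));
    printf("hardened   \"9000\"    -> %zd (rejected)\n",
           replay_sample("9000", "hello", 5, replay_buf, sizeof replay_buf));
    return 0;
}
```

Two things the hardened version changes: the limit is `cap`, the size of the buffer actually being written, and a negative or malformed length is rejected before any conversion to an unsigned count, so neither "-1" nor a legitimate-looking 1MB record can run read() past an 8192-byte buffer. The read loop also handles short reads, which a single `read(fd, buffer, b)` does not.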
--- Begin Message ---
Version: 3.2.0-1+rm

You filed the bug http://bugs.debian.org/566142 in Debian BTS
against the package sudosh3. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/584588. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues


--- End Message ---
