Your message dated Fri, 30 Jan 2015 09:49:03 +0000
with message-id <e1yh8cf-0005ec...@franck.debian.org>
and subject line Bug#776007: fixed in xymon 4.3.17-5
has caused the Debian Bug report #776007,
regarding buffer overrun in acknowledge.c(gi)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
776007: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776007
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xymon
Version: 4.3.17-1
Severity: grave
Tags: security patch pending

web/acknowledge.c uses a string twice in a format string, but only
allocates memory for one copy. The attached patch fixes this.

Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/
--- a/web/acknowledge.c
+++ b/web/acknowledge.c
@@ -289,7 +289,7 @@ int main(int argc, char *argv[])
                                        pcre *dummy;
                                        char *re;
 
-                                       re = (char *)malloc(8 + 
strlen(pagename));
+                                       re = (char *)malloc(8 + 
2*strlen(pagename));
                                        sprintf(re, "%s$|^%s/.+", pagename, 
pagename);
                                        dummy = compileregex(re);
                                        if (dummy) {
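Review bot: the size in the malloc line is still counted by hand, separately from the format string in the sprintf line that follows it. 8 + 2*strlen(pagename) does cover the six literal characters and the terminator of "%s$|^%s/.+", but a later change to the format can silently bring the overrun back. I would compute the size once into a variable, check the malloc result for NULL before writing, and use snprintf(re, size, ...) so the write is bounded by the same number. Separately, pagename goes into the pattern unescaped before compileregex(re), so any regex metacharacters in it alter the expression; that is worth a follow-up if the value is not already validated upstream.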

--- End Message ---
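The sizing mistake described in the report above, worked through as an added example (not code from the report or from xymon): it compares the old allocation with what the format actually needs and builds the pattern in a buffer measured from the format itself. The helper names `old_alloc_size`, `needed_size` and `build_page_regex` and the sample page names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_RE_FMT "%s$|^%s/.+"   /* format string from web/acknowledge.c */

/* Bytes the pre-fix code allocated: room for one copy of pagename. */
size_t old_alloc_size(const char *pagename) {
    return 8 + strlen(pagename);
}

/* Bytes the format really needs, terminator included, measured by
 * snprintf instead of counted by hand. Returns 0 on error. */
size_t needed_size(const char *pagename) {
    int n = snprintf(NULL, 0, PAGE_RE_FMT, pagename, pagename);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical helper: allocate exactly what the format needs and
 * write with a bound. Returns NULL on failure; the caller frees. */
char *build_page_regex(const char *pagename) {
    size_t size;
    char *re;

    if (pagename == NULL) return NULL;
    size = needed_size(pagename);
    if (size == 0) return NULL;
    re = malloc(size);
    if (re == NULL) return NULL;
    if (snprintf(re, size, PAGE_RE_FMT, pagename, pagename) != (int)(size - 1)) {
        free(re);                  /* output was truncated or failed */
        return NULL;
    }
    return re;
}

int main(void) {
    /* Constructed sample page names; the old size is too small from
     * two characters upward (needed = 2*len + 7, old = len + 8). */
    const char *names[] = { "a", "ab", "servers/web" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *re = build_page_regex(names[i]);
        printf("%-12s old=%zu needed=%zu %s\n", names[i],
               old_alloc_size(names[i]), needed_size(names[i]),
               re ? re : "(allocation failed)");
        free(re);
    }
    return 0;
}
```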
--- Begin Message ---
Source: xymon
Source-Version: 4.3.17-5

We believe that the bug you reported is fixed in the latest version of
xymon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <christoph.b...@credativ.de> (supplier of updated xymon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jan 2015 17:37:26 +0100
Source: xymon
Binary: xymon xymon-client
Architecture: source amd64
Version: 4.3.17-5
Distribution: unstable
Urgency: medium
Maintainer: Christoph Berg <m...@debian.org>
Changed-By: Christoph Berg <christoph.b...@credativ.de>
Description:
 xymon      - monitoring system for systems, networks and applications
 xymon-client - client for the Xymon network monitor
Closes: 767840 767901 770168 771182 776007
Changes:
 xymon (4.3.17-5) unstable; urgency=medium
 .
   [ Christoph Berg ]
   * Restore the lost ROOTFS variable in xymonclient-linux.sh, and patch
     xymond/rrd/do_disk.c to ignore duplicate submissions for the / partition.
     (Closes: #767901)
   * Fix buffer overrun in web/acknowledge.c (Closes: #776007)
   * Debconf translations, thanks!
     + pt by Américo Monteiro (Closes: #767840)
     + fr by Jean-Pierre Giraud (Closes: #770168)
     + nl by Frans Spiesschaert (Closes: #771182)
 .
   [ Axel Beckert ]
   * Fix aborting installation in cases where a hobbit user exists despite
     hobbit-client was not installed before. (LP: #1407498)


--- End Message ---
