First of all, thanks for the detailed analysis! I haven't been able to work on elog much, due to a heavy workload these days.
* Florian Weimer [2006-01-23 16:42:16+0100]
> Package: elog
> Version: 2.6.0beta2+r1716-1
> Tags: security upstream fixed-upstream
> Severity: grave
>
> First a little version cross-reference, based on the src/elog{,d}.c
> files.
>
> Debian                CVS (elogd.c)    Subversion
> 2.6.0beta2+r1716-1    1.717*           r1445
> 2.5.7+r1558-3         1.558 + 1.648    r1202 + r1347
>
> * Part of the upstream are contained in the .diff.gz file, so the
>   embedded version number is not quite correct.
>
> The following issues are unfixed upstream:
>
> - CVE-2005-4439: buffer overflow through long URL parameters
>   <http://marc.theaimsgroup.com/?m=113498708213563>
>
> - If host names are resolved, no forward lookup is performed to
>   verify the PTR RR. (This does not affect the sarge version
>   because it unconditionally uses addresses, not host names.)
>
> - There are still some format string issues when things are written
>   to the logfile.
>
> Apparently, upstream is not aware of those three issues.
>
> The following potential security issues have been fixed upstream, but
> not in the sid version (there are some more issues apparently, but
> those bugs were introduced past the sid version AFAICS):

I'm going to prepare an urgent sid upload for those bugs.

> ------------------------------------------------------------------------
> r1529 | ritt | 2005-10-25 20:26:34 +0200 (Tue, 25 Oct 2005) | 1 line
> Changed paths:
>    M /trunk/src/elogd.c
>
> Fixed bug with fprintf and buffer containing "%"
>
> ------------------------------------------------------------------------
> r1472 | ritt | 2005-08-04 22:26:35 +0200 (Thu, 04 Aug 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elog.c
>    M /trunk/src/elogd.c
>
> Do not distinguish between invalid user name and invalid password for
> security reasons
>
>
> On top of that, the following issues affect the sarge version only:
>
> ------------------------------------------------------------------------
> r1335 | ritt | 2005-04-27 12:43:43 +0200 (Wed, 27 Apr 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elogd.c
>
> Applied patch from Emiliano to fix possible buffer overflow
>
> ------------------------------------------------------------------------
> r1333 | ritt | 2005-04-22 15:41:18 +0200 (Fri, 22 Apr 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elogd.c
>
> Fixed crashes with very long (revisions) attributes
>
>
> I've back-ported all four issues to the sarge version, but they
> haven't received any testing yet. If anybody has got a sarge elog
> installation, please speak up.

Thanks for the backport. Unfortunately I don't have a Sarge box at the moment, but I will try to find one. Could you please supply the URL of the backported patch so that I can also work on it?

> I'm going to ask upstream about the following issue:
>
> ------------------------------------------------------------------------
> r1487 | ritt | 2005-09-09 22:59:46 +0200 (Fri, 09 Sep 2005) | 2 lines
> Changed paths:
>    M /trunk/src/elogd.c
>
> Fixed infinite redirection with ?fail=1

CCing Stefan. [Stefan: Please keep the discussion CCed to the bug report]

Regards,

-- 
roktas
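Two of the items in the thread above, the fprintf call fed a buffer containing "%" (r1529) and the remaining format string issues when data is written to the logfile, are the same bug class. The following is an added illustration in C of that class and of the bounded-write habit that addresses over-long parameters; it is not elog's code, does not reproduce any elog function, and the two sample parameter values and the "[elogd] param=" line layout are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values (not taken from elog): the kind of
 * attacker-chosen text that can arrive in a URL parameter and then be
 * written to the logfile. */
#define SAMPLE_BENIGN  "status: 100% done"
#define SAMPLE_HOSTILE "guest%n%n%n%s"

/* UNSAFE pattern, the shape of the defect behind "fprintf and buffer
 * containing '%'": the untrusted buffer is passed as the format argument,
 * so every '%' in it is parsed as a conversion. "%s" reads a pointer that
 * was never passed; "%n" writes through one. Never call this with
 * attacker-controlled text; it is here only for contrast. */
int log_unsafe(FILE *fp, const char *msg)
{
    return fprintf(fp, msg);
}

/* SAFE pattern: the format is a literal and the untrusted text is only an
 * argument to "%s", so a '%' inside it is just a character. */
int log_safe(FILE *fp, const char *msg)
{
    return fprintf(fp, "%s\n", msg);
}

/* Count the conversions the unsafe version would interpret: every '%' not
 * immediately followed by another '%' ("%%" prints a literal percent).
 * Useful when auditing log lines or grepping a code base for the bug. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build one log line into a caller-sized buffer. snprintf bounds the
 * write, so an over-long parameter is cut off instead of running past the
 * buffer, and the return value reveals the truncation so the caller can
 * reject the input rather than log a silently mangled line.
 * Returns the line length on success, -1 if it did not fit. */
int log_param(char *out, size_t outlen, const char *param)
{
    int needed = snprintf(out, outlen, "[elogd] param=%s", param);
    if (needed < 0 || (size_t)needed >= outlen)
        return -1;
    return needed;
}

int main(void)
{
    char line[64];

    /* Both samples are printed verbatim: no conversion is interpreted. */
    log_safe(stdout, SAMPLE_BENIGN);
    log_safe(stdout, SAMPLE_HOSTILE);

    printf("directives the unsafe path would parse: %d\n",
           count_directives(SAMPLE_HOSTILE));

    if (log_param(line, sizeof line, SAMPLE_HOSTILE) >= 0)
        puts(line);
    else
        puts("parameter too long for log line, rejected");
    return 0;
}
```

The audit rule that falls out of this is simple: any printf-family call whose format argument is not a string literal is suspect, and a logging helper that takes a caller-supplied message should always wrap it in its own literal "%s".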