Package: libnet-server-perl Version: 0.87-3 Severity: critical Tags: security patch
Hello Carsten,
It appears that this is still a problem for stable, and no bug was ever
opened. I have pinged the security team about it, and sent a rough
patch (below). Can you verify that it is complete, and work with
[EMAIL PROTECTED] to make sure this gets fixed for sarge as well?
Thanks,
diff -Nru /tmp/Ahc2P0oPki/libnet-server-perl-0.87/lib/Net/Server.pm
/tmp/4HT6qXR2pz/libnet-server-perl-0.90/lib/Net/Server.pm
--- /tmp/Ahc2P0oPki/libnet-server-perl-0.87/lib/Net/Server.pm 2003-11-06
22:49:05.000000000 +0000
+++ /tmp/4HT6qXR2pz/libnet-server-perl-0.90/lib/Net/Server.pm 2005-12-05
21:13:04.000000000 +0000
@@ -1036,41 +1116,38 @@
### record output
sub log {
- my $self = shift;
+ my ($self, $level, $msg) = @_;
my $prop = $self->{server};
- my $level = shift;
return unless $prop->{log_level};
return unless $level <= $prop->{log_level};
### log only to syslog if setup to do syslog
if( $prop->{log_file} eq 'Sys::Syslog' ){
$level = $level!~/^\d+$/ ? $level : $Net::Server::syslog_map->{$level} ;
- Sys::Syslog::syslog($level,@_);
+ Sys::Syslog::syslog($level, '%s', $msg);
return;
}
- $self->write_to_log_hook($level,@_);
+ $self->write_to_log_hook($level, $msg);
}
### standard log routine, this could very easily be
### overridden with a syslog call
sub write_to_log_hook {
- my $self = shift;
+ my ($self, $level, $msg) = @_;
my $prop = $self->{server};
- my $level = shift;
- local $_ = shift || '';
- chomp;
- s/([^\n\ -\~])/sprintf("%%%02X",ord($1))/eg;
+ chomp $msg;
+ $msg =~ s/([^\n\ -\~])/sprintf("%%%02X",ord($1))/eg;
if( $prop->{log_file} ){
- print _SERVER_LOG $_, "\n";
+ print _SERVER_LOG $msg, "\n";
}elsif( defined($prop->{setsid}) ){
# do nothing
}else{
my $old = select(STDERR);
- print $_. "\n";
+ print $msg. "\n";
select($old);
}
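Review bot: In `write_to_log_hook` the new `my ($self, $level, $msg) = @_;` drops the old `shift || ''` default, so a call without a message now runs `chomp $msg` and the substitution on undef and warns under `-w`; add `$msg = '' unless defined $msg;` before the `chomp`. The escape class `[^\n\ -\~]` still passes embedded newlines through to the `_SERVER_LOG`/STDERR path, and `chomp` strips only the trailing one, so a message built from client-supplied data can begin what looks like a separate log entry; escaping `\n` after the `chomp` would close that. In the syslog branch of `log`, `syslog($level, '%s', $msg)` is the right fix for the format-string problem, but it forwards only the first argument after `$level`, where the old `syslog($level,@_)` passed all of them. Whether any caller passes a format plus arguments is not visible here, so call sites should be checked. The closing brace of `write_to_log_hook` lies outside the hunk.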
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686-smp
Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1)
(ignored: LC_ALL set to en_US.ISO-8859-1)
Versions of packages libnet-server-perl depends on:
ii libio-multiplex-perl 1.08-1 object-oriented interface to selec
ii perl 5.8.4-8sarge4 Larry Wall's Practical Extraction
-- no debconf information
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : [EMAIL PROTECTED] |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------

