Your message dated Mon, 24 Jul 2006 18:32:26 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#378640: libnet-server-perl: [CVE-2005-1127] format string 
vulnerability in log() function
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libnet-server-perl
Version: 0.87-3
Severity: critical
Tags: security patch

Hello Carsten,

It appears that this is still a problem for stable, and no bug was ever
opened.  I have pinged the security team about it, and sent a rough
patch (below).  Can you verify that it is complete, and work with
[EMAIL PROTECTED] to make sure this gets fixed for sarge as well?

Thanks,

diff -Nru /tmp/Ahc2P0oPki/libnet-server-perl-0.87/lib/Net/Server.pm 
/tmp/4HT6qXR2pz/libnet-server-perl-0.90/lib/Net/Server.pm
--- /tmp/Ahc2P0oPki/libnet-server-perl-0.87/lib/Net/Server.pm   2003-11-06 
22:49:05.000000000 +0000
+++ /tmp/4HT6qXR2pz/libnet-server-perl-0.90/lib/Net/Server.pm   2005-12-05 
21:13:04.000000000 +0000
@@ -1036,41 +1116,38 @@

 ### record output
 sub log {
-  my $self  = shift;
+  my ($self, $level, $msg) = @_;
   my $prop = $self->{server};
-  my $level = shift;

   return unless $prop->{log_level};
   return unless $level <= $prop->{log_level};

   ### log only to syslog if setup to do syslog
   if( $prop->{log_file} eq 'Sys::Syslog' ){
     $level = $level!~/^\d+$/ ? $level : $Net::Server::syslog_map->{$level} ;
-    Sys::Syslog::syslog($level,@_);
+    Sys::Syslog::syslog($level, '%s', $msg);
     return;
   }

-  $self->write_to_log_hook($level,@_);
+  $self->write_to_log_hook($level, $msg);
 }


 ### standard log routine, this could very easily be
 ### overridden with a syslog call
 sub write_to_log_hook {
-  my $self  = shift;
+  my ($self, $level, $msg) = @_;
   my $prop = $self->{server};
-  my $level = shift;
-  local $_  = shift || '';
-  chomp;
-  s/([^\n\ -\~])/sprintf("%%%02X",ord($1))/eg;
+  chomp $msg;
+  $msg =~ s/([^\n\ -\~])/sprintf("%%%02X",ord($1))/eg;

   if( $prop->{log_file} ){
-    print _SERVER_LOG $_, "\n";
+    print _SERVER_LOG $msg, "\n";
   }elsif( defined($prop->{setsid}) ){
     # do nothing
   }else{
     my $old = select(STDERR);
-    print $_. "\n";
+    print $msg. "\n";
     select($old);
   }
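
Review bot: In write_to_log_hook, the new unpacking "my ($self, $level, $msg) = @_;" loses the default that the removed line "local $_  = shift || '';" provided, so an undefined message now reaches "chomp $msg" and the substitution as undef. Restore the guard right after the unpacking, for example "$msg = '' unless defined $msg;". Separately, in log() only the first three elements of @_ are kept, so a caller that used to pass a format plus arguments through to syslog($level,@_) will now have the raw format string logged via '%s' and the remaining arguments silently dropped. That is the right fix for the format string issue, but it is a behaviour change worth a comment above sub log, or the extra arguments could be joined into $msg before logging.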


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686-smp
Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1) 
(ignored: LC_ALL set to en_US.ISO-8859-1)

Versions of packages libnet-server-perl depends on:
ii  libio-multiplex-perl       1.08-1        object-oriented interface to selec
ii  perl                       5.8.4-8sarge4 Larry Wall's Practical Extraction 

-- no debconf information

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 0.89-1

* Stephen Gran [Tue, 18 Jul 2006 00:40:24 +0100]:

> Package: libnet-server-perl
> Version: 0.87-3
> Severity: critical
> Tags: security patch

Marking as fixed in testing.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
One way to make your old car run better is to look up the price of a new model.


--- End Message ---
