Merge lp:~jtaylor/ubuntu/oneiric/super/CVE-2011-2776 into lp:ubuntu/oneiric/super

Proposed by Julian Taylor
Status: Merged
Merge reported by: Julian Taylor
Merged at revision: not available
Proposed branch: lp:~jtaylor/ubuntu/oneiric/super/CVE-2011-2776
Merge into: lp:ubuntu/oneiric/super
Diff against target: 172 lines (+147/-0)
4 files modified
debian/changelog (+11/-0)
debian/patches/12-Use-vnsprintf.patch (+49/-0)
debian/patches/13-Potential-format-string-vulnerability.patch (+85/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/oneiric/super/CVE-2011-2776
Reviewer Review Type Date Requested Status
Marc Deslauriers Approve
Ubuntu branches Pending
10. By Julian Taylor

Thanks to Robert Luberda

11. By Julian Taylor

fix typo

Marc Deslauriers (mdeslaur) wrote :

ACK. Uploading now.

review: Approve

Preview Diff

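--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+super (3.30.0-5ubuntu0.1) oneiric-security; urgency=low
+
+ * SECURITY UPDATE: buffer overflow when logging via syslog (LP: #954579).
+ - 12-Use-vsnprintf.patch:
+ use vsnprintf to prevent overflow
+ - 13-Potential-format-string-vulnerability.patch
+ - Thanks to Robert Luberda
+ - CVE-2011-2776
+
+ -- Julian Taylor <jtaylor@ubuntu.com> Wed, 14 Mar 2012 00:22:33 +0100
+
 super (3.30.0-5) unstable; urgency=low
 
 * 10_ftbfs_hurd.patch: fix FTBFS on GNU/Hurd.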
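--- a/debian/patches/12-Use-vnsprintf.patch
+++ b/debian/patches/12-Use-vnsprintf.patch
@@ -0,0 +1,49 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sun, 4 Dec 2011 16:56:57 +0100
+Subject: 12 Use vnsprintf.
+
+error.c: Use vsnprintf() instead of vprintf() to fix a crash
+occurring when syslog logging is enabled and total length
+of arguments passed to super is greater then 1300 characters.
+rsyslog.c: Do the same just in case.
+---
+ error.c | 4 ++--
+ rsyslog.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/error.c b/error.c
+index 0b91ad9..30529fa 100644
+--- a/error.c
++++ b/error.c
+@@ -346,7 +346,7 @@ Error(
+ if (tag)
+ StrLCat(newfmt, tag, sizeof(newfmt));
+ va_start(ap, fmt);
+- (void) vsprintf(buf, newfmt, ap);
++ (void) vsnprintf(buf, sizeof(buf), newfmt, ap);
+ va_end(ap);
+ if (show_perror)
+ StrLCat(buf, Strerror(error), sizeof(buf));
+@@ -515,7 +515,7 @@ va_dcl
+ StrLCat(newfmt, fmt, sizeof(newfmt));
+ if (tag)
+ StrLCat(newfmt, tag, sizeof(newfmt));
+- (void) vsprintf(buf, newfmt, ap);
++ (void) vsnprintf(buf, sizeof(buf), newfmt, ap);
+ va_end(ap);
+ SysLog(error_priority, buf);
+ }
+diff --git a/rsyslog.c b/rsyslog.c
+index ed478d8..af1e571 100644
+--- a/rsyslog.c
++++ b/rsyslog.c
+@@ -103,7 +103,7 @@ static struct {
+ (void) sprintf(msg,"(%d) ", getpid());
+ if (*loginfo.ident)
+ (void) sprintf(msg+strlen(msg),"%s: ", loginfo.ident);
+- (void) vsprintf(msg+strlen(msg), fmt, args);
++ (void) vsnprintf(msg+strlen(msg), sizeof(msg)-strlen(msg), fmt, args);
+ va_end(args);
+
+ /*
+--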
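Review bot: In the rsyslog.c hunk the two `sprintf` calls just above the changed line still write into `msg` without a bound, so an over-long `loginfo.ident` could overrun the buffer before the new `vsnprintf` is reached; the second call could become `(void) snprintf(msg+strlen(msg), sizeof(msg)-strlen(msg), "%s: ", loginfo.ident);`. The `sizeof(msg)` in the added line is the buffer size only if `msg` is an array in this scope; its declaration is outside the hunk, so that should be confirmed. All three `vsnprintf` return values are discarded, so an over-long entry is cut silently. For a log that records how super was invoked, checking the return value and appending a truncation marker would make the cut visible to whoever reads the log.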
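--- a/debian/patches/13-Potential-format-string-vulnerability.patch
+++ b/debian/patches/13-Potential-format-string-vulnerability.patch
@@ -0,0 +1,85 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sat, 7 Jan 2012 12:53:33 +0100
+Subject: 13 Potential format string vulnerability.
+
+Fix potential format string vulnerability that
+might occur if the user of file name or file name
+used in the tag contains a '%' character.
+---
+ error.c | 26 ++++++++++----------------
+ 1 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/error.c b/error.c
+index 30529fa..c9a5cc0 100644
+--- a/error.c
++++ b/error.c
+@@ -188,14 +188,16 @@ int fac;
+ }
+
+ void
+-SysLog(pri, buf)
++SysLog(pri, user, buf, tag)
+ int pri;
++char *user;
+ char *buf;
++char *tag;
+ {
+ if (using_rsyslog) {
+- rsyslog(pri, "%s", buf);
++ rsyslog(pri, "(%s) %s%s", user, buf, (tag ? tag : ""));
+ } else {
+- syslog(pri, "%s", buf);
++ syslog(pri, "(%s) %s%s", user, buf, (tag ? tag : ""));
+ }
+ }
+
+@@ -336,21 +338,17 @@ Error(
+
+ #ifdef HAVE_SYSLOG_H
+ if (error_syslog) {
+- char newfmt[MAXPRINT], buf[MAXPRINT];
++ char buf[MAXPRINT];
+ if (!openlog_done) {
+ OpenLog(error_prog ? error_prog : "", 0, error_facility);
+ openlog_done = 1;
+ }
+- sprintf(newfmt, "(%s) ", error_user ? error_user : user);
+- StrLCat(newfmt, fmt, sizeof(newfmt));
+- if (tag)
+- StrLCat(newfmt, tag, sizeof(newfmt));
+ va_start(ap, fmt);
+- (void) vsnprintf(buf, sizeof(buf), newfmt, ap);
++ (void) vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+ if (show_perror)
+ StrLCat(buf, Strerror(error), sizeof(buf));
+- SysLog(error_priority, buf);
++ SysLog(error_priority, (error_user ? error_user : user), buf, tag);
+ }
+ #endif
+
+@@ -502,7 +500,7 @@ va_dcl
+
+ #ifdef HAVE_SYSLOG_H
+ if (error_syslog) {
+- char newfmt[MAXPRINT], buf[MAXPRINT];
++ char buf[MAXPRINT];
+ va_start(ap);
+ show_perror = va_arg(ap, int);
+ die = va_arg(ap, int);
+@@ -511,13 +509,9 @@ va_dcl
+ OpenLog(error_prog ? error_prog : "", 0, error_facility);
+ openlog_done = 1;
+ }
+- sprintf(newfmt, "(%s) ", error_user ? error_user : user);
+- StrLCat(newfmt, fmt, sizeof(newfmt));
+- if (tag)
+- StrLCat(newfmt, tag, sizeof(newfmt));
+ (void) vsnprintf(buf, sizeof(buf), newfmt, ap);
+ va_end(ap);
+- SysLog(error_priority, buf);
++ SysLog(error_priority, (error_user ? error_user : user), buf, tag);
+ }
+ #endif
+
+--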
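Review bot: In the old-style varargs `Error` (the `va_dcl` hunks at -502 and -511) the declaration of `newfmt` is removed, but the unchanged line `(void) vsnprintf(buf, sizeof(buf), newfmt, ap);` still uses it, so that branch no longer compiles unless `newfmt` is declared somewhere outside the hunk. The stdarg branch was switched to `fmt`, and this one should match: `(void) vsnprintf(buf, sizeof(buf), fmt, ap);`. The branch is presumably built only where stdarg is unavailable, which would explain why the package build does not catch it. `SysLog` is a K&R-style definition, so a caller outside these hunks that still passes two arguments would not be diagnosed by the compiler; the remaining call sites should be checked by hand.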
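--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,5 @@
 09_Makefile_srcdir.patch
 10_ftbfs_hurd.patch
 11_gcc_wformat.patch
+12-Use-vnsprintf.patch
+13-Potential-format-string-vulnerability.patch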
