[CVE-2008-1922] Multiple buffer overflows in sarg

Bug #236769 reported by Till Ulen
Affects          | Status       | Importance | Assigned to | Milestone
sarg (Debian)    | Fix Released | Unknown    |             |
sarg (Ubuntu)    | Fix Released | Undecided  | Unassigned  |
Hardy            | Fix Released | Medium     | Unassigned  |
Intrepid         | Fix Released | Medium     | Unassigned  |

Bug Description

Binary package hint: sarg

CVE-2008-1922 description:

"Multiple stack-based buffer overflows in Sarg might allow attackers to execute arbitrary code via unknown vectors, probably a crafted Squid log file."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1922
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html

Kees Cook (kees)
Changed in sarg:
status: New → Confirmed
Alessio Treglia (quadrispro) wrote :

Fixed:

sarg (2.2.5-2) unstable; urgency=low

  * debian/watch
    - Use SF redirector and make lintian happy

  * debian/{rules,compat}
    - Move DH_COMPAT to debian/compat and make lintian happy

  * debian/rules
    - Change make clean invocation and make lintian happier
    - Added support for DEB_BUILD_OPTIONS
    - Move documentation files from sarg-php to doc directory
    - Remove hidden file from /etc/squid/languages

  * debian/control
    - Removed dependency on bash, now essential
    - Bumped Standard-Version to 3.8.0

  * debian/postinst
    - Make postinst fail on error

  * debian/copyright
    - Added copyright notice
    - Updated maintainer reference

  * debian/sarg-reports.1
    - Added man page, thanks to Juan Angulo Moreno (Closes: #481889)

  * debian/patches/show_read_statistics.patch
    - Added patch from Vladimir Lettiev fixing segfault with
      show_read_statistics set to no. (Closes: #444845, #370811)

  * debian/patches/totger_patches.patch
    - Added patch from Thomas Bliesener fixing several buffer overflows
      (Closes: #470791)

  * debian/patches/opensuse_1_getword_boundary_limit.patch
    - Added patch from OpenSUSE to avoid segfaults in getword() calls

  * debian/patches/opensuse_2_enlarge_report_buffers.patch
    - Added patch from OpenSUSE to avoid overflow in report buffers

  * debian/patches/opensuse_3_too_small_font_buffer.patch
    - Added patch from OpenSUSE to avoid overflow in font buffer

  * debian/patches/opensuse_4_enlarge_log_buffer.patch
    - Added patch from OpenSUSE to avoid overflow in log buffer

  * debian/patches/opensuse_5_limit_sprintf.patch
    - Added patch from OpenSUSE to avoid segfaults in sprintf() calls

  * debian/patches/opensuse_6_limit_useragent_sprintf.patch
    - Added patch from OpenSUSE to avoid segfaults in sprintf() calls

  * debian/patches/opensuse_7_year_assertion.patch
    - Added patch from OpenSUSE to avoid assertion in year parsing

 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 09 Feb 2009 08:56:57 +0000

Changed in sarg (Ubuntu):
status: Confirmed → Fix Released
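
The changelog above names patches that add a boundary limit to getword() calls and limit sprintf() calls. The following C code is an added illustration of that class of fix, not sarg's code and not the patches themselves; the function names, buffer sizes and sample log lines are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded reader (not sarg's getword()): -1 if the field does not fit. */
static int bounded_getword(char *dst, size_t cap, const char **cursor, char delim)
{
    const char *p = *cursor;
    size_t n = 0;
    while (p[n] != '\0' && p[n] != delim)
        n++;
    if (n >= cap) {                 /* oversized field: refuse, never overflow */
        if (cap > 0) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, p, n);
    dst[n] = '\0';
    *cursor = (p[n] == delim) ? p + n + 1 : p + n;
    return 0;
}

/* Build "user;client;url" from one line; -1 if a field or the row does not fit. */
static int build_row(const char *line, char *row, size_t row_cap)
{
    char skip[32], client[16], url[64], user[32];
    const char *cur = line;
    int n;
    if (bounded_getword(skip, sizeof skip, &cur, ' ') ||      /* time */
        bounded_getword(skip, sizeof skip, &cur, ' ') ||      /* elapsed */
        bounded_getword(client, sizeof client, &cur, ' ') ||
        bounded_getword(skip, sizeof skip, &cur, ' ') ||      /* code/status */
        bounded_getword(skip, sizeof skip, &cur, ' ') ||      /* bytes */
        bounded_getword(skip, sizeof skip, &cur, ' ') ||      /* method */
        bounded_getword(url, sizeof url, &cur, ' ') ||
        bounded_getword(user, sizeof user, &cur, ' '))
        return -1;
    n = snprintf(row, row_cap, "%s;%s;%s", user, client, url);
    return (n < 0 || (size_t)n >= row_cap) ? -1 : 0;  /* truncation is an error */
}

/* Constructed sample lines (single-space separated, not real traffic). */
static const char GOOD_LINE[] = "1211700000.123 45 10.0.0.5 TCP_MISS/200 1024 GET http://example.org/ alice DIRECT/192.0.2.10 text/html";
static const char LONG_USER_LINE[] = "1211700000.123 45 10.0.0.5 TCP_MISS/200 1024 GET http://example.org/ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA DIRECT/192.0.2.10 text/html";

int main(void)
{
    char row[128];
    printf("good=%d ", build_row(GOOD_LINE, row, sizeof row));
    printf("long_user=%d\n", build_row(LONG_USER_LINE, row, sizeof row));
    return 0;
}
```

A line whose field exceeds its destination buffer is rejected instead of being copied, and a formatted row that would not fit is reported as an error rather than silently truncated.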
Alessio Treglia (quadrispro) wrote :
Alessio Treglia (quadrispro) wrote :
Krzysztof Klimonda (kklimonda) wrote :

Please, fix debdiffs so they don't modify source code in-place. I see that you have also added patches that do the same so that's probably just an oversight.

Alessio Treglia (quadrispro) wrote :

As you can see, the Debian maintainer doesn't use a patch system; he simply applies the patches and includes them.

I've done the same, in order to not increase the delta with Debian.

Jamie Strandboge (jdstrand) wrote :
Changed in sarg (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
Changed in sarg (Ubuntu Intrepid):
status: New → In Progress
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs. I needed to adjust them to use the -security pocket, but made that change and uploaded to the -security queue.

Changed in sarg (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in sarg (Ubuntu Intrepid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sarg - 2.2.5-1ubuntu0.8.04.1

---------------
sarg (2.2.5-1ubuntu0.8.04.1) hardy-security; urgency=low

  * Backport totger_buffers.patch to fix multiple buffer overflows, fixes
    LP: #236769 (CVE-2008-1922).
  * Backport and refresh totger_buffers.patch to avoid SEGFAULT when running
    sarg with "show_read_statistics no" in sarg.conf.

 -- Alessio Treglia <email address hidden> Mon, 25 May 2009 11:16:29 +0200

Changed in sarg (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sarg - 2.2.5-1ubuntu0.8.10.1

---------------
sarg (2.2.5-1ubuntu0.8.10.1) intrepid-security; urgency=low

  * Backport totger_buffers.patch to fix multiple buffer overflows, fixes
    LP: #236769 (CVE-2008-1922).
  * Backport and refresh totger_buffers.patch to avoid SEGFAULT when running
    sarg with "show_read_statistics no" in sarg.conf.

 -- Alessio Treglia <email address hidden> Mon, 25 May 2009 11:16:29 +0200

Changed in sarg (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in sarg (Debian):
status: Unknown → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
