
libgtop-daemon: remote format string vulnerability



Package: libgtop-daemon
Version: 1.0.12-2
Severity: grave
Justification: user security hole
Tags: security

Hello,

I found this problem about my (since 1 week:)) package libgtop
http://www.securityfocus.com/bid/3586 :
"GNOME libgtop_daemon Remote Format String Vulnerability

The GNOME libgtop_daemon is used to monitor processes running
on a remote Linux system running GNOME.

Under some conditions, when a remote connection fails, user
supplied input is used as a format string within a log message.
A malicious user may construct a string including format modifiers,
causing stack information to be written to the log file, and
possibly leading to remote execution of arbitrary code.

Older versions of libgtop_daemon may share this vulnerability."

I'm working on version 1.0.13 but I think the problem is also
in potato (version 1.0.6-1).
I just wanted to inform you about this problem.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux debian 2.4.16-pre1 #2 Sun Nov 25 21:33:40 CET 2001 i686
Locale: LANG=de_DE.ISO-8859-1, LC_CTYPE=C

Versions of packages libgtop-daemon depends on:
ii  libc6                         2.2.4-7    GNU C Library: Shared libraries an
ii  libglib1.2                    1.2.10-3   The GLib library of C routines
ii  libgnomesupport0              1.4.1.2-7  The Gnome libraries (Support libra
ii  libgtop1                      1.0.12-2   Libraries for gtop system monitori

-- 
	Noèl Köthe
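
The bug class the quoted advisory describes (user-supplied input used as the format string of a log message), shown beside its fix. This is an added example, not part of the original report and not libgtop's code; `log_msg`, `log_failure_unsafe`, `log_failure_safe` and the sample inputs are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stands in for the daemon's log file so the result can be inspected. */
static char log_line[256];

/* Hypothetical printf-style logger. Declaring it with
 * __attribute__((format(printf, 1, 2))) would let gcc/clang
 * -Wformat -Wformat-security flag the non-literal call below. */
static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: peer-supplied text is passed as the format string,
 * so any conversion in it is interpreted with no matching argument.
 * It behaves normally on ordinary input, which is why tests miss it. */
const char *log_failure_unsafe(const char *peer_text)
{
    log_msg(peer_text);
    return log_line;
}

/* Hardened: the format is a constant; peer text is only ever data. */
const char *log_failure_safe(const char *peer_text)
{
    log_msg("%s", peer_text);
    return log_line;
}

int main(void)
{
    /* Constructed inputs, not taken from the advisory. */
    puts(log_failure_unsafe("auth failed for host alpha"));
    puts(log_failure_safe("auth failed for host alpha"));
    puts(log_failure_safe("auth failed for %x.%x.%x")); /* logged literally */
    return 0;
}
```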


