[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)

tags 278777 security

On Fri, Oct 29, 2004 at 09:46:00PM +0200, Thomas Wana wrote:
> Frank Lichtenheld wrote:
> >
> >But you too, since that was the wrong part ;) The LANG vuln is fixed in
> >the current package (the patch is in debian/patches and gets applied at
> >build time). I guess the -xsokdir vuln could be not fixed, I will check 
> >that.
> oh - oh - fsck :)
> Yes, I didn't check the patches (I should have done that - shame on me).
> If that unintentionally uncovered another bug - good
> If not - sorry for the noise :)

Hmm, the exploits given on the bugtraq site all doesn't seem to work.
Since there are many dubios statements in the source code, I'm reluctant
to simply close the bug, though.

Perhaps someone with a little more experience in identifying security
problems should take a look, too. I CC'ed debian-security.

For the context: CAN-2004-0074 may have been fixed in xsok 1.02-8
(Changelog: "Fixed buffer overflow when reading environment variable
LANG.") but I'm not sure.

Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/

Reply to: