
Re: [SECURITY] [DSA 930-1] New smstools packages fix format string vulnerability



Hi Thijs,

On Monday, 09 Jan 2006, you wrote:
> Michael Stone wrote:
> >Vulnerability  : format string attack
> >Problem-Type   : local
> >Debian-specific: no
> >CVE ID         : CVE-2006-0083
> >
> >Ulf Harnhammar from the Debian Security Audit project discovered a
> >format string attack in the logging code of smstools, which may be
> >exploited to execute arbitrary code with root privileges.
> >
> >The old stable distribution (woody) does not contain smstools package.
> >
> >For the stable distribution (sarge) this problem has been fixed in
> >version 1.14.8-1sarge0.
> >
> >For the unstable distribution the package will be updated shortly.
> >  
> It's great to hear that unstable will be fixed soon, but why wasn't 
> there a grave bug filed against the package? If for some reason the 
> maintainer misses this DSA, it is later on unknown that the version in 
> unstable is vulnerable and still needs to be fixed...

You are right, but also the testing security team usually tracks these
kinds of bugs, so I guess (if it is not filed already) it will do so
soon.

Greetings
Martin


