Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.

Reported by: "Piotr Engelking" <inkerman42@gmail.com>

Date: Sat, 31 Mar 2007 15:03:02 UTC

Severity: important

Tags: patch, security

Found in version python2.5/2.5-5

Fixed in version 2.5.1-1

**Done:** Matthias Klose <doko@cs.tu-berlin.de>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416931; Package python2.4. (full text, mbox, link).

**Acknowledgement sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: python2.4
Version: 2.4.4-2
Severity: important
Tags: security patch

In Modules/\_localemodule.c, PyLocale\_strxfrm() miscalculates the length of
the strxfrm() destination buffer, which causes the function to return a
wrong string, and to read past the destination buffer, which may (and does)
result in an information leak. The bug is also present in python2.5.

The attached patch fixes this problem.


-- System Information:
Debian Release: 4.0
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (x86\_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC\_CTYPE=pl\_PL.UTF8 (charmap=UTF-8)

Versions of packages python2.4 depends on:
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libdb4.4                    4.4.20-8     Berkeley v4.4 Database Libraries \[
ii  libncursesw5                5.5-5        Shared libraries for terminal hand
ii  libreadline5                5.2-2        GNU readline and history libraries
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap
ii  python2.4-minimal           2.4.4-2      A minimal subset of the Python lan

python2.4 recommends no packages.

-- no debconf information

\[strxfrm-leak.patch (text/x-patch, attachment)\]

**Bug 416931 cloned as bug 416934.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:05 GMT) (full text, mbox, link).

**Bug reassigned from package \`python2.4' to \`python2.5'.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:08 GMT) (full text, mbox, link).

**Changed Bug title to python2.5: off-by-one bug in strxfrm() (causes information leak) from python2.4: off-by-one bug in strxfrm() (causes information leak).** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:10 GMT) (full text, mbox, link).

**Bug marked as found in version 2.5-5.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 17:27:02 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416934; Package python2.5. (full text, mbox, link).

**Acknowledgement sent** to Lubomir Kundrak <lkundrak@redhat.com>:  
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #18 received at 416934@bugs.debian.org (full text, mbox, reply):

Piotr: Could you please provide a reproducer, or a string/locale couple
that triggered th bug for you?

In my system, when n1 returned by strxfrm() was equal to n2, the string
was terminated with \\0, only that it was truncated (so a subsequent
attempt to read it did not lead to an out-of-bound read). Though the
manual states that the behavior is undefined. I did not try it in
Debian, but I can't really imagine why would Debian's glibc behave
differently from Fedora's one.

Btw. I can't imagine a real-world situation where would this lead to an
information disclosure. The return value of strxfrm() is never meant to
be displayed to the user.

-- 
Lubomir Kundrak (Red Hat Security Response Team)

**Information forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416934; Package python2.5. (full text, mbox, link).

**Acknowledgement sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #23 received at 416934@bugs.debian.org (full text, mbox, reply):

Lubomir Kundrak <lkundrak@redhat.com> wrote:
> Piotr: Could you please provide a reproducer, or a string/locale couple
> that triggered th bug for you?

Ok, sorry for being so terse in the original report:

$ cat foo
#!/usr/bin/python

import locale

print locale.setlocale(locale.LC\_COLLATE, 'pl\_PL.UTF8')
print repr(locale.strxfrm('a'))
$ ./foo
pl\_PL.UTF8
'\\x0c\\x01\\x08\\x01\\x02\\x01\\x18\\x08\\x10'
$

Here, '\\x0c\\x01\\x08\\x01\\x02\\x01' comes from glibc's strxfrm(), and the
rest of the string is the contents of the memory immediately after the
destination buffer. (It is also possible to get identifiable parts of
the strings processed by the program before the strxfrm() call but I
don't have a reproducible test case for that.)

> Btw. I can't imagine a real-world situation where would this lead to an
> information disclosure. The return value of strxfrm() is never meant to
> be displayed to the user.

Real-world case, and how I have found the bug in the first place: a
webapp that allows an user to upload some strings to the server, and
other users to view them and sort them in various ways. Since
Javascript doesn't have support for locale-aware string comparison,
each string carries a sorting key, which is the return value of
strxfrm(), and which is visible in the page source.

**Reply sent** to Matthias Klose <doko@cs.tu-berlin.de>:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
Bug acknowledged by developer. (full text, mbox, link).

Message #28 received at 416934-done@bugs.debian.org (full text, mbox, reply):

Version: 2.5.1-1

Fixed in 2.5.1-1

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Jul 2007 07:41:39 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Wed Aug 2 18:08:04 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2007-2052: #416934 - python2.5: off-by-one bug in strxfrm() (causes information leak)

Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp before 2.2.12 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property.

**Debian Bug report logs - #377049  
gimp: Buffer overrun in XCF reading code**

![version graph](http://bugs.debian.org/cgi-bin/version.cgi?width=2;absolute=0;collapse=1;package=gimp;fixed=gimp%2F2.2.12-1;fixed=2.2.12-1;fixed=2.3.10-1;height=2;found=gimp%2F2.2.6-1;found=gimp%2F2.2.11-3;found=gimp%2F2.3.9-1)

Reported by: Henning Makholm <henning@makholm.net>

Date: Thu, 6 Jul 2006 11:18:14 UTC

Severity: _grave_

Tags: fixed, fixed-in-experimental, fixed-upstream, patch, security

Found in versions gimp/2.2.6-1, gimp/2.2.11-3, gimp/2.3.9-1

Fixed in versions gimp/2.2.12-1, 2.2.12-1, 2.3.10-1

**Done:** Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>`:  
`Bug#377049`; Package `gimp`. (full text, mbox, link).

**Acknowledgement sent** to `Henning Makholm <henning@makholm.net>`:  
New Bug report received and forwarded. Copy sent to `Ari Pollak <ari@debian.org>`. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: gimp
Version: 2.2.6-1
Severity: grave
Tags: security patch
Justification: user security hole

I have reported this bug privately to the maintainer and the security
team, but it turns out that the upstream developers have no way of
reporting security bugs privately, so it is hereby in the open. It
is #346742 in the upstream bug tracking system.

The problem is in the function xcf\_load\_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads an
uint32 from the XCF file into the variable num\_axes, and then for each
control proint of the stroke reads num\_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.

A malicious XCF file creater could write a large number into the
num\_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf\_read\_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.

I have not attempted to construct an working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.

The attack is in the VECTORS property of an XCF file which pure XCF
\_viewers\_ (e.g. imagemagick or xcftools) normally skip without
parsing.  Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer
application.

The same bug appears in the unstable (2.2.11) and experimental (2.3.9)
versions, as well as the upsteam CVS head.

The attached patch should fix it (more gracefully than the one in my
earlier private report).

\[gimppatch2 (text/plain, attachment)\]

**Bug marked as found in version 2.2.11-3.** Request was from `Henning Makholm <henning@makholm.net>` to `control@bugs.debian.org`. (full text, mbox, link).

**Bug marked as found in version 2.3.9-1.** Request was from `Henning Makholm <henning@makholm.net>` to `control@bugs.debian.org`. (full text, mbox, link).

**Bug marked as found in version 2.3.9-1.** Request was from `Steve Langasek <vorlon@debian.org>` to `control@bugs.debian.org`. (full text, mbox, link).

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>`:  
`Bug#377049`; Package `gimp`. (full text, mbox, link).

**Acknowledgement sent** to `Micah Anderson <micah@riseup.net>`:  
Extra info received and forwarded to list. Copy sent to `Ari Pollak <ari@debian.org>`. (full text, mbox, link).

Message #16 received at 377049@bugs.debian.org (full text, mbox, reply):

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

I've requested that a CVE ID be assigned for this issue. It has been
allocated:

======================================================
Name: CVE-2006-3404
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=377049

Buffer overflow in the xcf\_load\_vector function in app/xcf/xcf-load.c
for gimp 2.2.6 allows user-complicit attackers to cause a denial of
service (crash) and possibly execute arbitrary code via an XCF file
with a large num\_axes value in the VECTORS property

Please be sure to mention this CVE ID in any changelog that fixes this
issue.

Micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErW6V9n4qXRzy1ioRAskhAJ9BZPKmnjPC7t6gO4k+VBqVnspSjACfU8uL
2oQvmKvnJ71p1fQs8mHVojM=
=xIh2
-----END PGP SIGNATURE-----

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>`:  
`Bug#377049`; Package `gimp`. (full text, mbox, link).

**Acknowledgement sent** to `Henning Makholm <henning@makholm.net>`:  
Extra info received and forwarded to list. Copy sent to `Ari Pollak <ari@debian.org>`. (full text, mbox, link).

Message #21 received at 377049@bugs.debian.org (full text, mbox, reply):

tag 377049 fixed-upstream
thanks

This bug is fixed in the upstream Gimp release 2.2.12.

The fix did not make it into the development release 2.3.10, but
I have verified that it exists in the development CVS, so it will
probably be fixed in 2.3.11.

-- 
Henning Makholm       "It was intended to compile from some approximation to
                 the M-notation, but the M-notation was never fully defined,
                because representing LISP functions by LISP lists became the
 dominant programming language when the interpreter later became available."

**Tags added: fixed-upstream** Request was from `Henning Makholm <henning@makholm.net>` to `control@bugs.debian.org`. (full text, mbox, link).

**Tags added: fixed** Request was from `James Vega <jamessan@debian.org>` to `control@bugs.debian.org`. (full text, mbox, link).

**Reply sent** to `Ari Pollak <ari@debian.org>`:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to `Henning Makholm <henning@makholm.net>`:  
Bug acknowledged by developer. (full text, mbox, link).

Message #30 received at 377049-close@bugs.debian.org (full text, mbox, reply):

Source: gimp
Source-Version: 2.2.12-1

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive:

gimp-data\_2.2.12-1\_all.deb
  to pool/main/g/gimp/gimp-data\_2.2.12-1\_all.deb
gimp-dbg\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/gimp-dbg\_2.2.12-1\_amd64.deb
gimp-helpbrowser\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/gimp-helpbrowser\_2.2.12-1\_amd64.deb
gimp-python\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/gimp-python\_2.2.12-1\_amd64.deb
gimp-svg\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/gimp-svg\_2.2.12-1\_amd64.deb
gimp\_2.2.12-1.diff.gz
  to pool/main/g/gimp/gimp\_2.2.12-1.diff.gz
gimp\_2.2.12-1.dsc
  to pool/main/g/gimp/gimp\_2.2.12-1.dsc
gimp\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/gimp\_2.2.12-1\_amd64.deb
gimp\_2.2.12.orig.tar.gz
  to pool/main/g/gimp/gimp\_2.2.12.orig.tar.gz
libgimp2.0-dev\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/libgimp2.0-dev\_2.2.12-1\_amd64.deb
libgimp2.0-doc\_2.2.12-1\_all.deb
  to pool/main/g/gimp/libgimp2.0-doc\_2.2.12-1\_all.deb
libgimp2.0\_2.2.12-1\_amd64.deb
  to pool/main/g/gimp/libgimp2.0\_2.2.12-1\_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Tue, 11 Jul 2006 14:30:03 -0400
Source: gimp
Binary: gimp-python libgimp2.0-doc gimp-data gimp gimp-helpbrowser libgimp2.0 gimp-svg libgimp2.0-dev gimp-dbg
Architecture: source amd64 all
Version: 2.2.12-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for The GIMP
 gimp-dbg   - Debugging symbols for The GIMP
 gimp-helpbrowser - Built-in Help Browser plugin for The GIMP
 gimp-python - Python support and plugins for The GIMP
 gimp-svg   - SVG (Scalable Vector Graphics) plugin for The GIMP
 libgimp2.0 - Libraries necessary to Run the GIMP
 libgimp2.0-dev - Headers and other files for compiling plugins for The GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 339115 377049
Changes: 
 gimp (2.2.12-1) unstable; urgency=low
 .
   \* New upstream release
     - Fixes segfault when closing image while saving it (Closes: #339115)
   \* Acknowledge NMU (Closes: #377049), revert patch which has been applied
     upstream
Files: 
 cc817256038e6d142d848f6b75d2402b 1263 graphics optional gimp\_2.2.12-1.dsc
 89ececcfa9905b9100d2563334b221ec 18552000 graphics optional gimp\_2.2.12.orig.tar.gz
 ac6368f894443ed21fe098185c738b13 27530 graphics optional gimp\_2.2.12-1.diff.gz
 b8fdf89f7363740cff1e82ded2b75997 6770958 graphics optional gimp-data\_2.2.12-1\_all.deb
 549f43544840daf05e0556d13783144a 567520 doc optional libgimp2.0-doc\_2.2.12-1\_all.deb
 815b15169ea37cb4ed11722e093dd61c 574558 libs optional libgimp2.0\_2.2.12-1\_amd64.deb
 8f63afa6269c495c1408bf36f61fec79 63566 graphics optional gimp-helpbrowser\_2.2.12-1\_amd64.deb
 7effdb284ce44011b3bccddec11255a2 144322 graphics optional gimp-python\_2.2.12-1\_amd64.deb
 b582f7058bf523b94645f8f794881959 63838 graphics optional gimp-svg\_2.2.12-1\_amd64.deb
 206aa40c0eef845e658d79f9c542cfb8 3235344 graphics optional gimp\_2.2.12-1\_amd64.deb
 10cf85e3d095dc8fe4a2f9e37ac75f76 118980 libdevel optional libgimp2.0-dev\_2.2.12-1\_amd64.deb
 1925045f0a7b03608d87a1298da66a97 8393180 graphics extra gimp-dbg\_2.2.12-1\_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEtAzZwO+u47cOQDsRAxXcAKCVO9oHYXOT9I8ivbLKLSHJLZT28gCfWCGt
UePwKA6Mdp7qn8im6XDaZqY=
=yxaT
-----END PGP SIGNATURE-----

**Tags added: fixed-in-experimental** Request was from `Ari Pollak <ari@debian.org>` to `control@bugs.debian.org`. (full text, mbox, link).

**Bug archived.** Request was from `Debbugs Internal Request <owner@bugs.debian.org>` to `internal_control@bugs.debian.org`. (Mon, 25 Jun 2007 13:25:09 GMT) (full text, mbox, link).

**Bug unarchived.** Request was from `Lucas Nussbaum <lucas@lucas-nussbaum.net>` to `controlbugs.debian.org`. (Sat, 09 Aug 2008 17:48:16 GMT) (full text, mbox, link).

**Reply sent** to `Moritz Muehlenhoff <jmm@inutil.org>`:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to `Henning Makholm <henning@makholm.net>`:  
Bug acknowledged by developer. (full text, mbox, link).

Message #41 received at 377049-done@bugs.debian.org (full text, mbox, reply):

Version: 2.2.12-1

**Reply sent** to `Thijs Kinkhorst <thijs@debian.org>`:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to `Henning Makholm <henning@makholm.net>`:  
Bug acknowledged by developer. (full text, mbox, link).

Message #46 received at 377049-done@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Version: 2.3.10-1

This has also been fixed in the 2.3 branch that came in via experimental.

\[Message part 2 (application/pgp-signature, inline)\]

**Bug archived.** Request was from `Debbugs Internal Request <owner@bugs.debian.org>` to `internal_control@bugs.debian.org`. (Thu, 11 Sep 2008 07:29:21 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Mon Feb 7 17:30:16 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2006-3404: #377049 - gimp: Buffer overrun in XCF reading code

inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.

Markus Oberhumer discovered a flaw in the way zlib, a library used for file compression and decompression, handles invalid input. This flaw can cause programs which use zlib to crash when opening an invalid file.

This problem does not affect the old stable distribution (woody).

For the current stable distribution (sarge), this problem has been fixed in version 1.2.2-4.sarge.2.

For the unstable distribution (sid), this problem has been fixed in version 1.2.3-1.

We recommend that you upgrade your zlib package.

CVE-2005-1849: Debian -- Security Information -- DSA-763-1 zlib

zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.

An error in the way zlib handles the inflation of certain compressed files can cause a program which uses zlib to crash when opening an invalid file.

This problem does not affect the old stable distribution (woody).

For the stable distribution (sarge), this problem has been fixed in version 1.2.2-4.sarge.1.

For the unstable distribution, this problem has been fixed in version 1.2.2-7.

We recommend that you upgrade your zlib package.

CVE-2005-2096: Debian -- Security Information -- DSA-740-1 zlib

Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.

Albert Puigsech Galicia discovered a directory traversal vulnerability in a proprietary FTP client (CAN-2004-1376) which is also present in gftp, a GTK+ FTP client. A malicious server could provide a specially crafted filename that could cause arbitrary files to be overwritten or created by the client.

For the stable distribution (woody) this problem has been fixed in version 2.0.11-1woody1.

For the unstable distribution (sid) this problem has been fixed in version 2.0.18-1.

We recommend that you upgrade your gftp package.

CVE-2005-0372: Debian -- Security Information -- DSA-686-1 gftp

The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files.

Javier Fernandez-Sanguino Peña from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack and could also could unveil the contents of a temporary file which might contain sensitive information.

For the stable distribution (woody) this problem has been fixed in version 3.23.49-8.9.

For the unstable distribution (sid) this problem has been fixed in version 4.0.23-3 of mysql-dfsg and in version 4.1.8a-6 of mysql-dfsg-4.1.

We recommend that you upgrade your mysql packages.

CVE-2005-0004: Debian -- Security Information -- DSA-647-1 mysql

The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).

**Debian Bug report logs - #252253  
SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file**

Reported by: Johan Thelmén <johan.thelmen@cygate.se>

Date: Wed, 2 Jun 2004 11:18:03 UTC

Severity: important

Tags: confirmed, fixed-upstream, patch, upstream

Found in version 1.2.1.1-3

Fixed in version zlib/1:1.2.1.1-6

**Done:** Mark Brown <broonie@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Johan Thelmén <johan.thelmen@cygate.se>:  
New Bug report received and forwarded. Copy sent to Mark Brown <broonie@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: zlib1g
Version: 1.2.1.1-3
Severity: important

Debian verison 0.70 and also in clamscan / ClamAV version devel-20040602
ii  zlib1g                       1.2.1.1-3

With zlib1g\_1.1.4-1.0woody0\_i386.deb it is working.


inflate\_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
110             count\[lens\[sym\]\]++;
(gdb) bt
#0  inflate\_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
#1  0x4006745b in inflate (strm=0x8054db8, flush=0) at inflate.c:868
#2  0x400273d9 in zzip\_file\_read (fp=0x8054d90, buf=0x0, len=146951176) at zziplib/zzip-file.c:391
#3  0x4002169b in cli\_scanzip (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9,
    reclev=0xbffff784) at scanners.c:457
#4  0x40023139 in cli\_magic\_scandesc (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9,
    reclev=0xbffff784) at scanners.c:1072
#5  0x40023362 in cl\_scandesc (desc=146951176, virname=0x8c24c08, scanned=0x8c24c08, root=0x8c24c08, limits=0x8c24c08,
    options=146951176) at scanners.c:1136
#6  0x0804dac8 in checkfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x8c24c08, limits=0x8c24c08, options=146951176)
    at manager.c:832
#7  0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008,
    limits=0x8c27338) at manager.c:513
#8  0x0804bdad in scanmanager (opt=0x8053008) at manager.c:307
#9  0x0804ab43 in clamscan (opt=0x8053008) at clamscan.c:147
#10 0x0804b2b8 in main (argc=2, argv=0xbffffb54) at options.c:149

-- 
Johan Thelmén
Cygate Måldata
Sweden Borlänge

**Information forwarded** to debian-bugs-dist@lists.debian.org:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Mark Brown <broonie@debian.org>:  
Extra info received and forwarded to list. (full text, mbox, link).

Message #10 received at 252253@bugs.debian.org (full text, mbox, reply):

On Wed, Jun 02, 2004 at 01:06:36PM +0200, Johan Thelmén wrote:

> #7  0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008,

Could you please supply one of these files that's causing trouble?

Thanks.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

**Tags added: upstream** Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org. (full text, mbox, link).

**Tags added: confirmed** Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org. (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Mark Brown <broonie@debian.org>:  
Extra info received and forwarded to list. (full text, mbox, link).

Message #19 received at 252253@bugs.debian.org (full text, mbox, reply):

tag 252253 + patch pending
thanks

I've got a fix which appears to deal with the problem.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

**Tags added: patch, pending** Request was from Mark Brown <broonie@debian.org> to control@bugs.debian.org. (full text, mbox, link).

**Tags added: fixed-upstream** Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org. (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to linux@internetists.de:  
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (full text, mbox, link).

Message #28 received at 252253@bugs.debian.org (full text, mbox, reply):

Good Morning,

according to the following link http://lwn.net/Articles/99288/ the severity 
should be changed or is this bug fixed in zlib1:1.2.1.1-5?

Regards

Chris

**Information forwarded** to debian-bugs-dist@lists.debian.org:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Mark Brown <broonie@debian.org>:  
Extra info received and forwarded to list. (full text, mbox, link).

Message #33 received at 252253@bugs.debian.org (full text, mbox, reply):

On Wed, Aug 25, 2004 at 10:47:57PM +0200, Chris Lehnberger wrote:

> according to the following link http://lwn.net/Articles/99288/ the severity 
> should be changed or is this bug fixed in zlib1:1.2.1.1-5?

Probably, though the release and security teams are already aware.  It
will be fixed in -6. 

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

**Reply sent** to Mark Brown <broonie@debian.org>:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to Johan Thelmén <johan.thelmen@cygate.se>:  
Bug acknowledged by developer. (full text, mbox, link).

Message #38 received at 252253-close@bugs.debian.org (full text, mbox, reply):

Source: zlib
Source-Version: 1:1.2.1.1-6

We believe that the bug you reported is fixed in the latest version of
zlib, which is due to be installed in the Debian FTP archive:

zlib-bin\_1.2.1.1-6\_i386.deb
  to pool/main/z/zlib/zlib-bin\_1.2.1.1-6\_i386.deb
zlib1g-dev\_1.2.1.1-6\_i386.deb
  to pool/main/z/zlib/zlib1g-dev\_1.2.1.1-6\_i386.deb
zlib1g-udeb\_1.2.1.1-6\_i386.udeb
  to pool/main/z/zlib/zlib1g-udeb\_1.2.1.1-6\_i386.udeb
zlib1g\_1.2.1.1-6\_i386.deb
  to pool/main/z/zlib/zlib1g\_1.2.1.1-6\_i386.deb
zlib\_1.2.1.1-6.diff.gz
  to pool/main/z/zlib/zlib\_1.2.1.1-6.diff.gz
zlib\_1.2.1.1-6.dsc
  to pool/main/z/zlib/zlib\_1.2.1.1-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 252253@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Brown <broonie@debian.org> (supplier of updated zlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 21 Aug 2004 23:30:57 +0100
Source: zlib
Binary: zlib1g-dev zlib1g lib64z1-dev lib64z1 zlib1g-udeb zlib-bin
Architecture: source i386
Version: 1:1.2.1.1-6
Distribution: testing
Urgency: high
Maintainer: Mark Brown <broonie@debian.org>
Changed-By: Mark Brown <broonie@debian.org>
Description: 
 zlib-bin   - compression library - sample programs
 zlib1g     - compression library - runtime
 zlib1g-dev - compression library - development
 zlib1g-udeb - compression library - runtime for Debian installer (udeb)
Closes: 252253
Changes: 
 zlib (1:1.2.1.1-6) testing; urgency=high
 .
   \* Fix the error handling in the new inflate implementation to avoid
     incorrectly continuing to process in the error state.  Thanks to Johan
     Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this
     bug.  This is CAN-2004-0797 (closes: #252253).
Files: 
 08adcb71b4ed23d9b38fd5912f86c73c 679 libs optional zlib\_1.2.1.1-6.dsc
 4e8989cfce378495761a467b275ec09c 17454 libs optional zlib\_1.2.1.1-6.diff.gz
 e1e08653f9d0d79c9a50a8c6742bb557 38320 debian-installer optional zlib1g-udeb\_1.2.1.1-6\_i386.udeb
 a6d230f3f3969ae7d1895435b4662282 62070 libs required zlib1g\_1.2.1.1-6\_i386.deb
 70872f7645e1a0b5efd308ce3534cec4 409254 libdevel optional zlib1g-dev\_1.2.1.1-6\_i386.deb
 104c1001587d0edaab3b39765ce8f729 25232 utils optional zlib-bin\_1.2.1.1-6\_i386.deb
package-type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBLjsoJ2Vo11xhU60RAjo6AKDj2h5S3sCopTfht9zTAg+7dYTGvQCgiexj
2X8ccdghMn1fyyWoQCNntbk=
=65/v
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Wed Jun 22 17:11:36 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2004-0797: #252253 - SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file

Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.

This security advisory corrects DSA 458-2 which caused a problem in the gethostbyaddr routine.

The original advisory said:

> Sebastian Schmidt discovered a buffer overflow bug in Python's getaddrinfo function, which could allow an IPv6 address, supplied by a remote attacker via DNS, to overwrite memory on the stack.
> 
> This bug only exists in python 2.2 and 2.2.1, and only when IPv6 support is disabled. The python2.2 package in Debian woody meets these conditions (the 'python' package does not).

For the stable distribution (woody), this bug has been fixed in version 2.2.1-4.6.

The testing and unstable distribution (sarge and sid) are not affected by this problem.

We recommend that you update your python2.2 packages.

CVE-2004-0150: Debian -- Security Information -- DSA-458-3 python2.2

os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.

Zack Weinberg discovered an insecure use of a temporary file in os.\_execvpe from os.py. It uses a predictable name which could lead execution of arbitrary code.

This problem has been fixed in several versions of Python: For the current stable distribution (woody) it has been fixed in version 1.5.2-23.1 of Python 1.5, in version 2.1.3-3.1 of Python 2.1 and in version 2.2.1-4.1 of Python 2.2. For the old stable distribution (potato) this has been fixed in version 1.5.2-10potato12 for Python 1.5. For the unstable distribution (sid) this has been fixed in version 1.5.2-24 of Python 1.5, in version 2.1.3-6a of Python 2.1 and in version 2.2.1-8 of Python 2.2. Python 2.3 is not affected by this problem.

We recommend that you upgrade your Python packages immediately.

CVE-2002-1119: Debian -- Security Information -- DSA-159-1 python

The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions.

Tag

#debian