Date: 25 Jul 2006 01:42:55 -0000
From: David Thiel <lx@redundancy.redundancy.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: security-team@FreeBSD.org
Subject: ports/100793: Maintainer Update: security/osiris, fix format string bugs
Message-ID: <20060725014255.33886.qmail@redundancy.redundancy.org>
Resent-Message-ID: <200607250150.k6P1o8pA099222@freefall.freebsd.org>
>Number: 100793
>Category: ports
>Synopsis: Maintainer Update: security/osiris, fix format string bugs
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 25 01:50:08 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: David Thiel
>Release: FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD redundancy.redundancy.org 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Patching osiris in response to CVE-2006-3120. "Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project have found several format string security bugs in osiris, a network-wide system integrity monitor control interface. A remote attacker could exploit them and cause a denial of service or execute arbitrary code."
>How-To-Repeat:
>Fix:
diff -ruN osiris.old/Makefile osiris/Makefile --- osiris.old/Makefile Mon Jul 24 16:08:20 2006 +++ osiris/Makefile Mon Jul 24 18:37:22 2006 @@ -7,9 +7,10 @@ PORTNAME= osiris PORTVERSION= 4.2.0 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://www.hostintegrity.com/osiris/data/ \ - http://darkambient.net/ + http://redundancy.redundancy.org/mirror/ MAINTAINER= lx@redundancy.redundancy.org COMMENT= The Shmoo client/server host integrity checker diff -ruN osiris.old/files/patch-logging osiris/files/patch-logging --- osiris.old/files/patch-logging Wed Dec 31 16:00:00 1969 +++ osiris/files/patch-logging Mon Jul 24 16:12:40 2006 
@@ -0,0 +1,66 @@ +--- src/osirisd/logging.c ++++ src/osirisd/logging.c +@@ -93,7 +93,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( SYSLOG_FACILITY | LOG_ERR ), header ); ++ syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header ); + #endif + } + +@@ -147,7 +147,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( SYSLOG_FACILITY | LOG_INFO ), header ); ++ syslog( ( SYSLOG_FACILITY | LOG_INFO ), "%s", header ); + #endif + } + +@@ -201,7 +201,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( SYSLOG_FACILITY | LOG_WARNING ), header ); ++ syslog( ( SYSLOG_FACILITY | LOG_WARNING ), "%s", header ); + #endif + } + +--- src/osirismd/logging.c ++++ src/osirismd/logging.c +@@ -106,7 +106,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( syslog_facility | LOG_ERR ), header ); ++ syslog( ( syslog_facility | LOG_ERR ), "%s", header ); + #endif + } + +@@ -168,7 +168,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( syslog_facility | LOG_INFO ), header ); ++ syslog( ( syslog_facility | LOG_INFO ), "%s", header ); + #endif + } + +@@ -230,7 +230,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( syslog_facility | LOG_WARNING ), header ); ++ syslog( ( syslog_facility | LOG_WARNING ), "%s", header ); + #endif + } + +@@ -281,7 +281,7 @@ + NULL); /* no raw data */ + } + #else +- syslog( ( syslog_facility | LOG_INFO ), buffer ); ++ syslog( ( syslog_facility | LOG_INFO ), "%s", buffer ); + #endif + } >Release-Note: >Audit-Trail: >Unformatted:
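Review bot: In the Makefile hunk, the MASTER_SITES swap from `http://darkambient.net/` to `http://redundancy.redundancy.org/mirror/` is unrelated to the format string fix and is not mentioned in the Description. Please state in the PR text why the mirror changed. PORTVERSION stays at 4.2.0 and the patch does not touch distinfo, so the distfile served by the new mirror has to match the checksums already recorded there; worth confirming with a clean fetch before commit.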
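Review bot: In files/patch-logging, all seven corrected call sites are the `syslog()` calls in the `#else` branches of src/osirisd/logging.c and src/osirismd/logging.c; the other side of each conditional is visible only as trailing context (`fprintf( stdout, "\n" );` and `NULL); /* no raw data */`), so the hunks do not show whether `header` or `buffer` is also passed as a format string there. Please confirm those branches, and any logging paths outside these two files, already use a constant format such as `"%s"`. Building the port with format warnings enabled (for example `-Wformat -Wformat-security`) would flag any remaining non-literal format argument and guard against a regression.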