From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Jul 25 01:50:10 2006
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DDD5216A4DD for ; Tue, 25 Jul 2006 01:50:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0B8943D46 for ; Tue, 25 Jul 2006 01:50:08 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6P1o8xN099223 for ; Tue, 25 Jul 2006 01:50:08 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6P1o8pA099222; Tue, 25 Jul 2006 01:50:08 GMT (envelope-from gnats)
Resent-Date: Tue, 25 Jul 2006 01:50:08 GMT
Resent-Message-Id: <200607250150.k6P1o8pA099222@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, David Thiel
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3344916A4DE for ; Tue, 25 Jul 2006 01:42:32 +0000 (UTC) (envelope-from lx@redundancy.redundancy.org)
Received: from redundancy.redundancy.org (redundancy.redundancy.org [64.147.160.152]) by mx1.FreeBSD.org (Postfix) with SMTP id EFD0843D45 for ; Tue, 25 Jul 2006 01:42:31 +0000 (GMT) (envelope-from lx@redundancy.redundancy.org)
Received: (qmail 33887 invoked by uid 1001); 25 Jul 2006 01:42:55 -0000
Message-Id: <20060725014255.33886.qmail@redundancy.redundancy.org>
Date: 25 Jul 2006 01:42:55 -0000
From: David Thiel
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: security-team@FreeBSD.org
Subject: ports/100793: Maintainer Update: security/osiris, fix format string bugs
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Thiel
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Jul 2006 01:50:10 -0000

>Number: 100793
>Category: ports
>Synopsis: Maintainer Update: security/osiris, fix format string bugs
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 25 01:50:08 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: David Thiel
>Release: FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD redundancy.redundancy.org 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Patching osiris in response to CVE-2006-3120.

"Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project have found several format string security bugs in osiris, a network-wide system integrity monitor control interface. A remote attacker could exploit them and cause a denial of service or execute arbitrary code."
>How-To-Repeat:
>Fix:
diff -ruN osiris.old/Makefile osiris/Makefile --- osiris.old/Makefile Mon Jul 24 16:08:20 2006 +++ osiris/Makefile Mon Jul 24 18:37:22 2006
@@ -7,9 +7,10 @@ PORTNAME= osiris PORTVERSION= 4.2.0 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://www.hostintegrity.com/osiris/data/ \ - http://darkambient.net/ + http://redundancy.redundancy.org/mirror/ MAINTAINER= lx@redundancy.redundancy.org COMMENT= The Shmoo client/server host integrity checker diff -ruN osiris.old/files/patch-logging osiris/files/patch-logging --- osiris.old/files/patch-logging Wed Dec 31 16:00:00 1969 +++ osiris/files/patch-logging Mon Jul 24 16:12:40 2006 @@ -0,0 +1,66 @@ +--- src/osirisd/logging.c ++++ src/osirisd/logging.c +@@ -93,7 +93,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( SYSLOG_FACILITY | LOG_ERR ), header ); ++ syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header ); + #endif + } + +@@ -147,7 +147,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( SYSLOG_FACILITY | LOG_INFO ), header ); ++ syslog( ( SYSLOG_FACILITY | LOG_INFO ), "%s", header ); + #endif + } + +@@ -201,7 +201,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( SYSLOG_FACILITY | LOG_WARNING ), header ); ++ syslog( ( SYSLOG_FACILITY | LOG_WARNING ), "%s", header ); + #endif + } + +--- src/osirismd/logging.c ++++ src/osirismd/logging.c +@@ -106,7 +106,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( syslog_facility | LOG_ERR ), header ); ++ syslog( ( syslog_facility | LOG_ERR ), "%s", header ); + #endif + } + +@@ -168,7 +168,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( syslog_facility | LOG_INFO ), header ); ++ syslog( ( syslog_facility | LOG_INFO ), "%s", header ); + #endif + } + +@@ -230,7 +230,7 @@ + fprintf( stdout, "\n" ); + } + #else +- syslog( ( syslog_facility | LOG_WARNING ), header ); ++ syslog( ( syslog_facility | LOG_WARNING ), "%s", header ); + #endif + } + +@@ -281,7 +281,7 @@ + NULL); /* no raw data */ + } + #else +- syslog( ( syslog_facility | LOG_INFO ), buffer ); ++ syslog( ( syslog_facility | LOG_INFO ), "%s", buffer ); + #endif + } >Release-Note: >Audit-Trail: >Unformatted:
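Review bot: the MASTER_SITES change in the Makefile hunk is unrelated to CVE-2006-3120: it replaces the `http://darkambient.net/` mirror with `http://redundancy.redundancy.org/mirror/`, a host run by the maintainer, with no explanation in the PR. A security fix should stay minimal; if the old mirror is dead, say so in the PR so the committer can confirm the distfile fetched from the new site still matches distinfo. The bump to `PORTREVISION= 1` is correct, since the installed binaries change.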
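Review bot: the three src/osirisd/logging.c hunks fix the `syslog()` calls correctly (`"%s", header` instead of `header` as the format), but each of them lives in the `#else` branch of an `#if`, and the only visible line of the other branch is `fprintf( stdout, "\n" );`. The `fprintf` call that writes `header` itself is outside the hunk context, so please confirm it is `fprintf( stdout, "%s", header )` rather than `fprintf( stdout, header )`; otherwise the non-syslog build keeps the same bug. Compiling with `-Wformat -Wformat-security` will report any remaining call of this form; FreeBSD's <sys/syslog.h> declares `syslog()` with `__printflike`, so it is checked like `printf()`.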
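Review bot: the src/osirismd/logging.c hunks follow the same pattern, and the last one (around line 281) is a different code path: it logs `buffer` rather than `header`, and its `#if` branch ends in `NULL); /* no raw data */`, i.e. a different logging call than the `fprintf` used above it. Mention that in the PR so the committer knows why that hunk looks different, and check the `#if` side of all four osirismd sites for the same reason as in osirisd. Two smaller points: ports convention is one patch file per modified source file, named after it (e.g. patch-src_osirisd_logging.c), rather than one `patch-logging` spanning two files; and since security-team is Cc'd, a security/vuxml entry for CVE-2006-3120 should accompany this update, which the PR does not mention.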
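Added here as an example, not part of the PR, the osiris sources or the FreeBSD ports tree: a heuristic audit a port maintainer can run over an extracted source tree to find printf-family and `syslog()` calls whose last argument is a bare variable with no string literal anywhere in the call, which is the shape every hunk of patch-logging corrects. It assumes single-line calls and a grep with ERE support (GNU or BSD grep); the sample source lines are constructed for the example and modelled on the patch context.

```shell
#!/bin/sh
# Heuristic audit for format-string sinks called with a variable in the format
# position. Example code for this PR; it is not part of osiris or the ports
# tree. Only single-line calls are examined.

FORMAT_FUNCS='syslog|printf|fprintf|sprintf|snprintf'

# One argument ahead of the format slot: a run of characters that are not
# parentheses, quotes or commas, optionally with one parenthesised group such
# as ( SYSLOG_FACILITY | LOG_ERR ).
ARG='(\([^()"]*\)|[^()",])+'

# Up to two leading arguments (fprintf/syslog take one, snprintf takes two),
# then a bare identifier as the final argument, then the closing paren. A
# string literal anywhere in the call breaks the match, so the fixed form
# syslog( pri, "%s", header ) is not reported. printf( fmt, x ) is reported,
# which is a variable format string and worth a look as well.
PATTERN="(^|[^A-Za-z0-9_])($FORMAT_FUNCS)[[:space:]]*\([[:space:]]*($ARG[[:space:]]*,[[:space:]]*){0,2}\*?[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\)"

# Print file:line:text for every suspicious call in the given files or
# directories (-H forces the file name even for a single file).
find_bare_format_calls() {
    grep -rnHE "$PATTERN" "$@"
}

# Number of suspicious calls, printed on stdout; "0" when grep finds nothing.
count_bare_format_calls() {
    find_bare_format_calls "$@" | wc -l | tr -d ' '
}

# Constructed sample, modelled on the context lines of patch-logging: the
# second, fourth and sixth lines are the vulnerable form, the rest are safe.
make_sample() {
    cat > "$1" <<'EOF'
    fprintf( stdout, "\n" );
    syslog( ( SYSLOG_FACILITY | LOG_ERR ), header );
    syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header );
    syslog( ( syslog_facility | LOG_INFO ), buffer );
    syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
    snprintf( line, sizeof line, msg );
    snprintf( line, sizeof line, "%s", msg );
    printf( "ready\n" );
EOF
}

# Usage: sh audit-format-calls.sh path/to/extracted/source ...
if [ "${1:-}" != "" ]; then
    find_bare_format_calls "$@"
fi
```

Run it against the extracted source under the port's work directory before and after applying the patch; after the patch the osiris `syslog()` sites should no longer appear. The regex is a triage aid, not a proof: calls split across lines, wrapper macros and variable formats with trailing arguments can slip past it, so the compiler's `-Wformat-security` warning remains the check to rely on.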