Bug#781044: Bug#781043: monopd/libcapsinetwork: CVE-2015-0841: off-by-one error in network code

Markus Koschany apo at gambaru.de
Mon Mar 23 19:38:49 UTC 2015


Hello,

On 23.03.2015 19:42, Niko Tyni wrote:
[...]
> There's an off-by-one error in libcapsinetwork network handling code,
> which was merged into monopd in version 0.9.4.

Thanks for the report.

[...]
> I have informed the monopd upstream maintainer, Sylvain Rochet, about this.
> His suggested patch was
> 
>  - char *readBuf = new char[MAXLINE];
>  + char *readBuf = new char[MAXLINE+1];  // MAXLINE + '\0'
> 
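Review bot: the `+1` on the `new char[MAXLINE+1]` line only enlarges the allocation; the code that reads into `readBuf` and writes the terminating '\0' is not part of this hunk, so nothing visible here ties the read limit to the buffer size. Consider defining the buffer size once (a named constant equal to MAXLINE+1) and using it at both the allocation and the read/terminate site, or checking there that the index written is at most MAXLINE, so a later change to either side cannot reintroduce the off-by-one.
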
> The issue is present in at least
> 
>  monopd_0.9.7-2 (jessie/sid, embeds the code)

Since upstream and the security team agree that this is not exploitable
and thus not release critical, I suggest fixing this bug only in sid and
stretch.

>  libcapsinetwork_0.3.0-7 (wheezy, used by the wheezy monopd)
>  libcapsinetwork_0.3.0-8 (jessie/sid, no reverse dependencies)
> 
> The wheezy monopd doesn't contain the bug itself, only through
> libcapsinetwork linkage.
> 
> I'm cloning a separate bug for libcapsinetwork. Please note that it's dead
> upstream (according to debian/copyright), and monopd upstream says it
> could be safely removed as no one should really want to use it anymore.

My original intention was to ask for the removal of libcapsinetwork
during the release cycle of stretch because the library seemed stable
and reliable enough to warrant another inclusion in Debian stable. Given
the fact that libcapsinetwork only supports IPv4 and the network code
(including IPv6 support) is already included in monopd, we could also
ask for the removal right now.

If there are no objections, I will go ahead and ask the ftp team to
remove libcapsinetwork from Debian (including Jessie).

Regards,

Markus
