[pkg-horde] Bug#342943: [Secure-testing-team] Re: Bug#342943: only kronolith2 fixed

Neil McGovern neilm at debian.org
Sun Jan 29 18:15:23 UTC 2006


On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> Neil McGovern wrote:
> > On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> > > Lionel Elie Mamane wrote:
> > > > I've tried to backport the upstream patch for kronolith 2, but most
> > > > files touched don't actually exist in kronolith 1, as well as a
> > > > sizeable part of the code touched in the files that do exist. Here is
> > > > my measle backport attempt, but I'd really like someone that
> > > > understands the issue to review it and see if nothing has been left
> > > > out. Do we have someone of that calibre (and willing to do it)
> > > > available in Debian?
> > > 
> > > I've taken a look at the patch, and several lines contain changes not
> > > suitable for a security update, i.e. fix different potential bugs or
> > > change the code.  I'm attaching the patch.  More eyes checking would
> > > be appreciated.
> > > 
> > 
> > A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
> > however, the app requires REGISTER_GLOBALS :|
> > 
> > I'll do an audit of the code and try and find anything left over when I
> > get home later.
> 
> Any news on this?
> 

Sorry for the delay.

I haven't managed to find any more bugs relating to this particular
security hole that isn't fixed by the previous patch in this bug report.
kronolith seems to be fairly badly coded wrt security issues though. I'd
suggest depreciating kronolith1 and forcing people on to kronolith2,
whcih although only a little better, is actually supported upstream.

Cheers,
Neil
-- 
   __   
 .`  `. neilm at debian.org | Application Manager
 : :' ! ---------------- | Secure-Testing Team member
 '. `-  gpg: B345BDD3    | Webapps Team member
   `-   Please don't cc, I'm subscribed to the list




More information about the pkg-horde-hackers mailing list