Paul Wise | 8 Mar 2009 08:40

request for review: Primrose: game server in PHP, client in C++

Hi all,

I'm thinking about packaging Primrose, the latest game from Jason Rohrer
(we already have some of his work in Debian; transcend, cultivation,
passage, gravitation):

http://primrose.sourceforge.net/

This is the second of his games that features multiplayer. It uses a
server written in PHP and the code is available. Since it is in PHP and
could be public-Internet facing, I figure it would be a good idea to get
it audited for security issues. Is anyone interested in auditing it?

The server code is here:

http://hcsoftware.cvs.sourceforge.net/viewvc/hcsoftware/tilePlacementGames/game1/server/

I'm in contact with upstream if any issues are found.

I previously requested an audit for his first multiplayer game, Between.
Raphael Geissert is auditing Between, but may need some help finishing
it, please contact him if you would like to do that.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Paul Wise | 22 Dec 2008 05:45

request for review: Between: game server in PHP

Hi all,

I'm thinking about packaging Between, the latest game from Jason Rohrer
(we already have some of his work in Debian; transcend, cultivation,
passage, gravitation):

http://www.esquire.com/features/best-and-brightest-2008/rohrer-game

This is the first of his games that features multiplayer. It uses a
server written in PHP and the code is available. Since it is in PHP and
could be public-Internet facing, I figure it would be a good idea to get
it audited for security issues. Is anyone interested in auditing it?

The server code is here:

http://hcsoftware.cvs.sourceforge.net/viewvc/hcsoftware/game7/server/server.php?view=markup

I'm in contact with upstream if any issues are found.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
Moritz Muehlenhoff | 27 May 2008 10:09

wordnet audit

Does anyone have time for an audit of the wordnet package? 

Some initial issues were fixed, but there's indication that more
issues need to be addressed:
https://bugs.gentoo.org/show_bug.cgi?id=211491

Cheers,
        Moritz

Stefan Fritsch | 19 May 2008 21:33

Fwd: Request for review of apache suexec changes

It seems this mail didn't get through to debian-audit. My apologies if 
you get it twice.

Hi,

due to various bug reports, I have created a custom version of the 
suid root suexec cgi wrapper for apache. This version reads some 
settings from a config file instead of having all settings compiled 
in. Before I upload this to Debian, I would like someone else to 
review the changes I made.

[1] contains these files:

suexec.c.upstream:
the source as it comes from upstream. This has been audited at [2].

suexec.c:
the source I intend to use for the 'standard' suexec. This fixes some 
issues pointed out at [2] (CVE-2007-1742, etc.) and one bug related 
to logging. The latter fix is already in the current Debian package.

suexec-custom.c:
the source I intend to use for the 'custom' suexec.

suexec.8:
the man page for suexec-custom.c

Comments are welcome. Thanks in advance.

Cheers,

Stefan Fritsch | 6 May 2008 18:25

Request for review of apache suexec changes

Hi,

due to various bug reports, I have created a custom version of the 
suid root suexec cgi wrapper for apache. This version reads some 
settings from a config file instead of having all settings compiled 
in. Before I upload this to Debian, I would like someone else to 
review the changes I made.

[1] contains these files:

suexec.c.upstream:
the source as it comes from upstream. This has been audited at [2].

suexec.c:
the source I intend to use for the 'standard' suexec. This fixes some 
issues pointed out at [2] (CVE-2007-1742, etc.) and one bug related 
to logging. The latter fix is already in the current Debian package.

suexec-custom.c:
the source I intend to use for the 'custom' suexec.

suexec.8:
the man page for suexec-custom.c

Comments are welcome. Thanks in advance.

Cheers,
Stefan

[1] http://people.debian.org/~sf/suexec/ 

أحمد المحمودي | 17 Apr 2008 20:43

acon package needs audit

Hello,

  I have been told on #debian-security that acon (a package that I 
  maintain) needs audit.

  The package can be found at:
  http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-7.dsc

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 ( <at>  subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27

Simon Josefsson | 15 Apr 2008 14:38

request of audit of 'shishid'

Hi,

I read Steve's blog entry about requesting audit of new packages here.
I've maintained debian packages for Shishi for a while, so it isn't
strictly a new package, but I do appreciate code audits of it.  Shishi
contains shishid which is a network daemon started by root so it is a
good target to inspect for security problems.

You can download upstream source code from
<http://josefsson.org/shishi/release/> or browse it in git:

http://git.savannah.gnu.org/gitweb/?p=shishi.git;a=tree;f=src;hb=HEAD

In particular, the shishid daemon code is in:

http://git.savannah.gnu.org/gitweb/?p=shishi.git;a=blob;f=src/shishid.c;hb=HEAD

I could describe in detail how the work is intended to work, but I
suspect it is better to have a clean mindset when doing audits.  Ask if
there is anything unclear.

The PTS entry for shishi is:

http://packages.qa.debian.org/s/shishi.html

/Simon

Victor Stinner | 4 Jul 2007 13:57

Environment variable fuzzing

(This email's first destination was skx#debian.org but he doesn't answer, so I 
retry on this mailing list)

Hi,

I see that you found a bug in unicon-imc2 program. Great job ;-)

I wrote a fuzzer for files and environment variables. I already found some 
serious bugs in ClamAV, Freetype and libexif.

So you should try it ;-)
  http://fusil.hachoir.org/trac

I found a bug in xterm (and the program file is in setguid mode): there is a bug 
in PATH content parsing (when it only contains one path, no ":"). Check 
xterm/misc.c, near line 2811, function xtermFindShell(). It doesn't allocate 
enough bytes to store the nul byte. The xterm author didn't answer my email.

I also found many bugs in gettext but gettext's author doesn't care because it « 
would not serve the purpose of a maximally efficient lookup of 
translations ». Ok, but it's possible to use 
LANGUAGE='../../../../../../../../tmp' with non-suid programs... libc uses 
strong validation of the LANGUAGE variable, but only for suid programs (stupid 
thing).

Another funny bug: « COLUMNS=10000000 dpkg-query -l » segfaults (with 
UTF-8 locale) because of a bug in libc :-) (bug fixed in libc upstream)

Victor Stinner aka haypo
http://hachoir.org/

Steve Kemp | 1 Jul 2007 21:40

Long time, no activity ..


Hi all,

  It's been a long time since there was a post upon this list,
 yet I see people joining every week or two.  Very strange.

  Anyway I figured it was worth pointing people at a new "project"
 I've recently started working upon.  Rather than explicitly looking
 for security problems I thought it would be interesting to look
 for bad code across the *whole Debian archive*.

  As it happens this has turned up a couple of security issues, but
 that is mostly incidental.

  There is a brief overview of the work here:

    http://shellcode.org/SourceScan/

  In brief:

    1.  Download the source to the Debian archive.
    2.  Grep for simple patterns.
    3.  Examine hits manually; reporting bugs as appropriate.
    4.  Repeat.

  So far I've just looked for things like:

    grep getenv | grep -E '(sprintf|strcpy)'
    grep popen  | grep /tmp
    grep system | grep '>[ ]*/tmp'
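
The grep procedure listed in the message above, as an added example that is not part of the original post or of the SourceScan project: it applies the three quoted pattern pairs recursively to an unpacked source tree and labels each hit for manual review. The function names, labels and sample files are constructed for illustration; GNU grep and file names without ":" are assumed.

```shell
#!/bin/sh
# Added example: the two-stage greps from the post, run over a source tree.
# Assumes GNU grep (-r, -I) and file names that contain no ':'.

# two_stage LABEL FIRST SECOND DIR
# Keep lines matching FIRST whose *text* also matches SECOND. The second
# stage looks at the line text only, so a tree unpacked under /tmp does not
# turn every file path into a false "/tmp" hit.
two_stage() {
    ( cd "$4" || exit 1
      grep -rnIE -- "$2" . 2>/dev/null |
      awk -v label="$1" -v re="$3" '{
          text = $0
          sub(/^[^:]*:[0-9]+:/, "", text)   # drop the "file:line:" prefix
          if (text ~ re) print label "\t" $0
      }' )
}

# scan_tree DIR: run the three pattern pairs quoted in the post.
scan_tree() {
    two_stage getenv-copy 'getenv' '(sprintf|strcpy)' "$1"
    two_stage popen-tmp   'popen'  '/tmp'             "$1"
    two_stage system-tmp  'system' '>[ ]*/tmp'        "$1"
}

# make_sample DIR: constructed sample sources, for demonstration only.
make_sample() {
    mkdir -p "$1/pkg-a" "$1/pkg-b"
    cat > "$1/pkg-a/conf.c" <<'EOF'
char *home = getenv("HOME");
sprintf(path, "%s/.apprc", getenv("HOME"));
EOF
    cat > "$1/pkg-b/run.c" <<'EOF'
FILE *p = popen("/tmp/helper", "r");
system("ls -l");
system("sort data > /tmp/sorted");
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
scan_tree "$sample"      # one labelled hit per risky line, three in total
rm -rf "$sample"
```

Each hit is only a candidate for step 3 of the list: a line can match both patterns and still be safe, so the output is a review queue, not a bug list.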

Nico Golde | 12 Mar 2007 12:54

libpam-opie

Hi,
I did a quick audit of libpam-opie and found the following:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414015

I haven't received an answer by the maintainer yet and
because the code quality in general is moderate I wanted to  
know if it's ok to raise the Severity of this bug to grave?
I haven't checked in detail in which situation this leads to 
memory corruption and if it's exploitable but since it could 
be..
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de
JAB: nion <at> jabber.ccc.de - GPG: 0x73647CFF
Forget about that mouse with 3/4/5 buttons,
gimme a keyboard with 103/104/105 keys!

Cameron Dale | 11 Mar 2007 01:04

Security audit for TorrentFlux

Hi,

A Debian package I maintain, TorrentFlux, was recently removed from Testing due
to security issues. Now that it is security-issue free, my request for having it
added back in was denied, and it was suggested that I ask for an audit on this
list (see this post: http://lists.debian.org/debian-release/2006/12/msg01039.html).

So, I am requesting a security audit for the Debian package TorrentFlux.

All the security issues that affected this package were discovered in a 2 month
period from mid-October to mid-December of last year. All have been fixed. In
doing the fixing, myself, the upstream maintainer, and Stefan Fritsch (who
posted to the list about this package at the time) were all doing independent
searches for the discovered, and any other, issues, during which we found and
fixed some problems that were not yet discovered by others. Since this time (3
months ago), no other security related bugs have been found in the package, and
I believe it to be security-issue free.

The package is available in the Debian archive here:

http://packages.debian.org/unstable/web/torrentflux

It is made up of mostly PHP files for hosting on a webserver, and a few Python
scripts.

Thanks,
Cameron

