[nas] nas: Multiple Vulnerabilities in nas 1.9.3
Erik Auerswald
auerswal at unix-ag.uni-kl.de
Thu Aug 15 05:07:20 MDT 2013
Hi,
On Thu, Aug 15, 2013 at 09:27:53AM +0430, Hamid Zamani wrote:
> On 08/15/2013 03:07 AM, Erik Auerswald wrote:
> > On 08/13/2013 11:38 PM, Jon Trulson wrote:
> >> [...]
> >> This looks fine.
> >
> > I have just committed the patch to svn.
> >
> > @Hamid Zamani: Please check if all vulnerabilities you reported are
> > actually fixed.
> >
> > @Jon: Would you like to prepare a maintenance release of NAS?
>
> Sorry, i was so busy these days.
>
> I checked all. thank you Eric, all done perfectly;)
>
> just a issue is in my mind and it is about 'AuServerHostName'. It's
> correct that almost all of string calls fixed right now but i think for
> later use it would be better to think about checking this or use a
> limitation about it. What do you think ?
I fixed the overflow vulnerabilities by adding range checks. Rejecting
wrong (for some value of wrong) input, in this case from the AUDIOHOST
environment variable, is useful.
It was easier to just mechanically add range checks, than to understand
and check for what constitutes a correct value for AUDIOHOST. ;-)
On Thu, Aug 15, 2013 at 09:24:38AM +0430, Hamid Zamani wrote:
> There are some issues about clients, can we fix them before maintenance
> release ? or later ?
I don't mind waiting a bit with the release. Please send identified
vulnerabilities to the list. You can split this by client program, you do
not need to send a complete list for all of them, if you prefer.
Thanks,
Erik
More information about the nas
mailing list