Upstream bug in log4cpp
cantor.2 at osu.edu
Thu Mar 29 03:15:05 UTC 2012
I think Scott Koranda was going to file this, but in case there's any
confusion, he identified a bug that I believe I patched in my log4shib
fork, but hasn't been fixed in log4cpp, which Debian's Shibboleth SP
packages rely on.
His new bug entry is here:
The original entry is:
The patch is:
The bug affects large vararg parameters (such as log input) on the x64
arch. Many packages using vsnprintf and other variants were affected by
the issue a few years ago.
In practice, Shibboleth is only affected when logging on DEBUG. It's a
denial of service condition, but since it affects DEBUG logging only, it
isn't something I considered a major security matter when I dealt with it.
YMMV of course.
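As an added illustration, not code from the message, log4cpp or log4shib: the usual x86-64 form of this vsnprintf defect (assumed here, since the message does not spell out the mechanism) is handing the same va_list to vsnprintf a second time when the first call reports that the buffer was too small; on x86-64 the first call consumes the va_list, so the retry reads garbage and can crash the logger. The formatter below, with hypothetical names, copies the list with va_copy before every attempt so a long DEBUG message takes the retry path safely.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a growing heap buffer. The retry after a too-small buffer
 * must use a fresh copy of the va_list: on x86-64 the first vsnprintf
 * call leaves the original list exhausted (the assumed defect). */
static char *vform_safe(const char *fmt, va_list ap) {
    size_t size = 64;                 /* deliberately small first try */
    char *buf = malloc(size);
    if (!buf) return NULL;
    for (;;) {
        va_list aq;
        va_copy(aq, ap);              /* never reuse ap itself */
        int n = vsnprintf(buf, size, fmt, aq);
        va_end(aq);
        if (n < 0) { free(buf); return NULL; }
        if ((size_t)n < size) return buf;   /* fit: done */
        size = (size_t)n + 1;               /* grow and retry */
        char *tmp = realloc(buf, size);
        if (!tmp) { free(buf); return NULL; }
        buf = tmp;
    }
}

/* Logger-style entry point: returns a heap string, caller frees. */
char *format_log(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    char *s = vform_safe(fmt, ap);
    va_end(ap);
    return s;
}

/* Length of the formatted message, or -1 on failure. */
int formatted_length(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    char *s = vform_safe(fmt, ap);
    va_end(ap);
    int len = s ? (int)strlen(s) : -1;
    free(s);
    return len;
}

/* A constructed 299-byte argument forces the retry path; returns the
 * resulting length (21 bytes of prefix + 299) or -1. */
int large_message_roundtrip(void) {
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return formatted_length("user=%s id=%d msg=%s", "alice", 42, big);
}
```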