Upstream bug in log4cpp

Cantor, Scott cantor.2 at
Thu Mar 29 03:15:05 UTC 2012

I think Scott Koranda was going to file this, but in case there's any
confusion, he identified a bug that I believe I patched in my log4shib
fork, but hasn't been fixed in log4cpp, which Debian's Shibboleth SP
packages rely on.

His new bug entry is here:

The original entry is:

The patch is:

The bug affects large vararg parameters (such as log input) on the x64
arch. Many packages using vsnprintf and other variants were affected by
the issue a few years ago.

In practice, Shibboleth is only affected when logging on DEBUG. It's a
denial of service condition, but since it affects DEBUG logging only, it
isn't something I considered a major security matter when I dealt with it.
YMMV of course.

-- Scott
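
Added example, not part of the original message and not log4cpp or log4shib code. The message does not describe the defect's mechanism, so this assumes the common `vsnprintf` retry pattern, in which a `va_list` already consumed by a first, too-small attempt is passed again after the buffer is enlarged. `vform_safe` and `form_safe` are hypothetical names; the block shows the hardened form, where each pass gets its own `va_copy`.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>
#include <vector>

// Assumed defect pattern (constructed, not copied from any project):
//   n = vsnprintf(buf, size, fmt, args);   // first pass consumes args
//   /* grow buf */
//   n = vsnprintf(buf, size, fmt, args);   // second pass reads a spent va_list
// On x86-64 va_list is an array type, so the callee advances the caller's
// state and the second pass is undefined behaviour, typically a crash.

// Hypothetical helper: format into a std::string, copying the va_list
// before every pass so the retry for long input sees intact arguments.
std::string vform_safe(const char* format, va_list args) {
    char small[64];  // deliberately small so long input takes the retry path

    va_list probe;
    va_copy(probe, args);
    int n = std::vsnprintf(small, sizeof small, format, probe);
    va_end(probe);

    if (n < 0) return std::string();  // output error reported by vsnprintf
    if (static_cast<size_t>(n) < sizeof small) return std::string(small, n);

    // C99 vsnprintf returned the full length needed; allocate exactly that.
    std::vector<char> big(static_cast<size_t>(n) + 1);
    va_list retry;
    va_copy(retry, args);  // fresh copy: `args` itself was never consumed
    std::vsnprintf(big.data(), big.size(), format, retry);
    va_end(retry);
    return std::string(big.data(), static_cast<size_t>(n));
}

std::string form_safe(const char* format, ...) {
    va_list args;
    va_start(args, format);
    std::string out = vform_safe(format, args);
    va_end(args);
    return out;
}

int main() {
    std::string payload(5000, 'A');  // constructed oversized log input
    std::string line = form_safe("DEBUG msg=%s code=%d", payload.c_str(), 7);
    std::printf("formatted %zu bytes\n", line.size());
    return line.size() == 5000 + 17 ? 0 : 1;
}
```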

More information about the Pkg-shibboleth-devel mailing list