Upstream bug in log4cpp
Cantor, Scott
cantor.2 at osu.edu
Thu Mar 29 03:15:05 UTC 2012
I think Scott Koranda was going to file this, but in case there's any
confusion, he identified a bug that I believe I patched in my log4shib
fork, but hasn't been fixed in log4cpp, which Debian's Shibboleth SP
packages rely on.
His new bug entry is here:
https://issues.shibboleth.net/jira/browse/SSPCPP-432
The original entry is:
https://issues.shibboleth.net/jira/browse/SSPCPP-265
The patch is:
http://svn.shibboleth.net/view/utilities/cpp-log4shib/trunk/src/StringUtil.cpp?r1=83&r2=84
The bug affects large vararg parameters (such as log input) on the x64
arch. Many packages using vsnprintf and other variants were affected by
the issue a few years ago.
In practice, Shibboleth is only affected when logging on DEBUG. It's a
denial of service condition, but since it affects DEBUG logging only, it
isn't something I considered a major security matter when I dealt with it.
YMMV of course.
-- Scott
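
An added example, not part of the original message and not the code from the linked patch: a common cause of this class of vsnprintf failure on x86-64 is a grow-and-retry formatter that passes the same va_list to vsnprintf a second time after the first call has consumed it, and the code below assumes that cause. It shows the hardened form, which takes a fresh va_copy for every attempt; `vform_safe` and `form_safe` are hypothetical names.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical helper (not log4cpp or log4shib code): format into a buffer
// that grows until the output fits.
std::string vform_safe(const char* format, va_list args) {
    std::vector<char> buf(64);  // deliberately small so long input forces a retry
    for (;;) {
        // On x86-64 a va_list is consumed by vsnprintf. Passing the same
        // va_list to a second call is undefined behaviour, so every attempt
        // works on its own copy.
        va_list attempt;
        va_copy(attempt, args);
        int n = std::vsnprintf(buf.data(), buf.size(), format, attempt);
        va_end(attempt);

        if (n < 0)
            return std::string();  // output error: fail closed, no partial data
        if (static_cast<size_t>(n) < buf.size())
            return std::string(buf.data(), static_cast<size_t>(n));

        // C99 semantics: n is the length needed, excluding the terminator.
        buf.resize(static_cast<size_t>(n) + 1);
    }
}

// Variadic front end, the shape a logging call would use.
std::string form_safe(const char* format, ...) {
    va_list args;
    va_start(args, format);
    std::string out = vform_safe(format, args);
    va_end(args);
    return out;
}

int main() {
    // Constructed sample: an argument far larger than the initial buffer,
    // standing in for a long DEBUG log message.
    std::string big(5000, 'A');
    std::string line = form_safe("user=%s id=%d", big.c_str(), 42);
    std::printf("%zu bytes formatted\n", line.size());
    return 0;
}
```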