head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2006.07.28.07.39.02;	author itetcu;	state dead;
branches;
next	1.1;

1.1
date	2006.07.26.07.51.52;	author itetcu;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- Updating the Osiris integrity checking system to 4.2.1. This version includes
the format string exploit fixes that were also in the patch added in 4.2.0_1
(hence this patch file is removed).
- Also updating master site to the new official one.

PR:		ports/100952
Submitted by:	David Thiel (maintainer)
@
text
@--- src/osirisd/logging.c
+++ src/osirisd/logging.c
@@@@ -93,7 +93,7 @@@@
             fprintf( stdout, "\n" );
         }
 #else
-    syslog( ( SYSLOG_FACILITY | LOG_ERR ), header );
+    syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header );
 #endif
 }
 
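Review bot: The `"%s"` now passed to `syslog()` in the `#else` branch has no comment explaining it, and the identical one-line fix is repeated at seven call sites (the three hunks in src/osirisd/logging.c and the four in src/osirismd/logging.c), so a later logging function can reintroduce `syslog( priority, header )` unnoticed. I would add `/* header can contain remote-supplied text (CVE-2006-3120): always pass it as an argument, never as the format */` above each call, or route all seven through one static helper that owns the literal format. Building with `-Wformat -Wformat-security` would flag any non-literal format that slips back in. The other side of the `#if` is only partly visible here (just `fprintf( stdout, "\n" )`), so whether `header` is also printed there through a literal format should be checked in the full file; each enclosing function starts outside its hunk.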
@@@@ -147,7 +147,7 @@@@
             fprintf( stdout, "\n" );
         }
 #else
-    syslog( ( SYSLOG_FACILITY | LOG_INFO ), header );
+    syslog( ( SYSLOG_FACILITY | LOG_INFO ), "%s", header );
 #endif
 }
 
@@@@ -201,7 +201,7 @@@@
             fprintf( stdout, "\n" );
         }
 #else
-    syslog( ( SYSLOG_FACILITY | LOG_WARNING ), header );
+    syslog( ( SYSLOG_FACILITY | LOG_WARNING ), "%s", header );
 #endif
 }
 
--- src/osirismd/logging.c
+++ src/osirismd/logging.c
@@@@ -106,7 +106,7 @@@@
             fprintf( stdout, "\n" );
         }
 #else
-    syslog( ( syslog_facility | LOG_ERR ), header );
+    syslog( ( syslog_facility | LOG_ERR ), "%s", header );
 #endif
 }
 
@@@@ -168,7 +168,7 @@@@
             fprintf( stdout, "\n" );
         }
 #else
-    syslog( ( syslog_facility | LOG_INFO ), header );
+    syslog( ( syslog_facility | LOG_INFO ), "%s", header );
 #endif
 }
 
@@@@ -230,7 +230,7 @@@@
             fprintf( stdout, "\n" );
         }
 #else
-    syslog( ( syslog_facility | LOG_WARNING ), header );
+    syslog( ( syslog_facility | LOG_WARNING ), "%s", header );
 #endif
 }
 
@@@@ -281,7 +281,7 @@@@
                     NULL);                /* no raw data */
         }
 #else
-        syslog( ( syslog_facility | LOG_INFO ), buffer );
+        syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
 #endif
     }
@


1.1
log
@Patching osiris in response to CVE-2006-3120.

"Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project
have found several format string security bugs in osiris, a network-wide
system integrity monitor control interface. A remote attacker could
exploit them and cause a denial of service or execute arbitrary code."

PR:		ports/100793
Submitted by:	David Thiel (maintainer)
Security:	CVE-2006-3120
@
text
@@

