ports/100793: Maintainer Update: security/osiris, fix format string bugs

David Thiel lx at redundancy.redundancy.org
Tue Jul 25 01:50:10 UTC 2006


>Number:         100793
>Category:       ports
>Synopsis:       Maintainer Update: security/osiris, fix format string bugs
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 25 01:50:08 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     David Thiel
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD redundancy.redundancy.org 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root at x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386


>Description:

Patching osiris in response to CVE-2006-3120.

"Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project
have found several format string security bugs in osiris, a network-wide
system integrity monitor control interface. A remote attacker could
exploit them and cause a denial of service or execute arbitrary code."

>How-To-Repeat:
>Fix:

diff -ruN osiris.old/Makefile osiris/Makefile
--- osiris.old/Makefile	Mon Jul 24 16:08:20 2006
+++ osiris/Makefile	Mon Jul 24 18:37:22 2006
@@ -7,9 +7,10 @@
 
 PORTNAME=	osiris
 PORTVERSION=	4.2.0
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	http://www.hostintegrity.com/osiris/data/ \
-		http://darkambient.net/
+		http://redundancy.redundancy.org/mirror/
 
 MAINTAINER=	lx at redundancy.redundancy.org
 COMMENT=	The Shmoo client/server host integrity checker
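Review bot: the MASTER_SITES change in this hunk (replacing http://darkambient.net/ with http://redundancy.redundancy.org/mirror/) is unrelated to CVE-2006-3120 and is not explained in the PR description; please say why the old mirror is being dropped, or split it out so the security fix can be committed on its own. Since distinfo is not touched, the tarball on the new mirror has to be byte-identical to the one the existing checksum covers. The PORTREVISION=1 bump is correct for a change to the installed binaries.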
diff -ruN osiris.old/files/patch-logging osiris/files/patch-logging
--- osiris.old/files/patch-logging	Wed Dec 31 16:00:00 1969
+++ osiris/files/patch-logging	Mon Jul 24 16:12:40 2006
@@ -0,0 +1,66 @@
+--- src/osirisd/logging.c
++++ src/osirisd/logging.c
+@@ -93,7 +93,7 @@
+             fprintf( stdout, "\n" );
+         }
+ #else
+-    syslog( ( SYSLOG_FACILITY | LOG_ERR ), header );
++    syslog( ( SYSLOG_FACILITY | LOG_ERR ), "%s", header );
+ #endif
+ }
+ 
+@@ -147,7 +147,7 @@
+             fprintf( stdout, "\n" );
+         }
+ #else
+-    syslog( ( SYSLOG_FACILITY | LOG_INFO ), header );
++    syslog( ( SYSLOG_FACILITY | LOG_INFO ), "%s", header );
+ #endif
+ }
+ 
+@@ -201,7 +201,7 @@
+             fprintf( stdout, "\n" );
+         }
+ #else
+-    syslog( ( SYSLOG_FACILITY | LOG_WARNING ), header );
++    syslog( ( SYSLOG_FACILITY | LOG_WARNING ), "%s", header );
+ #endif
+ }
+ 
+--- src/osirismd/logging.c
++++ src/osirismd/logging.c
+@@ -106,7 +106,7 @@
+             fprintf( stdout, "\n" );
+         }
+ #else
+-    syslog( ( syslog_facility | LOG_ERR ), header );
++    syslog( ( syslog_facility | LOG_ERR ), "%s", header );
+ #endif
+ }
+ 
+@@ -168,7 +168,7 @@
+             fprintf( stdout, "\n" );
+         }
+ #else
+-    syslog( ( syslog_facility | LOG_INFO ), header );
++    syslog( ( syslog_facility | LOG_INFO ), "%s", header );
+ #endif
+ }
+ 
+@@ -230,7 +230,7 @@
+             fprintf( stdout, "\n" );
+         }
+ #else
+-    syslog( ( syslog_facility | LOG_WARNING ), header );
++    syslog( ( syslog_facility | LOG_WARNING ), "%s", header );
+ #endif
+ }
+ 
+@@ -281,7 +281,7 @@
+                     NULL);                /* no raw data */
+         }
+ #else
+-        syslog( ( syslog_facility | LOG_INFO ), buffer );
++        syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
+ #endif
+     }
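Review bot: the security fix in this hunk is not accompanied by a security/vuxml entry for CVE-2006-3120, and a maintainer update for a serious remote issue should either include one or ask for one to be added at commit time so pkg_version/portaudit users are told to upgrade. Two smaller points: the new file bundles changes to two sources (src/osirisd/logging.c and src/osirismd/logging.c) in one patch-logging, where the Porter's Handbook prefers one patch file per modified source file (for example patch-src-osirisd-logging.c and patch-src-osirismd-logging.c) so that rejects stay localized when the port is updated; and only the #else branch is patched in each inner hunk, with the context showing just the closing fprintf( stdout, "\n" ) of the #if branch, so please confirm that the stdout path also prints header and buffer through a fixed "%s" format rather than as the format argument. Replacing the caller-supplied header/buffer with a literal "%s" format in every syslog() call is the right fix.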

>Release-Note:
>Audit-Trail:
>Unformatted:
