[CVE-2008-5076] htop does not filter non-printable characters in process names

Patch that fixes this (taken from Fedora). Applied it inline as it is a small patch and Debian does not provide a patchsys (IIRC, we try not to add patch systems if possible). Builds in a Jaunty pbuilder.

This bug was fixed in the package htop - 0.8.1-0ubuntu2

---------------
htop (0.8.1-0ubuntu2) jaunty; urgency=low

  * Add patch (inline) to filter non-printable characters in process names.
    Thanks to Andrew O. Shadoura for the patch. (LP: #299627)
    - This bug could be used by an attacker to hide malicious processes.
    - CVE-2008-5076

 -- David Futcher <email address hidden> Tue, 18 Nov 2008 20:42:48 +0000

How is this applied patch supposed to be working with Unicode characters?

After reading the code for the last few releases of Htop, all Ubuntu releases all the way back to Dapper are affected by this bug.

Currently do not have the time to fix this bug. I will pass it on to someone who knows more about security processes in Ubuntu.

Here is a debdiff for intrepid fixing this.

And for hardy.

gutsy goes EOL shortly, not worth fixing it there.
Fixing it for dapper will require a little more invasive fix; so i'm not completely sure how to proceed with that one.

Both of the above debdiffs are of course build on that release; and tested.

Andreas, thanks for your help on this! :) You uploaded a dsc file for Hardy and not a debdiff. Can you upload the debdiff?

I forgot to mention: please change the status to 'In Progress' after uploading the hardy debdiff.

This one should be better :)

Andreas-- the patch for hardy is not correct (FTBFS). Specifically:
- this->chstr[i] = data[j] | attrs;
+ this->chstr[i] = (isprint(data_c[j]) ? data_c[j] : '?') | attrs;

Your changed from data[] to data_c[]. AFAICT data_c doesn't exist in Hardy's code. Please resubmit after testing, mark to In Progress, and please detail the testing performed on Hardy. Thanks!

I'm terribly sorry; seems the debdiff juggling did not go well for me this time at all!

Here is the correct debdiff that you should have gotten in the first place. I've started from scratch in a new directory with this debdiff to check that everyting is correct now.

The testing has been operating the program: switching viewmodes, sorting, searching etc.

Same goes for the intrepid debdiff.

This bug was fixed in the package htop - 0.6.6+svn20070915-1ubuntu0.2

---------------
htop (0.6.6+svn20070915-1ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE: Insufficient character filters in htop when displaying
    commands allowed programs that rewrite their program name to inject
    escape sequences. (LP: #299627)
    - CVE-2008-5076
    - Patch taken from upstream svn rev 148; applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Apr 2009 17:43:47 +0200

This bug was fixed in the package htop - 0.8-0ubuntu1.1

---------------
htop (0.8-0ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Insufficient character filters in htop when displaying
    commands allowed programs that rewrite their program name to inject
    escape sequences. (LP: #299627)
    - CVE-2008-5076
    - Patch taken from upstream svn rev 148; applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Apr 2009 17:34:27 +0200

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.