buffer overflow in w_read function (possible DoS and execution of arbitary code)

Here is the changeset for the fix: http://svn.linuxrulz.org/WebSVN/listing.php?repname=Policyd&path=%2Ftrunk%2F&rev=4&sc=1

Here is a debdiff for Feisty, but it does not include a fix for bug 91607 (upgrade failure), so please do not upload yet - just for reference.

Moved LP reference from "References" to main line in debian/changelog.

Please upload the debdiff/new package.

It seems to be better IMHO to have a problem during upgrade (which has been there before already), but the security issue fixed.

I will also provide a debdiff for Dapper.

I'm no C expert at all, but it appears to me that 1.55-1ubuntu1 is not affected:
 - w_read in policyd.c uses MAXLINE for length already
 - the sanity check in sockets.c does not seem to apply for sockets.c in 1.55 (http://svn.linuxrulz.org/WebSVN/diff.php?repname=Policyd&path=%2Ftrunk%2Fsockets.c&rev=4&sc=1)

Please double-check my investigations!

The same observations as for Dapper seem to apply to postfix-policyd (1.78-1) from Edgy.

Thanks! I've built this and it is pending upload now.

postfix-policyd (1.80-2.1ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: Fixed buffer overflow in w_read function (LP: #136687)
  * Applied patch from upstream SVN inline (no patch system used yet)
  * Fixed start/stop upgrade problems (LP: #91607).
  * References
    CVE-2007-3791

 -- dAniel hAhler <email address hidden> Sun, 02 Sep 2007 06:05:01 +0200