Debian Security Advisory

DSA-521-1 sup -- format string vulnerability

Date Reported:
18 Jun 2004
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 10571.
In Mitre's CVE dictionary: CVE-2004-0451.
More information: discovered a format string vulnerability in sup, a set of programs to synchronize collections of files across a number of machines, whereby a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process (this process does not run automatically by default).

CAN-2004-0451: format string vulnerabilities in sup via syslog(3) in logquit, logerr, loginfo functions

For the current stable distribution (woody), this problem has been fixed in version 1.8-8woody2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you update your sup package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.