Vulnerability
 analog
Affected
 analog all versions except 4.16 and 4.90beta3
Description
 Stephen Turner found the following. There is a buffer overflow bug
 in all versions of analog released prior to 13-02-2001. A
 malicious user could use an ALIAS command to construct very long
 strings, which were not checked for length.
 This bug is particularly dangerous if the form interface (which
 allows unknown users to run the program via a CGI script) has been
 installed.
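 The bug class described above, as an added illustration in C (not analog's source, which this page does not show): a hypothetical apply_alias helper substitutes one string for another into a fixed-size buffer and refuses any result that would not fit. NAME_MAX_LEN, the function names and the sample strings are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed size of the fixed buffer holding a name */

/* Replace each occurrence of `from` in `in` with `to`, writing into out[outsz].
 * Returns 0 on success, -1 if the result (plus NUL) would not fit.
 * The unchecked form of this loop would keep copying past the end of `out`. */
int apply_alias(const char *in, const char *from, const char *to,
                char *out, size_t outsz)
{
    size_t flen = strlen(from), tlen = strlen(to), used = 0;
    if (outsz == 0 || flen == 0)
        return -1;
    while (*in != '\0') {
        int hit = strncmp(in, from, flen) == 0;
        const char *src = hit ? to : in;   /* replacement, or one input byte */
        size_t n = hit ? tlen : 1;
        if (n >= outsz - used) {           /* no room for n bytes plus NUL */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, src, n);
        used += n;
        in += hit ? flen : 1;
    }
    out[used] = '\0';
    return 0;
}

/* Constructed input: aliasing "a" -> "aa" doubles the string on every pass.
 * Returns the pass on which the length check refuses the result. */
int grow_until_rejected(void)
{
    char cur[NAME_MAX_LEN] = "a", next[NAME_MAX_LEN];
    int pass = 1;
    while (apply_alias(cur, "a", "aa", next, sizeof next) == 0) {
        memcpy(cur, next, strlen(next) + 1);   /* bounded: next fits in cur */
        pass++;
    }
    return pass;
}

int main(void)
{
    printf("rejected on pass %d\n", grow_until_rejected());
    return 0;
}
```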
Solution
 This bug was discovered by the program author, and there is no
 known exploit. However, users are advised to upgrade to one of
 the two safe versions immediately, especially if they have
 installed the form interface.
 For Red Hat:
 ftp://updates.redhat.com/secureweb/2.0/SRPMS/analog-4.16-1.src.rpm
 ftp://updates.redhat.com/secureweb/2.0/i386/analog-4.16-1.i386.rpm
 ftp://updates.redhat.com/secureweb/2.0/i386/analog-form-4.16-1.i386.rpm
 For Debian:
 http://security.debian.org/dists/stable/updates/main/source/analog_4.01.orig.tar.gz
 http://security.debian.org/dists/stable/updates/main/source/analog_4.01-1potato1.dsc
 http://security.debian.org/dists/stable/updates/main/source/analog_4.01-1potato1.diff.gz
 http://security.debian.org/dists/stable/updates/main/binary-i386/analog_4.01-1potato1_i386.deb
 http://security.debian.org/dists/stable/updates/main/binary-m68k/analog_4.01-1potato1_m68k.deb
 http://security.debian.org/dists/stable/updates/main/binary-sparc/analog_4.01-1potato1_sparc.deb
 http://security.debian.org/dists/stable/updates/main/binary-alpha/analog_4.01-1potato1_alpha.deb
 http://security.debian.org/dists/stable/updates/main/binary-powerpc/analog_4.01-1potato1_powerpc.deb
 http://security.debian.org/dists/stable/updates/main/binary-arm/analog_4.01-1potato1_arm.deb
 For Turbo Linux:
 ftp://ftp.turbolinux.com/pub/updates/6.0/security/analog-4.16-2.i386.rpm