similar to: Problems with dovecot 2.2.13 and monit

Hi, When ssh accesses a config file that contains a zero byte it'll expose a stack overflow. This can only be seen with valgrind or with compiling ssh with address sanitizer. I'll attach the address sanitizer and valgrind output. Reproduce: dd if=/dev/zero of=zero bs=1 count=1 valgrind -q ssh -F zero x This was found while fuzzing ssh with american fuzzy lop. (Please CC me on replies,

On Mon, 30 Mar 2015 09:19:02 +1100 (AEDT) Damien Miller <djm at mindrot.org> wrote: > What version of OpenSSH is this? 6.8 portable on Linux. > Also, when reporting fuzzer-derived problems it really helps to > include the test-case. The "test case" is a one byte file containing a zero byte. But here it is :-) -- Hanno B?ck http://hboeck.de/ mail/jabber: hanno at

Hi, I wanted to ask if there's an easy way to log the port in dovecot. The background is that, as everyone's probably aware, pop3/imap usually listen on two ports (110/995 for pop3, 143/993 for imap). One port is the "classic" port that allows unencrypted and STARTTLS connections, the other is the legacy SSL port that allows TLS only connections. The legacy SSL ports are

Hi, Yesterday I tried to replace the system openssl in a gentoo system with libressl. With openssh an interesting issue popped up: * RAND_bytes in libressl calls arc4random * arc4random is a compat function both in openssh and libressl * arc4random from openssh uses RAND_bytes So what's happening is a recursion. arc4random wants to use RAND_bytes and RAND_bytes wants to use arc4random. The

Hello, I recently tried to build my system with libressl instead of openssl. In dovecot one issue that popped up was that libressl doesn't have the ECDH auto functions from openssl 1.0.2 beta versions. However as the #ifdef's in dovecot's code check for the openssl version and libressl's version numbers are higher the compilation fails there. Attached is a patch that will change

On Sat, 25 Apr 2015 21:36:25 +0300 Teemu Huovila <teemu.huovila at dovecot.fi> wrote: > I was unable to reproduce this nor the first report. Could you > describe your environment in more detail? What version of openssl do > you have? What is the crash message you are seeing? both openssl and dovecot latest (1.0.2a, 2.2.16) on a Gentoo. Please note that it's not dovecot itself

On Sun, 26 Apr 2015 21:51:25 +0300 Teemu Huovila <teemu.huovila at dovecot.fi> wrote: > Seems the issue might require a version of libopenssl, that does not > have support for sslv3 compiled in. I have been made aware, that we > have a fix for Dovecot in the works. No that's not true. I have explicitely tried that. You just need to *disable* SSLv3, but that can be done within

Hi, I discovered an out of bounds read error in the file wildcard_match.c. Here's the code: /* find the end of each string */ while (*(++mask)); mask--; while (*(++data)); data--; The problem with this: It will search for the end of the strings (zero-terminated), but it'll only start at position 1, not at position 0 (because the ++ in front of the variable will first

Hi, I tracked down a tricky bug in dovecot that can cause the imap-login and pop3-login processes to crash on handshake failures. This can be tested by disabling SSLv3 in the dovecot config (ssl_protocols = !SSLv2 !SSLv3) and trying to connect with openssl and forced sslv3 (openssl s_client -ssl3 -connect localhost:995). This would cause a crash. What was going on is this: In

Hi, I have a glitch in all latest compiz versions (tried 0.5.2, 0.5.4 and git head+compiz-0.6 branch). When enabling cube and wobbly windows and moving a window left out of the screen (so the cube turns) the window seems to flip to the other side of the screen and back. This doesn't happen with 0.5. If required, I could try to make a film out of it. Any ideas what is wrong? I'd

If compiled with LDFLAGS="-Wl,--as-needed", compiz fails to correctly link the png-plugin. Attached patch fixes it (though I don't know if this is the correct way to do this in autotools). -- Hanno B?ck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber: jabber at hboeck.de -------------- next part -------------- A non-text attachment was scrubbed... Name:

Hi, As the last tindc said something about 3d really working on nv4x, I wanted to try that ( on a NV43). Built nouveau/mesa -> gallium-0.1 branch of mesa and git head of libdrm, kernel-drm and xf86-video-nouveau. glxinfo says: nouveau DRI driver expected DDX version 1-1.2.x but got version 0.0.10 So I assume I need some other branch of xf86-video-nouveau (?) I asked in irc but was pointed

A bypass for screensaver password dialogs has been found within compiz. What about it? Ubuntu created a patch, gentoo took the same: https://bugs.gentoo.org/show_bug.cgi?id=196878 -- Hanno B?ck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno at hboeck.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type:

Hi, In compiz' autogen.sh, there are these lines: # work around bgo 323968 ln -s ../po config/po intltoolize --force --copy --automake || exit 1 rm config/po Now, I'm not really familiar with that intltoolize/autotools/etc.-stuff, but am courious what this is for? What does bgo 323968 mean? Is this a bug number? It isn't in the fdo-bugzilla. The reason I'm investigating this

Hi, I was looking around for configuration tools for compiz. I don't really need anything special, but situation seems a bit problematic at the moment: - gset-compiz: Used it in the past, website is dead. - compiztools: Never seen it, but from what I read seems ok, but website defaced and download dead - csm: doesn't work with vanilla compiz So: Is there any tool atm to set the compiz

On Sun, 29 Mar 2015, Nico Kadel-Garcia wrote: > On Sun, Mar 29, 2015 at 6:36 PM, Hanno B?ck <hanno at hboeck.de> wrote: > > On Mon, 30 Mar 2015 09:19:02 +1100 (AEDT) > > Damien Miller <djm at mindrot.org> wrote: > > > >> What version of OpenSSH is this? > > > > 6.8 portable on Linux. > > There are a *lot* of Linux flavors. Which one?

Hi, I'm running latest server-1.3.-branch with git-mesa. compiz doesnt run and gives lots of these messages: compiz: pixmap 0x200008b can't be bound to texture compiz: Couldn't bind redirected window 0x1600008 to texture compiz: pixmap 0x200008d can't be bound to texture compiz: Couldn't bind redirected window 0x2200005 to texture compiz: pixmap 0x200008b can't be bound

Hi David, --use-cow seems to be quite stable on all variations of tfp (xgl, aiglx, nvidia), I think it was the plan to default-enable it. Do you think it's ready for that? Want a patch? -- Hanno B?ck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber: jabber@hboeck.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type:

laverne compiz # ./autogen.sh --disable-gconf [...] checking for GNOME_WINDOW_SETTINGS... yes checking for KDE_WINDOW_DECORATOR... yes configure: error: conditional "GCONF_SCHEMAS_INSTALL" was never defined. Ideas? -- Hanno B?ck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber: jabber@hboeck.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not

On Mon, 30 Mar 2015, Damien Miller wrote: > On Mon, 30 Mar 2015, Hanno B?ck wrote: > > > On Mon, 30 Mar 2015 09:19:02 +1100 (AEDT) > > Damien Miller <djm at mindrot.org> wrote: > > > > > What version of OpenSSH is this? > > > > 6.8 portable on Linux. > > That's strange - the line numbers in the valgrind stack trace don't >