From octo at verplant.org  Thu Oct  1 09:20:06 2009
From: octo at verplant.org (Florian Forster)
Date: Thu, 1 Oct 2009 09:20:06 +0200
Subject: [liboping] Version 1.3.3 available
Message-ID: <20091001072006.GP11119@verplant.org>

Hi everybody,

Steve Kemp has identified an issue with oping, the ping application
included with liboping.

Using the "-f" option, you can tell oping to read the hostnames from a
file instead of specifying them on the command line. If liboping cannot
resolve a hostname, oping will complain about this on standard error.
The problem is that oping is often installed as SetUID-root. In this
case the program can open *any* file and will basically print its
content to STDERR as error messages.

The "-f" option has been changed to accept "-" (i.e. read from standard
input) as the only argument unless the real and effective user IDs
match.

Everybody who has installed oping with SetUID-root (so that normal users
can use the program) is advised to upgrade.

Download
--------

Version 1.3.3 is available from liboping's homepage or via these direct
download links:

The Debian package 1.3.3-1 fixes this problem, too, and is available in
unstable.

ChangeLog
---------

  2009-09-29, Version 1.3.3:
    * oping: Disable the "-f" option if the real and effective user IDs
      don't match. If that is the case the program is probably running
      SetUID and should not read foreign files. Unfortunately, dropping
      privileges before reading the file is not possible, because they
      are required for opening raw sockets. Reading from STDIN using
      "-f -" is still possible. Thanks to Steve Kemp for reporting this
      issue as Debian bug #548684.

Regards,
-octo
-- 
Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
http://verplant.org/
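
Added example, not part of the original message and not oping's own
source: the check the announcement describes, written in C, where "-" is
the only accepted "-f" argument unless the real and effective user IDs
match. The names hostfile_allowed and open_hostfile and the error text
are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy from the announcement: when real and effective UIDs differ
 * (the binary is probably running SetUID), "-" is the only accepted
 * argument to -f. Returns 1 if the path may be opened, 0 otherwise.
 * hostfile_allowed is a hypothetical name, not taken from oping. */
static int hostfile_allowed(const char *path, uid_t ruid, uid_t euid)
{
    if (path == NULL)
        return 0;
    if (strcmp(path, "-") == 0)
        return 1;               /* standard input is always acceptable */
    return ruid == euid;        /* named files only without elevation  */
}

/* Hypothetical helper: enforce the policy before any file is opened.
 * Privileges cannot be dropped first (raw sockets still need them),
 * so the refusal has to happen here. Error text is an assumption. */
static FILE *open_hostfile(const char *path)
{
    if (!hostfile_allowed(path, getuid(), geteuid())) {
        fprintf(stderr, "Only \"-f -\" is permitted when the real and "
                "effective user IDs differ.\n");
        errno = EPERM;
        return NULL;
    }
    if (strcmp(path, "-") == 0)
        return stdin;
    return fopen(path, "r");
}

int main(int argc, char **argv)
{
    FILE *fh = open_hostfile(argc > 1 ? argv[1] : "-");
    char line[256];
    size_t n = 0;
    if (fh == NULL)
        return 1;
    while (fgets(line, sizeof(line), fh) != NULL)
        n++;                    /* count lines, never echo content */
    printf("%zu host line(s) read\n", n);
    if (fh != stdin)
        fclose(fh);
    return 0;
}
```
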

From octo at verplant.org  Thu Oct  1 14:26:29 2009
From: octo at verplant.org (Florian Forster)
Date: Thu, 1 Oct 2009 14:26:29 +0200
Subject: [liboping] Odd bug in Net::Oping 1.20 in combination with
	liboping-1.3.3
In-Reply-To: <9B9F4D68-8681-460A-896C-D95482EE9799@xpd.se>
	<5377F57F-5B22-4B2A-8458-6F3B4FD18FD9@xpd.se>
References: <9B9F4D68-8681-460A-896C-D95482EE9799@xpd.se>
	<5377F57F-5B22-4B2A-8458-6F3B4FD18FD9@xpd.se>
Message-ID: <20091001122629.GU11119@verplant.org>

Hi Fredrik,

On Thu, Oct 01, 2009 at 01:06:01PM +0200, Fredrik Soderblom wrote:
> Took me a while to figure out, but i found a rather odd bug
> manifesting in Net::Oping (see attached file), but the net effect is
> that you can't access the latency time w/o prepending a NULL
> character to the hostname when dealing w. the hash reference being
> returned by $obj->ping ().

oh, yeah. The problem is that "ping_iterator_get_info" returns a buffer
size (i.e. includes the trailing null byte in the size) but Perl's
"newSVpvn" requires the string length (i.e. not including the null
byte).

On Thu, Oct 01, 2009 at 01:18:50PM +0200, Fredrik Soderblom wrote:
> However, you have most likely a very good reason for using newSVpvn()
> instead of newSVpv(), so im prolly just lost :P

Yeah, using "newSVpv" is possible, too. I dislike such magic as "do
something different if the second argument is some special value", so
I've changed the line to:

    XPUSHs (sv_2mortal (newSVpvn(buffer, strlen (buffer))));

(Still enough magic in that. Plus it looks a bit like Lisp. ;)

Thanks for the pointer and your fix, I'll upload an updated version of
Net::Oping soon :)

Regards,
-octo
-- 
Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
http://verplant.org/