pkgsrc-Bugs archive


Re: pkg/55809: Webalizer seqfaults on NetBSD 9.0 and NetBSD 9.1



The following reply was made to PR pkg/55809; it has been noted by GNATS.

From: Adrian Immanuel Kieß <adrian%kiess.onl@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: pkg/55809: Webalizer seqfaults on NetBSD 9.0 and NetBSD 9.1
Date: Mon, 07 Dec 2020 09:05:54 +0100

 Dear Maintainer,
 
 mlelstv at the IRC channel #NetBSD built me a new version of webalizer
 from pkgsrc-current for NetBSD 9.1/amd64 to try things out.
 
 I installed the new version of webalizer.
 
 But the "bug" is still there. I know it is not really a bug, more a
 security concern.
 
 The problem occurs when running webalizer against a webalizer.hist
 file with 2 or more months being written to it.
 
 Removing my webalizer.hist, the new webalizer also works fine.
 
 I let it run until a new month (January, 2021) begins and will see if
 that bug happens again.
 
 You can reproduce the bug with a webalizer.hist file in the webalizer
 working directory, with two or more months of history written to it.
 
 I attached the webalizer.hist, causing this trouble, as attachment to
 this e-mail. You can try running webalizer with that example file.
 
 Thank you very much for your reply.
 
 Sincerely,
 
 Adrian Kieß
 
 
 On Thursday, 26 November 2020 at 15:25 +0000, Benny Siegert wrote:
 > The following reply was made to PR pkg/55809; it has been noted by
 > GNATS.
 >
 > From: Benny Siegert <bsiegert%gmail.com@localhost>
 > To: gnats-bugs%netbsd.org@localhost
 > Cc: pkg-manager%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
 > pkgsrc-bugs%netbsd.org@localhost
 > Subject: Re: pkg/55809: Webalizer seqfaults on NetBSD 9.0 and NetBSD 9.1
 > Date: Thu, 26 Nov 2020 16:21:49 +0100
 >
 > Yes, this indicates a buffer overflow, which is a security issue. This
 > is something that you should report upstream.
 >
 > That said, the pkgsrc package is an older version, and version 2.23-08
 > (released in 2013!) says in the release notes that it fixes a buffer
 > overflow.
 
 -- 
 With many greetings from Leipzig, Germany.
 Adrian Immanuel Kieß

 Gothaer Straße 34
 D-04155 Leipzig

 📪 — < adrian%kiess.onl@localhost >

 --SYSTEM--
 echo "Your fortune cookie: " && /usr/games/fortune -c -s de
 > (zitate) % Das ist das Merkmal des großen und guten Menschen, daß er
 immer zuerst auf das Ganze und auf andere sieht, auf sich zuletzt. --
 Adalbert Stifter
 
 echo "g6.lan.dac uptime: " && /usr/bin/uptime
 > 08:53:47 up 3:23, 11 users, load average: 0,49, 0,52, 0,59
 
 
 

