Your message dated Mon, 09 Feb 2009 22:17:08 +0000
with message-id <[email protected]>
and subject line Bug#513456: fixed in trickle 1.07-6
has caused the Debian Bug report #513456,
regarding trickle: may load arbitrary code from the current working directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
513456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513456
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: trickle
Version: 1.07-5
Severity: normal
Tags: upstream
Hello, here's a copy of a mail I recently sent to the Security Team:
-8<-
Yesterday I was looking at the code of the trickle package, to see how
it worked. It uses the LD_PRELOAD mechanism to load a library that will
take care that no more bandwidth than the configured limits will be used.
This library lives in /usr/lib/trickle/trickle-overload.so. However,
the trickle.c program will prefer loading it from the current working
directory if a file named trickle-overload.so exists there.
I was wondering if this consitutes any kind of vulnerability, loading by
default arbitrary code from the current directory. The code can be seen
in trickle-1.07/trickle.c:
char *trypaths[] = {
LIBNAME,
LIBDIR "/" LIBNAME,
NULL
};
...
for (pathp = trypaths; *pathp != NULL; pathp++)
if (lstat(*pathp, &sb) == 0)
break;
...
if (path[0] != '/') {
/* make path absolute */
}
...
setenv("LD_PRELOAD", path, 1);
-8<-
Their response was:
-8<-
It should only load the library from a static system path under the exclusive
control of the local admin, otherwise someone could trick a user into running
trickle from a directory where the attacker has write access and placed a
manipulated library.
I'm not convinced this would warrant a DSA, but you should report this
upstream.
-8<-
Cheers,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Listening to: Manolo Tena - Loco por verte
--- End Message ---
--- Begin Message ---
Source: trickle
Source-Version: 1.07-6
We believe that the bug you reported is fixed in the latest version of
trickle, which is due to be installed in the Debian FTP archive:
trickle_1.07-6.diff.gz
to pool/main/t/trickle/trickle_1.07-6.diff.gz
trickle_1.07-6.dsc
to pool/main/t/trickle/trickle_1.07-6.dsc
trickle_1.07-6_amd64.deb
to pool/main/t/trickle/trickle_1.07-6_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Lemmen <[email protected]> (supplier of updated trickle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 02 Feb 2009 17:43:16 +0000
Source: trickle
Binary: trickle
Architecture: source amd64
Version: 1.07-6
Distribution: unstable
Urgency: low
Maintainer: [email protected]
Changed-By: Robert Lemmen <[email protected]>
Description:
trickle - user-space bandwidth shaper
Closes: 513456
Changes:
trickle (1.07-6) unstable; urgency=low
.
* Disables default loading of the .so from the local dir, this might be a
security issue (closes: #513456)
* Added dependency to libbsd and modified build scripts to fix FTBFS under
lenny
* Bumped Standards-Version since it is compliant with the new version without
further changes
Checksums-Sha1:
14c13a3a324266dd443f20e48b796ce0b8c63394 988 trickle_1.07-6.dsc
77b04181020f9e9f0c51595b7ddcbe1a8885236e 243038 trickle_1.07-6.diff.gz
c807ca1b95792d30bfeb8defcbd2b8e4bd9b3487 43368 trickle_1.07-6_amd64.deb
Checksums-Sha256:
e7d0637d9cc0e606e831a4e15c19d5ea1d6c7cfb36f825d76cbb5962958a6351 988
trickle_1.07-6.dsc
9aa084fb6a1a4d62bb982ad8303922b8a334a4245c7fdeef75ba6442f63411a2 243038
trickle_1.07-6.diff.gz
49e4fab8785e9a38ea16917bcbcbcc9f0a5cfe9b8dc74f97047bc614e59ac50b 43368
trickle_1.07-6_amd64.deb
Files:
ebb566b13ebc7c6653074a7b54744742 988 net optional trickle_1.07-6.dsc
b037af3d26b3d5bd0df3d6489935a711 243038 net optional trickle_1.07-6.diff.gz
636633d3d2674aedc95eb69828b5f50f 43368 net optional trickle_1.07-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJkKiQS6AOchRbaWYRAnOFAKC64UFJavpngP72k1kUfLP6PcNVxwCgmqGM
8wNpM1ax5M5awmqbOQ6vzvU=
=P1Ep
-----END PGP SIGNATURE-----
--- End Message ---