Your message dated Thu, 12 May 2011 14:40:35 +0200
with message-id <[email protected]>
and subject line Yet another "wontfix" bug we can close
has caused the Debian Bug report #425391,
regarding Patch/bug fix for CVE-2007-2447 breaks the use of ;
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
425391: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=425391
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba
Version: 3.0.14a-3sarge

After some debugging I discovered that a strange problem I experienced was caused by the patched code added in Samba 3.0.14a-3sarge for CVE-2007-2447 (Remote Command Injection Vulnerability). It is now no longer possible to use the ";" character in options like "preexec = " & "postexec =" causing the use of i.e. (in my case) "root preexec = mkdir -p /home/software/Recycle; chown root:admins /home/software/.Recycle" to be executed as "root preexec = mkdir -p /home/software/Recycle chown root:admins /home/software/.Recycle" (The semicolon disappears!).

As far as I can see now, it also breaks the use of (in my case) "passwd program = /usr/bin/passwd %u; /usr/local/lib/yp_make.sh".

This new unexpected behaviour can possibly break a lot of setups! I think the easiest solution is to add the ";" (and possibly also & and |) to #define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"


--
Ing. A.C.J. van Amersfoort (Arno)
Department Of Electronics (ELD, k1007)
Huygens Laboratory
Leiden University
P.O. Box 9504
Niels Bohrweg 2
2333 CA Leiden
The Netherlands
----------------------------------------------------------------
Phone : +31-(0)71-527.1894   Fax: +31-(0)71-527.5819
E-mail: [email protected]
----------------------------------------------------------------
Arno's (Linux firewall) homepage: http://rocky.eld.leidenuniv.nl

--- End Message ---
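An added illustration, not Samba's code and not part of the original report: it contrasts filtering the whole expanded command against an allowlist (which also drops the administrator's own ";", the behaviour reported above) with filtering only the substituted %u value. The helper names, the ALLOW list and the sample value "bob;x" are constructed for this example; how the Debian patch actually applies its list is not shown on this page.

```c
#include <stdio.h>
#include <string.h>
/* Constructed allowlist modelled on the INCLUDE_LIST quoted in the report. */
#define ALLOW "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_/ \t.,"

/* Hypothetical helper: copy src into dst (size n >= 1), dropping bytes not in allow. */
void keep_allowed(char *dst, size_t n, const char *src, const char *allow)
{
    size_t j = 0;
    for (; *src && j + 1 < n; src++)
        if (strchr(allow, *src)) dst[j++] = *src;
    dst[j] = '\0';
}

/* Hypothetical helper: replace each %u in tmpl with val, truncating to n - 1 bytes. */
void expand_u(char *dst, size_t n, const char *tmpl, const char *val)
{
    size_t j = 0;
    while (*tmpl && j + 1 < n) {
        if (tmpl[0] != '%' || tmpl[1] != 'u') { dst[j++] = *tmpl++; continue; }
        for (const char *v = val; *v && j + 1 < n; v++) dst[j++] = *v;
        tmpl += 2;
    }
    dst[j] = '\0';
}

/* Filter the whole expanded command: the administrator's own ';' is dropped too. */
void filter_whole(char *dst, size_t n, const char *tmpl, const char *val, const char *allow)
{
    char tmp[256];
    expand_u(tmp, sizeof tmp, tmpl, val);
    keep_allowed(dst, n, tmp, allow);
}

/* Filter only the untrusted value, then expand: the configured template is untouched. */
void filter_value(char *dst, size_t n, const char *tmpl, const char *val)
{
    char safe[64];
    keep_allowed(safe, sizeof safe, val, ALLOW);
    expand_u(dst, n, tmpl, safe);
}

int main(void)
{
    char a[256], b[256];
    const char *t = "/usr/bin/passwd %u; /usr/local/lib/yp_make.sh";
    filter_whole(a, sizeof a, t, "bob;x", ALLOW);   /* constructed sample value */
    filter_value(b, sizeof b, t, "bob;x");
    printf("whole: %s\nvalue: %s\n", a, b);
}
```

Passing an allowlist extended with ";" to filter_whole keeps the configured separator, but a ";" inside the substituted value then survives as well.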
--- Begin Message ---
Version: 3.0.14a-3sarge

This bug for a security fix breaking some existing setups by
preventing the use of ";" in preexec and postexec commands has been around
for a while and nobody else has complained since then.

I don't think it's worth going anywhere. Broken existing setups have
been fixed for a while now, hence closing.

--- End Message ---