Your message dated Wed, 05 Oct 2005 14:02:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#298929: fixed in distcc 2.18.3-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Mar 2005 18:37:17 +0000
>From [EMAIL PROTECTED] Thu Mar 10 10:37:17 2005
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D9SX6-0004cx-00; Thu, 10 Mar 2005 10:37:17 -0800
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 2E7B2366B64; Thu, 10 Mar 2005 19:37:24 +0100 (CET)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Thu, 10 Mar 2005 19:30:31 +0100 (CET)
Date: Thu, 10 Mar 2005 19:30:31 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Security problem in distcc
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: distcc
Version: 2.18.1-5
Severity: grave
Tags: sarge sid security
Saw this on bugtraq:
XCode ships with version 2.0.1 of distcc. We also tried updating to
2.18.3 and had similar issues with that version as well.
Apple was not contacted prior to this release because the exploit for
distccd is already known and in the wild. Users of the distributed
compiling system in XCode should disable this feature until both Apple
and Samba can take proper action to protect its users.
Exploit:
There are a few known exploits for distcc. By using a common method
provided by metasploit (http://metasploit.com/projects/Framework/exploits.html#distcc_exec),
I was given full access to the remote user's home folder via telnet.
Proposed Solution:
Samba needs to work on proper directory jailing and remote code
execution with their distcc product. Apple needs to at least ship with
the latest version of distcc, which supports an Allow List of people that
are allowed to connect to the distcc daemon. This would minimize the
damage caused by running this service on a machine.
This document and follow up information can be found at
http://dev.sdf1.net/archives/003082.html
Regards,
Joey
--
MIME - broken solution for a broken design. -- Ralf Baechle
Please always Cc to me when replying to me on the lists.
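The "Proposed Solution" above amounts to two controls on the daemon side: an allow list of client networks (distccd's --allow option) and binding to a specific interface (the --listen option the Debian changelog further down adds in 2.18.3-3). The following script is an added example, not code from the bug report, the bugtraq post or the distcc project. It audits a distccd configuration for the wide-open state the report describes and derives the restricted daemon command line from it. The variable names ALLOWEDNETS and LISTENER are assumed to follow the layout of the Debian package's /etc/default/distcc; the sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the distcc project.
# Checks a distccd configuration for the exposure the report describes
# (a daemon reachable from untrusted networks with no allow list) and
# builds the restricted command line. Assumptions: the variable names
# ALLOWEDNETS and LISTENER follow the layout of the Debian package's
# /etc/default/distcc; --allow and --listen are distccd's own options.

# cfg_value FILE KEY: last uncommented KEY=value line, quotes stripped.
cfg_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# audit_distcc_config FILE: return 0 if connections are restricted to an
# explicit allow list, 1 if the daemon would accept connections from anywhere.
audit_distcc_config() {
    allowed=$(cfg_value "$1" ALLOWEDNETS)
    listener=$(cfg_value "$1" LISTENER)
    status=0
    if [ -z "$allowed" ]; then
        echo "open: ALLOWEDNETS is empty, distccd would run without --allow"
        status=1
    fi
    for net in $allowed; do
        case "$net" in
            */0|0.0.0.0)
                echo "open: ALLOWEDNETS contains the wildcard $net"
                status=1 ;;
        esac
    done
    # Binding every interface is not fatal on its own (the allow list still
    # applies) but is worth flagging, since --listen limits exposure further.
    if [ -z "$listener" ] || [ "$listener" = "0.0.0.0" ]; then
        echo "warning: LISTENER unset, daemon would bind all interfaces"
    fi
    return $status
}

# distccd_cmdline FILE: the daemon invocation derived from the config.
distccd_cmdline() {
    allowed=$(cfg_value "$1" ALLOWEDNETS)
    listener=$(cfg_value "$1" LISTENER)
    cmd="distccd --daemon --user distccd"
    for net in $allowed; do
        cmd="$cmd --allow $net"
    done
    if [ -n "$listener" ]; then
        cmd="$cmd --listen $listener"
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample configurations (not real files from any system).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/open.conf" <<'EOF'
# constructed: the wide-open setup the report warns about
STARTDISTCC="true"
ALLOWEDNETS=""
LISTENER=""
EOF
cat > "$tmpdir/restricted.conf" <<'EOF'
# constructed: only the build LAN may connect, on one interface
STARTDISTCC="true"
ALLOWEDNETS="192.168.1.0/24 10.0.0.5"
LISTENER="192.168.1.5"
EOF

for name in open restricted; do
    printf '== %s.conf ==\n' "$name"
    if audit_distcc_config "$tmpdir/$name.conf"; then
        echo "ok, would start: $(distccd_cmdline "$tmpdir/$name.conf")"
    else
        echo "refusing to start distccd with this configuration"
    fi
done
```

The audit treats an empty allow list or a /0 wildcard as a hard failure, because --allow is the control that actually stops the anonymous connections described in the report; an unrestricted LISTENER is only reported as a warning, since the allow list still applies to every interface.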
---------------------------------------
Received: (at 298929-close) by bugs.debian.org; 5 Oct 2005 21:08:47 +0000
>From [EMAIL PROTECTED] Wed Oct 05 14:08:47 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1ENGOu-0001I9-00; Wed, 05 Oct 2005 14:02:08 -0700
From: Carsten Wolff <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#298929: fixed in distcc 2.18.3-3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 05 Oct 2005 14:02:08 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 4
Source: distcc
Source-Version: 2.18.3-3
We believe that the bug you reported is fixed in the latest version of
distcc, which is due to be installed in the Debian FTP archive:
distcc_2.18.3-3.diff.gz
to pool/main/d/distcc/distcc_2.18.3-3.diff.gz
distcc_2.18.3-3.dsc
to pool/main/d/distcc/distcc_2.18.3-3.dsc
distcc_2.18.3-3_i386.deb
to pool/main/d/distcc/distcc_2.18.3-3_i386.deb
distccmon-gnome_2.18.3-3_i386.deb
to pool/main/d/distcc/distccmon-gnome_2.18.3-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Wolff <[EMAIL PROTECTED]> (supplier of updated distcc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 5 Oct 2005 20:35:16 +0200
Source: distcc
Binary: distcc distccmon-gnome
Architecture: source i386
Version: 2.18.3-3
Distribution: unstable
Urgency: low
Maintainer: Carsten Wolff <[EMAIL PROTECTED]>
Changed-By: Carsten Wolff <[EMAIL PROTECTED]>
Description:
distcc - Simple distributed compiler client and server
distccmon-gnome - GTK monitor for distcc a distributed client and server
Closes: 217924 276277 298489 298929 313561 315826 323308 330754 330822 331804
Changes:
distcc (2.18.3-3) unstable; urgency=low
.
* added dependency-alternative on debconf-2.0
(closes: Bug#331804)
* added version to adduser dependency
(closes: Bug#330822)
* only remove user in postrm, if the user exists and deluser is available
(closes: Bug#330754)
(closes: Bug#298489)
* added Vietnamese and Czech debconf template translations
thanks to Clytie Siddall and Miroslav Kure
(closes: Bug#313561)
(closes: Bug#315826)
* added --listen option and some warnings about distccd and untrusted nets
(closes: Bug#323308)
(closes: Bug#276277)
(closes: Bug#298929)
* new standards version 3.6.2 (no changes)
* updated FSF's postal address in the copyright file
* corrected "possible-bashism-in-maintainer-script" in config
* added "masquerade" directory /usr/lib/distcc with symlinks to distcc,
named after debian's compilers
(closes: Bug#217924)
Files:
cdd65600dc48b06fdbf5a276bdc60301 655 devel optional distcc_2.18.3-3.dsc
571f75e47f170c54cbdcd82fe61d2d94 35096 devel optional distcc_2.18.3-3.diff.gz
97be6fca91b157a037bd31f9bc3e3174 142046 devel optional distcc_2.18.3-3_i386.deb
f1a53bea4b940ccfe989281346a14c6a 35876 devel optional distccmon-gnome_2.18.3-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDRDoo9/DnDzB9Vu0RAhcVAJ9Bf/RdjLhR2K1tLvxes7CwZaJxeACfT96V
jCZaJYVgHDoy+YSRpOKSXgo=
=wBBG
-----END PGP SIGNATURE-----