Your message dated Thu, 26 Jan 2006 10:38:27 +0100
with message-id <[EMAIL PROTECTED]>
and subject line This has been removed from the archive
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Tue, 03 Jan 2006 09:13:51 +0100
From: Rafal Maj <[EMAIL PROTECTED]>
Subject: libsafe 2.0-16-6 do not stop half of its own example exploits
Package: libsafe
Version: 2.0-16-6
Severity: serious
Libsafe 2.0-16-6 seems not to stop its own example exploits, attached to
the sources, which would make it quite useless if confirmed. That would
mean that it gives a false feeling of security (in the matter of strcmp and
related functions exploiting) when it fails to protect users from it.
Perhaps it's even a grave bug, since such protection actually is the main
and only function of that lib.
Please verify this possible bug; I'm a newbie in terms of reporting bugs
to the Debian project.
Also, libsafe seems to interfere with other programs, as in my previous
bug report Bug#345728
[EMAIL PROTECTED]:~/cre.os/libsafe/libsafe-2.0-16/exploits$ ./t1
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits/t1.
uid=2560 euid=2560 pid=94
Call stack:
0xb7f2141c /lib/libsafe.so.2.0.16
0xb7f21510 /lib/libsafe.so.2.0.16
0x80485a3 /home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits/t1
0x80485c9 /home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits/t1
0xb7dd3eab /lib/tls/i686/cmov/libc-2.3.5.so
Overflow caused by strcpy()
Killed
Ok, that one worked, but:
[EMAIL PROTECTED]:~/cre.os/libsafe/libsafe-2.0-16/exploits$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-3.00$ whoami
raf256
sh-3.00$ pwd
/home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits
sh-3.00$ exit
exit
Same if I build the example by hand or via debuild.
I use a grsecurity kernel
Linux lore.raf256 2.6.14.3-grsec-d+gc-k8reg-pg4 #1 PREEMPT
on amd64 but in 32bit mode
--
Rafał Maj
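In the t6 run reported above, libsafe did not stop the scanf() overflow, so the bound has to be enforced at the call site rather than by a preloaded wrapper. The following is an added example, not part of the original report or of libsafe's sources; read_name, NAME_MAX_LEN and the sample inputs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 15            /* constructed limit for this example */
#define STR2(x) #x
#define STR(x) STR2(x)

enum tok_status { TOK_OK, TOK_EMPTY, TOK_TRUNCATED };

/* Hypothetical helper. An unbounded "%s" conversion stores as many bytes as
 * the input supplies; the "%15s" built here stores at most NAME_MAX_LEN
 * bytes plus the terminating NUL, whatever the input length. */
enum tok_status read_name(const char *input, char out[NAME_MAX_LEN + 1])
{
    int consumed = 0;

    out[0] = '\0';
    /* "%n" records how many input bytes have been consumed so far. */
    if (sscanf(input, "%" STR(NAME_MAX_LEN) "s%n", out, &consumed) != 1)
        return TOK_EMPTY;          /* no token: empty or whitespace only */

    /* If the next unread byte still belongs to the token, the token was
     * longer than the buffer: report it instead of using a cut value. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return TOK_TRUNCATED;
    return TOK_OK;
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    char oversized[201];           /* constructed sample input: 200 x 'A' */
    enum tok_status st;

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    st = read_name("raf256\n", name);
    printf("short input: status=%d name=%s\n", (int)st, name);

    st = read_name(oversized, name);
    printf("long input:  status=%d stored=%zu bytes\n", (int)st, strlen(name));
    return 0;
}
```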
---------------------------------------
Date: Thu, 26 Jan 2006 10:38:27 +0100
Subject: This has been removed from the archive
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
libsafe has been removed from sid and Etch, it's not present in Sarge due to
bugginess.