Your message dated Tue, 22 Sep 2020 00:41:03 +0000
with message-id <[email protected]>
and subject line INADDR_LOOPBACK
has caused the Debian Bug report #812795,
regarding fakeroot opens a tcp socket which is open to the internet
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
812795: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812795
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fakeroot
Version: 1.20.2-1
Severity: normal
Dear Maintainer,
I noticed fakeroot-tcp binds a tcp socket to INADDR_ANY. This seems worrying,
even if we don't know about specific vulnerabilities. I haven't disclosed
this observation elsewhere.
Triage: I'm not sure how predictable the port number is. Many invocations of
fakeroot will be short-lived. So you would need to catch the right port at the
right time. The Debian fakeroot package uses fakeroot-sysv by default.
However I believe Debian is also acting as upstream, and other distributions
(Fedora) do default to fakeroot-tcp. Also fakeroot-tcp is necessary for
multi-threaded programs (see the README). fakeroot is sometimes used in
package building...
I hope there aren't any major build servers compromised by this :(.
Fix: replace htonl(INADDR_ANY) in fakerootd.c with htonl(INADDR_LOOPBACK). Not
tested, but libfakeroot already connects to INADDR_LOOPBACK. I'm not aware of
anything else this would break.
Thanks to you all
Alan
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: armel (armv5tel)
Kernel: Linux 3.16.0-4-kirkwood
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fakeroot depends on:
iu libc6 2.19-18+deb8u2
ii libfakeroot 1.20.2-1
fakeroot recommends no packages.
fakeroot suggests no packages.
-- no debconf information
--- End Message ---
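The report above describes the defect and its fix in one line each: a listener bound to `INADDR_ANY` accepts connections from any host that can reach the machine, while one bound to `INADDR_LOOPBACK` accepts only local connections. The following is an added example, not code from fakeroot or from the reporter, showing the two settings side by side together with a `getsockname()`-based check a packager or tester can use to confirm which address a running daemon's socket actually ended up on. The function names (`listen_on`, `bound_to_loopback`, `address_is_loopback`, `open_any`, `open_loopback`) are this example's own, not fakeroot's.

```c
/* Added example (not fakeroot's code): the two bind addresses discussed in
 * Debian bug #812795, plus a check that inspects a socket's bound address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pure check on an IPv4 address in host byte order: is it in 127.0.0.0/8?
 * Returns 1 for loopback, 0 for anything reachable from other hosts
 * (including the wildcard 0.0.0.0, which INADDR_ANY binds to). */
static int address_is_loopback(uint32_t host_addr)
{
    return (host_addr & 0xff000000u) == (INADDR_LOOPBACK & 0xff000000u);
}

/* Create a listening TCP socket bound to host_addr (host byte order) on an
 * ephemeral port, the way a small helper daemon might. Returns fd or -1. */
static int listen_on(uint32_t host_addr)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);                 /* kernel picks the port */
    sa.sin_addr.s_addr = htonl(host_addr);  /* the setting that matters */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Ask the kernel which address a socket is really bound to and classify it.
 * Returns 1 if loopback-only, 0 if exposed to other hosts, -1 on error. */
static int bound_to_loopback(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return address_is_loopback(ntohl(sa.sin_addr.s_addr));
}

/* The weak setting from the report and the corrected one. */
static int open_any(void)      { return listen_on(INADDR_ANY); }
static int open_loopback(void) { return listen_on(INADDR_LOOPBACK); }

int main(void)
{
    int any = open_any();
    int lo = open_loopback();
    printf("bound to INADDR_ANY:      loopback-only=%d\n", bound_to_loopback(any));
    printf("bound to INADDR_LOOPBACK: loopback-only=%d\n", bound_to_loopback(lo));
    if (any >= 0) close(any);
    if (lo >= 0) close(lo);
    return 0;
}
```

The same `getsockname()` classification can be applied from outside a process by reading the local address column of `ss -ltnp` or `netstat -ltnp`: a fakeroot-tcp daemon from a fixed build should show `127.0.0.1:<port>`, and a `0.0.0.0:<port>` entry is the condition the report describes.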
--- Begin Message ---
Version: 1.22-1
This was fixed in fakeroot 1.22
--- End Message ---