On sam., 2012-05-26 at 23:57 +0200, Yves-Alexis Perez wrote: > Package: arpwatch > Version: 2.1a15-1.1 > Severity: critical > Tags: security > Justification: root security hole > > Hi, > > as reported on oss-sec > (http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch > added to arpwatch to drop privileges in fact adds the gid 0 (root) group > to the group list. This has been allocated CVE-2012-2653. > > Can you prepare updates fixing this (using pw->pw_gid in the call) or > should the security team do it? > I've uploaded the attached debdiff to DELAYED/2 and will upload the fix (but without the hardening part) to stable soon.
Note that the arpwatch package seems in a really bad state, if you don't have time or don't care anymore, you should orphan it. Regards, -- Yves-Alexis
Differences in arpwatch between 2.1a15-1.1 and 2.1a15-1.2 diff -u arpwatch-2.1a15/Makefile.in arpwatch-2.1a15/Makefile.in --- arpwatch-2.1a15/Makefile.in +++ arpwatch-2.1a15/Makefile.in @@ -51,6 +51,7 @@ # Standard CFLAGS CFLAGS = $(CCOPT) $(DEFS) $(INCLS) +LDFLAGS = @LDFLAGS@ # Standard LIBS LIBS = @LIBS@ @@ -97,11 +98,11 @@ arpwatch: $(WOBJ) @V_PCAPDEP@ @rm -f $@ - $(CC) $(CFLAGS) -o $@ $(WOBJ) $(LIBS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(WOBJ) $(LIBS) arpsnmp: $(SOBJ) @rm -f $@ - $(CC) $(CFLAGS) -o $@ $(SOBJ) $(SLIBS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SOBJ) $(SLIBS) version.o: version.c version.c: $(srcdir)/VERSION @@ -109,7 +110,7 @@ sed -e 's/.*/char version[] = "&";/' $(srcdir)/VERSION > $(srcdir)/$@ zap: zap.o intoa.o - $(CC) $(CFLAGS) -o $@ zap.o intoa.o -lutil + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ zap.o intoa.o -lutil install: force $(INSTALL) -m 555 -o bin -g bin arpwatch $(DESTDIR)$(BINDEST) diff -u arpwatch-2.1a15/arpwatch.c arpwatch-2.1a15/arpwatch.c --- arpwatch-2.1a15/arpwatch.c +++ arpwatch-2.1a15/arpwatch.c @@ -153,7 +153,7 @@ struct passwd* pw; pw = getpwnam( user ); if ( pw ) { - if ( initgroups(pw->pw_name, 0) != 0 || setgid(pw->pw_gid) != 0 || + if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0 ) { syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,pw->pw_uid, pw->pw_gid); exit(1); diff -u arpwatch-2.1a15/debian/rules arpwatch-2.1a15/debian/rules --- arpwatch-2.1a15/debian/rules +++ arpwatch-2.1a15/debian/rules @@ -21,6 +21,10 @@ endif +CFLAGS=$(shell dpkg-buildflags --get CPPFLAGS) +CFLAGS+=$(shell dpkg-buildflags --get CFLAGS) +LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS) +LDFLAGS+=-Wl,-z,defs config.status: configure dh_testdir @@ -31,7 +35,7 @@ ifneq "$(wildcard /usr/share/misc/config.guess)" "" cp -f /usr/share/misc/config.guess config.guess endif - ./configure $(CROSS) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs" + ./configure $(CROSS) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" build: build-stamp diff -u arpwatch-2.1a15/debian/changelog arpwatch-2.1a15/debian/changelog --- arpwatch-2.1a15/debian/changelog +++ arpwatch-2.1a15/debian/changelog @@ -1,3 +1,14 @@ +arpwatch (2.1a15-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix initgroups() adding the gid 0 group to the list. Instead of dropping + privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715 + * debian/rules: + - enable hardening flags. + * Makefile.in: add LDFLAGS support. + + -- Yves-Alexis Perez <cor...@debian.org> Sun, 27 May 2012 09:20:52 +0200 + arpwatch (2.1a15-1.1) unstable; urgency=high * Non-maintainer upload.
signature.asc
Description: This is a digitally signed message part