On sam., 2012-05-26 at 23:57 +0200, Yves-Alexis Perez wrote:
> Package: arpwatch
> Version: 2.1a15-1.1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> Hi,
> 
> as reported on oss-sec
> (http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch
> added to arpwatch to drop privileges in fact adds the gid 0 (root) group
> to the group list. This has been allocated CVE-2012-2653.
> 
> Can you prepare updates fixing this (using pw->pw_gid in the call) or
> should the security team do it?
> 
I've uploaded the attached debdiff to DELAYED/2 and will upload the fix
(but without the hardening part) to stable soon.

Note that the arpwatch package seems to be in a really bad state; if you don't
have time for it or don't care about it anymore, you should orphan it.

Regards,
-- 
Yves-Alexis
Differences in arpwatch between 2.1a15-1.1 and 2.1a15-1.2
diff -u arpwatch-2.1a15/Makefile.in arpwatch-2.1a15/Makefile.in
--- arpwatch-2.1a15/Makefile.in
+++ arpwatch-2.1a15/Makefile.in
@@ -51,6 +51,7 @@
 
 # Standard CFLAGS
 CFLAGS = $(CCOPT) $(DEFS) $(INCLS)
+LDFLAGS = @LDFLAGS@
 
 # Standard LIBS
 LIBS = @LIBS@
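Review bot: The added `LDFLAGS = @LDFLAGS@` is the only configure-substituted variable in this block without the section comment its neighbours carry (`# Standard CFLAGS`, `# Standard LIBS`). Adding `# Standard LDFLAGS (substituted by configure)` above it keeps the three variables reading alike and records that the value comes from configure rather than from the environment. The link rules in the two later hunks of this file consume `$(LDFLAGS)` consistently, so nothing else needs to change there.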
@@ -97,11 +98,11 @@
 
 arpwatch: $(WOBJ) @V_PCAPDEP@
 	@rm -f $@
-	$(CC) $(CFLAGS) -o $@ $(WOBJ) $(LIBS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(WOBJ) $(LIBS)
 
 arpsnmp: $(SOBJ)
 	@rm -f $@
-	$(CC) $(CFLAGS) -o $@ $(SOBJ) $(SLIBS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SOBJ) $(SLIBS)
 
 version.o: version.c
 version.c: $(srcdir)/VERSION
@@ -109,7 +110,7 @@
 	sed -e 's/.*/char version[] = "&";/' $(srcdir)/VERSION > $(srcdir)/$@
 
 zap: zap.o intoa.o
-	$(CC) $(CFLAGS) -o $@ zap.o intoa.o -lutil
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ zap.o intoa.o -lutil
 
 install: force
 	$(INSTALL) -m 555 -o bin -g bin arpwatch $(DESTDIR)$(BINDEST)
diff -u arpwatch-2.1a15/arpwatch.c arpwatch-2.1a15/arpwatch.c
--- arpwatch-2.1a15/arpwatch.c
+++ arpwatch-2.1a15/arpwatch.c
@@ -153,7 +153,7 @@
        struct passwd* pw;
        pw = getpwnam( user );
        if ( pw ) {
-               if ( initgroups(pw->pw_name, 0) != 0 || setgid(pw->pw_gid) != 0 ||
+               if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
                        setuid(pw->pw_uid) != 0 ) {
                        syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,pw->pw_uid, pw->pw_gid);
                        exit(1);
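Review bot: The corrected `initgroups(pw->pw_name, pw->pw_gid)` deserves a comment stating why the second argument matters, since the meaning of that parameter (a group appended to the supplementary list) is easy to misread and the previous literal 0 is exactly what CVE-2012-2653 was about: `/* 2nd arg is appended to the group list; 0 kept root's group (CVE-2012-2653) */`. A cheap defence-in-depth check after the three calls succeed would make any regression of this kind fail loudly at runtime instead of silently retaining privilege: `if (setuid(0) == 0) { syslog(LOG_ERR, "privilege drop did not stick"); exit(1); }`. The error path still formats `pw->pw_uid`/`pw->pw_gid` with `%d`, which is pre-existing and only cosmetic here. The enclosing function starts before this hunk and continues past it, so the `else` branch for a missing user is not visible.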
diff -u arpwatch-2.1a15/debian/rules arpwatch-2.1a15/debian/rules
--- arpwatch-2.1a15/debian/rules
+++ arpwatch-2.1a15/debian/rules
@@ -21,6 +21,10 @@
 endif
 
 
+CFLAGS=$(shell dpkg-buildflags --get CPPFLAGS)
+CFLAGS+=$(shell dpkg-buildflags --get CFLAGS)
+LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
+LDFLAGS+=-Wl,-z,defs
 
 config.status: configure
 	dh_testdir
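Review bot: `CFLAGS=$(shell dpkg-buildflags --get CPPFLAGS)` and `LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)` use recursively-expanded `=`, so each `$(shell dpkg-buildflags …)` is re-run every time the variable is expanded (the following `+=` lines inherit that flavour); `CFLAGS := $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --get CFLAGS)` and `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) -Wl,-z,defs` evaluate once and are otherwise equivalent. The unconditional `CFLAGS=` assignment sits directly after an `endif` whose block lies outside the hunk; if that block set `CFLAGS` (for example from `DEB_BUILD_OPTIONS`), it is now overwritten and dead, which is worth confirming or removing. Folding CPPFLAGS into CFLAGS is presumably because the upstream configure/Makefile.in has no CPPFLAGS hook; a one-line comment saying so, `# CPPFLAGS folded into CFLAGS: upstream build has no separate CPPFLAGS`, would stop a later reader from "fixing" it. The second hunk of this file only forwards `$(LDFLAGS)` to configure and needs no change.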
@@ -31,7 +35,7 @@
 ifneq "$(wildcard /usr/share/misc/config.guess)" ""
 	cp -f /usr/share/misc/config.guess config.guess
 endif
-	./configure $(CROSS) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
+	./configure $(CROSS) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"
 
 
 build: build-stamp
diff -u arpwatch-2.1a15/debian/changelog arpwatch-2.1a15/debian/changelog
--- arpwatch-2.1a15/debian/changelog
+++ arpwatch-2.1a15/debian/changelog
@@ -1,3 +1,14 @@
+arpwatch (2.1a15-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
+    privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715
+  * debian/rules:
+    - enable hardening flags.
+  * Makefile.in: add LDFLAGS support.
+
+ -- Yves-Alexis Perez <cor...@debian.org>  Sun, 27 May 2012 09:20:52 +0200
+
 arpwatch (2.1a15-1.1) unstable; urgency=high
 
   * Non-maintainer upload.

Attachment: signature.asc
Description: This is a digitally signed message part
