Your message dated Thu, 17 Apr 2008 14:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#475227: fixed in audit 1.5.3-2+lenny1
has caused the Debian Bug report #475227,
regarding auditd: CVE-2008-1628 buffer overflow in audit_log_user_command 
function might lead to code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
475227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475227
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: auditd
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for auditd.


CVE-2008-1628[0]:
| Stack-based buffer overflow in the audit_log_user_command function in
| lib/audit_logging.c in Linux Audit before 1.7 might allow remote
| attackers to execute arbitrary code via a long command argument.
| NOTE: some of these details are obtained from third party information.

In the audit_log_user_command function the command line 
passed to the kernel for example if the command is used via 
sudo is copied via strcpy into a buffer without any bounds 
checking and leads to stack corruption.

Patch:
--- audit_logging.c     2007-04-09 23:50:01.000000000 +0200
+++ audit_logging.c.new 2008-04-09 19:35:21.000000000 +0200
@@ -607,7 +607,11 @@
        }
 
        p = cmd;
-       strcpy(commname, cmd);
+       if (len >= PATH_MAX) {
+               cmd[PATH_MAX] = 0;
+               len = PATH_MAX-1;
+       }
+
        while (*p) {
                if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
                        _audit_c2x(commname, cmd, len);



If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1628
    http://security-tracker.debian.net/tracker/CVE-2008-1628

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp9MR4VXc1lM.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: audit
Source-Version: 1.5.3-2+lenny1

We believe that the bug you reported is fixed in the latest version of
audit, which is due to be installed in the Debian FTP archive:

audit_1.5.3-2+lenny1.diff.gz
  to pool/main/a/audit/audit_1.5.3-2+lenny1.diff.gz
audit_1.5.3-2+lenny1.dsc
  to pool/main/a/audit/audit_1.5.3-2+lenny1.dsc
auditd_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/auditd_1.5.3-2+lenny1_amd64.deb
libaudit-dev_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/libaudit-dev_1.5.3-2+lenny1_amd64.deb
libaudit0_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/libaudit0_1.5.3-2+lenny1_amd64.deb
python-audit_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/python-audit_1.5.3-2+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated audit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Apr 2008 15:06:25 +0200
Source: audit
Binary: auditd libaudit0 libaudit-dev python-audit
Architecture: source amd64
Version: 1.5.3-2+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Philipp Matthias Hahn <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 auditd     - User space tools for security auditing
 libaudit-dev - Header files and static library for security auditing
 libaudit0  - Dynamic library for security auditing
 python-audit - Python bindings for security auditing
Closes: 475227
Changes: 
 audit (1.5.3-2+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Added CVE-2008-1628.patch to fix a stack-based buffer overflow
     in the audit_log_user_command function which can be triggered via
     a command argument that is passed to that function and might lead
     to execution of arbitrary code (Closes: #475227).
Files: 
 130bb5a49ced5762b58a45a89cc39aea 808 libs extra audit_1.5.3-2+lenny1.dsc
 e94acafeb5fe8cf581b013ee5f02d95c 293566 libs extra audit_1.5.3.orig.tar.gz
 9bdf1947af741730452464f3a90e02f1 6414 libs extra audit_1.5.3-2+lenny1.diff.gz
 aadb3085520ab06278c17ca200c4e8f7 230592 admin extra 
auditd_1.5.3-2+lenny1_amd64.deb
 e73fa310bd3ae988dd28762010548081 52844 libs extra 
libaudit0_1.5.3-2+lenny1_amd64.deb
 a83e25888b2222e7ea47215499b6c786 93728 libdevel extra 
libaudit-dev_1.5.3-2+lenny1_amd64.deb
 2acd5ff055d84adf018e4014981fd104 58084 python extra 
python-audit_1.5.3-2+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIBmfyHYflSXNkfP8RAuwDAJ9jcY080nzcGFgfEAVWcPvDPHXPTwCgr1eM
wy0425rdOZf3P5wEQRGQP/4=
=BzcS
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to