Your message dated Sun, 12 Jun 2005 16:53:37 +1000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#303300: and woody?
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Apr 2005 21:56:10 +0000
>From [EMAIL PROTECTED] Tue Apr 05 14:56:10 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DIw1q-0004Mg-00; Tue, 05 Apr 2005 14:56:10 -0700
Received: from dragon.kitenet.net (unknown [66.168.94.177])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id B672E18006
for <[EMAIL PROTECTED]>; Tue, 5 Apr 2005 21:56:08 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 762166E28F; Tue, 5 Apr 2005 17:59:06 -0400 (EDT)
Date: Tue, 5 Apr 2005 17:59:05 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: file permissions modification race (CAN-2005-0953)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="FL5UXtIhxfXey3p5"
Content-Disposition: inline
X-Reportbug-Version: 3.9
User-Agent: Mutt/1.5.8i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--FL5UXtIhxfXey3p5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: bzip2
Version: 1.0.2-5
Severity: normal
Tags: security
According to
http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D111229375217633&w=3D2:
If a malicious local user has write access to a directory in which a
target user is using bzip2 to extract or compress a file to then a
TOCTOU bug can be exploited to change the permission of any file
belonging to that user.
On decompressing bzip2 copies the permissions from the compressed
bzip2 file to the
uncompressed file. However there is a gap between the uncompressed
file being written (and it's file handler being close) and the
permissions of the file being changed.
During this gap a malicious user can remove the decompressed file and
replace it with a hard-link to another file belonging to the user.
bzip2 will then change the permissions on the hard-linked file to be
the same as that of the bzip2 file.
This is a low impact security hole as it requires a local user to
exploit a race, and bzip2 must be run in a directory that the attacker
can write to (and +t directories probably don't work), and all you
can do is change a file permissions.=20
If you fix this hole, please refer to CAN-2005-0953 in your changelog.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)
Versions of packages bzip2 depends on:
ii libbz2-1.0 1.0.2-5 high-quality block-sorting fil=
e co
ii libc6 2.3.2.ds1-20 GNU C Library: Shared librarie=
s an
-- no debconf information
--=20
see shy jo
--FL5UXtIhxfXey3p5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCUwopd8HHehbQuO8RAhnfAJ4g7Eg/vVwNZ5QglR3Hj0pjCLv2EwCgoHNl
n+iQxlNnoMWQaieV69NZ9UU=
=/2Yv
-----END PGP SIGNATURE-----
--FL5UXtIhxfXey3p5--
---------------------------------------
Received: (at 303300-done) by bugs.debian.org; 12 Jun 2005 06:53:40 +0000
>From [EMAIL PROTECTED] Sat Jun 11 23:53:40 2005
Return-path: <[EMAIL PROTECTED]>
Received: from cpe-138-217-160-143.vic.bigpond.net.au (nukak.apana.org.au)
[138.217.160.143]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DhMLj-0001Vz-00; Sat, 11 Jun 2005 23:53:39 -0700
Received: by nukak.apana.org.au (Postfix, from userid 1000)
id 58E7F68428F; Sun, 12 Jun 2005 16:53:37 +1000 (EST)
Date: Sun, 12 Jun 2005 16:53:37 +1000
From: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Helge Kreutzmann <[EMAIL PROTECTED]>
Subject: Re: Bug#303300: and woody?
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="fckbADODYWZD5TdN"
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--fckbADODYWZD5TdN
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, May 20, 2005 at 07:10:57PM +0200, Helge Kreutzmann wrote:
>reopen 303300
>tags =3D security, woody
>thanks
Thanks Helge. Your contribution is very much appreciated.
>I find no traces on http://www.nl.debian.org/security/nonvulns-woody.
Maybe you should ask the debian-security mailing list.
>Btw. http://lwn.net/Articles/136284/ also talks about CAN-2005-1260,
>but there is no info yet. Please check how they relate.
This is fixed with bzip2 1.0.2-1.woody3 available at:
http://people.debian.org/~anibal/debian/bzip2/
>Greetings
>
> Helge
>--=20
>Dr. Helge Kreutzmann, Dipl.-Phys. [EMAIL PROTECTED]
ver.de
> gpg signed mail preferred=20
> 64bit GNU powered http://www.itp.uni-hannover.de/~kre=
utzm
> Help keep free software "libre": http://www.ffii.de/
The fix for #303300 is in 1.0.2-1.woody2. The version before
1.0.2-1.woody2 is 1.0.2-1.1 which actually closed #303300 for
woody.
More information about the recent fixes for bzip2 in woody is in
the following mail thread:
http://lists.debian.org/debian-security/2005/06/msg00029.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 26 May 2005 13:57:17 +0200
Source: bzip2
Binary: libbz2-dev bzip2 libbz2-1.0
Architecture: source i386
Version: 1.0.2-1.woody2
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <[EMAIL PROTECTED]>
Changed-By: Martin Schulze <[EMAIL PROTECTED]>
Description:=20
bzip2 - A high-quality block-sorting file compressor - utilities
libbz2-1.0 - A high-quality block-sorting file compressor library - runtime
libbz2-dev - A high-quality block-sorting file compressor library - develo=
pmen
Changes:=20
bzip2 (1.0.2-1.woody2) stable-security; urgency=3Dhigh
.
* Non-maintainer upload by the Security Team
* No changes rebuild because maintainer prevented distribution of
security fix, thanks a lot!
Files:=20
096bfd852f8d33c3e14d3988982a1569 577 utils optional bzip2_1.0.2-1.woody2.d=
sc
edf89c2f7477c6bf7c326cd498c93cf6 8674 utils optional bzip2_1.0.2-1.woody2.=
diff.gz
c96ec29b510971a9f1043c68055643dc 35610 libs optional libbz2-1.0_1.0.2-1.wo=
ody2_i386.deb
da5e7f1f21027869052f17ac01fd5a44 28286 devel optional libbz2-dev_1.0.2-1.w=
oody2_i386.deb
644eab4e2e3ca86af9712bf4965b4d08 228718 utils optional bzip2_1.0.2-1.woody=
2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFClbpQW5ql+IAeqTIRAkPxAJ9AbEfAO3v8nfFf2Qbue8OH62Fj6QCfQoxY
+iNlZegqy8yMw9c8vy554h0=3D
=3DMXxZ
-----END PGP SIGNATURE-----
Accepted:
bzip2_1.0.2-1.woody2.diff.gz
to pool/main/b/bzip2/bzip2_1.0.2-1.woody2.diff.gz
bzip2_1.0.2-1.woody2.dsc
to pool/main/b/bzip2/bzip2_1.0.2-1.woody2.dsc
bzip2_1.0.2-1.woody2_i386.deb
to pool/main/b/bzip2/bzip2_1.0.2-1.woody2_i386.deb
libbz2-1.0_1.0.2-1.woody2_i386.deb
to pool/main/b/bzip2/libbz2-1.0_1.0.2-1.woody2_i386.deb
libbz2-dev_1.0.2-1.woody2_i386.deb
to pool/main/b/bzip2/libbz2-dev_1.0.2-1.woody2_i386.deb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 23 May 2005 18:31:01 +1000
Source: bzip2
Binary: libbz2-dev bzip2 libbz2-1.0
Architecture: source i386
Version: 1.0.2-1.1
Distribution: stable
Urgency: medium
Maintainer: Philippe Troin <[EMAIL PROTECTED]>
Changed-By: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Description:=20
bzip2 - A high-quality block-sorting file compressor - utilities
libbz2-1.0 - A high-quality block-sorting file compressor library - runtime
libbz2-dev - A high-quality block-sorting file compressor library - develo=
pmen
Closes: 303300
Changes:=20
bzip2 (1.0.2-1.1) stable; urgency=3Dmedium
.
* Fixed RC bug "file permissions modification race (CAN-2005-0953)", clo=
ses:
#303300. Patch by Santiago Ruano Rincon <[EMAIL PROTECTED]>.
Original patch available at
http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D111352423504277&w=3D2
Files:=20
579849cc71ee9fe0eff9624ea44c821d 567 utils optional bzip2_1.0.2-1.1.dsc
55d252cc8e7f6521563318eec4c0b1e4 8828 utils optional bzip2_1.0.2-1.1.diff.=
gz
2c1cc471e38fbd1ce10983e1d4baca6a 35558 libs optional libbz2-1.0_1.0.2-1.1_=
i386.deb
01c86a8be105c8796401f1c57f943772 28290 devel optional libbz2-dev_1.0.2-1.1=
_i386.deb
9883b8172fd5b69e861e9c7b2840f10c 228734 utils optional bzip2_1.0.2-1.1_i38=
6.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCkaGjgY5NIXPNpFURAgJEAJ0QFb+RzkBVt5WvguVJyo94Bb84kACaAgEQ
3m0BbBGwE9LkZJO5kXA+f/Q=3D
=3Ddu/r
-----END PGP SIGNATURE-----
Accepted:
bzip2_1.0.2-1.1.diff.gz
to pool/main/b/bzip2/bzip2_1.0.2-1.1.diff.gz
bzip2_1.0.2-1.1.dsc
to pool/main/b/bzip2/bzip2_1.0.2-1.1.dsc
bzip2_1.0.2-1.1_i386.deb
to pool/main/b/bzip2/bzip2_1.0.2-1.1_i386.deb
libbz2-1.0_1.0.2-1.1_i386.deb
to pool/main/b/bzip2/libbz2-1.0_1.0.2-1.1_i386.deb
libbz2-dev_1.0.2-1.1_i386.deb
to pool/main/b/bzip2/libbz2-dev_1.0.2-1.1_i386.deb
Anibal Monsalve Salazar
--
.''`. Debian GNU/Linux
: :' : Free Operating System
`. `' http://debian.org/
`- http://v7w.com/anibal
--fckbADODYWZD5TdN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCq9vxgY5NIXPNpFURAhcQAJ4uuxPm3LHHjMw5SepP+TkaZkF8ugCdFy6T
s6Cw+kpUxmRZCOn3nfPNVZU=
=CEa/
-----END PGP SIGNATURE-----
--fckbADODYWZD5TdN--
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
