Your message dated Tue, 29 May 2012 09:02:28 +0000
with message-id <e1szijw-0002uy...@franck.debian.org>
and subject line Bug#674715: fixed in arpwatch 2.1a15-1.2
has caused the Debian Bug report #674715,
regarding CVE-2012-2653: initgroups() adds gid 0 to the group list
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
674715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674715
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: arpwatch
Version: 2.1a15-1.1
Severity: critical
Tags: security
Justification: root security hole

Hi,

as reported on oss-sec
(http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch
added to arpwatch to drop privileges in fact adds the gid 0 (root) group
to the group list. This has been allocated CVE-2012-2653.

Can you prepare updates fixing this (using pw->pw_gid in the call) or
should the security team do it?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
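The defect in the report above is easy to reproduce without touching arpwatch: initgroups(3) installs, as the supplementary group list, every group the named user belongs to plus the gid passed as its second argument, and getgrouplist(3) computes that same list without needing any privilege. The following is an added example, not code from arpwatch or Debian; it shows the list initgroups(user, 0) would install next to the list initgroups(user, pw->pw_gid) would install, and a privilege-drop routine that verifies the result rather than trusting it. It assumes an ordinary system account named nobody, daemon or bin exists (it tries each), and the function names (would_grant_root_group, drop_privileges, find_unprivileged_user) are this example's own.

```c
/*
 * Added example for CVE-2012-2653; not arpwatch or Debian code.
 *
 * The arpwatch privilege-drop patch called initgroups(pw->pw_name, 0).
 * initgroups(3) installs the user's group-database memberships PLUS the
 * gid given as its second argument, so 0 adds root's group instead of
 * dropping it. The fix is initgroups(pw->pw_name, pw->pw_gid).
 * getgrouplist(3) computes that list without privilege, so the effect
 * can be shown and tested as a normal user.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* 1 if gid g appears in groups[0..n-1], else 0. */
int groups_contain(const gid_t *groups, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == g)
            return 1;
    return 0;
}

/* The list initgroups(user, extra) would install, without installing it.
 * Returns the count, or -1 if it would not fit in cap entries. */
int computed_group_list(const char *user, gid_t extra, gid_t *out, int cap)
{
    int n = cap;
    if (getgrouplist(user, extra, out, &n) == -1)
        return -1;
    return n;
}

/* Would initgroups(user, extra) put gid 0 in the list? 1/0, -1 on error. */
int would_grant_root_group(const char *user, gid_t extra)
{
    gid_t groups[MAX_GROUPS];
    int n = computed_group_list(user, extra, groups, MAX_GROUPS);
    if (n < 0)
        return -1;
    return groups_contain(groups, n, 0);
}

/* Correct drop (needs root): groups and primary gid first, while we may
 * still set them, then the uid; then verify no gid 0 remains and uid 0
 * cannot be regained. 0 on success, -1 with errno set. */
int drop_privileges(const struct passwd *pw)
{
    gid_t groups[MAX_GROUPS];
    int n;

    if (initgroups(pw->pw_name, pw->pw_gid) != 0)  /* pw_gid, never 0 */
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    n = getgroups(MAX_GROUPS, groups);
    if (n < 0 || groups_contain(groups, n, 0) ||
        (pw->pw_uid != 0 && setuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Pick a system account to demonstrate with (assumption: one of these
 * exists). Copies name and gid out because getpwnam() uses a static
 * buffer, and requires a baseline list without gid 0. 1 if found. */
int find_unprivileged_user(char *name, size_t len, gid_t *gid)
{
    const char *candidates[] = { "nobody", "daemon", "bin" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        struct passwd *pw = getpwnam(candidates[i]);
        if (!pw || pw->pw_uid == 0 || pw->pw_gid == 0)
            continue;
        snprintf(name, len, "%s", pw->pw_name);
        *gid = pw->pw_gid;
        if (would_grant_root_group(name, *gid) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    char name[64];
    gid_t gid;

    if (!find_unprivileged_user(name, sizeof name, &gid)) {
        fputs("no suitable unprivileged account found\n", stderr);
        return 1;
    }
    printf("initgroups(\"%s\", 0)  -> gid 0 in list: %s\n", name,
           would_grant_root_group(name, 0) ? "yes (CVE-2012-2653)" : "no");
    printf("initgroups(\"%s\", %u) -> gid 0 in list: %s\n", name,
           (unsigned)gid, would_grant_root_group(name, gid) ? "yes" : "no");

    if (geteuid() == 0) {  /* the real drop only works as root */
        struct passwd *pw = getpwnam(name);
        if (!pw || drop_privileges(pw) != 0) {
            perror("drop_privileges");
            return 1;
        }
        printf("dropped to uid %u with a clean group list\n",
               (unsigned)getuid());
    }
    return 0;
}
```

Run it as a normal user to see the two computed lists; run it as root to exercise drop_privileges, which refuses to report success if getgroups(2) still shows gid 0 or setuid(0) still succeeds. That post-drop check is what would have caught the original patch: the supplementary list is the one part of a privilege drop that is easy to get wrong and easy to verify.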
--- Begin Message ---
Source: arpwatch
Source-Version: 2.1a15-1.2

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive:

arpwatch_2.1a15-1.2.diff.gz
  to main/a/arpwatch/arpwatch_2.1a15-1.2.diff.gz
arpwatch_2.1a15-1.2.dsc
  to main/a/arpwatch/arpwatch_2.1a15-1.2.dsc
arpwatch_2.1a15-1.2_amd64.deb
  to main/a/arpwatch/arpwatch_2.1a15-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 May 2012 09:20:52 +0200
Source: arpwatch
Binary: arpwatch
Architecture: source amd64
Version: 2.1a15-1.2
Distribution: unstable
Urgency: high
Maintainer: KELEMEN Péter <f...@debian.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description: 
 arpwatch   - Ethernet/FDDI station activity monitor
Closes: 674715
Changes: 
 arpwatch (2.1a15-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
     privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715
   * debian/rules:
     - enable hardening flags.
   * Makefile.in: add LDFLAGS support.
Checksums-Sha1: 
 a99f51eb621a0dbcb1d0a7b36cfa650c52b50d0d 1714 arpwatch_2.1a15-1.2.dsc
 81b57ead3e4a3d4a8c10678109dfe8e4c03c7a02 147856 arpwatch_2.1a15-1.2.diff.gz
 24ba4127de1801e3d24523babb7064e06c11c7dc 193364 arpwatch_2.1a15-1.2_amd64.deb
Checksums-Sha256: 
 9785e1f5ecbde302e8683cbc339aa04d452d3cbf20bd35bd06ed7fff9150ff78 1714 arpwatch_2.1a15-1.2.dsc
 43fa24105594e0886aaa571d3ca2cc6a5c07d540b0b134d2b5923c688cc2a8f6 147856 arpwatch_2.1a15-1.2.diff.gz
 8965e768c5de971c58335c9508b0cdbb24714a9c72fa4757d569aa4f21571a79 193364 arpwatch_2.1a15-1.2_amd64.deb
Files: 
 628e8c1445bc87dac730fe74c344e246 1714 admin optional arpwatch_2.1a15-1.2.dsc
 ea6ac9531289f04219349d0faca7cde5 147856 admin optional arpwatch_2.1a15-1.2.diff.gz
 5459c8eba786e6ae3edaa3dcad3f977f 193364 admin optional arpwatch_2.1a15-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---