Your message dated Mon, 04 Jun 2012 20:47:14 +0000
with message-id <e1sbebg-0001dm...@franck.debian.org>
and subject line Bug#674715: fixed in arpwatch 2.1a15-1.1+squeeze1
has caused the Debian Bug report #674715,
regarding CVE-2012-2653: initgroups() adds gid 0 to the group list
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
674715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674715
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: arpwatch
Version: 2.1a15-1.1
Severity: critical
Tags: security
Justification: root security hole

Hi,

as reported on oss-sec
(http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch
added to arpwatch to drop privileges in fact adds the gid 0 (root) group
to the group list. This has been allocated CVE-2012-2653.

Can you prepare updates fixing this (using pw->pw_gid in the call) or
should the security team do it?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
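Added example, not arpwatch's code: it shows why a privilege drop built on initgroups() hands the process gid 0 when 0 is passed as the base gid, and the shape of the fix the report asks for (pass pw->pw_gid). That the faulty call used the literal 0 is inferred from the proposed fix; the functions supplementary_has_gid, current_user_name and drop_privileges are hypothetical names chosen here, and getgrouplist() is used because it builds the same list initgroups() would install without needing root.

```c
#define _GNU_SOURCE             /* glibc: exposes getgrouplist() in <grp.h> */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>
/* Restated so the example builds even if <grp.h> was first seen without _GNU_SOURCE. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Returns 1 if the supplementary list initgroups(user, basegid) would install
 * contains `needle`, 0 if not, -1 on error. getgrouplist() computes that same
 * list without privilege; basegid is always in it, which is exactly why
 * initgroups(name, 0) leaves gid 0 behind after the uid/gid switch. */
int supplementary_has_gid(const char *user, gid_t basegid, gid_t needle)
{
    int n = 64, found = 0;               /* n: initial guess, grown on demand */
    gid_t *groups = calloc((size_t)n, sizeof *groups);
    if (groups == NULL)
        return -1;
    if (getgrouplist(user, basegid, groups, &n) == -1) {
        /* n now holds the required size: retry once with a larger buffer */
        gid_t *bigger = realloc(groups, (size_t)n * sizeof *groups);
        if (bigger == NULL || getgrouplist(user, basegid, bigger, &n) == -1) {
            free(bigger ? bigger : groups);
            return -1;
        }
        groups = bigger;
    }
    for (int i = 0; i < n; i++)
        found |= (groups[i] == needle);
    free(groups);
    return found;
}

/* Invoking account's name for the self-check; "root" if the uid has no passwd entry. */
const char *current_user_name(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : "root";
}

/* Corrected drop: base gid is the account's own primary group, never the literal 0. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;                       /* faulty form was initgroups(name, 0) */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Regaining root must now fail; if it does not, the drop was incomplete. */
    return (setuid(0) == -1 && getuid() == pw->pw_uid) ? 0 : -1;
}
```

drop_privileges() itself needs root to do anything, so the check function is what to run unprivileged: with base gid 0 it reports gid 0 present for any account, with pw->pw_gid it reports only what the group database actually grants.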
--- Begin Message ---
Source: arpwatch
Source-Version: 2.1a15-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive:

arpwatch_2.1a15-1.1+squeeze1.diff.gz
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1.diff.gz
arpwatch_2.1a15-1.1+squeeze1.dsc
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1.dsc
arpwatch_2.1a15-1.1+squeeze1_amd64.deb
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sat, 26 May 2012 23:53:19 +0200
Source: arpwatch
Binary: arpwatch
Architecture: source amd64
Version: 2.1a15-1.1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: KELEMEN Péter <f...@debian.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description: 
 arpwatch   - Ethernet/FDDI station activity monitor
Closes: 674715
Changes: 
 arpwatch (2.1a15-1.1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
     privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715


--- End Message ---
