Your message dated Sat, 28 Jan 2017 18:25:58 +0000
with message-id <[email protected]>
and subject line Re: Bug#852990: unblock: s-nail/14.8.16-1
has caused the Debian Bug report #852990,
regarding unblock: s-nail/14.8.16-1
to be marked as done.
--
852990: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852990
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi
Please unblock package s-nail
The upload to unstable with a new upstream version (but only
containing the changes to fix this issue) addresses #852934, a local
root privilege escalation.
Details were posted at
http://www.openwall.com/lists/oss-security/2017/01/27/7
>s-nail (14.8.16-1) unstable; urgency=medium
>
> * New upstream version 14.8.16
> - Fixes local root privilege escalation (Closes: #852934)
>
> -- Hilko Bengen <[email protected]> Sat, 28 Jan 2017 12:32:17 +0100
I'm attaching the debdiff from the current version in unstable. The
previous version should have migrated to testing in time before the
release. But I can as well attach the debdiff to that version if
needed.
unblock s-nail/14.8.16-1
Regards,
Salvatore
diff -Nru s-nail-14.8.15/debian/changelog s-nail-14.8.16/debian/changelog
--- s-nail-14.8.15/debian/changelog 2017-01-19 16:40:01.000000000 +0100
+++ s-nail-14.8.16/debian/changelog 2017-01-28 12:32:17.000000000 +0100
@@ -1,3 +1,10 @@
+s-nail (14.8.16-1) unstable; urgency=medium
+
+ * New upstream version 14.8.16
+ - Fixes local root privilege escalation (Closes: #852934)
+
+ -- Hilko Bengen <[email protected]> Sat, 28 Jan 2017 12:32:17 +0100
+
s-nail (14.8.15-1) unstable; urgency=medium
* New upstream version 14.8.15
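Review bot: `urgency=medium` on the new 14.8.16-1 entry does not match the entry's own description of the change as a fix for a local root privilege escalation. Since the urgency field drives the default testing migration delay, `urgency=high` would fit a security-only upload better than relying on a manual aging request.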
diff -Nru s-nail-14.8.15/nail.1 s-nail-14.8.16/nail.1
--- s-nail-14.8.15/nail.1 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/nail.1 2017-01-27 21:33:45.000000000 +0100
@@ -34,9 +34,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\"@ S-nail(1): v14.8.15 / 2017-01-17
-.Dd Jan 17, 2017
-.ds VV \\%v14.8.15
+.\"@ S-nail(1): v14.8.16 / 2017-01-27
+.Dd Jan 27, 2017
+.ds VV \\%v14.8.16
.\"--MKMAN-START--
.ds UU \\%S-NAIL
.ds UA \\%S-nail
diff -Nru s-nail-14.8.15/nail.rc s-nail-14.8.16/nail.rc
--- s-nail-14.8.15/nail.rc 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/nail.rc 2017-01-27 21:33:45.000000000 +0100
@@ -1,7 +1,7 @@
#--MKRC-START--
# /etc/s-nail.rc - configuration file for S-nail(1)
#--MKRC-END--
-#@ S-nail(1): v14.8.15 / 2017-01-17
+#@ S-nail(1): v14.8.16 / 2017-01-27
## The standard POSIX 2008/Cor 1-2013 mandates the following initial settings:
# (Keep in sync: ./main.c:_startup(), ./nail.rc, ./nail.1:"Initial settings"!)
diff -Nru s-nail-14.8.15/NEWS s-nail-14.8.16/NEWS
--- s-nail-14.8.15/NEWS 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/NEWS 2017-01-27 21:33:45.000000000 +0100
@@ -1,6 +1,28 @@
S - n a i l N e w s
====================
+v14.8.16 ("Copris lunaris"), 2017-01-27
+---------------------------------------
+
+Fixes an at least theoretical security vulnerability of the
+privilege-separated child, which does not strip path separators
+from arguments.
+
+It thus can be forced (by a local attacker) to create an exclusive
+file for a very short time -- if that happens to be in a PolicyKit
+directory, and if the supervising program is capable to inject
+some PolicyKit directives, and if PolicyKit reads those directives
+before the file is unlink(2)ed again (after an fchown(2) followed
+by link(2)), then the written directives could force PolicyKit to
+do bad things.
+
+Anyway inotifyd hooks could be triggered when they shouldn't.
+Sorry.
+
+Thanks to wapiflapi for reporting this issue!
+
+We welcome wapiflapi in THANKS!
+
v14.8.15 ("Scarabaeus sacer"), 2017-01-17
-----------------------------------------
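Review bot: The v14.8.16 entry says the child "does not strip path separators from arguments" without naming which arguments; the privsep.c change in this same diff touches only the values following "hostname" and "randstr", so the entry should say so. The wording "at least theoretical" also sits next to a Debian changelog line that calls the same issue a local root privilege escalation, and readers deciding whether to upgrade would be better served by one consistent severity statement.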
diff -Nru s-nail-14.8.15/privsep.c s-nail-14.8.16/privsep.c
--- s-nail-14.8.15/privsep.c 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/privsep.c 2017-01-27 21:33:45.000000000 +0100
@@ -44,6 +44,7 @@
int
main(int argc, char **argv)
{
+ char hostbuf[64];
struct dotlock_info di;
struct stat stb;
sigset_t nset, oset;
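Review bot: `char hostbuf[64];` uses a bare constant with no comment on where 64 comes from. The sanitizing loop added later in this file silently truncates to fit this buffer, and `_POSIX_HOST_NAME_MAX` is 255, so a named constant or a short comment stating the intended limit would make the truncation a visible design decision rather than a side effect.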
@@ -58,6 +59,7 @@
strcmp(argv[ 4], "name") ||
strcmp(argv[ 6], "hostname") ||
strcmp(argv[ 8], "randstr") ||
+ strchr(argv[ 9], '/') != NULL /* Seal path injection vector */ ||
strcmp(argv[10], "pollmsecs") ||
fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) ||
fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)) {
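Review bot: The added `strchr(argv[ 9], '/') != NULL` test lets an empty randstr through, because `strchr` on an empty string returns NULL, while the hostname handling added further down rejects an empty result via `goto jeuse`. If an empty random string is not meaningful here, add `argv[9][0] == '\0'` to this condition. The two values are also handled by different policies (randstr is rejected, hostname is rewritten), and a one-line comment giving the reason would help the next reader.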
@@ -70,6 +72,21 @@
" fewest lines of code in order to reduce attack surface.\n"
" It cannot be run by itself.\n");
exit(EXIT_USE);
+ }else{
+ /* Prevent one more path injection attack vector, but be friendly */
+ char const *ccp;
+ size_t i;
+ char *cp, c;
+
+ for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){
+ *cp = (c == '/' ? '_' : c);
+ if(++i == sizeof(hostbuf) -1)
+ break;
+ }
+ *cp = '\0';
+ if(cp == hostbuf)
+ goto jeuse;
+ argv[7] = hostbuf;
}
di.di_file_name = argv[3];
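Review bot: The truncation path of the copy loop drops one character more than it needs to: `break` skips the `++cp, ++ccp` step, so `cp` still points at the byte just written and `*cp = '\0'` overwrites it. Any hostname argument of 63 or more characters therefore ends up 62 characters long, including a 63-character value that would have fit in `hostbuf`. There is no overflow, but moving the length test into the loop condition (for example `i < sizeof(hostbuf) - 1`) would keep that last character. Separately, mapping `/` to `_` means two different hostname arguments can produce the same sanitized value; if that is acceptable, the "be friendly" comment should say so.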
diff -Nru s-nail-14.8.15/THANKS s-nail-14.8.16/THANKS
--- s-nail-14.8.15/THANKS 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/THANKS 2017-01-27 21:33:45.000000000 +0100
@@ -55,6 +55,7 @@
Tim trondd at kagu-tsuchi dot com
Gavin Troy gavtroy at fastmail dot fm
Paul Vojta vojta at math dot berkeley dot edu
+wapiflapi wapiflapi at yahoo dot fr
William Yodlowsky william at OpenBSD dot org
Ypnose ypnx at mailoo dot org
diff -Nru s-nail-14.8.15/version.h s-nail-14.8.16/version.h
--- s-nail-14.8.15/version.h 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/version.h 2017-01-27 21:33:45.000000000 +0100
@@ -1,4 +1,4 @@
-#define VERSION "v14.8.15"
+#define VERSION "v14.8.16"
#define VERSION_MAJOR "14"
#define VERSION_MINOR "8"
-#define VERSION_UPDATE "15"
+#define VERSION_UPDATE "16"
--- End Message ---
--- Begin Message ---
Hi,
On Sat, Jan 28, 2017 at 07:03:15PM +0100, Salvatore Bonaccorso wrote:
> Please unblock package s-nail
>
> The upload to unstable with a new upstream version (but only
> containing the changes to fix this issue) addresses #852934, a local
> root privilege escalation.
Aged to two days instead, given the context.
Thanks,
--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---