Bug#665696: gosa-sync breaks on passwords containing spaces

2012-03-27 Thread Samuel Krempp

Steven Chamberlain wrote, on 27/03/2012 01:54:

Hi,

On 26/03/12 10:05, Petter Reinholdtsen wrote:

The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.


The fix won't work.  Using quotes in gosa.conf is no good if the
%userPassword substitution could contain double quotes.


Yes, the patch to gosa.conf I had first sent has to be reversed if GOsa 
is upgraded to escape userPassword (in functions.inc).
With such an escaped %userPassword the variable can be sent to the 
gosa-sync script untampered, then the only thing to do is make sure 
gosa-sync handles it correctly: re-quote it to be used in kadmin, 
because kadmin only uses double quotes.
Without that, it is possible, and fairly easy, for a user to exploit 
%userPassword to send any command to kadmin, run as root, which is a 
pretty big vulnerability at the moment.
That's why I had sent that patch to gosa-sync, which is the only thing 
to patch once GOsa's functions.inc is upgraded.
--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 
09:28:32.0 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync2012-03-26 
15:34:13.0 +0200
@@ -28,9 +28,10 @@
 $USERPASSWORD
 EOF
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
+EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because kadmin 
need to use  double quotes
 if [ "$IAM" = "dn:$USERDN" ] ; then
 cat > $TMPFILE <&1 | logger -t gosa-sync -p notice
 logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
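Review bot: the new `EUSERPASSWORD=` line computes the escaped password, but the line that is meant to consume it (the kadmin heredoc after `cat > $TMPFILE`) has been collapsed into the `logger` line in this copy, so it cannot be checked from the listing that the escaped value is the one wrapped in double quotes on the kadmin command line; when applying, confirm the heredoc uses "$EUSERPASSWORD" where it previously used $USERPASSWORD. Minor: `cat $TMPFILE | sed -e 's/"/""/g'` can be written `sed -e 's/"/""/g' "$TMPFILE"`, and $TMPFILE should be quoted on that line as well as on the `ldapwhoami -y $TMPFILE` line above it.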


Bug#665696: gosa-sync breaks on passwords containing spaces

2012-03-26 Thread Samuel Krempp

Petter Reinholdtsen wrote, on 26/03/2012 11:05:

The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.

When upgrading squeeze-test to the new version of debian-edu-config
with the new gosa.conf file, a conffile question is asked and both
options (keeping the old or upgrading to the new file) are wrong.

The old file have the password quoting issue and the correct LDAP
password, the new file have a fix for the password quoting issue but
lack the correct LDAP password.
Personally here I didn't take the time to upgrade GOsa, fearing other 
issues. But I did fix /usr/share/gosa/include/functions.inc with 
escapeshellarg($password), and then modified gosa-sync that needs 
specific escaping for kadmin:
--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 
09:28:32.0 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync2012-03-26 
15:34:13.0 +0200

@@ -28,9 +28,10 @@
 $USERPASSWORD
 EOF
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
+EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because 
kadmin need to use  double quotes

 if [ "$IAM" = "dn:$USERDN" ] ; then
 cat > $TMPFILE <&1 | logger -t gosa-sync -p notice
 logger -t gosa-sync -p notice Kerberos password for \'$USERID\' 
changed.
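Review bot: the trailing comment on the `+EUSERPASSWORD=` line is broken onto a second line in the archive, and at a different word than in the other posting of the same hunk above, so this is mail wrapping; still, in the committed file the comment must remain on one line, otherwise the continuation (`kadmin need to use double quotes`) is executed as a command. The sed expression doubles only `"`, which matches what the message states was verified (spaces, single and double quotes, backslashes); the double-backslash case it mentions is handled, or not, before this script runs, in the PHP substitution.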


And I verified it to handle spaces, double and single quotes, and 
backslashes.
It only breaks on double backslashes, but that's at the PHP level 
replacing \\ with \, and does not lead to vulnerability AFAICT - it just 
means that password won't work.


Is that good with you?

--
Samuel Krempp




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
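As an added worked example (not the gosa-sync script and not code posted in this bug thread), the sed expression from the patch above wrapped in shell functions so the escaping can be exercised on constructed sample passwords. The function names, the `cpw -pw` command text (assumed to be what the script feeds kadmin; the heredoc is collapsed in the archived copy) and the sample passwords are assumptions made for this example. It covers the cases the message says were verified (spaces, single and double quotes, backslashes) and checks that the escaping is lossless and leaves an even number of quotes, so the enclosing pair still matches.

```shell
#!/bin/sh
# Added example: the escaping step from the gosa-sync patch, as functions.
# Function names, the "cpw -pw" command text and the sample passwords are
# assumptions made for this example, not taken from the script itself.

# Double every embedded double quote, as the patch does with sed, so the
# password can be placed inside a double-quoted kadmin argument.
escape_for_kadmin() {
    printf '%s' "$1" | sed -e 's/"/""/g'
}

# Collapse each "" back to a single " (the inverse step); used to check
# that the escaping loses nothing.
unescape_from_kadmin() {
    printf '%s' "$1" | sed -e 's/""/"/g'
}

# Number of double quotes in a string; after escaping it must be even so
# the enclosing pair of quotes still matches up.
quote_count() {
    printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' '
}

# Build the change-password command text with the escaped password in
# double quotes (assumed kadmin syntax). The text is only built here;
# nothing is passed to kadmin.
build_cpw_command() {
    principal=$1
    escaped=$(escape_for_kadmin "$2")
    printf 'cpw -pw "%s" %s' "$escaped" "$principal"
}

# Exercise the escaping on constructed passwords covering spaces, single
# and double quotes and backslashes. Returns 0 when every sample survives
# the round trip and yields an even quote count, 1 otherwise.
selfcheck() {
    for pw in 'pa ss word' "it's" 'say "hi"' 'back\slash' '"""' 'a""b'; do
        esc=$(escape_for_kadmin "$pw")
        [ "$(unescape_from_kadmin "$esc")" = "$pw" ] || return 1
        n=$(quote_count "$esc")
        [ $((n % 2)) -eq 0 ] || return 1
    done
    return 0
}

# Print the command text for one constructed sample when run directly.
build_cpw_command 'alice@EXAMPLE.COM' 'say "hi" there'
echo
```

The command text is only built, never executed; `selfcheck` returns 0 when every sample password round-trips through the escaping unchanged, which is the property the patch relies on.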



Bug#665696: gosa-sync breaks on passwords containing spaces

2012-03-25 Thread Samuel Krempp

Samuel Krempp wrote, on 25/03/2012 11:41:

I see GOsa devs noticed the security issue 19 months ago:
https://oss.gonicus.de/labs/gosa/ticket/1026
"Additionally the script parameter are not escaped right now, somebody
could do nasty thing with it. I will have a look at this too. "

How serious is knowingly leaving such a vulnerability, with easy fix,
open for 19 months?



Sorry, did not check before posting, the issue was indeed fixed 19 
months ago in GOsa trunk, I shouldn't send emails with one hand while 
playing with my kids with the other:

https://oss.gonicus.de/labs/gosa/changeset/19467
It's been present in releases since GOsa's 2.6.12, so SkoleLinux should 
upgrade. It's rather important to prevent malicious students from executing 
arbitrary commands as www-data, and hopefully there isn't any change 
that breaks skolelinux: 
https://oss.gonicus.de/labs/gosa/changeset?old_path=%2Ftags%2F2.6.12&old=20607&new_path=%2Ftags%2F2.6.11&new=20520


Once GOsa version is updated and %userPassword is properly escaped, my 
patch will likely have to be reversed.








Bug#665696: gosa-sync breaks on passwords containing spaces

2012-03-25 Thread Samuel Krempp

Petter Reinholdtsen wrote, on 25/03/2012 10:45:

tags 665696 + pending
thanks

[Samuel Krempp]

following patch just adds the quoting, and was verified to fix the
issue.


Thank you.  I have commited the fix to svn.


The issue remains for other special characters, at least quotes. But the 
only way to really solve the issue is in GOsa's functions.inc:

 $command= preg_replace("/%userPassword/", $password, $command);
$password should be properly escaped here, otherwise there is no way to 
write a safe command-line using %userPassword.


The proper solution seems to be 
http://php.net/manual/en/function.escapeshellarg.php
Once the script parameters are properly escaped in PHP, there should be 
no need for quoting in gosa.conf, and this patch might have to be reversed.


I see GOsa devs noticed the security issue 19 months ago: 
https://oss.gonicus.de/labs/gosa/ticket/1026
"Additionally the script parameter are not escaped right now, somebody 
could do nasty thing with it. I will have a look at this too. "


How serious is knowingly leaving such a vulnerability, with easy fix, 
open for 19 months?







Bug#665696: gosa-sync breaks on passwords containing spaces

2012-03-25 Thread Samuel Krempp

package: debian-edu-config
severity: important
version: squeeze/r0

Spaces need adequate quoting of the password variable in both gosa-sync 
and gosa.conf.


It is also very likely a security hazard to leave the user-supplied 
password string unquoted in those two files, whence severity=important.


The following patch just adds the quoting, and was verified to fix the issue.


--
Samuel Krempp
--- /etc/gosa/gosa.conf.befSK   2012-03-25 09:45:33.0 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.0 +0200
@@ -44,7 +44,7 @@
   
   
   
-  
+  
 

 
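Review bot: the `-` and `+` lines of this gosa.conf hunk are empty in the archived copy (the attribute text of the command line was lost), so the quoting change itself cannot be reviewed from the listing. Per the rest of the thread it wraps %userPassword in quotes inside the command attribute, which stops working as soon as the substituted password itself contains a double quote, and the later messages say this part of the patch has to be reverted once GOsa's functions.inc escapes %userPassword (escapeshellarg) before substitution.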
--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 
09:28:32.0 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync2012-03-25 
09:56:04.0 +0200
@@ -15,7 +15,6 @@
 ## principal's one.

 RETVAL=0
-
 USERDN=$1
 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"`

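Review bot: this hunk only deletes the blank line after `RETVAL=0`; an unrelated whitespace change makes a security fix harder to review and should be dropped from the patch. While here, `USERID=\`echo $USERDN | sed ...\`` expands $USERDN unquoted; `echo "$USERDN"` keeps the DN as one argument regardless of its contents.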
@@ -30,7 +29,7 @@
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
 if [ "$IAM" = "dn:$USERDN" ] ; then
 cat > $TMPFILE <&1 | logger -t gosa-sync -p notice
 logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
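Review bot: the `-` and `+` lines of this hunk are missing and the `cat > $TMPFILE <<EOF` heredoc has been collapsed into the `logger` line in this copy, so the quoting added around $USERPASSWORD cannot be verified from the listing. Against the fuller version of this hunk posted later in the thread, the quoting needs to be reviewed together with the EUSERPASSWORD escaping, because enclosing the raw password in double quotes alone breaks once the password contains a double quote, as the follow-up message points out.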


Bug#664596: So, how to fix this on installed systems ?

2012-03-21 Thread Samuel Krempp

I don't know anything about kerberos stuff.
How to fix on an installed system? I installed shortly after the r0 
release, and got hit by this "2 days later" killer bug.
The discussion so far doesn't give a clear hint on a fix for non-experts 
in kerberos like me ...


regards,

--
Samuel Krempp







Bug#362269: x11-common: upgrade from 6.9.0.dfsg to 1:7.0.10 breaks many programs with "request_code 151 minor_code 23"

2006-04-12 Thread Samuel Krempp
Package: x11-common
Version: 1:7.0.10
Severity: important

I just used aptitude to upgrade my debian/unstable box (the previous
full update was on 2006-03-19), most notably this upgraded the X system
to 7.0.10. And since then, many X programs are either crashing (mostly
before even displaying anything), or reporting the same error code while
functioning otherwise unaffected.

For instance: gqview, firefox, thunderbird, emacs... all crash on
launch and report:
(emacs:)
X protocol error: BadRequest (invalid request code or no such operation)
on protocol request 151

(firefox/thunderbird:)
The error was 'BadRequest (invalid request code or no such operation)'.
 (Details: serial 418 error_code 1 request_code 151 minor_code 23)

gimp starts OK, but crashes when opening any kind of menu.

While knode (and all kde/qt programs I tried so far) run without
problem, though reporting the same errors a few times on startup:
X Error: BadRequest (invalid request code or no such operation) 1
 Major opcode:  151
 Minor opcode:  23


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (760, 'unstable'), (751, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.16.4

-- debconf information excluded

