Bug#665696: gosa-sync breaks on passwords containing spaces
Steven Chamberlain wrote, on 27/03/2012 01:54:

> Hi,
>
> On 26/03/12 10:05, Petter Reinholdtsen wrote:
>> The fix for gosa.conf is not upgradable, so we need to come up with a better idea.
>
> The fix won't work. Using quotes in gosa.conf is no good if the %userPassword substitution could contain double quotes.

Yes, the patch to gosa.conf I had first sent has to be reversed if GOsa is upgraded to escape userPassword (in functions.inc).

With such an escaped %userPassword the variable can be sent to the gosa-sync script untampered; then the only thing to do is make sure gosa-sync handles it correctly: re-quote it to be used in kadmin, because kadmin only uses double quotes.

Without that, it is possible, and fairly easy, for a user to exploit %userPassword to send any command to kadmin, run as root, which is a pretty big vulnerability at the moment.

That's why I had sent that patch to gosa-sync, which is the only thing to patch once GOsa's functions.inc is upgraded.

--- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25 09:28:32.0 +0200 +++ /usr/share/debian-edu-config/tools/gosa-sync2012-03-26 15:34:13.0 +0200 @@ -28,9 +28,10 @@ $USERPASSWORD EOF IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true` +EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because kadmin need to use double quotes if [ "$IAM" = "dn:$USERDN" ] ; then cat > $TMPFILE <&1 | logger -t gosa-sync -p notice logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
Bug#665696: gosa-sync breaks on passwords containing spaces
Petter Reinholdtsen wrote, on 26/03/2012 11:05:

> The fix for gosa.conf is not upgradable, so we need to come up with a better idea. When upgrading squeeze-test to the new version of debian-edu-config with the new gosa.conf file, a conffile question is asked and both options (keeping the old or upgrading to the new file) are wrong. The old file has the password quoting issue and the correct LDAP password; the new file has a fix for the password quoting issue but lacks the correct LDAP password.

Personally, here I didn't take the time to upgrade GOsa, fearing other issues. But I did fix /usr/share/gosa/include/functions.inc with escapeshellarg($password), and then modified gosa-sync, which needs specific escaping for kadmin:

--- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25 09:28:32.0 +0200 +++ /usr/share/debian-edu-config/tools/gosa-sync2012-03-26 15:34:13.0 +0200 @@ -28,9 +28,10 @@ $USERPASSWORD EOF IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true` +EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because kadmin need to use double quotes if [ "$IAM" = "dn:$USERDN" ] ; then cat > $TMPFILE <&1 | logger -t gosa-sync -p notice logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.

And I verified it to handle spaces, double and single quotes, and backslashes. It only breaks on double backslashes, but that's at the PHP level replacing \\ with \, and does not lead to a vulnerability AFAICT; it just means that password won't work.

Is that good with you?

-- Samuel Krempp

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
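Review bot: the added `EUSERPASSWORD=` line runs before the `if [ "$IAM" = "dn:$USERDN" ]` identity check, and this archive copy truncates the hunk right after `cat > $TMPFILE <`, so the line that actually hands `$EUSERPASSWORD` to kadmin inside double quotes is not visible; please resend the hunk intact, because whether doubling `"` is sufficient depends on exactly how that line quotes the value. Two smaller points: computing the escaped password inside the `if` branch would avoid processing it for a caller whose LDAP bind failed, `cat $TMPFILE | sed -e 's/"/""/g'` can simply be `sed -e 's/"/""/g' $TMPFILE`, and the comment should read "kadmin needs to use double quotes".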
Bug#665696: gosa-sync breaks on passwords containing spaces
Samuel Krempp wrote, on 25/03/2012 11:41:

> I see GOsa devs noticed the security issue 19 months ago: https://oss.gonicus.de/labs/gosa/ticket/1026
>
> "Additionally the script parameter are not escaped right now, somebody could do nasty thing with it. I will have a look at this too."
>
> How serious is knowingly leaving such a vulnerability, with easy fix, open for 19 months?

Sorry, I did not check before posting; the issue was indeed fixed 19 months ago in GOsa trunk. I shouldn't send emails with one hand while playing with my kids with the other: https://oss.gonicus.de/labs/gosa/changeset/19467

It's been present in releases since GOsa's 2.6.12, so SkoleLinux should upgrade. It's rather important to prevent malicious students from executing arbitrary commands as www-data, and hopefully there isn't any change that breaks skolelinux: https://oss.gonicus.de/labs/gosa/changeset?old_path=%2Ftags%2F2.6.12&old=20607&new_path=%2Ftags%2F2.6.11&new=20520

Once the GOsa version is updated and %userPassword is properly escaped, my patch will likely have to be reversed.
Bug#665696: gosa-sync breaks on passwords containing spaces
Petter Reinholdtsen wrote, on 25/03/2012 10:45:

> tags 665696 + pending
> thanks
>
> [Samuel Krempp]
>> following patch just adds the quoting, and was verified to fix the issue.
>
> Thank you. I have committed the fix to svn.

The issue remains for other special characters, at least quotes. But the only way to really solve the issue is in GOsa functions.inc:

$command= preg_replace("/%userPassword/", $password, $command);

$password should be properly escaped here, otherwise there is no way to write a safe command-line using %userPassword. The proper solution seems to be http://php.net/manual/en/function.escapeshellarg.php

Once the script parameters are properly escaped in php, there should be no need for quoting in gosa.conf, and this patch might have to be reversed.

I see GOsa devs noticed the security issue 19 months ago: https://oss.gonicus.de/labs/gosa/ticket/1026

"Additionally the script parameter are not escaped right now, somebody could do nasty thing with it. I will have a look at this too."

How serious is knowingly leaving such a vulnerability, with easy fix, open for 19 months?
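The two quoting layers this message and the 27/03 reply settle on (escapeshellarg() in GOsa's functions.inc, then doubling of `"` for kadmin in gosa-sync), as an added shell example that is not part of the bug report, GOsa or debian-edu-config. The function names and the sample passwords are constructed for illustration; the kadmin rule (double quotes, escaped by doubling) is taken from the posted patch's comment.

```shell
#!/bin/sh
# Added example, not gosa-sync itself: the two quoting layers as testable
# functions. Function names are assumptions made for this illustration.

# Layer 1, what PHP's escapeshellarg() does to %userPassword before the
# command line reaches the shell: wrap in single quotes and turn each
# embedded ' into '\'' so no character is ever seen unquoted.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Layer 2, the gosa-sync patch: kadmin reads double-quoted strings, so
# double every " and wrap the whole value in double quotes.
kadmin_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# The original symptom: an unquoted $USERPASSWORD is word-split by the
# shell. set -f disables globbing, so this only splits, never expands.
split_count() {
    set -f
    set -- $1
    echo "$#"
}

count_args() { echo "$#"; }

# After shell_quote the value survives another pass through the shell as
# exactly one word, whatever it contains.
quoted_count() {
    eval "count_args $(shell_quote "$1")"
}

# Round-trip check: what the callee receives equals what was quoted.
roundtrip() {
    eval "printf '%s' $(shell_quote "$1")"
}

pw='pa"ss word'      # constructed sample, not a real credential
printf 'unquoted words: %s, quoted args: %s\n' \
    "$(split_count "$pw")" "$(quoted_count "$pw")"
printf 'for kadmin: %s\n' "$(kadmin_quote "$pw")"
```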
Bug#665696: gosa-sync breaks on passwords containing spaces
package: debian-edu-config
severity: important
version: squeeze/r0

Spaces need adequate quoting of the password variable in both gosa-sync and gosa.conf. It is also very likely a security hazard to leave the user-supplied password string unquoted in those two files, whence severity=important.

The following patch just adds the quoting, and was verified to fix the issue.

-- Samuel Krempp

--- /etc/gosa/gosa.conf.befSK 2012-03-25 09:45:33.0 +0200 +++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.0 +0200 @@ -44,7 +44,7 @@ - + --- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25 09:28:32.0 +0200 +++ /usr/share/debian-edu-config/tools/gosa-sync2012-03-25 09:56:04.0 +0200 @@ -15,7 +15,6 @@ ## principal's one. RETVAL=0 - USERDN=$1 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"` @@ -30,7 +29,7 @@ IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true` if [ "$IAM" = "dn:$USERDN" ] ; then cat > $TMPFILE <&1 | logger -t gosa-sync -p notice logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
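Review bot: the gosa.conf hunk has lost its content in this archive copy (only `- +` survives after `@@ -44,7 +44,7 @@`), so the line that quotes %userPassword there cannot be reviewed, and the second gosa-sync hunk is likewise cut off at `cat > $TMPFILE <`; please resend both intact. On the approach itself: quoting %userPassword in gosa.conf only works while the substituted value cannot contain the quote character, and since functions.inc inserts the raw password with preg_replace, a password containing that character still terminates the quoted argument. The escaping therefore belongs in functions.inc (escapeshellarg) and in gosa-sync's handling for kadmin, not in the config file alone.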
Bug#664596: So, how to fix this on installed systems ?
I don't know anything about kerberos stuff. How to fix on an installed system? I installed shortly after the r0 release, and got hit by this "2 days later" killer bug. The discussion so far doesn't give a clear hint on a fix for non-experts in kerberos like me...

regards,
-- Samuel Krempp
Bug#362269: x11-common: upgrade from 6.9.0.dfsg to 1:7.0.10 breaks many programs with "request_code 151 minor_code 23"
Package: x11-common
Version: 1:7.0.10
Severity: important

I just used aptitude to upgrade my debian/unstable box (the previous full update was on 2006-03-19); most notably this upgraded the X system to 7.0.10. Since then, many X programs are either crashing (mostly before even displaying anything) or reporting the same error code while functioning otherwise unaffected.

For instance: gqview, firefox, thunderbird, emacs... all crash on launch and report:

(emacs:) X protocol error: BadRequest (invalid request code or no such operation) on protocol request 151

(firefox/thunderbird:) The error was 'BadRequest (invalid request code or no such operation)'. (Details: serial 418 error_code 1 request_code 151 minor_code 23)

gimp starts OK, but crashes when opening any kind of menu. knode (and all kde/qt programs I tried so far) run without problem, though reporting the same errors a few times on startup:

X Error: BadRequest (invalid request code or no such operation) 1
Major opcode: 151
Minor opcode: 23

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (760, 'unstable'), (751, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.16.4

-- debconf information excluded