Bug#499076: marked as done (CVE-2009-4411: Physical walk no longer ignores all symlinks)
Your message dated Wed, 03 Feb 2010 06:47:13 + with message-id and subject line "Bug#499076: fixed in acl 2.2.49-2" has caused the Debian Bug report #499076, regarding "CVE-2009-4411: Physical walk no longer ignores all symlinks", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
499076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: acl
Version: 2.2.47-2

After upgrading a system from Etch to Lenny, we are having some problems with our backup scripts which rely on getfacl/getfattr. Previously we had been using "getfacl -RP ..." to recursively dump all the ACLs in a number of directories which are also Samba shares. Because we use the DFS features of Samba, we have numerous intentional "dangling" symlinks in these directories. However, now this is causing getfacl to exit with non-zero status and spew lots of unwanted output to stderr.

A simple test case to reproduce the problem:

    #!/bin/sh
    ln -f -s no_such_file foo
    getfacl -RP . > /dev/null
    echo $?

Output on Etch:

    0

Output on Lenny:

    getfacl: ./foo: No such file or directory
    1

I realise that upstream changed the behaviour at some point there, as the manpage description of the -P option differs between Etch/Lenny. However, we still need a way to ignore all symlinks - if the current behaviour is by design (I don't understand why this would be desirable), then can we have another option to completely ignore symlinks?

Thanks,
Kevin.
--- End Message ---

--- Begin Message ---
Source: acl
Source-Version: 2.2.49-2

We believe that the bug you reported is fixed in the latest version of acl, which is due to be installed in the Debian FTP archive:

acl_2.2.49-2.debian.tar.bz2
  to main/a/acl/acl_2.2.49-2.debian.tar.bz2
acl_2.2.49-2.dsc
  to main/a/acl/acl_2.2.49-2.dsc
acl_2.2.49-2_amd64.deb
  to main/a/acl/acl_2.2.49-2_amd64.deb
libacl1-dev_2.2.49-2_amd64.deb
  to main/a/acl/libacl1-dev_2.2.49-2_amd64.deb
libacl1_2.2.49-2_amd64.deb
  to main/a/acl/libacl1_2.2.49-2_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 499...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar (supplier of updated acl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Tue, 02 Feb 2010 11:40:55 +1100
Source: acl
Binary: acl libacl1-dev libacl1
Architecture: source amd64
Version: 2.2.49-2
Distribution: unstable
Urgency: low
Maintainer: Nathan Scott
Changed-By: Anibal Monsalve Salazar
Description:
 acl         - Access control list utilities
 libacl1     - Access control list shared library
 libacl1-dev - Access control list static libraries and headers
Closes: 499076
Changes:
 acl (2.2.49-2) unstable; urgency=low
 .
   * Debian source format is 3.0 (quilt)
     Add 01-Makefile.patch
   * Fix CVE-2009-4411
     Refer to https://savannah.nongnu.org/bugs/?28131
     Add 02-499076-physical-walk.patch
     Patch by Markus Steinborn
     Closes: 499076
   * Fix debhelper-but-no-misc-depends
   * Fix out-of-date-standards-version
   * Fix no-upstream-changelog
Bug#499076: marked as done (CVE-2009-4411: Physical walk no longer ignores all symlinks)
Your message dated Sun, 27 Dec 2009 05:04:24 + with message-id <20091227050424.ga4...@master.debian.org> and subject line "Re: CVE-2009-4411" has caused the Debian Bug report #499076, regarding "CVE-2009-4411: Physical walk no longer ignores all symlinks", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
499076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: acl
Version: 2.2.47-2

After upgrading a system from Etch to Lenny, we are having some problems with our backup scripts which rely on getfacl/getfattr. Previously we had been using "getfacl -RP ..." to recursively dump all the ACLs in a number of directories which are also Samba shares. Because we use the DFS features of Samba, we have numerous intentional "dangling" symlinks in these directories. However, now this is causing getfacl to exit with non-zero status and spew lots of unwanted output to stderr.

A simple test case to reproduce the problem:

    #!/bin/sh
    ln -f -s no_such_file foo
    getfacl -RP . > /dev/null
    echo $?

Output on Etch:

    0

Output on Lenny:

    getfacl: ./foo: No such file or directory
    1

I realise that upstream changed the behaviour at some point there, as the manpage description of the -P option differs between Etch/Lenny. However, we still need a way to ignore all symlinks - if the current behaviour is by design (I don't understand why this would be desirable), then can we have another option to completely ignore symlinks?

Thanks,
Kevin.
--- End Message ---

--- Begin Message ---
Version: 2.2.49-1

On Sat, Dec 26, 2009 at 06:42:15PM +0100, Giuseppe Iuculano wrote:
> retitle 499076 CVE-2009-4411: Physical walk no longer ignores all symlinks
> tags 499076 security
> severity 499076 serious
> thanks
>
> Hi,
>
> this issue got a CVE id:
>
> CVE-2009-4411[0]:
> | The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
> | running in recursive (-R) mode, follow symbolic links even when the
> | --physical (aka -P) or -L option is specified, which might allow local
> | users to modify the ACL for arbitrary files or directories via a
> | symlink attack.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
> http://security-tracker.debian.org/tracker/CVE-2009-4411
>

Already fixed in 2.2.49-1, which was uploaded on 24 Nov 2009, more than a month ago.

--- End Message ---
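The reporter's test case and the CVE text quoted above come down to the same defect: a recursive walk that calls stat() on each entry follows symlinks, so a dangling link turns into "No such file or directory" with exit status 1, and a link pointing outside the tree drags its target into the walk, whereas a physical (-P) walk must examine entries with lstat() and skip every symlink. The Python below is an added illustration, not code from the acl package or from this thread; the sample tree it builds (a dangling link `foo` as in the report plus a link to a file outside the walked directory) is constructed for the example.

```python
import os
import stat
import tempfile

def walk_physical(root):
    """Physical walk (what -P must mean): examine every entry with lstat()
    and skip ALL symlinks, dangling or not; never descend through a link."""
    found, stack = [], [root]
    while stack:
        d = stack.pop()
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            st = os.lstat(path)                  # the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                continue
            found.append(os.path.relpath(path, root))
            if stat.S_ISDIR(st.st_mode):
                stack.append(path)
    return found

def walk_logical(root):
    """Logical walk: stat() follows links, so a dangling link is an error and a
    link to a path outside the tree pulls that target in. No loop guard: only safe
    on the loop-free constructed tree below."""
    found, errors, stack = [], [], [root]
    while stack:
        d = stack.pop()
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            try:
                st = os.stat(path)               # follows the symlink
            except FileNotFoundError:
                errors.append(os.path.relpath(path, root) + ": No such file or directory")
                continue
            found.append(os.path.relpath(path, root))
            if stat.S_ISDIR(st.st_mode):
                stack.append(path)
    return found, errors

def build_sample_tree():
    """Constructed sample (hypothetical) tree; returns base/tree. Layout: base/secret.txt
    (outside the tree), tree/real.txt, tree/sub/inner.txt, tree/foo -> no_such_file
    (dangling, as in the report), tree/outside -> ../secret.txt."""
    base = tempfile.mkdtemp(prefix="acl-walk-")
    root = os.path.join(base, "tree")
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("secret.txt", "tree/real.txt", "tree/sub/inner.txt"):
        with open(os.path.join(base, rel), "w") as f:
            f.write("data\n")
    os.symlink("no_such_file", os.path.join(root, "foo"))
    os.symlink("../secret.txt", os.path.join(root, "outside"))
    return root
```

Run `walk_physical(build_sample_tree())` to see only the real entries; `walk_logical` on the same tree reports the dangling `foo` as an error and lists `outside`, which resolves to a file that was never under the walked directory.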