Bug#674715: marked as done (CVE-2012-2653: initgroups() adds gid 0 to the group list)
Your message dated Mon, 04 Jun 2012 20:47:14 +
with message-id e1sbebg-0001dm...@franck.debian.org
and subject line Bug#674715: fixed in arpwatch 2.1a15-1.1+squeeze1
has caused the Debian Bug report #674715,
regarding CVE-2012-2653: initgroups() adds gid 0 to the group list
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
674715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674715
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: arpwatch
Version: 2.1a15-1.1
Severity: critical
Tags: security
Justification: root security hole

Hi,

as reported on oss-sec (http://www.openwall.com/lists/oss-security/2012/05/24/12)
the patch added to arpwatch to drop privileges in fact adds the gid 0
(root) group to the group list. This has been allocated CVE-2012-2653.

Can you prepare updates fixing this (using pw->pw_gid in the call) or
should the security team do it?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
---End Message---
---BeginMessage---
Source: arpwatch
Source-Version: 2.1a15-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive:

arpwatch_2.1a15-1.1+squeeze1.diff.gz
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1.diff.gz
arpwatch_2.1a15-1.1+squeeze1.dsc
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1.dsc
arpwatch_2.1a15-1.1+squeeze1_amd64.deb
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 674...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez cor...@debian.org (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 May 2012 23:53:19 +0200
Source: arpwatch
Binary: arpwatch
Architecture: source amd64
Version: 2.1a15-1.1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: KELEMEN Péter f...@debian.org
Changed-By: Yves-Alexis Perez cor...@debian.org
Description: 
 arpwatch   - Ethernet/FDDI station activity monitor
Closes: 674715
Changes: 
 arpwatch (2.1a15-1.1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
     privileges it was in fact adding it. This is CVE-2012-2653.
     closes: #674715
Checksums-Sha1: 
 7e6ecaefcf64542424499406833c9b4c1006df79 1706 arpwatch_2.1a15-1.1+squeeze1.dsc
 9dffaec0f132e5bb7aedfc840c5c67068bfbce69 202729 arpwatch_2.1a15.orig.tar.gz
 94161e464ce50967b71f07fe865010a4230f5fec 150105 arpwatch_2.1a15-1.1+squeeze1.diff.gz
 75c9d036f5a71a1769d62cda333b827b4863c2a2 188294 arpwatch_2.1a15-1.1+squeeze1_amd64.deb
Checksums-Sha256: 
 d02dace3f9b3e2075efb9a7bb14b3649f16d783ba6a6e005cb2d9ed1d943f021 1706 arpwatch_2.1a15-1.1+squeeze1.dsc
 c1df9737e208a96a61fa92ddad83f4b4d9be66f8992f3c917e9edf4b05ff5898 202729 arpwatch_2.1a15.orig.tar.gz
 289873de4fc24a836d6219a1e272aa9df253255d5b6e1434ff74e28f3af8 150105 arpwatch_2.1a15-1.1+squeeze1.diff.gz
 e694736b69f5571a093d5cba773ea8b88cb679ee9368ec9c54019a0ed4d763bd 188294 arpwatch_2.1a15-1.1+squeeze1_amd64.deb
Files: 
 a8728af287fa60c61a7d89cfd9e61fb3 1706 admin optional arpwatch_2.1a15-1.1+squeeze1.dsc
 cebfeb99c4a7c2a6cee2564770415fe7 202729 admin optional arpwatch_2.1a15.orig.tar.gz
 ebd379d4f7f4ae7782e00e5f86aeea9f 150105 admin optional arpwatch_2.1a15-1.1+squeeze1.diff.gz
 5436f25de47de028726db436def5dea8 188294 admin optional arpwatch_2.1a15-1.1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJPxnQlAAoJEDBVD3hx7wuouVAP/0x++u8um6wz9QL6v15FeeaE
Z4WZT9fg75zNZ5vVAdXX9UgZw3g7y/cJjXVF2phRvaiV1gJZueVmB8CPi07PqyNP
8tRFm3dIcoNunb4LTPakntJpqly7dQSTCxpWT4cWcdnNQM5UB4AaERxFR8kLAwSl
tp/zclODMc3LvVWgzfpFQek+6KwOnkFMuIwl46NbCResD2iFESECGd9g//RRUeDw
Bug#674715: marked as done (CVE-2012-2653: initgroups() adds gid 0 to the group list)
Your message dated Tue, 29 May 2012 09:02:28 +
with message-id e1szijw-0002uy...@franck.debian.org
and subject line Bug#674715: fixed in arpwatch 2.1a15-1.2
has caused the Debian Bug report #674715,
regarding CVE-2012-2653: initgroups() adds gid 0 to the group list
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
674715: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674715
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: arpwatch
Version: 2.1a15-1.1
Severity: critical
Tags: security
Justification: root security hole

Hi,

as reported on oss-sec (http://www.openwall.com/lists/oss-security/2012/05/24/12)
the patch added to arpwatch to drop privileges in fact adds the gid 0
(root) group to the group list. This has been allocated CVE-2012-2653.

Can you prepare updates fixing this (using pw->pw_gid in the call) or
should the security team do it?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
---End Message---
---BeginMessage---
Source: arpwatch
Source-Version: 2.1a15-1.2

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive:

arpwatch_2.1a15-1.2.diff.gz
  to main/a/arpwatch/arpwatch_2.1a15-1.2.diff.gz
arpwatch_2.1a15-1.2.dsc
  to main/a/arpwatch/arpwatch_2.1a15-1.2.dsc
arpwatch_2.1a15-1.2_amd64.deb
  to main/a/arpwatch/arpwatch_2.1a15-1.2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 674...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez cor...@debian.org (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 May 2012 09:20:52 +0200
Source: arpwatch
Binary: arpwatch
Architecture: source amd64
Version: 2.1a15-1.2
Distribution: unstable
Urgency: high
Maintainer: KELEMEN Péter f...@debian.org
Changed-By: Yves-Alexis Perez cor...@debian.org
Description: 
 arpwatch   - Ethernet/FDDI station activity monitor
Closes: 674715
Changes: 
 arpwatch (2.1a15-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
     privileges it was in fact adding it. This is CVE-2012-2653.
     closes: #674715
   * debian/rules:
     - enable hardening flags.
   * Makefile.in: add LDFLAGS support.
Checksums-Sha1: 
 a99f51eb621a0dbcb1d0a7b36cfa650c52b50d0d 1714 arpwatch_2.1a15-1.2.dsc
 81b57ead3e4a3d4a8c10678109dfe8e4c03c7a02 147856 arpwatch_2.1a15-1.2.diff.gz
 24ba4127de1801e3d24523babb7064e06c11c7dc 193364 arpwatch_2.1a15-1.2_amd64.deb
Checksums-Sha256: 
 9785e1f5ecbde302e8683cbc339aa04d452d3cbf20bd35bd06ed7fff9150ff78 1714 arpwatch_2.1a15-1.2.dsc
 43fa24105594e0886aaa571d3ca2cc6a5c07d540b0b134d2b5923c688cc2a8f6 147856 arpwatch_2.1a15-1.2.diff.gz
 8965e768c5de971c58335c9508b0cdbb24714a9c72fa4757d569aa4f21571a79 193364 arpwatch_2.1a15-1.2_amd64.deb
Files: 
 628e8c1445bc87dac730fe74c344e246 1714 admin optional arpwatch_2.1a15-1.2.dsc
 ea6ac9531289f04219349d0faca7cde5 147856 admin optional arpwatch_2.1a15-1.2.diff.gz
 5459c8eba786e6ae3edaa3dcad3f977f 193364 admin optional arpwatch_2.1a15-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJPweTIAAoJEDBVD3hx7wuoEAQQAIGGJEehD1DabbFnH7HAPFXm
7dYsIQqAFEHnNdu4zvSaAiqpRJqnrhL/fClmp2+jkj1W1UrTG008ypNHV+9VI+mP
JejBSfKtcyVdvXCi1uUs5IzYGkczNN4Bk4/JrdXOLE+DHcJYpDgxA+8VHdvAk2jH
vE3/bpfqtctwWOuk0gHeh62YpVe8+pLDDSzr+uMTUvqtbIbiQmo6CzHSFi4Th9WR
3MKJPoPW5OfqT9c0Y0p4rFj9giTO+kbmQFwyU3jE7laSVlJUzftmNcvG/5TDPZv3
iAIGREMrzwoh4acGM7mEt2NAg3KenMyhgA8wRuhbfbI0J9tbV6s777HCUQL5mPk5
hR4IaXroAuGyejfzjRAbt6TDA4XKNxEc97N1Qvy6m6yIMC0h0tROaK7Q44Vm+V18
Vt1gC4HpfKamqlOwXE9t6eJGnOqNc+V2CWJV8DGsPGbboqnmQ/IZ0o5OCqkKuu7C
CdtiY8ffKDMLrqWh7UKEwjx6afoNp4ZGXigkn4hHf57i692hFxK4pVCNlv7GBag+
t2omyX9I/+yS2tlLk5jNPHBtG660HHP9lKSgHwEKpzgySRZYbHtmj/iR9o0ryr7i
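The bug report quoted in both closing messages above says the privilege-drop patch passed gid 0 to initgroups() instead of pw->pw_gid. The second argument of initgroups(3) is an extra group appended to the user's supplementary list, so the call silently kept root's group on a process that believed it had dropped privileges. The following C program is an added example written for this page; it is not arpwatch's code or the Debian patch. It uses getgrouplist(3), the unprivileged library half of initgroups(3), to show which list each call would install (no root needed), and then drops privileges in the corrected order with a post-drop self-check that would have caught this class of mistake. It assumes Linux/glibc; the default target user "nobody" and the function names group_list_for, gid0_in_list, verify_dropped and drop_privileges are choices made here, not names from the package.

```c
/*
 * Added example (not arpwatch's code): initgroups(user, 0) versus
 * initgroups(user, pw->pw_gid), and a privilege drop with a self-check.
 * Assumes Linux/glibc. Target user "nobody" is an assumption.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* Returns 1 if gid g appears in list[0..n), else 0. */
int contains_gid(const gid_t *list, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (list[i] == g)
            return 1;
    return 0;
}

/*
 * The list initgroups(user, extra) would install: every group the user
 * belongs to plus `extra`. getgrouplist(3) needs no privilege, so the
 * effect of a wrong `extra` is visible without root.
 * Returns the number of gids written, or -1 if cap is too small.
 */
int group_list_for(const char *user, gid_t extra, gid_t *out, int cap)
{
    int n = cap;
    if (getgrouplist(user, extra, out, &n) == -1)
        return -1;
    return n;
}

/* 1 if gid 0 would end up in the list, 0 if not, -1 on error. */
int gid0_in_list(const char *user, gid_t extra)
{
    gid_t groups[MAX_GROUPS];
    int n = group_list_for(user, extra, groups, MAX_GROUPS);
    return n < 0 ? -1 : contains_gid(groups, n, 0);
}

/*
 * Post-drop self-check: ids are the target's, root cannot be regained,
 * and gid 0 is absent from the supplementary list (the condition the
 * buggy patch violated). Returns 0 when all hold, -1 otherwise.
 */
int verify_dropped(uid_t uid, gid_t gid)
{
    gid_t groups[MAX_GROUPS];
    int n;

    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)             /* must fail (EPERM) after a real drop */
        return -1;
    n = getgroups(MAX_GROUPS, groups);
    if (n < 0 || contains_gid(groups, n, 0))
        return -1;
    return 0;
}

/*
 * Drop root to `user`: supplementary groups first (needs privilege),
 * then gid, then uid. The vulnerable patch had initgroups(pw->pw_name, 0)
 * where pw->pw_gid is used below.
 */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    return verify_dropped(pw->pw_uid, pw->pw_gid);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";
    struct passwd *pw = getpwnam(user);

    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    printf("initgroups(\"%s\", 0):          gid 0 in list: %d\n",
           user, gid0_in_list(user, 0));
    printf("initgroups(\"%s\", pw->pw_gid): gid 0 in list: %d\n",
           user, gid0_in_list(user, pw->pw_gid));

    if (geteuid() == 0) {            /* only root can actually drop */
        if (drop_privileges(user) != 0) {
            fprintf(stderr, "privilege drop failed self-check\n");
            return 1;
        }
        printf("dropped to %s; gid 0 not in supplementary groups\n", user);
    }
    return 0;
}
```

Run it unprivileged to see the two candidate group lists differ only by gid 0; run it as root to perform the drop and the self-check. The check in verify_dropped is the piece worth keeping in any daemon: a privilege drop that is not verified with getgroups() after the fact is exactly how a one-character argument error ships as a root security hole.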