Your message dated Fri, 27 May 2016 13:28:52 +0000
with message-id <e1b6hoq-00019z...@franck.debian.org>
and subject line Bug#793465: fixed in libuser 1:0.62~dfsg-0.1
has caused the Debian Bug report #793465,
regarding DoS and privilege escalation by local users (CVE-2015-3245 and CVE-2015-3246)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793465: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793465
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libuser
Version: 1:0.56.9.dfsg.1-1.2
Severity: grave
Tags: security upstream patch

During a code audit by Qualys, multiple libuser-related vulnerabilities 
were discovered that can allow local users to perform denial-of-service and
privilege-escalation attacks:

- Race condition in password file update (CVE-2015-3246, Important)

A flaw was found in the way the libuser library handled the /etc/passwd file.
Even though traditional programs like passwd, chfn, and chsh work on a
temporary copy of /etc/passwd and eventually use the rename() function to
rename the temporary copy, libuser modified /etc/passwd directly.
Unfortunately, if anything went wrong during these modifications,
libuser may have left /etc/passwd in an inconsistent state.

This behavior could result in a local denial-of-service attack; in addition,
when combined with a second vulnerability (CVE-2015-3245, described below),
it could result in the escalation of privileges to the root user.

- Lack of validation of GECOS field contents (CVE-2015-3245, Moderate)

It was found that the chfn function of the userhelper utility did not properly
filter out newline characters. The chfn function implemented by the userhelper
utility verified that the fields it was given on the command line were valid
(that is, contain no forbidden characters).
Unfortunately, these forbidden characters (:,=) did not include the \n character
and allowed local attackers to inject newline characters into the /etc/passwd
file and alter this file in unexpected ways.
A local attacker could use this flaw to corrupt the /etc/passwd file,
which could result in a denial-of-service attack on the system.

Both issues have been fixed upstream, and shipped in release 0.62.
Please mention the CVE numbers in the changelog when fixing the issue.

References:
 * RedHat security bulletin
   https://access.redhat.com/articles/1537873
 * PoC
   http://www.openwall.com/lists/oss-security/2015/07/23/16
 * libuser 0.62 changelog
   https://fedorahosted.org/libuser/browser/NEWS?rev=libuser-0.62
 * Fixing commit
   https://fedorahosted.org/libuser/changeset/d73aa2a5a9ce5bdd349dff46e3e4885f2b194a95/


Cheers, Luca

--- End Message ---
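The two defects in Luca's report above (libuser rewriting /etc/passwd in place instead of working on a temporary copy and rename()-ing it, and a GECOS check that rejected ':', ',' and '=' but not '\n') are illustrated by the following added example. It is not part of the bug report, of libuser or of the Debian package: `atomic_replace` shows the temp-file-plus-fsync-plus-rename() update pattern the report attributes to passwd, chfn and chsh, and `validate_gecos` shows a field check that rejects the newline as well. The validator deliberately goes beyond the fix described in the report by rejecting every ASCII control character, not only '\n'. The function names, the path under /tmp and the sample passwd record are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* CVE-2015-3245 class of bug: a GECOS value must not contain the passwd
 * field separator ':' or the chars libuser already refused (',' '='), and
 * it must not contain '\n', which would terminate the record and let the
 * rest of the string be parsed as a new /etc/passwd line.  This example
 * check (not libuser's own code) also refuses every other ASCII control
 * character.  Returns 1 when the value is safe to store, 0 otherwise. */
int validate_gecos(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == ':' || *p == ',' || *p == '=')
            return 0;                 /* would split or confuse fields */
        if (*p < 0x20 || *p == 0x7f)
            return 0;                 /* '\n', '\r', NUL-adjacent, etc. */
    }
    return 1;
}

/* CVE-2015-3246 class of bug: truncating and rewriting the live file means
 * any failure (signal, ENOSPC, crash) leaves a partial /etc/passwd behind.
 * Instead, write the complete new contents to a temporary file in the same
 * directory, fsync it, and rename() it over the target: rename is atomic on
 * POSIX filesystems, so readers see either the old or the new file.
 * Returns 0 on success, -1 with errno set on failure (temp file removed). */
int atomic_replace(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    int fd;
    size_t off = 0;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmp);                /* created 0600 in the same directory */
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0644) < 0)         /* passwd must stay world readable */
        goto fail;
    while (off < len) {               /* handle short writes and EINTR */
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        off += (size_t)n;
    }
    if (fsync(fd) < 0)                /* data on disk before the rename */
        goto fail;
    if (close(fd) < 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmp, path) < 0)        /* atomic switch of the name */
        goto fail;
    /* A production implementation would also fsync the directory here so
     * the rename itself survives a power loss. */
    return 0;

fail:
    {
        int saved = errno;
        if (fd >= 0)
            close(fd);
        unlink(tmp);                  /* never leave the temp file around */
        errno = saved;
        return -1;
    }
}

/* Small read-back helper used to confirm the written file is consistent. */
int file_equals(const char *path, const char *expected)
{
    char buf[4096];
    FILE *f = fopen(path, "r");
    size_t n;

    if (!f)
        return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample record; a /tmp path keeps the demo harmless. */
    const char *path = "/tmp/libuser_example_passwd";
    const char *record = "alice:x:1000:1000:Alice Example:/home/alice:/bin/sh\n";

    printf("GECOS \"Alice Example\": %s\n",
           validate_gecos("Alice Example") ? "accepted" : "rejected");
    printf("GECOS \"Alice\\nExample\": %s\n",
           validate_gecos("Alice\nExample") ? "accepted" : "rejected");
    if (atomic_replace(path, record, strlen(record)) == 0 &&
        file_equals(path, record))
        printf("atomic update of %s succeeded\n", path);
    unlink(path);
    return 0;
}
```

The rename() step is what removes the inconsistent-state window the report describes: the old file stays intact until the new one is complete and synced, so an interrupted update degrades to "no change" rather than to a truncated password database.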
--- Begin Message ---
Source: libuser
Source-Version: 1:0.62~dfsg-0.1

We believe that the bug you reported is fixed in the latest version of
libuser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mat...@debian.org> (supplier of updated libuser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 May 2016 12:56:43 +0000
Source: libuser
Binary: libuser libuser1-dev libuser1 python-libuser
Architecture: source
Version: 1:0.62~dfsg-0.1
Distribution: unstable
Urgency: high
Maintainer: Ghe Rivero <g...@debian.org>
Changed-By: Mattia Rizzolo <mat...@debian.org>
Description:
 libuser    - user and group account administration library - utilities
 libuser1   - user and group account administration library - shared libraries
 libuser1-dev - user and group account administration library - development files
 python-libuser - user and group account administration library - Python 2.7 bindin
Closes: 793465
Changes:
 libuser (1:0.62~dfsg-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Imported Upstream version 0.62~dfsg.
     + CVE-2015-3245 (Lack of validation of GECOS field contents) (low/local)
     + CVE-2015-3246 (Race condition in passwd file update) (high/local)
     + Closes: #793465
   * d/copyright:
     + convert to copyright-format 1.0.
     + add a Files-Excluded field to drop docs/rfc2307.txt from the orig tarball.
     + add myself to the copyright for the debian part.
   * Add watch file.
   * Run wrap-and-sort -ast.
   * d/control:
     + add build-dependency on dh-python.
     + move python-libuser to section python, as it contains python bindings.
     + bump Standards-Version to 3.9.8, no changes needed.
     + add Vcs-* fields.
   * d/patches:
     + 0002-Try-harder-to-ignore-the-retunrn-of-ftuncate.patch: drop as obsolete.
     + use-pkg-config-for-python-include: add, otherwise it fails to look up the
       python headers.
     + refresh them all.
   * d/rules:
     + drop what seems to be useless code.
     + enable parallel build.
     + more robust .la removal using find(1).
     + enable DH_VERBOSE.
     + enable hardening.
     + use dh_install --fail-missing.
   * d/symbols:
     + rename to d/libuser1.symbols, so it is actually picked up and used.
     + update: add new symbols that have been there since at least 1:0.60~dfsg.
   * d/libuser.install: install /etc/libuser.conf.  LP: #1387274
Checksums-Sha1:
 2d7b8f55d9295b671afc10e17177d49360cf93cd 2205 libuser_0.62~dfsg-0.1.dsc
 6ce429ed085d0798510ae539b419ed668d674e31 743616 libuser_0.62~dfsg.orig.tar.xz
 a89bd876009264d963cde6ed6ad4a29634b12dd3 6160 libuser_0.62~dfsg-0.1.debian.tar.xz
Checksums-Sha256:
 09f0fd814570cb8768562665835bf7b6cf4c3c6c865cb4626b837e843b068a8a 2205 libuser_0.62~dfsg-0.1.dsc
 30c40e6dceffa3c67065cb86f62262f297e3398528faef7e770c46e093cfa15e 743616 libuser_0.62~dfsg.orig.tar.xz
 f7ccb255ebc3541b991ea26e979500b00be68fcd1b060904271869e07dd9ab2d 6160 libuser_0.62~dfsg-0.1.debian.tar.xz
Files:
 f38e50c81653d6c0f97a4c8d2c7f507f 2205 admin optional libuser_0.62~dfsg-0.1.dsc
 08daadb21f017c0b1dc8a2f1a81abca8 743616 admin optional libuser_0.62~dfsg.orig.tar.xz
 a9da81f4ed955a235c4916078fc695ef 6160 admin optional libuser_0.62~dfsg-0.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXSEWBAAoJEEsEP825REVAVuEQAJSHMjzZZ1J5o8eJt6Fq17O0
D+KLgBa1vmbOLUtmQh9GiCFQLQ3kc3yBY9WtCo/PEfx71UZxkhDZYnfGYL9K1mpS
UFBrZBJ7NKKD2xQOwg63ad6aQCi9+UU1T5imiXyYjzmVoZCSvMAWP40+LJmKDkQ2
Cr0wgu3Hs+CrbYjc5CFhfIX3jv6rkki2V6Em/LY3IUgGjxk8gPbHRLLrPgzV+jNC
02jqILY/nPP2W1K7odFmnkjOmOrdL56CD6+aXXK0wo+SqsIWz4qlCpN00SVVB4i/
VAXuNRmIqYsYbYiD9dQ4ZzMLJCF1IMd8d563Bm8bIAoyuEpDhtPu+3EgxDXfelXU
iT/d14XBPDx1oL1/keNavuM4OaIISZKsgVaj6gD30UNNoPdZlyF95TxTXad+Kp5c
e7HOJccwWXoDqg+sensMMzmo7ymIOljVcgGEs9e1W9R80it02U8J02SnR/mUhyLb
H2I4FejgAvGWguFyuv7Qom9yzn9sttUeEWepzywDM2ByB1K1BTWXljckXL1v1TNp
hOHXIU+QTwsULY/TcsZrLwocMcjyIlnFzv07nvF48WquwObEt3uap5sraPRkNx8Z
6vlXvhGMnfM/4A3rDhVzy4E02M0QqYU4rpjaAxLAezg3o/uleVHpwy37arlE0pG5
AiUJRmohdl2J+xPOwZEP
=iqZu
-----END PGP SIGNATURE-----

--- End Message ---