Your message dated Thu, 30 Jun 2011 07:48:17 +0000
with message-id <e1qcbyz-000861...@franck.debian.org>
and subject line Bug#630699: fixed in eglibc 2.13-8
has caused the Debian Bug report #630699,
regarding CVE-2011-1089: /etc/mtab corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
630699: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630699
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.13-4
Severity: normal
Tags: patch

From the security tracker:

The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and
earlier does not report an error status for failed attempts to write to the
/etc/mtab file, which makes it easier for local users to trigger corruption
of this file, as demonstrated by writes from a process with a small
RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296.

A longer discussion is in http://seclists.org/oss-sec/2011/q1/368

A patch is in
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=e1fb097f447a89aa69a926e45e673a52d86a6c57
(which also means that will be gone with version 2.14)

cu

AW
-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.38 (PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin                      2.13-4     Embedded GNU C Library: Binaries
ii  libgcc1                       1:4.6.0-10 GCC support library

Versions of packages libc6 recommends:
pn  libc6-i686                    <none>     (no description available)

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]         1.5.39     Debian configuration management sy
pn  glibc-doc                     <none>     (no description available)
ii  locales                       2.13-4     Embedded GNU C Library: National L

-- debconf information excluded



--- End Message ---
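
The failure mode described in the report above, as an added example that is not part of the bug report or of the glibc patch: a write that hits a small RLIMIT_FSIZE leaves a truncated line in the file, so the caller has to check `addmntent()` and the flush rather than assume success. The function names, the scratch path under /tmp and the mount entry are constructed for illustration.

```c
#define _GNU_SOURCE
#include <mntent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append one entry; returns 0 on success, -1 if any write step failed. */
int append_entry_checked(const char *path, const struct mntent *ent)
{
    FILE *fp = setmntent(path, "a");
    if (fp == NULL)
        return -1;
    int failed = (addmntent(fp, ent) != 0); /* 0 = success, 1 = failure */
    if (fflush(fp) != 0 || ferror(fp))      /* error may surface only on flush */
        failed = 1;
    endmntent(fp);                          /* always returns 1, no status */
    return failed ? -1 : 0;
}

/* Hypothetical harness: run the append on a scratch file with RLIMIT_FSIZE
   set to `limit` bytes; the resulting file size goes to *size_out. */
int run_with_fsize_limit(rlim_t limit, long *size_out)
{
    char path[] = "/tmp/mtab-demo-XXXXXX";  /* scratch file, never /etc/mtab */
    int fd = mkstemp(path);
    if (fd < 0)
        return -2;
    close(fd);
    /* Constructed sample entry: a 39-byte line when written in full. */
    struct mntent ent = { "/dev/example1", "/mnt/example", "ext4", "rw", 0, 0 };
    struct rlimit old, lim;
    getrlimit(RLIMIT_FSIZE, &old);
    lim = old;
    lim.rlim_cur = limit;
    /* Ignore SIGXFSZ so the write fails with EFBIG instead of killing us. */
    void (*old_handler)(int) = signal(SIGXFSZ, SIG_IGN);
    setrlimit(RLIMIT_FSIZE, &lim);
    int rc = append_entry_checked(path, &ent);
    setrlimit(RLIMIT_FSIZE, &old);
    signal(SIGXFSZ, old_handler);
    struct stat st;
    *size_out = (stat(path, &st) == 0) ? (long)st.st_size : -1;
    unlink(path);
    return rc;
}

int main(void)
{
    long size;
    int rc = run_with_fsize_limit(8, &size);
    printf("limit 8: rc=%d, bytes left in file=%ld\n", rc, size);
}
```

A caller that updates a real table this way should write to a temporary copy and rename it into place only when the checked append succeeds, so a failed write never leaves a partial line in the live file.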
--- Begin Message ---
Source: eglibc
Source-Version: 2.13-8

We believe that the bug you reported is fixed in the latest version of
eglibc, which is due to be installed in the Debian FTP archive:

eglibc-source_2.13-8_all.deb
  to main/e/eglibc/eglibc-source_2.13-8_all.deb
eglibc_2.13-8.diff.gz
  to main/e/eglibc/eglibc_2.13-8.diff.gz
eglibc_2.13-8.dsc
  to main/e/eglibc/eglibc_2.13-8.dsc
glibc-doc_2.13-8_all.deb
  to main/e/eglibc/glibc-doc_2.13-8_all.deb
libc-bin_2.13-8_amd64.deb
  to main/e/eglibc/libc-bin_2.13-8_amd64.deb
libc-dev-bin_2.13-8_amd64.deb
  to main/e/eglibc/libc-dev-bin_2.13-8_amd64.deb
libc6-dbg_2.13-8_amd64.deb
  to main/e/eglibc/libc6-dbg_2.13-8_amd64.deb
libc6-dev-i386_2.13-8_amd64.deb
  to main/e/eglibc/libc6-dev-i386_2.13-8_amd64.deb
libc6-dev_2.13-8_amd64.deb
  to main/e/eglibc/libc6-dev_2.13-8_amd64.deb
libc6-i386_2.13-8_amd64.deb
  to main/e/eglibc/libc6-i386_2.13-8_amd64.deb
libc6-pic_2.13-8_amd64.deb
  to main/e/eglibc/libc6-pic_2.13-8_amd64.deb
libc6-prof_2.13-8_amd64.deb
  to main/e/eglibc/libc6-prof_2.13-8_amd64.deb
libc6-udeb_2.13-8_amd64.udeb
  to main/e/eglibc/libc6-udeb_2.13-8_amd64.udeb
libc6_2.13-8_amd64.deb
  to main/e/eglibc/libc6_2.13-8_amd64.deb
libnss-dns-udeb_2.13-8_amd64.udeb
  to main/e/eglibc/libnss-dns-udeb_2.13-8_amd64.udeb
libnss-files-udeb_2.13-8_amd64.udeb
  to main/e/eglibc/libnss-files-udeb_2.13-8_amd64.udeb
locales-all_2.13-8_amd64.deb
  to main/e/eglibc/locales-all_2.13-8_amd64.deb
locales_2.13-8_all.deb
  to main/e/eglibc/locales_2.13-8_all.deb
multiarch-support_2.13-8_amd64.deb
  to main/e/eglibc/multiarch-support_2.13-8_amd64.deb
nscd_2.13-8_amd64.deb
  to main/e/eglibc/nscd_2.13-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 630...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aure...@debian.org> (supplier of updated eglibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 30 Jun 2011 07:41:52 +0200
Source: eglibc
Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd 
multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb 
libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 
libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 
libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 
libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390x libc6-dev-s390x 
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 
libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 
libc0.1-i386 libc0.1-dev-i386 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 
libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
Architecture: source all amd64
Version: 2.13-8
Distribution: unstable
Urgency: low
Maintainer: Aurelien Jarno <aure...@debian.org>
Changed-By: Aurelien Jarno <aure...@debian.org>
Description: 
 eglibc-source - Embedded GNU C Library: sources
 glibc-doc  - Embedded GNU C Library: Documentation
 libc-bin   - Embedded GNU C Library: Binaries
 libc-dev-bin - Embedded GNU C Library: Development binaries
 libc0.1    - Embedded GNU C Library: Shared libraries
 libc0.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - Embedded GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - Embedded GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - Embedded GNU C Library: PIC archive library
 libc0.1-prof - Embedded GNU C Library: Profiling Libraries
 libc0.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - Embedded GNU C Library: Shared libraries
 libc0.3-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.3-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.3-pic - Embedded GNU C Library: PIC archive library
 libc0.3-prof - Embedded GNU C Library: Profiling Libraries
 libc0.3-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - Embedded GNU C Library: Shared libraries [Xen version]
 libc6      - Embedded GNU C Library: Shared libraries
 libc6-amd64 - Embedded GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - Embedded GNU C Library: detached debugging symbols
 libc6-dev  - Embedded GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - Embedded GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - Embedded GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips64 - Embedded GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - Embedded GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - Embedded GNU C Library: 32bit powerpc development libraries for p
 libc6-dev-ppc64 - Embedded GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390x - Embedded GNU C Library: 64bit Development Libraries for IBM zSeri
 libc6-dev-sparc64 - Embedded GNU C Library: 64bit Development Libraries for UltraSPAR
 libc6-i386 - Embedded GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc6-loongson2f - Embedded GNU C Library: Shared libraries (Loongson 2F optimized)
 libc6-mips64 - Embedded GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - Embedded GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - Embedded GNU C Library: PIC archive library
 libc6-powerpc - Embedded GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - Embedded GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-prof - Embedded GNU C Library: Profiling Libraries
 libc6-s390x - Embedded GNU C Library: 64bit Shared libraries for IBM zSeries
 libc6-sparc64 - Embedded GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc6-xen  - Embedded GNU C Library: Shared libraries [Xen version]
 libc6.1    - Embedded GNU C Library: Shared libraries
 libc6.1-alphaev67 - Embedded GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc6.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc6.1-pic - Embedded GNU C Library: PIC archive library
 libc6.1-prof - Embedded GNU C Library: Profiling Libraries
 libc6.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - Embedded GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - Embedded GNU C Library: NSS helper for files - udeb (udeb)
 locales    - Embedded GNU C Library: National Language (locale) data [support]
 locales-all - Embedded GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - Embedded GNU C Library: Name Service Cache Daemon
Closes: 535504 602291 626370 630608 630699 631867 631907
Changes: 
 eglibc (2.13-8) unstable; urgency=low
 .
   [ Samuel Thibault ]
   * Add patches/hurd-i386/submitted-ldsodefs.h.diff to fix loading binaries
     with GNU/Hurd-specific extensions, disabled for now.
   * patches/hurd-i386/local-sendmsg-SCM_RIGHTS.diff: Do not call getauth(),
     use the __USEPORT() cache macro instead. This should fix zsh FTBFS with
     duplicate getproc() symbol.
 .
   [ Aurelien Jarno ]
   * Add patches/any/cvs-addmntent.diff to correctly report errors status in
     addmntent().  Closes: #630699 / CVE-2011-1089.
   * Add patches/any/cvs-resolv-different-nameserver.diff to try a different
     nameserver if the first one returns REFUSED.  Closes: #535504, #602291.
   * Update patches/svn-updates to revision 14337:
     - Remove any/cvs-glro_dl_debug_mask.diff (merged).
     - Remove i386/cvs-memmove-static.diff (merged).
   * debian/control: clean-up Uploaders: .
   * Add patches/any/cvs-fnmatch.diff to fix an integer overflow in
     fnmatch() (CVE-2011-1659).  Closes: #626370.
   * Add an entry to NEWS.Debian about multiarch and passing flags to the
     compiler on pre-multiarch toolchains.
   * Replace sparc/submitted-ifunc2.diff by upstream version
     any/cvs-ifunc.diff.
   * Fix patches/hppa/submitted-nptl-carlos.diff to correctly pass
     --as-needed and --no-as-needed to the linker.
   * Update breaks on pre-multiarch packages.  Closes: #631907.
   * libc.preinst: improve and simplify search for old libraries, detect
     broken LD_LIBRARY_PATH.  Closes: #630608.
   * libc.postrm: remove support code from Sarge.
   * rules.d/debhelper.mk: install bug files using dh_bugfiles.
 .
   [ Petr Salinger ]
   * kfreebsd/local-sysdeps.diff: update to revision 3501 (from glibc-bsd).
     to fix <bits/siginfo.h>.  Closes: #631867.
   * Drop kfreebsd/local-ftw.diff, needed only for pre 8.0 kernels.
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFODCODw3ao2vG823MRAkHSAJ9J3+NdWxk3OyGDIrOQMcV01abM1ACfSFHb
AC/xlIg+LMtsARE82kPmNiY=
=KiIW
-----END PGP SIGNATURE-----



--- End Message ---
