Debian Bug report logs - #58054
denial of service attack


Package: esound; Maintainer for esound is Josselin Mouette <joss@debian.org>;

Reported by: bam@snoopy.apana.org.au

Date: Mon, 14 Feb 2000 08:03:00 UTC

Severity: important

Found in version 0.2.16-5

Done: bma@debian.org (Brian M. Almeida)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#58054; Package esound.

Acknowledgement sent to bam@snoopy.apana.org.au:
New Bug report received and forwarded. Copy sent to bma@debian.org (Brian M. Almeida).

Message #5 received at submit@bugs.debian.org:

From: Brian May <bam@snoopy.apana.org.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: denial of service attack
Date: Mon, 14 Feb 2000 18:54:38 +1100

Package: esound
Version: 0.2.16-5
Severity: important

Hello,

right now all programs trying to use esound fail, with the
following error:

Unable to connect to UNIX socket /tmp/.esd/socket

but /tmp/.esd is not owned by me - it is owned by the last person
who logged in.

I was debating whether or not to make this grave, but don't
think it "introduces a security hole allowing access to the accounts
of users who use the package.".

However, I have marked it as important as other people can use this
as a denial of service attack, which in turn really slows down
certain programs, e.g. enlightenment and gnome-panel.

I think there are two problems:
1. /tmp/.esd wasn't deleted by log out from previous user.
2. that this can be used for denial of access attack.
3. Any user can claim /tmp/.esd and deny access to other users
(actually, I think X suffers the same problem here with /tmp/.X11-unix,
will report this to next).

-- System Information
Debian Release: 2.2
Architecture: i386
Kernel: Linux snoopy 2.2.14 #1 Sat Feb 12 07:49:10 EST 2000 i686

Versions of packages esound depends on:
ii  esound-common                 0.2.16-5   Enlightened Sound Daemon - Common 
ii  libaudiofile0                 0.1.9-0.1  The Audiofile Library             
ii  libc6                         2.1.3-2    GNU C Library: Shared libraries an
ii  libesd0                       0.2.16-5   Enlightened Sound Daemon - Shared 



Information forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#58054; Package esound.

Acknowledgement sent to Brian Almeida <bma@debian.org>:
Extra info received and forwarded to list. Copy sent to bma@debian.org (Brian M. Almeida).

Message #10 received at 58054@bugs.debian.org:

From: Brian Almeida <bma@debian.org>
To: bam@snoopy.apana.org.au, 58054@bugs.debian.org
Cc: gnome-devel-list@gnome.org
Subject: Bug#58054: esound: denial of service attack
Date: Mon, 14 Feb 2000 13:22:22 -0500

I agree with you that this is a serious problem.  However, I do not know
what the correct solution is to it.  I would say just remove it from
potato, but considering that all of gnome and enlightenment needs it that
is not acceptable.  I am open to suggestions on possible fixes.  It doesn't
help that esound is effectively orphaned upstream, the only work done on
it is maintenance by the gnome team. I'm Cc'ing it to them in the hopes
that they might have some ideas.
[note: I'm not on the gnome-devel list, so please Cc me on replies.]

On Mon, Feb 14, 2000 at 06:54:38PM +1100, Brian May wrote:
> Package: esound
> Version: 0.2.16-5
> Severity: important
> 
> Hello,
> 
> right now all programs trying to use esound fail, with the
> following error:
> 
> Unable to connect to UNIX socket /tmp/.esd/socket
> 
> but /tmp/.esd is not owned by me - it is owned by the last person
> who logged in.
> 
> I was debating whether or not to make this grave, but don't
> think it "introduces a security hole allowing access to the accounts
> of users who use the package.".
> 
> However, I have marked it as important as other people can use this
> as a denial of service attack, which in turn really slows down
> certain programs, e.g. enlightenment and gnome-panel.
> 
> I think there are two problems:
> 1. /tmp/.esd wasn't deleted by log out from previous user.
> 2. that this can be used for denial of access attack.
> 3. Any user can claim /tmp/.esd and deny access to other users
> (actually, I think X suffers the same problem here with /tmp/.X11-unix,
> will report this to next).
> 
> -- System Information
> Debian Release: 2.2
> Architecture: i386
> Kernel: Linux snoopy 2.2.14 #1 Sat Feb 12 07:49:10 EST 2000 i686
> 
> Versions of packages esound depends on:
> ii  esound-common                 0.2.16-5   Enlightened Sound Daemon - Common 
> ii  libaudiofile0                 0.1.9-0.1  The Audiofile Library             
> ii  libc6                         2.1.3-2    GNU C Library: Shared libraries an
> ii  libesd0                       0.2.16-5   Enlightened Sound Daemon - Shared 
> 

-- 
Brian M. Almeida
Linux Systems Engineer |  http://www.winstar.com | balmeida@winstar.com
Debian Developer       |  http://www.debian.org  | bma@debian.org
Scotty is smoking the dilithium crystals again, Jim 



Information forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#58054; Package esound.

Acknowledgement sent to Brian May <bam@snoopy.apana.org.au>:
Extra info received and forwarded to list. Copy sent to bma@debian.org (Brian M. Almeida).

Message #15 received at 58054@bugs.debian.org:

From: Brian May <bam@snoopy.apana.org.au>
To: Brian Almeida <bma@debian.org>
Cc: 58054@bugs.debian.org, gnome-devel-list@gnome.org
Subject: Re: Bug#58054: esound: denial of service attack
Date: 16 Feb 2000 09:32:03 +1100

>>>>> "Brian" == Brian Almeida <bma@debian.org> writes:

    Brian> I agree with you that this is a serious problem.  However,
    Brian> I do not know what the correct solution is to it.  I would
    Brian> say just remove it from potato, but considering that all of
    Brian> gnome and enlightenment needs it that is not acceptable.  I
    Brian> am open to suggestions on possible fixes.  It doesn't help
    Brian> that esound is effectively orphaned upstream, the only work
    Brian> done on it is maintenance by the gnome team. I'm Cc'ing it
    Brian> to them in the hopes that they might have some ideas.
    Brian> [note: I'm not on the gnome-devel list, so please Cc me on
    Brian> replies.]

I posted a similar message on debian-security. This is the response
I got (not sure I like it myself, but does solve part of the problem).

This doesn't prevent somebody creating/not-deleting a file/socket at
/tmp/.esd/socket though, denying others access.

>>>>> In article <20000214215115.A1840@llama.nslug.ns.ca>, Peter Cordes <peter@llama.nslug.ns.ca> writes:

[...]

    Peter>  Oh... even better idea: bootmisc.sh could check for the
    Peter> existence of /tmp/.X11-unix before cleaning out /tmp.  If
    Peter> it exists, then it is recreated with mode 1777

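# replacement for /tmp cleaner in bootmisc.sh

# remember which socket directories existed before the cleanup
# (shell variable names cannot contain '-', so use '_')
[ -d /tmp/.X11-unix ] && make_x=yes
[ -d /tmp/.esd ] && make_esd=yes

# clean dot files + other files in /tmp
# ('.' and '+' are escaped so egrep matches them literally)
cd /tmp && ls  | egrep -v '^quota\.(user|group)$|^lost\+found' |
xargs rm -rf .[^.]* 
# maybe we should stick with the find command used currently, but since it
# checks UID on the preserved files, and cleans out /tmp/lost+found.
# I like my version for efficiency, though :)  somebody check that egrep
# command if you decide to use it, though :)  (I haven't tried this script.)

# recreate the directories with the sticky bit set (mode 1777);
# absolute paths so a failed cd cannot create them elsewhere
[ "$make_x" = yes ] && mkdir --mode=1777 /tmp/.X11-unix
[ "$make_esd" = yes ] && mkdir --mode=1777 /tmp/.esd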

-- 
Brian May <bam@snoopy.apana.org.au>
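
Added example, not part of the original messages or of esound: a shell check for the two conditions discussed in this message, that /tmp/.esd has the expected owner and mode 1777, and that an existing /tmp/.esd/socket is not held by another account. The function name, its status strings and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared socket directory
# such as /tmp/.esd. Assumes GNU stat; the function name and the status
# strings it prints are made up for this illustration.
#
# usage: audit_socket_dir DIR DIR_UID USER_UID
#   DIR_UID  - account that should own DIR (0 under the boot-script idea)
#   USER_UID - account whose daemon should own DIR/socket
audit_socket_dir() {
    dir=$1; dir_uid=$2; user_uid=$3

    # Test for a symlink first: -d alone would follow it.
    if [ -L "$dir" ]; then echo "symlink"; return 1; fi
    if [ ! -d "$dir" ]; then echo "missing"; return 1; fi

    owner=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")

    # The reported failure: the directory belongs to whoever made it first.
    if [ "$owner" != "$dir_uid" ]; then echo "dir-owner:$owner"; return 1; fi

    # 1777 = world-writable plus sticky bit, so each user can create
    # entries but cannot remove or rename entries owned by someone else.
    if [ "$mode" != "1777" ]; then echo "dir-mode:$mode"; return 1; fi

    # The part mode 1777 does not solve: the fixed name "socket" may
    # already exist and belong to a different account.
    sock=$dir/socket
    if [ -e "$sock" ] || [ -L "$sock" ]; then
        sock_owner=$(stat -c %u "$sock")
        if [ "$sock_owner" != "$user_uid" ]; then
            echo "socket-owner:$sock_owner"; return 1
        fi
    fi
    echo "ok"
}

# Report on the real path for the current user; never aborts the caller.
audit_socket_dir /tmp/.esd 0 "$(id -u)" || true
```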


Information forwarded to debian-bugs-dist@lists.debian.org, bma@debian.org (Brian M. Almeida):
Bug#58054; Package esound.

Acknowledgement sent to Brian Almeida <bma@debian.org>:
Extra info received and forwarded to list. Copy sent to bma@debian.org (Brian M. Almeida).

Message #20 received at 58054@bugs.debian.org:

From: Brian Almeida <bma@debian.org>
To: Brian May <bam@snoopy.apana.org.au>
Cc: 58054@bugs.debian.org
Subject: Re: Bug#58054: esound: denial of service attack
Date: Tue, 15 Feb 2000 18:12:53 -0500

On Wed, Feb 16, 2000 at 09:32:03AM +1100, Brian May wrote:
> I posted a similar message on debian-security. This is the response
> I got (not sure I like it myself, but does solve part of the problem).
> 
> This doesn't prevent somebody creating/not-deleting a file/socket at
> /tmp/.esd/socket though, denying others access.
I know.   I don't see a way around this without a major design change in
esound, though..

-- 
Brian M. Almeida
Linux Systems Engineer |  http://www.winstar.com | balmeida@winstar.com
Debian Developer       |  http://www.debian.org  | bma@debian.org
Microsoft Windows:  Proof that P.T. Barnum was correct



Reply sent to bma@debian.org (Brian M. Almeida):
You have taken responsibility.

Notification sent to bam@snoopy.apana.org.au:
Bug acknowledged by developer.

Message #25 received at 58054-close@bugs.debian.org:

From: bma@debian.org (Brian M. Almeida)
To: 58054-close@bugs.debian.org
Subject: Bug#58054: fixed in esound 0.2.17-2
Date: 17 Feb 2000 10:16:46 -0000

We believe that the bug you reported is fixed in the latest version of
esound, which has been installed in the Debian FTP archive:
esound-alsa_0.2.17-2_i386.deb
  to dists/potato/main/binary-i386/sound/esound-alsa_0.2.17-2.deb
  replacing esound-alsa_0.2.17-1.deb
esound-alsa_0.2.17-2_i386.deb
  to dists/woody/main/binary-i386/sound/esound-alsa_0.2.17-2.deb
  replacing esound-alsa_0.2.17-1.deb
libesd-alsa0-dev_0.2.17-2_i386.deb
  to dists/potato/main/binary-i386/devel/libesd-alsa0-dev_0.2.17-2.deb
  replacing libesd-alsa0-dev_0.2.17-1.deb
libesd-alsa0-dev_0.2.17-2_i386.deb
  to dists/woody/main/binary-i386/devel/libesd-alsa0-dev_0.2.17-2.deb
  replacing libesd-alsa0-dev_0.2.17-1.deb
esound_0.2.17-2_i386.deb
  to dists/potato/main/binary-i386/sound/esound_0.2.17-2.deb
  replacing esound_0.2.17-1.deb
esound_0.2.17-2_i386.deb
  to dists/woody/main/binary-i386/sound/esound_0.2.17-2.deb
  replacing esound_0.2.17-1.deb
libesd0-dev_0.2.17-2_i386.deb
  to dists/potato/main/binary-i386/devel/libesd0-dev_0.2.17-2.deb
  replacing libesd0-dev_0.2.17-1.deb
libesd0-dev_0.2.17-2_i386.deb
  to dists/woody/main/binary-i386/devel/libesd0-dev_0.2.17-2.deb
  replacing libesd0-dev_0.2.17-1.deb
libesd-alsa0_0.2.17-2_i386.deb
  to dists/potato/main/binary-i386/libs/libesd-alsa0_0.2.17-2.deb
  replacing libesd-alsa0_0.2.17-1.deb
libesd-alsa0_0.2.17-2_i386.deb
  to dists/woody/main/binary-i386/libs/libesd-alsa0_0.2.17-2.deb
  replacing libesd-alsa0_0.2.17-1.deb
esound_0.2.17-2.diff.gz
  to dists/potato/main/source/sound/esound_0.2.17-2.diff.gz
  replacing esound_0.2.17-1.diff.gz
esound_0.2.17-2.diff.gz
  to dists/woody/main/source/sound/esound_0.2.17-2.diff.gz
  replacing esound_0.2.17-1.diff.gz
esound-common_0.2.17-2_all.deb
  to dists/potato/main/binary-all/sound/esound-common_0.2.17-2.deb
  replacing esound-common_0.2.17-1.deb
esound-common_0.2.17-2_all.deb
  to dists/woody/main/binary-all/sound/esound-common_0.2.17-2.deb
  replacing esound-common_0.2.17-1.deb
libesd0_0.2.17-2_i386.deb
  to dists/potato/main/binary-i386/libs/libesd0_0.2.17-2.deb
  replacing libesd0_0.2.17-1.deb
libesd0_0.2.17-2_i386.deb
  to dists/woody/main/binary-i386/libs/libesd0_0.2.17-2.deb
  replacing libesd0_0.2.17-1.deb
esound_0.2.17-2.dsc
  to dists/potato/main/source/sound/esound_0.2.17-2.dsc
  replacing esound_0.2.17-1.dsc
esound_0.2.17-2.dsc
  to dists/woody/main/source/sound/esound_0.2.17-2.dsc
  replacing esound_0.2.17-1.dsc

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 58054@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian M. Almeida <bma@debian.org> (supplier of updated esound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.6
Date: Wed, 16 Feb 2000 16:14:33 -0500
Source: esound
Binary: libesd-alsa0-dev esound libesd0-dev libesd-alsa0 libesd0 esound-alsa esound-common
Architecture: source i386 all
Version: 0.2.17-2
Distribution: frozen unstable
Urgency: medium
Maintainer: Brian M. Almeida <bma@debian.org>
Description: 
 esound     - Enlightened Sound Daemon - Support binaries
 esound-alsa - Enlightened Sound Daemon (ALSA) - Support binaries
 esound-common - Enlightened Sound Daemon - Common files
 libesd-alsa0 - Enlightened Sound Daemon (ALSA) - Shared libraries
 libesd-alsa0-dev - Enlightened Sound Daemon (ALSA) - Development files (libc6)
 libesd0    - Enlightened Sound Daemon - Shared libraries
 libesd0-dev - Enlightened Sound Daemon - Development files (libc6)
Closes: 58054
Changes: 
 esound (0.2.17-2) frozen unstable; urgency=medium
 .
   * Security fix, needs to go into potato
   * Change esd to use TCP/IP and turn off UNIX domain sockets, closes: #58054





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:10:33 2014; Machine Name: buxtehude.debian.org
