Debian Bug report logs - #226103
CAN-2003-0848: heap overflow in slocate

Package: slocate; Maintainer for slocate is (unknown);

Reported by: Matt Zimmerman <mdz@debian.org>

Date: Sun, 4 Jan 2004 13:18:02 UTC

Severity: grave

Tags: patch, security

Found in version 2.7-2

Fixed in version slocate/2.7-3

Done: Kevin Lindsay <klindsay@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
New Bug report received and forwarded. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2003-0848: heap overflow in slocate
Date: Sun, 4 Jan 2004 01:24:25 -0800
Package: slocate
Version: 2.7-2
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848
http://www.ebitech.sk/patrik/SA/SA-20031006.txt
http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt

The strange thing is, this advisory claims that slocate 2.7 is not
vulnerable.  However, I see no changelog entries, nor actual code changes,
to indicate that this bug has been fixed.  Neither the advisory's suggested
change, nor any other that I can see which would affect this bug, has been
made.  So, I currently have little confidence that this bug is actually
fixed in 2.7.  Furthermore, we ship slocate 2.6 in woody, which would seem
to be certainly affected by this bug.

Any additional information or assistance that you can provide would be
appreciated.  See:

http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security

for some guidelines.

-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-deb5-evms2.1.1-skas3-1 #1 Mon Dec 22 14:08:31 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages slocate depends on:
ii  adduser                     3.51         Add and remove users and groups
ii  dpkg                        1.10.18      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an

-- no debconf information


-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #10 received at 226103@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 226103@bugs.debian.org
Subject: Re: CAN-2003-0848: heap overflow in slocate
Date: Mon, 05 Jan 2004 01:34:00 +0100
This bug seems to be similar to CVE-2001-0066, reported 2000-12-17 in
DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.

Perhaps there are more problems with the database handling in slocate?



Reply sent to Kevin Lindsay <klindsay@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 226103-done@bugs.debian.org (full text, mbox):

From: Kevin Lindsay <klindsay@debian.org>
To: 226103-done@bugs.debian.org
Subject: Bug#226103: CAN-2003-0848: heap overflow in slocate
Date: Sun, 4 Jan 2004 18:07:33 -0800
[Message part 1 (text/plain, inline)]
This bug was the same as CAN-2003-0056 which was fixed in 2.6-1.3.1 in woody
and 2.7-1 in unstable/testing.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056

There never was a bug report assigned to the package since it was found and
fixed quickly.

If there is a way to cause a heap overflow in these versions please let me
know, until then I know it to be safe.

---------------------------------------------------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id:      746C51F4
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #20 received at 226103@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 226103@bugs.debian.org
Subject: Re: Bug#226103 acknowledged by developer (Bug#226103: CAN-2003-0848: heap overflow in slocate)
Date: Sun, 4 Jan 2004 23:38:01 -0800
reopen 226103
thanks

On Sun, Jan 04, 2004 at 09:49:00PM -0600, Debian Bug Tracking System wrote:

> This bug was the same as CAN-2003-0056 which was fixed in 2.6-1.3.1 in woody
> and 2.7-1 in unstable/testing.
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056
> 
> There never was a bug report assigned to the package since it was found and
> fixed quickly.

No, this is not the same bug.  CAN-2003-0056 is about a buffer overflow
caused by a long command line argument.  CAN-2003-0848 is about an overflow
caused by the contents of a user-supplied database.

-- 
 - mdz



Bug reopened, originator not changed. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #27 received at 226103@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>, 226103@bugs.debian.org
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate
Date: Wed, 7 Jan 2004 11:04:22 -0800
On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:

> This bug seems to be similar to CVE-2001-0066, reported 2000-12-17 in
> DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
> 
> Perhaps there are more problems with the database handling in slocate?

Probably.  I think that it is not a good idea for slocate to read and
interpret a user-supplied database while running with setgid privileges.
Since slocate indexes all files on the system, I don't see why this should
be needed either.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Kevin Lindsay <klindsay@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #32 received at 226103@bugs.debian.org (full text, mbox):

From: Kevin Lindsay <klindsay@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 226103@bugs.debian.org
Cc: Petter Reinholdtsen <pere@hungry.com>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate
Date: Wed, 7 Jan 2004 12:56:53 -0800
On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:

> On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
> 
> > This bug seems to be similar to CVE-2001-0066, reported 2000-12-17 in
> > DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
> > 
> > Perhaps there are more problems with the database handling in slocate?
> 
> Probably.  I think that it is not a good idea for slocate to read and
> interpret a user-supplied database while running with setgid privileges.
> Since slocate indexes all files on the system, I don't see why this should
> be needed either.

I agree. I took a more careful look at the advisory and I will be doing an
audit on the necessary code. User defined databases were requested to handle
lookups on remote file systems which had their own databases. I think a
good plan would be to drop privileges when searching databases which do not
have the 'slocate' group assigned. Let me know if I'm missing anything.

Kevin-

---------------------------------------------------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id:      746C51F4



Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #37 received at 226103@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Kevin Lindsay <klindsay@debian.org>
Cc: 226103@bugs.debian.org, Petter Reinholdtsen <pere@hungry.com>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate
Date: Wed, 7 Jan 2004 13:20:18 -0800
On Wed, Jan 07, 2004 at 12:56:53PM -0800, Kevin Lindsay wrote:

> On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:
> 
> > On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
> > 
> > > This bug seems to be similar to CVE-2001-0066, reported 2000-12-17 in
> > > DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
> > > 
> > > Perhaps there are more problems with the database handling in slocate?
> > 
> > Probably.  I think that it is not a good idea for slocate to read and
> > interpret a user-supplied database while running with setgid privileges.
> > Since slocate indexes all files on the system, I don't see why this should
> > be needed either.
> 
> I agree. I took a more careful look at the advisory and I will be doing an
> audit on the necessary code. User defined databases were requested to handle
> lookups on remote file systems which had their own databases. I think a
> good plan would be to drop privileges when searching databases which do not
> have the 'slocate' group assigned. Let me know if I'm missing anything.

Ah, that makes sense.  In that case, yes, it would be ideal if slocate
could:

1. Read the system slocate database

2. Drop privileges irrevocably

3. Read the user-supplied database and continue

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #42 received at 226103@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 226103@bugs.debian.org
Subject: Status?
Date: Sun, 18 Jan 2004 13:28:06 -0800
Have you had a chance to look into this bug further?  If it is not feasible
to implement relinquishing privileges, we need to at least fix the overflow.

-- 
 - mdz



Tags added: fixed Request was from Kevin Lindsay <klindsay@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #51 received at 226103@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 226103@bugs.debian.org, control@bugs.debian.org
Subject: not fixed in unstable
Date: Mon, 9 Aug 2004 22:11:14 -0300
[Message part 1 (text/plain, inline)]
tag 226103 - fixed
thanks

This bug was tagged fixed with an upload to "stable-security", whatever
that is. Since I can see no evidence of 2.6-1.3.2 in the archive, I
assume it was rejected or fell into a black hole. However, I see no
indication that CAN-2003-0848 is fixed in unstable. As noted at the top
of the bug, 2.7 is probably vulnerable. The sgid dropping should
certainly be forward ported from 2.6-1.3.2.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Tags removed: fixed Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Lindsay <klindsay@debian.org>:
Bug#226103; Package slocate. Full text and rfc822 format available.

Acknowledgement sent to Florian Ernst <florian@uni-hd.de>:
Extra info received and forwarded to list. Copy sent to Kevin Lindsay <klindsay@debian.org>. Full text and rfc822 format available.

Message #58 received at 226103@bugs.debian.org (full text, mbox):

From: Florian Ernst <florian@uni-hd.de>
To: 226103@bugs.debian.org
Subject: Re: not fixed in unstable
Date: Fri, 20 Aug 2004 22:42:12 +0200
[Message part 1 (text/plain, inline)]
package slocate
tags 226103 patch
thanks

On Mon, 9 Aug 2004 22:11:14 -0300, Joey Hess wrote:
> However, I see no
> indication that CAN-2003-0848 is fixed in unstable. As noted at the top
> of the bug, 2.7 is probably vulnerable. The sgid dropping should
> certainly be forward ported from 2.6-1.3.2.

Forward porting the patch is easy: it applies cleanly (just some
offset), except for the debian/changelog part. I don't know whether
this patch will be sufficient for v2.7, though, but I'd assume so, as
the attached patch and the diff between v2.6 and v2.7 don't seem to
intersect...
Find attached the patch from DSA-428-1 (diff between v2.6-1.3.1 and
v2.6-1.3.2)

Cheers,
Flo


PS: Please lart me if I went too far in tagging this bug "patch".
[DSA-428-1.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Florian Ernst <florian@uni-hd.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Kevin Lindsay <klindsay@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #65 received at 226103-close@bugs.debian.org (full text, mbox):

From: Kevin Lindsay <klindsay@debian.org>
To: 226103-close@bugs.debian.org
Subject: Bug#226103: fixed in slocate 2.7-3
Date: Tue, 07 Sep 2004 02:32:03 -0400
Source: slocate
Source-Version: 2.7-3

We believe that the bug you reported is fixed in the latest version of
slocate, which is due to be installed in the Debian FTP archive:

slocate_2.7-3.dsc
  to pool/main/s/slocate/slocate_2.7-3.dsc
slocate_2.7-3.tar.gz
  to pool/main/s/slocate/slocate_2.7-3.tar.gz
slocate_2.7-3_i386.deb
  to pool/main/s/slocate/slocate_2.7-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 226103@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Lindsay <klindsay@debian.org> (supplier of updated slocate package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  7 Sep 2004 03:20:42 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.7-3
Distribution: unstable
Urgency: high
Maintainer: Kevin Lindsay <klindsay@debian.org>
Changed-By: Kevin Lindsay <klindsay@debian.org>
Description: 
 slocate    - A secure replacement of findutils' locate
Closes: 226103 234563
Changes: 
 slocate (2.7-3) unstable; urgency=high
 .
   * 'slocate' sgid privileges are now dropped when searching databases that
      are not a part of the 'slocate' group. This will prevent malicious
      user-supplied databases from elevating user access to the 'slocate'
      group. See CAN-2003-0848, (closes: #226103)
   * Changed diversion /etc/cron.daily.find.notslocate to
     /etc/cron.daily/find.notslocate (closes: #234563)
   * I also made the database creation feature drop privileges so that the
     SGID binary can't chown the group of the database to 'slocate' unless
     the user has explicit access.
   * Added a patch which caused LOCATE_PATH to be ignored when '-d' was used,
     and vice versa. This also fixed an off by 1 overflow bug.
Files: 
 2223bfb26ade197154ce17f424e84743 482 utils optional slocate_2.7-3.dsc
 b5b1997b35abbd56db737bca8f54a174 101576 utils optional slocate_2.7-3.tar.gz
 c95e2195a2da8660f935bf4485ebcce6 26896 utils optional slocate_2.7-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBPUSUUZpV8HRsUfQRAp8GAJkByTZwF+XRVrcYtoMC9bp1crRVTACg2ql3
RoAH22JMDBQeYXJqIEx0SD0=
=prVz
-----END PGP SIGNATURE-----
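
The read/drop/read sequence Matt lays out in message #37 and the privilege drop described in the 2.7-3 changelog above, as an added example: this is neither slocate's code nor the Debian patch. It assumes Linux/glibc (setresgid, getresgid, getline), uses a constructed one-path-per-line database format rather than slocate's real one, and takes the group of a constructed "system" database as a stand-in for the 'slocate' group. The names db_is_trusted, drop_sgid_irrevocably, search_databases, write_db and demo are chosen here, and the "not group- or world-writable" test is an extra check beyond the changelog's group-membership rule.

```c
/* Added example, not slocate's or the Debian patch's code.  Assumes
 * Linux/glibc and a constructed one-path-per-line database format. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct search_result { long matches; int read_privileged; int dropped; };

/* A database may be parsed while still holding the sgid group only if it is
 * a regular file owned by the trusted group (Debian's 'slocate' group) and
 * not group- or world-writable, so no ordinary user could have crafted it.
 * The writability test is an addition of this example. */
int db_is_trusted(const struct stat *st, gid_t trusted_gid)
{
    return S_ISREG(st->st_mode) && st->st_gid == trusted_gid
        && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Give the sgid group up for good.  For a non-root process on Linux setgid()
 * changes only the effective gid and leaves the saved gid, so the group could
 * be regained later; setresgid() clears all three.  Verify the result and, if
 * a different group was held, prove that it can no longer be reacquired. */
int drop_sgid_irrevocably(void)
{
    gid_t rgid = getgid(), old_egid = getegid(), r, e, s;
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (getresgid(&r, &e, &s) != 0 || r != rgid || e != rgid || s != rgid) return -1;
    if (old_egid != rgid && setegid(old_egid) == 0) return -1; /* must fail */
    return 0;
}

/* Count lines of an open database containing pattern, then close it.  getline()
 * grows its buffer to fit the input, so an over-long entry in a hostile
 * database cannot overrun a fixed-size heap buffer. */
static long count_matches(int fd, const char *pattern)
{
    FILE *f = fdopen(fd, "r");
    char *line = NULL; size_t cap = 0; long n = 0;
    if (!f) { close(fd); return -1; }
    while (getline(&line, &cap, f) != -1)
        if (strstr(line, pattern)) n++;
    free(line);
    fclose(f);
    return n;
}

/* Search databases in the given order.  Each file is opened first and judged
 * by fstat() on that descriptor, so the file checked is the file read.  The
 * first untrusted database triggers the drop; every database after it is read
 * without the group, trusted or not.  With the system database listed first
 * this is the read/drop/read sequence from the thread.  A failed drop is
 * fatal: matches is set to -1 and the caller must not continue. */
struct search_result search_databases(const char *const *paths, size_t n,
                                      const char *pattern, gid_t trusted_gid)
{
    struct search_result res = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        struct stat st;
        int fd = open(paths[i], O_RDONLY | O_CLOEXEC);
        if (fd < 0 || fstat(fd, &st) != 0) { if (fd >= 0) close(fd); res.matches = -1; return res; }
        if (!res.dropped && !db_is_trusted(&st, trusted_gid)) {
            if (drop_sgid_irrevocably() != 0) { close(fd); res.matches = -1; return res; }
            res.dropped = 1;
        }
        if (!res.dropped) res.read_privileged++;
        long m = count_matches(fd, pattern);
        if (m < 0) { res.matches = -1; return res; }
        res.matches += m;
    }
    return res;
}

/* Constructed demo: a 'system' database (mode 0600) whose group stands in for
 * the slocate group, and a 'user' database made group-writable so that it is
 * classified untrusted.  user_db_first reverses the order to show the drop
 * then happening before the system database is read. */
static int write_db(char *path_template, const char *body, mode_t extra_mode)
{
    int fd = mkstemp(path_template);
    size_t len = strlen(body);
    if (fd < 0) return -1;
    if (write(fd, body, len) != (ssize_t)len || fchmod(fd, 0600 | extra_mode) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

struct search_result demo(const char *pattern, int user_db_first)
{
    char sys_db[] = "/tmp/sysdb.XXXXXX", usr_db[] = "/tmp/usrdb.XXXXXX";
    const char *order[2];
    struct stat st;
    struct search_result res = {-1, 0, 0};
    if (write_db(sys_db, "/etc/passwd\n/usr/bin/locate\n/home/alice/notes.txt\n", 0) != 0)
        return res;
    if (write_db(usr_db, "/mnt/remote/passwd.bak\n/mnt/remote/bin/locate\n", S_IWGRP) != 0
        || stat(sys_db, &st) != 0) {
        unlink(sys_db); unlink(usr_db);
        return res;
    }
    order[0] = user_db_first ? usr_db : sys_db;
    order[1] = user_db_first ? sys_db : usr_db;
    res = search_databases(order, 2, pattern, st.st_gid);
    unlink(sys_db); unlink(usr_db);
    return res;
}

int main(void)
{
    struct search_result r = demo("passwd", 0);
    printf("matches=%ld read_privileged=%d dropped=%d\n",
           r.matches, r.read_privileged, r.dropped);
    return r.matches < 0;
}
```

Two points the thread makes are visible here. The drop is irrevocable because all three gids are changed and the old group is then proved unrecoverable, so a crafted database parsed after the drop can at worst corrupt an unprivileged process. And ordering matters: if a user-supplied database (via -d or LOCATE_PATH) is listed before the system one, the group is dropped first and the system database, which is normally readable only by the 'slocate' group, would then be unreadable; listing the system database first is what makes the sequence both safe and useful.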






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:28:12 2014; Machine Name: buxtehude.debian.org
