Debian Bug report logs - #270359
net-acct: Local security hole as reported by upstream package author

version graph

Package: net-acct; Maintainer for net-acct is Stéphane Glondu <glondu@debian.org>; Source for net-acct is src:net-acct.

Reported by: Filip Sneppe <filip.sneppe@cronos.be>

Date: Mon, 6 Sep 2004 23:48:05 UTC

Severity: grave

Tags: security

Found in version 0.71-5

Fixed in version net-acct/0.71-7

Done: Bernd Eckenfels <be-mail2004@lina.inka.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Filip Sneppe <filip.sneppe@cronos.be>:
New Bug report received and forwarded. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Filip Sneppe <filip.sneppe@cronos.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: net-acct: Local security hole as reported by upstream package author
Date: Tue, 07 Sep 2004 01:41:33 +0200
Package: net-acct
Version: 0.71-5
Severity: normal
Tags: security

The upstream web page http://exorsus.net/projects/net-acct/ states as of september 2, 2004:

---snip---
SECURITY: Stefan Nordhausen has identified a local security hole in net-acct (all versions). 
It appears to be some redundant code from some time way back in the past although I'm not 
entirely sure. I have removed the code, since it doesn't actually appear to do anything other 
than create and delete a file that is referenced nowhere else. Use the patch at your own risk, 
until I've had some feedback telling me it works.
---snip---

If Debian ships the standard version of this package, Woody and Sarge are vulnerable...

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-mppe
Locale: LANG=C, LC_CTYPE=C

Versions of packages net-acct depends on:
ii  cron                        3.0pl1-86    management of regular background p
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an

-- no debconf information



Severity set to `grave'. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Bernd Eckenfels <be-mail2004@lina.inka.de>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #12 received at 270359@bugs.debian.org (full text, mbox):

From: Bernd Eckenfels <be-mail2004@lina.inka.de>
To: control@bugs.debian.org
Cc: 125176@bugs.debian.org, 270359@bugs.debian.org, 226655@bugs.debian.org, 162664@bugs.debian.org
Subject: fix uploaded
Date: Tue, 7 Sep 2004 08:19:12 +0200
tag 270359 pending
thanks

Hello,

I have uploaded to anonymous, hopefully  it gets procsessed:

u net-acct_0.71-6.diff.gz ftp-master.debian.org Tue Sep  7 08:07:56 2004
u net-acct_0.71-6.dsc ftp-master.debian.org Tue Sep  7 08:07:56 2004
u net-acct_0.71-6_i386.deb ftp-master.debian.org Tue Sep  7 08:08:01 2004
u net-acct_0.71-6_i386.changes ftp-master.debian.org Tue Sep  7 08:08:02 2004
s net-acct_0.71-6_i386.changes ftp-master.debian.org Tue Sep  7 08:08:02 2004


net-acct (0.71-6) unstable; urgency=high

  * spelling fix (Closes Bug: #125176)
  * SECURITY: fixed insecure temp file creation/deletion reported
    by Stefan Nordhausen. This is net-acct-notempfiles.patch from
    Sep 2 2004 (Closes: Bug #270359) (simply remove the code)
  * include stdlib.h to declare strdup (Closes: Bug #226655) (not critical
    since the compiled object was not used)
  * removed compiler warning (undefined integer variable in capture-linux.c)
  * bumped standards version from 3.5.6 to 3.6.1 (no /usr/doc link)
  * fixed path to interpreter in sample (Closes: Bug #162664)
  * fixed endianess problem in protocol type detection.
  * fixed copyright-should-refer-to-common-license-file-for-gpl

 -- Bernd Eckenfels <ecki@debian.org>  Tue, 07 Sep 2004 07:31:22 +0200

this  is a quick note to let you know i go to bed now .)

Bernd



Tags added: pending Request was from Bernd Eckenfels <be-mail2004@lina.inka.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Bernd Eckenfels <be-mail2004@lina.inka.de>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #19 received at 270359@bugs.debian.org (full text, mbox):

From: Bernd Eckenfels <be-mail2004@lina.inka.de>
To: Richard <richard@redspider.co.nz>, security-team@debian.org, 270359@bugs.debian.org
Subject: Re: net-acct security note
Date: Tue, 7 Sep 2004 08:35:43 +0200
[Message part 1 (text/plain, inline)]
Hello,

this patch is applied to 0.71-7, and hopefully it will get through the
upload process (on uk/UploadQueue) 

(I realy need to figure out my PGP  Key expiration, ssh
logins and upload quueue access stuff :)

Greetings
Bernd

On Thu, Sep 02, 2004 at 11:40:11AM +1200, Richard wrote:
> Just a note, I've put a patch up on http://exorsus.net/projects/net-acct/
> which should resolve a security issue relating to insecure creation of temporary
> files within net-acct. I haven't got anyone who can test the patch yet but once
> it's done I'll let you know so you can patch up the deb package?
> 
> -- 
> Richard Clark,
> Analysis and Design,
> Red Spider Ltd.
> (+64) 021 478 219
> 

-- 
  (OO)      -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )      ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o     1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+497211606754
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #24 received at 270359@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Bernd Eckenfels <be-mail2004@lina.inka.de>
Cc: Richard <richard@redspider.co.nz>, Debian Security Team <team@security.debian.org>, 270359@bugs.debian.org
Subject: Re: net-acct security note
Date: Sun, 12 Sep 2004 17:30:56 +0200
Bernd Eckenfels wrote:
> Hello,
> 
> this patch is applied to 0.71-7, and hopefully it will get through the
> upload process (on uk/UploadQueue) 
> 
> (I realy need to figure out my PGP  Key expiration, ssh
> logins and upload quueue access stuff :)

FWIW, the new version didn't end up in sid.

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #29 received at 270359@bugs.debian.org (full text, mbox):

From: Andreas Barth <aba@not.so.argh.org>
To: Martin Schulze <joey@infodrom.org>, 270359@bugs.debian.org
Cc: Bernd Eckenfels <be-mail2004@lina.inka.de>, Richard <richard@redspider.co.nz>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#270359: net-acct security note
Date: Sun, 12 Sep 2004 18:42:18 +0200
* Martin Schulze (joey@infodrom.org) [040912 17:55]:
> Bernd Eckenfels wrote:
> > this patch is applied to 0.71-7, and hopefully it will get through the
> > upload process (on uk/UploadQueue) 
> > 
> > (I realy need to figure out my PGP  Key expiration, ssh
> > logins and upload quueue access stuff :)

> FWIW, the new version didn't end up in sid.

AFAIK, the uk-UploadQueue is still down. Please see the developers
reference on
http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload
for details.



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Bernd Eckenfels <be-mail2004@lina.inka.de>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #34 received at 270359@bugs.debian.org (full text, mbox):

From: Bernd Eckenfels <be-mail2004@lina.inka.de>
To: Andreas Barth <aba@not.so.argh.org>, 270359@bugs.debian.org
Subject: Re: Bug#270359: net-acct security note
Date: Mon, 13 Sep 2004 04:33:56 +0200
On Sun, Sep 12, 2004 at 06:42:18PM +0200, Andreas Barth wrote:
> AFAIK, the uk-UploadQueue is still down.

Yes, I tried others to.

> Please see the developers
> reference on
> http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload
> for details.

This is totally  outdated, but thanks for the link.

The problem I have is somewhat related to the fact that my old RSA Key which
I used to sign is not known anymore. I just reuploaded to
anonymous-ftp-master, we will see.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )      ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o     1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+497211606754
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #39 received at 270359@bugs.debian.org (full text, mbox):

From: Andreas Barth <aba@not.so.argh.org>
To: Bernd Eckenfels <be-mail2004@lina.inka.de>
Cc: 270359@bugs.debian.org
Subject: Re: Bug#270359: net-acct security note
Date: Mon, 13 Sep 2004 10:54:36 +0200
* Bernd Eckenfels (be-mail2004@lina.inka.de) [040913 04:55]:
> On Sun, Sep 12, 2004 at 06:42:18PM +0200, Andreas Barth wrote:
> > Please see the developers
> > reference on
> > http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload
> > for details.
> 
> This is totally  outdated, but thanks for the link.

This information should all be uptodate, as I updated it not too long
ago. So, if there is anything wrong, please tell me.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #44 received at 270359@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 270359@bugs.debian.org
Subject: Re: Bug#270359: net-acct security note
Date: Mon, 13 Sep 2004 23:12:10 +0200
Andreas Barth wrote:
> * Martin Schulze (joey@infodrom.org) [040912 17:55]:
> > Bernd Eckenfels wrote:
> > > this patch is applied to 0.71-7, and hopefully it will get through the
> > > upload process (on uk/UploadQueue) 
> > > 
> > > (I realy need to figure out my PGP  Key expiration, ssh
> > > logins and upload quueue access stuff :)
> 
> > FWIW, the new version didn't end up in sid.
> 
> AFAIK, the uk-UploadQueue is still down. Please see the developers
> reference on
> http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload
> for details.

This issue has been assigned CAN-2004-0851.

Regards,

	Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#270359; Package net-acct. Full text and rfc822 format available.

Acknowledgement sent to Bernd Eckenfels <be-mail2004@lina.inka.de>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #49 received at 270359@bugs.debian.org (full text, mbox):

From: Bernd Eckenfels <be-mail2004@lina.inka.de>
To: Andreas Barth <aba@not.so.argh.org>, 270359@bugs.debian.org
Cc: Bernd Eckenfels <be-mail2004@lina.inka.de>
Subject: Re: Bug#270359: net-acct security note
Date: Tue, 14 Sep 2004 10:34:16 +0200
On Mon, Sep 13, 2004 at 10:54:36AM +0200, Andreas Barth wrote:
> * Bernd Eckenfels (be-mail2004@lina.inka.de) [040913 04:55]:
> > On Sun, Sep 12, 2004 at 06:42:18PM +0200, Andreas Barth wrote:
> > > Please see the developers
> > > reference on
> > > http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload
> > > for details.
> > 
> > This is totally  outdated, but thanks for the link.
> 
> This information should all be uptodate, as I updated it not too long
> ago. So, if there is anything wrong, please tell me.

it still contains non-us crypto regulation.

BTW:  should i file bug reports against dupload because the list of queues
is not up to date?

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )      ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o     1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+497211606754
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!



Reply sent to Bernd Eckenfels <be-mail2004@lina.inka.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Filip Sneppe <filip.sneppe@cronos.be>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #54 received at 270359-done@bugs.debian.org (full text, mbox):

From: Bernd Eckenfels <be-mail2004@lina.inka.de>
To: 125176-done@bugs.debian.org, 270359-done@bugs.debian.org, 226655--done@bugs.debian.org, 162664-done@bugs.debian.org
Subject: fixed in 0.71-6
Date: Tue, 14 Sep 2004 10:38:28 +0200
Hello,

the bug you have reported is fixed in the 0.71-6 verion, 0.71-7 is the
current accepted version in unstable:

net-acct (0.71-7) unstable; urgency=high

  * reupload for faster processing (resigned with correct GPG key)

 -- Bernd Eckenfels <ecki@debian.org>  Tue, 07 Sep 2004 08:29:22 +0200

net-acct (0.71-6) unstable; urgency=high

  * spelling fix (Closes Bug: #125176)
  * SECURITY: fixed insecure temp file creation/deletion reported
    by Stefan Nordhausen. This is net-acct-notempfiles.patch from
    Sep 2 2004 (Closes: Bug #270359) (simply remove the code)
  * include stdlib.h to declare strdup (Closes: Bug #226655) (not critical
    since the compiled object was not used)
  * removed compiler warning (undefined integer variable in capture-linux.c)
  * bumped standards version from 3.5.6 to 3.6.1 (no /usr/doc link)
  * fixed path to interpreter in sample (Closes: Bug #162664)
  * fixed endianess problem in protocol type detection.
  * fixed copyright-should-refer-to-common-license-file-for-gpl

 -- Bernd Eckenfels <ecki@debian.org>  Tue, 07 Sep 2004 07:31:22 +0200

-- 
  (OO)      -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )      ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o     1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+497211606754
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 13:21:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.