Debian Bug report logs - #287889
renattach: --pipe security weakness


Package: renattach; Maintainer for renattach is Mats Rynge <mats@rynge.net>; Source for renattach is src:renattach.

Reported by: Mats Rynge <mats@rynge.net>

Date: Thu, 30 Dec 2004 20:03:02 UTC

Severity: grave

Found in version 1.2.2-1

Done: Mats Rynge <mats@rynge.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#287889; Package renattach.

Acknowledgement sent to Mats Rynge <mats@rynge.net>:
New Bug report received and forwarded.

Message #5 received at submit@bugs.debian.org:

From: Mats Rynge <mats@rynge.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: renattach: --pipe security weakness
Date: Thu, 30 Dec 2004 11:45:04 -0800
Package: renattach
Version: 1.2.2-1
Severity: normal


From http://www.pc-tools.net/unix/renattach/2004-10-03.txt

EXECUTIVE SUMMARY
    A security weakness exists in renattach 1.2.0 and 1.2.1, although
    there DOES NOT appear to be a practical way to exploit the code for
    remote access, arbitrary execution, or other immediate damage. The
    weakness only applies to the --pipe facility. The problem has been
    fixed in beta version 1.2.1e (soon to become 1.2.2 release). Sites
    testing 1.2.1e should read the new instructions for --pipe, below.
    Your feedback on the 1.2.1e build is requested, as we prepare 1.2.2.

DESCRIPTION OF PROBLEM

    renattach 1.2.0 and 1.2.1 used the popen() function in order to provide
    the --pipe facility, to send output to an external command. Internally,
    popen() used sh which introduces shell manipulation risks. renattach
    removes dangerous shell characters from the command line to reduce this
    risk, but execution via shell is still inherently risky. Note that the
    author has not been informed of any actual exploit or demonstration of an
    attack that could lead to remote access. Immediate risk appears to be low.


To fix this, I'm preparing 1.2.2 for upload.



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages renattach depends on:
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  postfix [mail-transport-age 2.1.4-5      A high-performance mail transport 

-- no debconf information
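
The shell-free alternative to popen() that the advisory's description points at, as an added example (not renattach's code and not part of the bug report): the command string is split into an argument vector and executed directly with execvp(), so shell metacharacters are never interpreted. The names `split_args` and `pipe_to_command` are hypothetical, and splitting on blanks only is an assumption, not a description of how 1.2.2 parses --pipe.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Split cmd in place on blanks into a NULL-terminated argv; no quoting or
 * expansion, every byte stays literal. Returns argc, -1 if too many words. */
int split_args(char *cmd, char **argv, int max)
{
    int argc = 0;
    for (char *tok = strtok(cmd, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max - 1)
            return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Feed data to argv[0] on stdin with no /bin/sh in between.
 * Returns the exit status, 127 if exec failed, -1 on other errors. */
int pipe_to_command(char *const argv[], const char *data, size_t len)
{
    int fd[2], status;
    if (argv[0] == NULL || pipe(fd) == -1)
        return -1;
    signal(SIGPIPE, SIG_IGN);      /* child may exit before reading it all */
    pid_t pid = fork();
    if (pid == 0) {                /* child: stdin <- read end of the pipe */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]);
        close(fd[1]);
        execvp(argv[0], argv);     /* direct exec: argv is never re-parsed */
        _exit(127);
    }
    close(fd[0]);
    while (pid > 0 && len > 0) {
        ssize_t n = write(fd[1], data, len);
        if (n <= 0)
            break;                 /* EPIPE or error: stop feeding */
        data += n;
        len -= (size_t)n;
    }
    close(fd[1]);                  /* EOF for the child */
    if (pid < 0 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Given a constructed command string such as `grep -q attach;ment`, popen() would hand the whole string to sh, which treats `;` as a command separator; here the `;` is just one byte of grep's pattern. Note that the function leaves SIGPIPE ignored for the calling process.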



Severity set to `grave'. Request was from Mats Rynge <mats@rynge.net> to control@bugs.debian.org.

Reply sent to Mats Rynge <mats@rynge.net>:
You have taken responsibility.

Notification sent to Mats Rynge <mats@rynge.net>:
Bug acknowledged by developer.

Message #12 received at 287889-done@bugs.debian.org:

From: Mats Rynge <mats@rynge.net>
To: 287889-done@bugs.debian.org
Subject: 1.2.2 uploaded
Date: Sat, 1 Jan 2005 11:53:16 -0800

1.2.2 has been uploaded to unstable, and will enter testing shortly.

-- 
Mats Rynge

   ,''`.         Got Woody?
  : :' :    http://www.debian.org
  `. `'
    `-





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 05:54:02 2014; Machine Name: beach.debian.org
