Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Oohara Yuuma <oohara@debian.org>: Bug#338312; Package osh.
Acknowledgement sent to Charles Stevenson <core@bokeoa.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Oohara Yuuma <oohara@debian.org>.
Package: osh
Version: 1.7-14
Severity: critical
Tags: security
Justification: root security hole
Due to a bug in the environment variable substitution code it is
possible to inject environment variables such as LD_PRELOAD and gain a
root shell.
Fully-functional local root exploit here:
http://pulltheplug.org/users/core/files/x_osh3.sh
Kind Regards,
Charles Stevenson
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-corezion
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages osh depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libncurses5 5.4-9 Shared libraries for terminal hand
ii logrotate 3.7.1-2 Log rotation utility
osh recommends no packages.
-- no debconf information
Acknowledgement sent to Oohara Yuuma <oohara@libra.interq.or.jp>:
Extra info received and forwarded to list. Copy sent to Oohara Yuuma <oohara@debian.org>.
diff -u -rN osh-1.7-unmodified/debian/changelog osh-1.7/debian/changelog
--- osh-1.7-unmodified/debian/changelog 2005-11-09 23:34:25.000000000 +0900
+++ osh-1.7/debian/changelog 2005-11-09 23:34:41.000000000 +0900
@@ -1,3 +1,12 @@
+osh (1.7-15) unstable; urgency=high
+
+ * urgency set to high because this version fixes a bug that causes
+ unauthorized privilege escalation (thanks to Charles Stevenson
+ <core@bokeoa.com> for the bug report)
+ * main.c: don't overwrite the return value of getenv() (closes: #338312)
+
+ -- Oohara Yuuma <oohara@debian.org> Wed, 9 Nov 2005 23:05:52 +0900
+
osh (1.7-14) unstable; urgency=high
* urgency set to high because this version fixes a buffer overflow
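Review bot: the new changelog entry (1.7-15) names the bug number but no CVE identifier; later in this thread CVE-2005-3346 is assigned to the issue, and the entry should carry it so the upload can be matched to the advisory. The bullet "don't overwrite the return value of getenv()" would also read better if it said what that allowed, namely that appending through the getenv() pointer altered neighbouring environment entries, which is the privilege escalation the first bullet refers to.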
diff -u -rN osh-1.7-unmodified/main.c osh-1.7/main.c
--- osh-1.7-unmodified/main.c 2005-11-09 23:34:25.000000000 +0900
+++ osh-1.7/main.c 2005-11-09 23:34:41.000000000 +0900
@@ -442,31 +442,33 @@
fprintf(stderr,"Illegal or too long environment variable\n");
break;
}
- if ((env2=getenv(env))==NULL) {
- char temp[255];
- char *temp2;
-
- strcpy(temp,env);
- if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
- if (temp2!=temp)
- *temp2='\0';
- else
- *(temp2+1)='\0';
- if ((env2=getenv(temp))!=NULL) {
- strcat(env2,"/");
- strcat(env2,temp2+1);
- }
- }
- }
- if (env2==NULL) {
- fprintf(stderr,"Nonexistent environment variable\n");
- break;
- }
- if ((argv[argc]=(char *)malloc(strlen(env2)+1))==NULL) {
- fprintf(stderr,"Out of arg memory\n");
- break;
- }
- strcpy(argv[argc],env2);
+ {
+ char temp[255];
+ /* temp2+1 is "" which is a valid string */
+ char *temp2 = "\0";
+
+ if ((env2=getenv(env))==NULL) {
+ strcpy(temp,env);
+ if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
+ if (temp2!=temp)
+ *temp2='\0';
+ else
+ *(temp2+1)='\0';
+ env2=getenv(temp);
+ }
+ }
+ if (env2==NULL) {
+ fprintf(stderr,"Nonexistent environment variable\n");
+ break;
+ }
+ if ((argv[argc]=(char *)malloc(strlen(env2)+strlen(temp2+1)+1))==NULL) {
+ fprintf(stderr,"Out of arg memory\n");
+ break;
+ }
+ strcpy(argv[argc],env2);
+ strcpy(argv[argc]+strlen(env2), temp2+1);
+ *(argv[argc]+strlen(env2)+strlen(temp2+1)) = '\0';
+ } /* of temp[] and *temp2 declaration */
argc++;
continue;
case TPIPE:
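Review bot: the rewritten join drops the "/" separator. The removed path did `strcat(env2,"/"); strcat(env2,temp2+1);`, but the new code does `strcpy(argv[argc],env2); strcpy(argv[argc]+strlen(env2), temp2+1);`, so a reference of the form VAR/rest now expands to the value immediately followed by rest ("/home/user" + "bin" instead of "/home/user/bin"). When temp2+1 is non-empty, insert the "/" and add one more byte to the malloc() size. Minor points: the explicit `*(argv[argc]+strlen(env2)+strlen(temp2+1)) = '\0';` is redundant because the second strcpy() already terminates the string, and `strcpy(temp,env)` into temp[255] still relies entirely on the "too long" check above the hunk, which should be kept in step with that buffer size.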
Acknowledgement sent to Steve Kemp <skx@debian.org>:
On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:
> Due to a bug in the environment variable substitution code it is
> possible to inject environment variables such as LD_PRELOAD and gain a
> root shell.
Confirmed.
Joey we'll need an ID for it.
I guess we need to use two buffers to handle the expansion correctly...
Steve
--
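The two-buffer expansion Steve describes, as an added example that is neither osh's code nor part of this thread: it assumes a getenv()-style lookup function passed as a parameter and a constructed in-memory environment block (demo_store) in place of the real environment, and checks that expanding a reference leaves that block untouched.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not osh's code. The two-buffer fix: expand "VAR" or "VAR/rest" into a
 * freshly allocated string, reading the value that lookup() (a getenv()-style function,
 * passed in so the demo needs no real environment) returns, never writing through it. */
char *expand_env_ref(const char *ref, char *(*lookup)(const char *))
{
    char name[255];                       /* same bound osh uses for temp[] */
    const char *slash, *rest = "", *value;
    size_t n; char *out;
    if (ref == NULL || *ref == '\0' || strlen(ref) >= sizeof name)
        return NULL;
    if ((value = lookup(ref)) == NULL) {  /* not a plain variable: try VAR/rest */
        if ((slash = strrchr(ref, '/')) == NULL || slash == ref)
            return NULL;
        n = (size_t)(slash - ref);
        memcpy(name, ref, n);             /* split a private copy, never the input */
        name[n] = '\0';
        rest = slash + 1;
        if ((value = lookup(name)) == NULL)
            return NULL;
    }
    n = strlen(value) + (*rest ? 1 + strlen(rest) : 0) + 1;  /* value ["/" rest] NUL */
    if ((out = malloc(n)) == NULL)
        return NULL;
    strcpy(out, value);
    if (*rest) { strcat(out, "/"); strcat(out, rest); }
    return out;
}
/* Constructed stand-in for the environment: entries back to back, as the real environ
 * block stores them, so any write past the end of one value would clobber the next. */
static char demo_store[] = "HOME=/home/demo\0PATH=/usr/bin\0";
static const char demo_orig[] = "HOME=/home/demo\0PATH=/usr/bin\0";
static char *demo_lookup(const char *name)
{
    size_t n = strlen(name);
    for (char *p = demo_store; *p; p += strlen(p) + 1)
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return p + n + 1;
    return NULL;
}
/* 1 if expanding ref gives expected (NULL: must fail) and the store is still intact. */
int demo_expands_to(const char *ref, const char *expected)
{
    char *got = expand_env_ref(ref, demo_lookup);
    int ok = got ? (expected && strcmp(got, expected) == 0) : (expected == NULL);
    free(got);
    return ok && memcmp(demo_store, demo_orig, sizeof demo_store) == 0;
}
```

Like osh, only the last "/" is a split point, so "PATH/local/bin" looks up a variable named "PATH/local" and fails rather than expanding; the check below covers that case too.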
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Steve Kemp wrote:
> On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:
>
> > Due to a bug in the environment variable substitution code it is
> > possible to inject environment variables such as LD_PRELOAD and gain a
> > root shell.
>
> Confirmed.
>
> Joey we'll need an ID for it.
Please use CVE-2005-3344 and inform vendor-sec.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Steve Kemp wrote:
> > Due to a bug in the environment variable substitution code it is
> > possible to inject environment variables such as LD_PRELOAD and gain a
> > root shell.
Charles Stevenson discovered that osh, the operator's shell for
executing defined programs in a privileged environment, does not
handle environment variables properly, allowing a local attacker to
open a root shell.
Please take care of the package for woody as well.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Martin Schulze wrote:
> > > Due to a bug in the environment variable substitution code it is
> > > possible to inject environment variables such as LD_PRELOAD and gain a
> > > root shell.
> >
> > Confirmed.
> >
> > Joey we'll need an ID for it.
>
> Please use CVE-2005-3344 and inform vendor-sec.
^^^^^^^^^^^^^
You already used this for the insecure default configuration in horde3 (DSA-884).
Cheers,
Moritz
Reply sent to Oohara Yuuma <oohara@debian.org>:
You have taken responsibility.
Notification sent to Charles Stevenson <core@bokeoa.com>:
Bug acknowledged by developer.
Source: osh
Source-Version: 1.7-15
We believe that the bug you reported is fixed in the latest version of
osh, which is due to be installed in the Debian FTP archive:
osh_1.7-15.diff.gz
to pool/main/o/osh/osh_1.7-15.diff.gz
osh_1.7-15.dsc
to pool/main/o/osh/osh_1.7-15.dsc
osh_1.7-15_i386.deb
to pool/main/o/osh/osh_1.7-15_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 338312@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Oohara Yuuma <oohara@debian.org> (supplier of updated osh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 9 Nov 2005 23:05:52 +0900
Source: osh
Binary: osh
Architecture: source i386
Version: 1.7-15
Distribution: unstable
Urgency: high
Maintainer: Oohara Yuuma <oohara@debian.org>
Changed-By: Oohara Yuuma <oohara@debian.org>
Description:
osh - Operator's Shell
Closes: 338312
Changes:
osh (1.7-15) unstable; urgency=high
.
* urgency set to high because this version fixes a bug that causes
unauthorized privilege escalation (thanks to Charles Stevenson
<core@bokeoa.com> for the bug report)
* main.c: don't overwrite the return value of getenv() (closes: #338312)
Files:
ca036c5484091fa935e20df7b3b64b93 553 shells extra osh_1.7-15.dsc
2ceeb3cfac4dad6c0288365add91cc1e 12713 shells extra osh_1.7-15.diff.gz
05e6a964564264b5678db8c5c6a832ca 27782 shells extra osh_1.7-15_i386.deb
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Moritz Muehlenhoff wrote:
> Martin Schulze wrote:
> > > > Due to a bug in the environment variable substitution code it is
> > > > possible to inject environment variables such as LD_PRELOAD and gain a
> > > > root shell.
> > >
> > > Confirmed.
> > >
> > > Joey we'll need an ID for it.
> >
> > Please use CVE-2005-3344 and inform vendor-sec.
> ^^^^^^^^^^^^^
>
> You already used this for the insecure default configuration in horde3 (DSA-884).
Stupid me. I must have been distracted somehow. Please use CVE-2005-3346
instead.
Moritz, thanks a lot for paying attention!
Regards,
Joey
--
Life is too short to run proprietary software. -- Bdale Garbee
Please always Cc to me when replying to me on the lists.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 17 Jun 2007 14:27:58 GMT)