Debian Bug report logs - #341394
Webmin miniserv.pl perl format string vulnerability - Perl syslog bug attack

Package: webmin; Maintainer for webmin is (unknown);

Reported by: Andreas Hallermann <andreas@hallermann.de>

Date: Wed, 30 Nov 2005 12:48:01 UTC

Severity: grave

Tags: patch, sarge, security

Found in version webmin/1.180-3

Fixed in version webmin/1.180-3sarge1

Done: Noah Meyerhans <noahm@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>:
Bug#341394; Package webmin. Full text and rfc822 format available.

Acknowledgement sent to Andreas Hallermann <andreas@hallermann.de>:
New Bug report received and forwarded. Copy sent to Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Andreas Hallermann <andreas@hallermann.de>
To: submit@bugs.debian.org
Subject: Webmin miniserv.pl perl format string vulnerability - Perl syslog bug attack
Date: Wed, 30 Nov 2005 13:43:57 +0100
Package: Webmin
Version: 1.180-3
Severity: grave
Tags: security

The webmin `miniserv.pl' web server component is vulnerable to a new class of
exploitable (remote code) perl format string vulnerabilities. During the login
process it is possible to trigger this vulnerability via a crafted username
parameter containing format string data. In the observed configuration the
process was running as the user root, so if remote code execution is
successful, it would lead to a full remote root compromise in a standard
configuration. A valid login is not required to trigger this vulnerability,
only access to the miniserv.pl port (default 10000).

Date Found: 	September 23, 2005.
Public Release: 	November 29, 2005.
Application: 	webmin miniserv.pl, *all versions below 1.250*
Credit: 	Jack Louis of Dyad Security

More information available at:
http://www.dyadsecurity.com/webmin-0001.html


There are new fixed versions available at http://www.webmin.com/

http://www.webmin.com/security.html says:
Perl syslog bug attack
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with
syslog logging enabled.
When logging of failing login attempts via syslog is enabled, an attacker can
crash and possibly take over the Webmin webserver, due to a bug in Perl's
syslog function. Upgrading to the latest release of Webmin is recommended.
Thanks to Jack at Dyad Security for reporting this problem to me.


Since this is my first bug report to Debian I hope everything is correct..
I don't know if it is necessary to post this bug for other versions and
usermin as well. Thanks in advance!
Andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>:
Bug#341394; Package webmin. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 341394@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 341394@bugs.debian.org
Subject: CVE assignment
Date: Thu, 1 Dec 2005 11:09:56 +0100
Hi,
this has been assigned CVE-2005-3912, please mention it in the
changelog when fixing it.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>:
Bug#341394; Package webmin. Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

Full text and rfc822 format available.


Message #15 received at 341394@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: 341394@bugs.debian.org
Date: Tue, 27 Dec 2005 04:02:40 -0800
[Message part 1 (text/plain, inline)]
tag 341394 sarge
thanks

I'm working on preparing a patch for this bug; note that this bug does
not affect any version of webmin in testing or unstable, so long as
perl on that system has been upgraded to 5.8.7 (or a version of perl
that contains Sys::Syslog >= 0.07).


Don Armstrong

-- 
A people living under the perpetual menace of war and invasion is very
easy to govern. It demands no social reforms. It does not haggle over
expenditures on armaments and military equipment. It pays without
discussion, it ruins itself, and that is an excellent thing for the
syndicates of financiers and manufacturers for whom patriotic terrors
are an abundant source of gain.
 -- Anatole France

http://www.donarmstrong.com              http://rzlab.ucr.edu
[signature.asc (application/pgp-signature, inline)]

Tags added: sarge Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>:
Bug#341394; Package webmin. Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #22 received at 341394@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: 341394@bugs.debian.org, team@security.debian.org
Subject: interdiff patch to fix 341394 CVE-2005-3912
Date: Tue, 27 Dec 2005 05:06:29 -0800
[Message part 1 (text/plain, inline)]
tag 341394 patch
thanks

webmin (1.180-3sarge0) stable-security; urgency=high

  * [SECURITY] CVE-2005-3912 Fix syslog format string vulnerability in
    miniserv.pl (Closes: #341394) This string vulnerability could be used
    to gain access to the account running miniserv.pl by creating a
    specially crafted username. This vulnerability does not affect machines
    which are running Sys::Syslog >= 0.07.

 -- Don Armstrong <don@debian.org>  Tue, 27 Dec 2005 04:08:16 -0800


dsc and diff.gz are available if necessary at
http://rzlab.ucr.edu/debian/webmin/

(Note again that this vulnerability does not affect testing or
unstable, as Sys::Syslog properly handles two argument syslog calls in
modern versions)


Don Armstrong

-- 
"I was thinking seven figures," he said, "but I would have taken a
hundred grand. I'm not a greedy person." [All for a moldy bottle of
tropicana.]
 -- Sammi Hadzovic [in Andy Newman's 2003/02/14 NYT article.]
 http://www.nytimes.com/2003/02/14/nyregion/14EYEB.html

http://www.donarmstrong.com              http://rzlab.ucr.edu
[patch_for_341394.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.
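
The point made in the thread, that the bug depends on how Sys::Syslog treats a two-argument syslog call, is sketched below as an added example; it is not the attached patch and not Webmin's code. The two render functions are simplified models (an assumption) of message formatting before and after Sys::Syslog 0.07, and the log text and username are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog ();   # core module; loaded only to read its version

# Model of the pre-0.07 behaviour described in the thread (assumption):
# the message is always used as a sprintf format, even with no arguments.
sub legacy_render {
    my ($mask, @args) = @_;
    no warnings;      # missing-argument warnings are the visible symptom here
    return sprintf($mask, @args);
}

# Model of the fixed behaviour: a lone message is logged literally.
sub fixed_render {
    my ($mask, @args) = @_;
    return @args ? sprintf($mask, @args) : $mask;
}

# Hardened call shape: constant format, untrusted data only as an argument.
# Gives the same result under either renderer.
sub failed_login_args {
    my ($user) = @_;
    $user =~ s/[^\x20-\x7e]/?/g;          # keep control bytes out of the log line
    return ('Invalid login as %s', $user);
}

# True if the installed Sys::Syslog is at least the version named in the thread.
sub syslog_is_fixed {
    return eval { Sys::Syslog->VERSION(0.07); 1 } ? 1 : 0;
}

my $user = 'alice%s%d';                   # constructed username, not from the report

my $unsafe = "Invalid login as $user";    # untrusted text placed in the format
printf "legacy, interpolated: [%s]\n", legacy_render($unsafe);
printf "fixed,  interpolated: [%s]\n", fixed_render($unsafe);
printf "legacy, constant fmt: [%s]\n", legacy_render(failed_login_args($user));
printf "fixed,  constant fmt: [%s]\n", fixed_render(failed_login_args($user));
printf "Sys::Syslog %s: %s\n", Sys::Syslog->VERSION,
    syslog_is_fixed() ? 'two-argument calls are safe' : 'upgrade or patch call sites';
```

Only the first line of output differs from the username as typed: the conversion specifiers in it were consumed by the formatter. Passing a constant format with the username as an argument removes that dependence on the library version.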

Reply sent to Noah Meyerhans <noahm@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Andreas Hallermann <andreas@hallermann.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 341394-close@bugs.debian.org (full text, mbox):

From: Noah Meyerhans <noahm@debian.org>
To: 341394-close@bugs.debian.org
Subject: Bug#341394: fixed in webmin 1.180-3sarge1
Date: Sat, 17 Feb 2007 12:10:32 +0000
Source: webmin
Source-Version: 1.180-3sarge1

We believe that the bug you reported is fixed in the latest version of
webmin, which is due to be installed in the Debian FTP archive:

webmin-core_1.180-3sarge1_all.deb
  to pool/main/w/webmin/webmin-core_1.180-3sarge1_all.deb
webmin_1.180-3sarge1.diff.gz
  to pool/main/w/webmin/webmin_1.180-3sarge1.diff.gz
webmin_1.180-3sarge1.dsc
  to pool/main/w/webmin/webmin_1.180-3sarge1.dsc
webmin_1.180-3sarge1_all.deb
  to pool/main/w/webmin/webmin_1.180-3sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 341394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated webmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 23 Oct 2006 17:16:10 -0400
Source: webmin
Binary: webmin-core webmin
Architecture: source all
Version: 1.180-3sarge1
Distribution: stable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Noah Meyerhans <noahm@debian.org>
Description: 
 webmin     - web-based administration toolkit
 webmin-core - core modules for webmin
Closes: 341394
Changes: 
 webmin (1.180-3sarge1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * CVE-2005-3912 Fix syslog format string vulnerability in
     miniserv.pl (Closes: #341394) This string vulnerability could be used
     to gain access to the account running miniserv.pl by creating a
     specialy crafted username.
   * CVE-2006-3392 Fix input sanitization bug that could be exploited to allow
     an attacker to read arbitrary files.
   * CVE-2006-4542 Fix cross-site scripting vulnerability caused by the failure
     to properly cope with null characters in a URL.
Files: 
 5e723deaccb3db60794e0cb385666992 703 admin optional webmin_1.180-3sarge1.dsc
 f8fe363e7ccd8fe4072d84cd86a3510e 31458 admin optional webmin_1.180-3sarge1.diff.gz
 ff19d5500955302455e517cb2942c9d0 2261496 admin optional webmin_1.180.orig.tar.gz
 34d96210d581dde8ffea7be82e0897f4 1097552 admin optional webmin_1.180-3sarge1_all.deb
 8fa7064325ded44e7f8dbd226b81d9dd 1121200 admin optional webmin-core_1.180-3sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFPTqHYrVLjBFATsMRAjF5AJ9H5lDX9KqEMN7pWuc42/vsdYX7KwCcDyMC
CGUk1l4/6+7QEahXHSICc0M=
=gkIR
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 23:01:43 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:01:03 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.