Debian Bug report logs - #362001
[security] Insecure semaphore permissions


Package: libfbembed1; Maintainer for libfbembed1 is (unknown);

Reported by: Damyan Ivanov <divanov@creditreform.bg>

Date: Tue, 11 Apr 2006 18:48:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version libfbembed1/1.5.1-1

Fixed in version firebird2/1.5.3.4870-4

Done: Damyan Ivanov <divanov@creditreform.bg>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [security] Insecure semaphore permissions
Date: Tue, 11 Apr 2006 21:44:50 +0300
Package: libfbembed1
Version: 1.5.1-1
Severity: serious
Tags: security patch upstream

Hi,

(The purpose of this bug report is mainly to get it fixed in stable.
Upload to unstable is pending.)

This time the security-related bug in firebird2 is a DoS. The "classic"
flavour of the server (contained in libfbembed1) uses a semaphore array
for IPC and creates this array with world-writable permissions. This
allows a local attacker to lock all semaphores in the array, effectively
blocking further requests.

I post the bug in the BTS without private discussion with the team,
since the vulnerability is published in upstream's bug tracker[1].

[1]
http://sourceforge.net/tracker/index.php?func=detail&aid=1466193&group_id=9028&atid=593943

A fix for the vulnerability is to create the semaphores with 0660
permissions. The patch to the unstable package is in
separate-file-and-sem-perms.dpatch[2]. A patch to the stable package may be
based on it (stable implements part of it). I can also prepare an
interdiff for stable if you prefer.

[2]
http://svn.debian.org/wsvn/pkg-firebird/trunk/debian/patches/separate-file-and-sem-perms.dpatch?op=file&rev=0&sc=0

A note about Version: in stable the libfbembed1 package is named
libfirebird2-classic. The vulnerability is present in all 1.5 versions.

Ah, there is also one file created with 0666, but it is in
/var/run/firebird2, which is accessible for firebird:firebird only and
thus poses no threat.


Please tell me if I can be of some help.


Greetings, dam



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13+reiser4+dam.1
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)

Versions of packages libfbembed1 depends on:
ii  libc6                         2.3.6-4    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.1.0-1  GCC support library
ii  libncurses5                   5.5-1      Shared libraries for terminal hand
ii  libstdc++6                    4.1.0-1    The GNU Standard C++ Library v3

libfbembed1 recommends no packages.

-- no debconf information
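The report above describes a System V semaphore set created with mode 0666, which lets any local user call semop() on it (a non-zero sem_op needs write/"alter" permission on the set) and hold every semaphore, and the fix of creating it with 0660 instead. The following is an added example, not code from the Firebird project or the Debian package: an audit script that parses the Linux /proc/sysvipc/sem table (the same data `ipcs -s` prints, columns key, semid, perms, nsems, uid, gid, cuid, cgid, otime, ctime) and flags semaphore sets whose mode grants write access to "other". The sample table embedded in the script is constructed for the example; the uids and timestamps in it are made up.

```python
"""Audit System V semaphore sets for world-writable permissions.

Added example, not part of Firebird or the Debian packaging. Reads the
/proc/sysvipc/sem layout used by the Linux kernel and reports any set
whose mode has the S_IWOTH bit, which is what allows an unprivileged
local user to semop() on the set and block the server's IPC.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in the /proc/sysvipc/sem layout (not captured from a
# real host). Columns: key semid perms nsems uid gid cuid cgid otime ctime
# First row models the vulnerable 0666 set; second row the fixed 0660 set.
SAMPLE_PROC_SEM = """\
       key      semid perms      nsems   uid   gid  cuid  cgid      otime      ctime
         0          0   666          1   108   108   108   108 1144780000 1144779990
 123456789      32769   660         32   108   108   108   108 1144780100 1144779995
         0      65538   600          8  1000  1000  1000  1000          0 1144780200
"""


@dataclass(frozen=True)
class SemSet:
    key: int
    semid: int
    mode: int      # permission bits, e.g. 0o666
    nsems: int
    uid: int
    gid: int

    @property
    def world_writable(self) -> bool:
        # S_IWOTH: semop() with sem_op != 0 needs write ("alter") permission,
        # so this bit is exactly what lets any local user lock the set.
        return bool(self.mode & 0o002)

    def hardened_mode(self) -> int:
        # Drop all 'other' bits; 0666 -> 0660, matching the fix in this report.
        return self.mode & ~0o007


def parse_proc_sem(text: str) -> List[SemSet]:
    """Parse the /proc/sysvipc/sem table; skips the header and blank lines."""
    sets: List[SemSet] = []
    for line in text.splitlines():
        fields = line.split()
        # The header starts with the word "key"; data rows start with a number
        # (the key can be negative, hence the lstrip).
        if len(fields) < 8 or not fields[0].lstrip("-").isdigit():
            continue
        key, semid, perms, nsems, uid, gid = fields[:6]
        sets.append(SemSet(int(key), int(semid), int(perms, 8),
                           int(nsems), int(uid), int(gid)))
    return sets


def world_writable_sets(sets: Iterable[SemSet]) -> List[SemSet]:
    return [s for s in sets if s.world_writable]


def audit_host(path: str = "/proc/sysvipc/sem") -> Optional[List[SemSet]]:
    """Audit the live table when it exists (Linux only); None elsewhere."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return world_writable_sets(parse_proc_sem(fh.read()))


if __name__ == "__main__":
    for s in world_writable_sets(parse_proc_sem(SAMPLE_PROC_SEM)):
        print(f"semid {s.semid}: mode {s.mode:04o} owned by uid {s.uid}; "
              f"should be {s.hardened_mode():04o}")
    live = audit_host()
    if live is not None:
        print(f"live host: {len(live)} world-writable semaphore set(s)")
```

On a host running the affected classic server, the vulnerable set shows up as a row owned by the firebird uid with perms 666; after the fixed package is installed (and the server restarted, since the set is created at startup) the same row reads 660. The same check applies to /proc/sysvipc/shm for the shared memory segment the changelog mentions, though that table has a different column layout and is not parsed here.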



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 362001@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Damyan Ivanov <divanov@creditreform.bg>, 362001@bugs.debian.org
Subject: Re: Bug#362001: [security] Insecure semaphore permissions
Date: Tue, 11 Apr 2006 16:39:40 -0700
[Message part 1 (text/plain, inline)]
severity 362001 important
thanks

On Tue, Apr 11, 2006 at 09:44:50PM +0300, Damyan Ivanov wrote:
> Package: libfbembed1
> Version: 1.5.1-1
> Severity: serious
> Tags: security patch upstream

> (The purpose of this bugreport is mainly to get it fixed in stable.
> Upload to unstable is pending.)

> This time the security-related bug in firebird2 is DoS.

A DoS does not normally qualify as a severity: grave security bug.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #17 received at 362001@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Steve Langasek <vorlon@debian.org>
Cc: 362001@bugs.debian.org
Subject: Re: Bug#362001: [security] Insecure semaphore permissions
Date: Wed, 12 Apr 2006 09:29:59 +0300
[Message part 1 (text/plain, inline)]
Steve Langasek wrote:
> severity 362001 important
> thanks
> 
> On Tue, Apr 11, 2006 at 09:44:50PM +0300, Damyan Ivanov wrote:
>> Package: libfbembed1
>> Version: 1.5.1-1
>> Severity: serious
>> Tags: security patch upstream
> 
>> (The purpose of this bugreport is mainly to get it fixed in stable.
>> Upload to unstable is pending.)
> 
>> This time the security-related bug in firebird2 is DoS.
> 
> A DoS does not normally qualify as a severity: grave security bug.

It was serious, not grave :)

I've taken into account the RC-ness guidelines on [1] when considering
the severity ("in the maintainer's opinion, makes the package
unsuitable for release"), but perhaps I've overlooked something.

[1] http://release.debian.org/etch_rc_policy.txt


Thanks,
dam
-- 
Damyan Ivanov                              Creditreform Bulgaria
divanov@creditreform.bg              http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993            fax: +359(2)920-0994
mob. +359(88)856-6067               dam@jabber.minus273.org/Gaim

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #22 received at 362001@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Damyan Ivanov <divanov@creditreform.bg>
Cc: 362001@bugs.debian.org
Subject: Re: Bug#362001: [security] Insecure semaphore permissions
Date: Tue, 11 Apr 2006 23:40:45 -0700
[Message part 1 (text/plain, inline)]
severity 362001 serious
thanks
On Wed, Apr 12, 2006 at 09:29:59AM +0300, Damyan Ivanov wrote:
> > A DoS does not normally qualify as a severity: grave security bug.

> It was serious, not grave :)

> I've taken into account the RC-ness guidelines on [1] when considering
> the severity ("in the maintainer's opinion, makes the package
> unsuitable for release"), but perhaps I've overlooked something.

You're right, my mistake; severity re-raised.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Severity set to `serious'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #29 received at 362001@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Steve Langasek <vorlon@debian.org>
Cc: 362001@bugs.debian.org, Damyan Ivanov <divanov@creditreform.bg>
Subject: Re: Bug#362001: [security] Insecure semaphore permissions
Date: Wed, 12 Apr 2006 08:24:59 +0200
* Steve Langasek:

> A DoS does not normally qualify as a severity: grave security bug.

Why the sudden change in policy?

So far, only user-initiated denial-of-service conditions (e.g. editor
crashes when opening certain files) were not considered grave bugs.



Reply sent to Damyan Ivanov <divanov@creditreform.bg>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Damyan Ivanov <divanov@creditreform.bg>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #34 received at 362001-close@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: 362001-close@bugs.debian.org
Subject: Bug#362001: fixed in firebird2 1.5.3.4870-4
Date: Wed, 12 Apr 2006 07:02:17 -0700
Source: firebird2
Source-Version: 1.5.3.4870-4

We believe that the bug you reported is fixed in the latest version of
firebird2, which is due to be installed in the Debian FTP archive:

firebird2-classic-server_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-classic-server_1.5.3.4870-4_i386.deb
firebird2-dev_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-dev_1.5.3.4870-4_i386.deb
firebird2-examples_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-examples_1.5.3.4870-4_i386.deb
firebird2-server-common_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-server-common_1.5.3.4870-4_i386.deb
firebird2-super-server_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-super-server_1.5.3.4870-4_i386.deb
firebird2-utils-classic_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-utils-classic_1.5.3.4870-4_i386.deb
firebird2-utils-super_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/firebird2-utils-super_1.5.3.4870-4_i386.deb
firebird2_1.5.3.4870-4.diff.gz
  to pool/main/f/firebird2/firebird2_1.5.3.4870-4.diff.gz
firebird2_1.5.3.4870-4.dsc
  to pool/main/f/firebird2/firebird2_1.5.3.4870-4.dsc
libfbclient1_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/libfbclient1_1.5.3.4870-4_i386.deb
libfbembed1_1.5.3.4870-4_i386.deb
  to pool/main/f/firebird2/libfbembed1_1.5.3.4870-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 362001@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <divanov@creditreform.bg> (supplier of updated firebird2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 12 Apr 2006 10:50:32 +0300
Source: firebird2
Binary: firebird2-utils-classic libfbclient1 firebird2-super-server libfbembed1 firebird2-dev firebird2-server-common firebird2-utils-super firebird2-examples firebird2-classic-server
Architecture: source i386
Version: 1.5.3.4870-4
Distribution: unstable
Urgency: high
Maintainer: Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <divanov@creditreform.bg>
Description: 
 firebird2-classic-server - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2-dev - Development files for Firebird - an RDBMS based on InterBase 6.0 
 firebird2-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2-server-common - Common files for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2-super-server - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 firebird2-utils-classic - Utilities for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2-utils-super - Utilities for Firebird - an RDBMS based on InterBase 6.0 code
 libfbclient1 - Firebird client library
 libfbembed1 - Firebird embedded client/server library
Closes: 358033 361227 362001
Changes: 
 firebird2 (1.5.3.4870-4) unstable; urgency=high
 .
   * High urgency because of a local DoS bug fixed.
 .
   * [security]
     Updated separate-file-and-sem-perms.dpatch to use 0660 for lock file,
     shared memory and semaphores. Fixes local denial-of-service attack.
     Closes: #362001
 .
   Important fixes:
   * debian/rules: clean more generated files. Closes: #361227
   * debian/make_packages.sh: move libib_util.so from /usr/lib to
     /usr/lib/firebird2/lib since ib_util is supposed to be only used by UDFs
     which are firebird-specific, i.e. not used by any other package.
     Fixes a lintian error.
 .
   * Remove build-start and build-end targets from rules. These were used to
     help determine build time. I should have used "time" or pbuilder and the
     like for this anyway. Reported by Santiago Vila <sanvila@unex.es>
     Closes: #358033
   * Fix regression from 1.5.2-series: auto-terminate idle lock manager
   * Add frankie in control.in's Uploaders:, not only in control
Files: 
 fe408181683e42d2a558684f88841095 1207 misc optional firebird2_1.5.3.4870-4.dsc
 2a46424221ea92642fa0515355e61087 368866 misc optional firebird2_1.5.3.4870-4.diff.gz
 2033b18b8c2859f97c2dafb6906cf1f4 1269436 misc optional firebird2-super-server_1.5.3.4870-4_i386.deb
 24beff3354816a009779417e234217bf 380900 misc optional firebird2-classic-server_1.5.3.4870-4_i386.deb
 ae995552126b9d5d2c9cd4d810758d6e 380344 libs optional libfbclient1_1.5.3.4870-4_i386.deb
 2bfdd2597766c268e26ece88e07d8ea8 1060756 libs optional libfbembed1_1.5.3.4870-4_i386.deb
 ff296708f8dda10174fda77fac2d248c 579866 misc optional firebird2-server-common_1.5.3.4870-4_i386.deb
 8e5b1b771512b40c507182ded4a485fe 1064502 utils optional firebird2-utils-super_1.5.3.4870-4_i386.deb
 e5207c1c41477192b374a07de336e860 1037704 utils optional firebird2-utils-classic_1.5.3.4870-4_i386.deb
 7ca886428be875211dc3b347e851c92d 272146 libdevel optional firebird2-dev_1.5.3.4870-4_i386.deb
 9ad1a17d7915173b8537818548eb8c7c 343370 doc optional firebird2-examples_1.5.3.4870-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEPQZSpFNRmenyx0cRAtBoAKCIaz30EUrhSFXsa2GDDB9sMm/4oQCfaXe8
OijaMN9peZ4IHUe5wbrVxqg=
=O/0b
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #39 received at 362001@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 362001@bugs.debian.org, Damyan Ivanov <divanov@creditreform.bg>
Subject: Re: Bug#362001: [security] Insecure semaphore permissions
Date: Wed, 12 Apr 2006 08:31:27 -0700
[Message part 1 (text/plain, inline)]
On Wed, Apr 12, 2006 at 08:24:59AM +0200, Florian Weimer wrote:
> * Steve Langasek:

> > A DoS does not normally qualify as a severity: grave security bug.

> Why the sudden change in policy?

> So far, only user-initiated denial-of-service conditions (e.g. editor
> crashes when opening certain files) were not considered grave bugs.

Hrm, it wasn't my understanding that this is a change in policy.  According
to <http://www.debian.org/Bugs/Developer#severities>, the severities for
security bugs are:

critical: introduces a security hole on systems where you install the
  package

grave: introduces a security hole allowing access to the accounts of users
  who use the package

... important: most other stuff

and I understood that these severities followed from the Security Team's
policies regarding stable updates, which I was trying to honor with my
adjusting of this bug.  If DoS bugs are being treated as grounds for issuing
DSAs, I'm fine with re-raising the severity on bugs like that; I just don't
want security bugs marked as "grave" if they don't qualify for security
updates in stable.

You can argue, depending on the type of service, that a remote DoS makes a
package unusable.  That doesn't seem to apply to a database server that is
unlikely to be on the public Internet, though.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#362001; Package libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #44 received at 362001@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Steve Langasek <vorlon@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 362001@bugs.debian.org
Subject: Re: Bug#362001: [security] Insecure semaphore permissions
Date: Wed, 12 Apr 2006 20:59:36 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Langasek wrote:
> You can argue, depending on the type of service, that a remote DoS makes a
> package unusable.  That doesn't seem to apply to a database server that is
> unlikely to be on the public Internet, though.

Plus, the vulnerability at hand is only local.


- --
dam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEPUAIHqjlqpcl9jsRAss6AJ4uMr9EazQXIKF9irTh4wRGR9sE+QCfaqJW
bO8pnGmkq3C4nPL/xR6kjbk=
=qMBF
-----END PGP SIGNATURE-----



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 08:27:55 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:39:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.