Debian Bug report logs - #405342
libwrap0: hosts.deny becomes useless


Package: libwrap0; Maintainer for libwrap0 is Marco d'Itri <md@linux.it>; Source for libwrap0 is src:tcp-wrappers (PTS, buildd, popcon).

Reported by: "Jamin W. Collins" <jcollins@asgardsrealm.net>

Date: Tue, 2 Jan 2007 19:33:01 UTC

Severity: grave

Tags: patch, security

Found in version tcp-wrappers/7.6.dbs-11

Fixed in version tcp-wrappers/7.6.dbs-12

Done: Marco d'Itri <md@linux.it>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to "Jamin W. Collins" <jcollins@asgardsrealm.net>:
New Bug report received and forwarded. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libwrap0: hosts.deny becomes useless
Date: Tue, 02 Jan 2007 14:24:14 -0500
Package: libwrap0
Version: 7.6.dbs-11
Severity: grave
Justification: renders package unusable

$ /usr/sbin/tcpdchk -v    
Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.allow line 15:
daemons:  SSHD
clients:  ALL
access:   granted

>>> Rule /etc/hosts.deny line 20:
daemons:  ALL
clients:  ALL EXCEPT 127.0.0.1
access:   denied

The above are the only rules in effect.

$ /usr/sbin/tcpdmatch vnc 127.0.0.1
warning: vnc: no such process name in /etc/inetd.conf
client:   address  127.0.0.1
server:   process  vnc
access:   granted

So far so good... the exception in hosts.deny should cause this one to
be allowed.

$ /usr/sbin/tcpdmatch vnc 192.168.10.178
warning: vnc: no such process name in /etc/inetd.conf
client:   address  192.168.10.178
server:   process  vnc
access:   granted

Why is this granted?  It shouldn't be.

The same is true if the exception is removed:

$ /usr/sbin/tcpdchk -v    
Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.allow line 15:
daemons:  SSHD
clients:  ALL
access:   granted

>>> Rule /etc/hosts.deny line 21:
daemons:  ALL
clients:  ALL
access:   denied

$ /usr/sbin/tcpdmatch vnc 192.168.10.178
warning: vnc: no such process name in /etc/inetd.conf
client:   address  192.168.10.178
server:   process  vnc
access:   granted

Still access granted.  However, moving back to the version of libwrap0
in stable (7.6.dbs-8) results in:

$ /usr/sbin/tcpdmatch vnc 192.168.10.178
warning: vnc: no such process name in /etc/inetd.conf
client:   address  192.168.10.178
server:   process  vnc
matched:  /etc/hosts.deny line 21
access:   denied

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (900, 'testing'), (400, 'stable'), (300, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libwrap0 depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries

Versions of packages libwrap0 recommends:
ii  tcpd                          7.6.dbs-11 Wietse Venema's TCP wrapper utilit

-- no debconf information



Tags added: security Request was from "Alex Owen" <r.alex.owen@gmail.com> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #12 received at 405342@bugs.debian.org (full text, mbox, reply):

From: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
To: "Jamin W. Collins" <jcollins@asgardsrealm.net>
Cc: 405342@bugs.debian.org
Subject: Re: libwrap0: hosts.deny becomes useless
Date: Wed, 3 Jan 2007 00:56:25 +0100
package libwrap0
tags 405342 + patch
thanks

On Tuesday, 2 January 2007 20:24, Jamin W. Collins wrote:
> ...
> $ /usr/sbin/tcpdmatch vnc 192.168.10.178
> warning: vnc: no such process name in /etc/inetd.conf
> client:   address  192.168.10.178
> server:   process  vnc
> access:   granted
> 
> Why is this granted?  It shouldn't be.

Try this:

$ /usr/sbin/tcpdmatch vnc@192.168.10.177 192.168.10.178
warning: vnc: no such process name in /etc/inetd.conf
warning: host address 192.168.10.177->name lookup failed
client:   address  192.168.10.178
server:   address  192.168.10.177
server:   process  vnc
matched:  /etc/hosts.deny line 21
access:   denied

Denied, as it should be. The bug exhibits only if there is no info on server socket.

The following patch corrects the problem for me.

diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
--- tcp_wrappers_7.6.orig/hosts_access.c        2007-01-03 00:40:22.000000000 +0100
+++ tcp_wrappers_7.6/hosts_access.c     2007-01-03 00:40:14.000000000 +0100
@@ -242,14 +242,14 @@ static int daemon_or_port_match(char *to
     unsigned int port, sin_port;
     char junk;

-    if (!request->server->sin)
-       return (NO);
-
     /* daemon name */
     if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535)
        return (string_match(tok, eval_daemon(request)));

     /* port number */
+    if (!request->server->sin)
+       return (NO);
+
 #ifdef INET6
     sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port);
 #else
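Review bot: moving `if (!request->server->sin) return (NO);` below the daemon-name branch fixes name tokens, since `string_match(tok, eval_daemon(request))` needs no socket, but the port-number branch still returns NO for a NULL sin, so a numeric token in hosts.deny (for example a rule keyed on the VNC port) will never match for a caller that does not fill in request->server->sin, such as a hosts_ctl() user; that path stays fail-open. Either document that port-number rules require the server address to be set, or make request_init()/hosts_ctl() callers populate it.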

Janusz
[debian.diff (text/x-diff, attachment)]

Tags added: patch Request was from Janusz Krzysztofik <jkrzyszt@tis.icnet.pl> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to "Jamin W. Collins" <jcollins@asgardsrealm.net>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #19 received at 405342@bugs.debian.org (full text, mbox, reply):

From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
To: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
Cc: 405342@bugs.debian.org
Subject: Re: libwrap0: hosts.deny becomes useless
Date: Tue, 02 Jan 2007 19:30:15 -0500
Janusz Krzysztofik wrote:
> 
> Denied, as it should be. The bug exhibits only if there is no info on server socket.
> 
> The following patch corrects the problem for me.

The patch does appear to correct the problem however, the lines it
changes are created as part of another patch (patches/match_port).  So,
the changes likely need to be reviewed to see if they revert whatever
the patch was originally added to correct.

Thanks for the quick solution.

--
Jamin W. Collins



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #24 received at submit@bugs.debian.org (full text, mbox, reply):

From: md@Linux.IT (Marco d'Itri)
To: "Jamin W. Collins" <jcollins@asgardsrealm.net>, 405342@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#405342: libwrap0: hosts.deny becomes useless
Date: Wed, 3 Jan 2007 01:59:07 +0100
severity 405342 normal
found 405342 7.6.dbs-10
thanks

On Jan 02, "Jamin W. Collins" <jcollins@asgardsrealm.net> wrote:

> Severity: grave
> Justification: renders package unusable
I don't think so.

Tomorrow I will review the code.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #34 received at 405342@bugs.debian.org (full text, mbox, reply):

From: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
To: "Marco d'Itri" <md@linux.it>
Cc: "Jamin W. Collins" <jcollins@asgardsrealm.net>, 405342@bugs.debian.org
Subject: Re: Bug#405342: libwrap0: hosts.deny becomes useless
Date: Wed, 3 Jan 2007 11:14:33 +0100
I believe my patch is safe because for the old behaviour (process name) it 
only removes the error-provoking condition on request->server->sin being set, 
introduced by the port number patch, and does not change anything else. This 
condition is only applicable in case of port number, I think.

On the other hand, I can not imagine a real-life example when 
request->server->sin is not set. I think this can only happen using 
tcpdmatch, so maybe correcting this utility to set request->server->sin 
instead of (or in addition to) patching the library would be more 
appropriate.

Janusz



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to "Jamin W. Collins" <jcollins@asgardsrealm.net>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #39 received at 405342@bugs.debian.org (full text, mbox, reply):

From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
To: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
Cc: Marco d'Itri <md@linux.it>, 405342@bugs.debian.org
Subject: Re: Bug#405342: libwrap0: hosts.deny becomes useless
Date: Wed, 03 Jan 2007 07:06:12 -0500
Janusz Krzysztofik wrote:
> I believe my patch is safe because for the old behaviour (process name) it 
> only removes the error-provoking condition on request->server->sin being set, 
> introduced by the port number patch, and does not change anything else. This 
> condition is only applicable in case of port number, I think.
> 
> On the other hand, I can not imagine a real-life example when 
> request->server->sin is not set. I think this can only happen using 
> tcpdmatch, so maybe correcting this utility to set request->server->sin 
> instead of (or in addition to) patching the library would be more 
> appropriate.

I can give you a real world example, after all that's how I found it.  I 
only use hosts.allow and hosts.deny to set the two rules I indicated in 
the initial bug report.  That is allowing ssh connections from any 
location and denying everything else except those connections from 
localhost.  Support for libwrap was recently added to vino.  With the 
existing libwrap0 package in testing/unstable connections to vino are 
allowed from any location (not just connections from localhost).  You 
may ask why this is useful.  Requiring that the connections come from 
localhost is a means of securing vnc connections. In my case the 
localhost connection is achieved by tunneling vnc connections over ssh.

-- 
Jamin W. Collins



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #44 received at 405342@bugs.debian.org (full text, mbox, reply):

From: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
To: "Jamin W. Collins" <jcollins@asgardsrealm.net>
Cc: Marco d'Itri <md@linux.it>, 405342@bugs.debian.org
Subject: Re: Bug#405342: libwrap0: hosts.deny becomes useless
Date: Wed, 03 Jan 2007 17:04:35 +0100
Jamin W. Collins wrote:
> ... With the 
> existing libwrap0 package in testing/unstable connections to vino are 
> allowed from any location (not just connections from localhost).

Maybe vino does not provide libwrap with valid server socket data, like 
in the case of tcpdmatch without server address specified? Maybe other 
applications don't do as well? If this is the case, I think libwrap must 
be patched for security.

Janusz



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#405342; Package libwrap0. (full text, mbox, link).


Acknowledgement sent to "Jamin W. Collins" <jcollins@asgardsrealm.net>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #49 received at 405342@bugs.debian.org (full text, mbox, reply):

From: "Jamin W. Collins" <jcollins@asgardsrealm.net>
To: Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>
Cc: Marco d'Itri <md@linux.it>, 405342@bugs.debian.org
Subject: Re: Bug#405342: libwrap0: hosts.deny becomes useless
Date: Wed, 03 Jan 2007 11:25:06 -0500
Janusz Krzysztofik wrote:
> 
> Maybe vino does not provide libwrap with valid server socket data, like
> in the case of tcpdmatch without server address specified? Maybe other
> applications don't do as well? If this is the case, I think libwrap must
> be patched for security.

That is why I filed the bug report and set the severity as high as I
did.  None of the tests I performed indicated that the version of
libwrap in testing/unstable were respecting hosts.deny at all.  As it
stands currently, you can utilize a valid documented method of calling
the hosts_ctl function (from the manpage):

 int hosts_ctl(daemon, client_name, client_addr, client_user)

 hosts_ctl()  is  a wrapper around the request_init() and hosts_access()
 routines with a perhaps more convenient interface (though it  does  not
 pass  on  enough  information  to  support  automated  client  username
 lookups).  The client host address, client host name and username argu-
 ments should contain valid data or STRING_UNKNOWN.  hosts_ctl() returns
 zero if access should be denied.

as vino does (server/libvncserver/sockets.c):

/* hosts_ctl() returns zero when access should be denied; vino passes
   STRING_UNKNOWN for the client name and user, and supplies no server socket */
if (!hosts_ctl("vnc", STRING_UNKNOWN, inet_ntoa(addr.sin_addr),
               STRING_UNKNOWN)) {
    rfbLog("Rejected connection from client %s\n",
           inet_ntoa(addr.sin_addr));
    close(sock);
    return;
}

and the configuration in hosts.deny will be effectively ignored.

-- 
Jamin W. Collins
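Janusz's observation in message #12 (the bug shows only when there is no server socket information) and the vino hosts_ctl() call quoted above describe the same code path. The C program below is an added example written for this page, not code from tcp-wrappers, vino or any participant in the thread: it models daemon_or_port_match() with the pre-patch and post-patch ordering of the NULL-sin check, then evaluates the reporter's hosts.allow "SSHD: ALL" / hosts.deny "ALL: ALL" rules against a request with and without server socket data. The struct layouts, function names, the simplified string_match(), the constructed port 5900 and the omission of the client-side EXCEPT clause are all assumptions of the example.

```c
/* Added model of the matching logic discussed in this bug; not the
 * tcp_wrappers library's own code. daemon_or_port_match() rejected every
 * token when the caller left request->server->sin NULL (the hosts_ctl()
 * path vino uses); the patch moves that check so only port tokens need it.
 * All type and function names below are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define YES 1
#define NO  0

/* Simplified stand-ins for tcp_wrappers' host_info / request_info. */
struct host_info { struct sockaddr_in *sin; };
struct request_info {
    const char *daemon;        /* process name the caller passed, e.g. "vnc" */
    struct host_info server;   /* server end of the connection, may be unset */
};

/* string_match() reduced to what the report needs: "ALL" is a wildcard,
 * anything else must equal the daemon name (case-insensitively). */
static int string_match(const char *tok, const char *s)
{
    if (strcmp(tok, "ALL") == 0)
        return YES;
    return strcasecmp(tok, s) == 0 ? YES : NO;
}

/* Same test the patch hunk uses: a token is a port only if it parses as a
 * bare unsigned integer no larger than 65535. */
static int token_is_port(const char *tok, unsigned *port)
{
    char junk;
    return sscanf(tok, "%u%c", port, &junk) == 1 && *port <= 65535;
}

/* Pre-patch ordering: the NULL-sin check comes first, so even "ALL" fails
 * without server socket info. A deny rule that cannot match never fires,
 * which is the fail-open the reporter saw. */
static int daemon_or_port_match_before(const char *tok, struct request_info *req)
{
    unsigned port;
    if (!req->server.sin)
        return NO;
    if (!token_is_port(tok, &port))
        return string_match(tok, req->daemon);
    return ntohs(req->server.sin->sin_port) == port ? YES : NO;
}

/* Patched ordering: daemon names are compared first; only a numeric token
 * needs the server socket to read the port from. */
static int daemon_or_port_match_after(const char *tok, struct request_info *req)
{
    unsigned port;
    if (!token_is_port(tok, &port))
        return string_match(tok, req->daemon);
    if (!req->server.sin)
        return NO;
    return ntohs(req->server.sin->sin_port) == port ? YES : NO;
}

typedef int (*match_fn)(const char *, struct request_info *);

/* The reporter's rules with the client part left out (every rule in the
 * report uses ALL for clients). tcp_wrappers grants when no rule matches.
 * Returns 1 = granted, 0 = denied. */
static int access_granted(match_fn match, struct request_info *req)
{
    if (match("SSHD", req))
        return 1;                 /* hosts.allow "SSHD: ALL" hit */
    if (match("ALL", req))
        return 0;                 /* hosts.deny "ALL: ALL" hit */
    return 1;                     /* neither file matched */
}

/* Constructed request like vino's hosts_ctl() call: no server socket. */
static int vnc_without_server_info(match_fn match)
{
    struct request_info req = { "vnc", { NULL } };
    return access_granted(match, &req);
}

/* Constructed request like "tcpdmatch vnc@addr client": server socket set. */
static int vnc_with_server_info(match_fn match)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(5900);   /* constructed VNC port */
    struct request_info req = { "vnc", { &sin } };
    return access_granted(match, &req);
}

/* Caveat the patch leaves in place: a port-number token still cannot match
 * a request that carries no server socket, in either version. */
static int port_token_matches_without_server_info(match_fn match)
{
    struct request_info req = { "vnc", { NULL } };
    return match("5900", &req);
}

int main(void)
{
    printf("no server info, before fix: %s\n",
           vnc_without_server_info(daemon_or_port_match_before) ? "granted" : "denied");
    printf("no server info, after fix:  %s\n",
           vnc_without_server_info(daemon_or_port_match_after) ? "granted" : "denied");
    return 0;
}
```

Compile with `cc -o wrapmatch wrapmatch.c` and run it: the pre-patch ordering reports "granted" for the server-less request, the patched ordering "denied", which is exactly the difference between the 7.6.dbs-11 and 7.6.dbs-8 tcpdmatch output in the report. The last function documents what the patch does not change: a hosts.deny rule written as a port number still cannot match a request without server socket data, so hosts_ctl() callers remain protected only by daemon-name rules.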



Reply sent to Marco d'Itri <md@linux.it>:
You have taken responsibility. (full text, mbox, link).


Notification sent to "Jamin W. Collins" <jcollins@asgardsrealm.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #54 received at 405342-close@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: 405342-close@bugs.debian.org
Subject: Bug#405342: fixed in tcp-wrappers 7.6.dbs-12
Date: Mon, 08 Jan 2007 01:02:04 +0000
Source: tcp-wrappers
Source-Version: 7.6.dbs-12

We believe that the bug you reported is fixed in the latest version of
tcp-wrappers, which is due to be installed in the Debian FTP archive:

libwrap0-dev_7.6.dbs-12_i386.deb
  to pool/main/t/tcp-wrappers/libwrap0-dev_7.6.dbs-12_i386.deb
libwrap0_7.6.dbs-12_i386.deb
  to pool/main/t/tcp-wrappers/libwrap0_7.6.dbs-12_i386.deb
tcp-wrappers_7.6.dbs-12.diff.gz
  to pool/main/t/tcp-wrappers/tcp-wrappers_7.6.dbs-12.diff.gz
tcp-wrappers_7.6.dbs-12.dsc
  to pool/main/t/tcp-wrappers/tcp-wrappers_7.6.dbs-12.dsc
tcpd_7.6.dbs-12_i386.deb
  to pool/main/t/tcp-wrappers/tcpd_7.6.dbs-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 405342@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri <md@linux.it> (supplier of updated tcp-wrappers package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  8 Jan 2007 01:37:59 +0100
Source: tcp-wrappers
Binary: libwrap0 tcpd libwrap0-dev
Architecture: source i386
Version: 7.6.dbs-12
Distribution: unstable
Urgency: high
Maintainer: Anthony Towns <ajt@debian.org>
Changed-By: Marco d'Itri <md@linux.it>
Description: 
 libwrap0   - Wietse Venema's TCP wrappers library
 libwrap0-dev - Wietse Venema's TCP wrappers library, development files
 tcpd       - Wietse Venema's TCP wrapper utilities
Closes: 393514 401908 405342
Changes: 
 tcp-wrappers (7.6.dbs-12) unstable; urgency=high
 .
   * Fixed the match_port patch to not break matching on daemon names in
     a corner case (when request->server->sin has not been initialised by
     the caller). Patch courtesy of Janusz Krzysztofik. (Closes: #405342)
   * New debconf translations: ro, es. (Closes: #393514, #401908)
Files: 
 d334a563c743885941d85729b733cb4a 682 net important tcp-wrappers_7.6.dbs-12.dsc
 03d2ee40fceb4f0e3ad7a9a04b7e0156 54362 net important tcp-wrappers_7.6.dbs-12.diff.gz
 1e1f302f25795c0c3b5aa48d782f953d 78080 net important tcpd_7.6.dbs-12_i386.deb
 22931f3edabc079ebcc724890cdbe6c8 28730 libs important libwrap0_7.6.dbs-12_i386.deb
 c54cf9ad37423f46c25f82a5bc6a90b2 34380 libdevel optional libwrap0-dev_7.6.dbs-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFoZZVFGfw2OHuP7ERAu7UAJ9wc+yUC6U7AAGS5E/K02+VIUXF5QCeI4l1
zqB4gQj/XL1smKBMXtzHKV0=
=uD6d
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 09:27:09 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:13:48 2025; Machine Name: buxtehude
