Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#475733; Package acon.
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: acon: local root exploit
Date: Sat, 12 Apr 2008 17:38:11 +0200
Package: acon
Version: 1.0.5-5
Severity: critical
Tags: security
Justification: root security hole
The package has a setuid binary acon. The binary never drops setuid. The
source code contains the following lines: (acon.c)
char tmp[300];
...
if((env=getenv("HOME")))
sprintf(tmp,"%s/.acon.conf",env);
This can be easily exploited by a long $HOME.
Helmut
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23.14 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#475733; Package acon.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Hi Helmut,
* Helmut Grohne <helmut@subdivi.de> [2008-04-12 17:47]:
> The package has a setuid binary acon. The binary never drops setuid.
[...]
From the source code:
35 int main(int argc,char **argv)
36 {
37 int i,tty,useunicode=0;
38 char *fontf=0,*translationf=0,*keymapf=0;
39
40 get_ids();
41 set_user_id();
...
301 int user_id;
302 int acon_id;
303
304 void get_ids(void)
305 {
306 user_id=getuid();
307 acon_id=geteuid();
308 }
309 void set_user_id(void)
310 {
311 seteuid(user_id);
312 }
So why do you think it does not drop setuid root, the code does?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: 475733@bugs.debian.org
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 19:15:45 +0200
Hello,
Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2
comments the line:
311 seteuid(user_id);
which is the line to drop setuid root.
The reason was to fix a bug that made some control keys not work
when 'acon' was run without sudo.
I will drop this patch, since there seems to be another bug that makes
control keys do work now anyways.
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
To: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>,
475733@bugs.debian.org
Cc: Kari Pahula <kaol@debian.org>, Mohammed Sameer <msameer@debian.org>,
Daniel Baumann <daniel@debian.org>, Nico Golde <nion@debian.org>
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 19:51:22 +0200
On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
> Hello,
>
> Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2
> comments the line:
>
> 311 seteuid(user_id);
>
> which is the line to drop setuid root.
> The reason was to fix a bug that made some control keys not work
> when 'acon' was run without sudo.
>
So you're building a package with a setuid root binary, comment out the
call to seteuid (so your binary doesn't drop privileges), and none of
the DDs who look at the package (and sponsor it into the archive) tell
you that's not acceptable?
That's... broken.
Cheers,
Julien
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Cc: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>,
475733@bugs.debian.org, Kari Pahula <kaol@debian.org>,
Mohammed Sameer <msameer@debian.org>,
Daniel Baumann <daniel@debian.org>, Nico Golde <nion@debian.org>
On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote:
> On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
>
> > Hello,
> >
> > Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2
> > comments the line:
> >
> > 311 seteuid(user_id);
> >
> > which is the line to drop setuid root.
> > The reason was to fix a bug that made some control keys not work
> > when 'acon' was run without sudo.
> >
> So you're building a package with a setuid root binary, comment out the
> call to seteuid (so your binary doesn't drop privileges), and none of
> the DDs who look at the package (and sponsor it into the archive) tell
> you that's not acceptable?
>
> That's... broken.
I have to admit. I made a mistake. I'm not going to find an excuse. I take full
responsibility.
Ahmed, do you have a deb or should I do an upload and drop the patch ?
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-12 22:14]:
> On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote:
> > On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
[...]
> > So you're building a package with a setuid root binary, comment out the
> > call to seteuid (so your binary doesn't drop privileges), and none of
> > the DDs who look at the package (and sponsor it into the archive) tell
> > you that's not acceptable?
> >
> > That's... broken.
>
> I have to admit. I made a mistake. I'm not going to find an excuse. I take full
> responsibility.
>
> Ahmed, do you have a deb or should I do an upload and drop the patch ?
http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-6.dsc
is a fixed package provided by the maintainer (which I
didn't check). Since I am pretty busy at the moment I would
be happy if you could sponsor this.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
> From the source code:
> 35 int main(int argc,char **argv)
> 36 {
> 37 int i,tty,useunicode=0;
> 38 char *fontf=0,*translationf=0,*keymapf=0;
> 39
> 40 get_ids();
> 41 set_user_id();
> ...
> 301 int user_id;
> 302 int acon_id;
> 303
> 304 void get_ids(void)
> 305 {
> 306 user_id=getuid();
> 307 acon_id=geteuid();
> 308 }
> 309 void set_user_id(void)
> 310 {
> 311 seteuid(user_id);
> 312 }
> So why do you think it does not drop setuid root, the code does?
You are right in that it drops seteuid. Given arbitrary code execution
(which looks possible by trashing the return address of main) one can
still seteuid back to root.
Helmut
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
> So why do you think it does not drop setuid root, the code does?
$ cat debian/patches/05_setuid.diff
Index: acon-1.0.5/acon.c
Commented a statement that returns the user id to non-root. That made
some control keys not work.
===================================================================
diff -ur acon/acon.c acon-1.0.5/acon.c
--- acon/acon.c 2003-07-18 22:09:06.000000000 +0300
+++ acon-1.0.5/acon.c 2007-02-23 08:16:32.000000000 +0200
@@ -308,7 +308,7 @@
}
void set_user_id(void)
{
- seteuid(user_id);
+ //seteuid(user_id); // aelmahmoudy
}
void set_acon_id(void)
{
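Review bot: commenting out seteuid(user_id) in set_user_id() turns the control-key workaround into a full privilege escalation: the binary is installed setuid root, and with this line gone it reads $HOME and builds its config and translation paths with an effective uid of 0, so the unbounded sprintf() into the fixed-size tmp buffer becomes a root compromise. set_acon_id() is still present immediately below, so the upstream design is to toggle between the two ids; whatever the control keys need (presumably a particular device open or ioctl) should be done inside a short set_acon_id()/set_user_id() window, not by staying root for the whole run. Note also that even the original seteuid(user_id) is not a permanent drop: it leaves the saved set-user-id at 0, so a real drop would be setresuid(user_id, user_id, user_id) or setuid(user_id) before any attacker-influenced input is parsed.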
$
Helmut
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
On Sat, Apr 12, 2008 at 11:08:46PM +0200, Nico Golde wrote:
> Hi Mohammed,
> * Mohammed Sameer <msameer@foolab.org> [2008-04-12 22:14]:
> > On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote:
> > > On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
> [...]
> > > So you're building a package with a setuid root binary, comment out the
> > > call to seteuid (so your binary doesn't drop privileges), and none of
> > > the DDs who look at the package (and sponsor it into the archive) tell
> > > you that's not acceptable?
> > >
> > > That's... broken.
> >
> > I have to admit. I made a mistake. I'm not going to find an excuse. I take full
> > responsibility.
> >
> > Ahmed, do you have a deb or should I do an upload and drop the patch ?
>
> http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-6.dsc
> is a fixed package provided by the maintainer (which I
> didn't check). Since I am pretty busy at the moment I would
> be happy if you could sponsor this.
Uploaded.
Thanks.
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Helmut,
* Helmut Grohne <helmut@subdivi.de> [2008-04-13 00:36]:
> > From the source code:
[...]
> > 309 void set_user_id(void)
> > 310 {
> > 311 seteuid(user_id);
> > 312 }
>
> > So why do you think it does not drop setuid root, the code does?
>
> You are right in that it drops seteuid. Given arbitrary code execution
> (which looks possible by trashing the return address of main) one can
> still seteuid back to root.
Oh true, my bad. I totally missed that it only changes the
effective user id.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
From: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
To: 475733-close@bugs.debian.org
Subject: Bug#475733: fixed in acon 1.0.5-6
Date: Sun, 13 Apr 2008 13:47:02 +0000
Source: acon
Source-Version: 1.0.5-6
We believe that the bug you reported is fixed in the latest version of
acon, which is due to be installed in the Debian FTP archive:
acon_1.0.5-6.diff.gz
to pool/main/a/acon/acon_1.0.5-6.diff.gz
acon_1.0.5-6.dsc
to pool/main/a/acon/acon_1.0.5-6.dsc
acon_1.0.5-6_amd64.deb
to pool/main/a/acon/acon_1.0.5-6_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 475733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (supplier of updated acon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 12 Apr 2008 11:40:43 +0200
Source: acon
Binary: acon
Architecture: source amd64
Version: 1.0.5-6
Distribution: unstable
Urgency: low
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Changed-By: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Description:
acon - Text console arabization
Closes: 475733
Changes:
acon (1.0.5-6) unstable; urgency=low
.
* Added doc/readme* to docs.
* Added doc/sample.glyph to examples.
* Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
Checksums-Sha1:
477c3713a83da5ed9cd6c9bb337c53eda17369e2 971 acon_1.0.5-6.dsc
fc586f78d04385131964b002bbc959794227883c 4712 acon_1.0.5-6.diff.gz
f23075a79608c32dfe02d79128453d07e2379c2c 36850 acon_1.0.5-6_amd64.deb
Checksums-Sha256:
de32c998a3c8120487aea8cf00ee48ba5e8eb8b80cdc0061916d5e9f8d4e6480 971 acon_1.0.5-6.dsc
18bbf011530752859a1870f4faeed9cb831f954fe4a50be399ed4ab02acf1dac 4712 acon_1.0.5-6.diff.gz
f390eb830071a6d128da5a015e62f5d81457501d3763853deb47ff8c78793808 36850 acon_1.0.5-6_amd64.deb
Files:
b299e3bf44bec8d389cb5126f37c530e 971 misc optional acon_1.0.5-6.dsc
79c983475c96d29898cbbc9203014ee3 4712 misc optional acon_1.0.5-6.diff.gz
8967b680c1d47eeccbd1f0182859ff1b 36850 misc optional acon_1.0.5-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIAgrsy2aOKaP9DfcRAp4lAJ9EVvYRfXvBPhAILtYBYQAI4tZdbwCcDij/
3X7KPOEtYLqQS2gy+5Gf0e4=
=P5Ac
-----END PGP SIGNATURE-----
Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Subject: Re: Bug#475733 closed by أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (Bug#475733: fixed in acon 1.0.5-6)
Date: Sun, 13 Apr 2008 16:14:02 +0200
found 475733 1.0.5-6
thanks
> * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
This is not enough, because it still has the saved set user id and is
exploitable:
> The package has a setuid binary acon. The binary never drops setuid. The
> source code contains the following lines: (acon.c)
>
> char tmp[300];
> ...
> if((env=getenv("HOME")))
> sprintf(tmp,"%s/.acon.conf",env);
>
> This can be easily exploited by a long $HOME.
Helmut
Bug marked as found in version 1.0.5-6 and reopened.
Request was from Helmut Grohne <helmut@subdivi.de>
to control@bugs.debian.org.
(Sun, 13 Apr 2008 14:15:03 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>:
reopen 475733
thanks
Hi,
* Helmut Grohne <helmut@subdivi.de> [2008-04-13 16:36]:
> > * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
>
> This is not enough, because it still has the saved set user id and is
> exploitable:
[...]
As stated before the code only changes the effective user id
and thus any overflow that ships a seteuid(0) in the shell
code can get the privileges back. Please drop the privileges
properly or fix the buffer overflow.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
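The point Helmut and Nico make above (seteuid() changes only the effective uid and leaves the saved set-user-id at 0, so injected code can call seteuid(0) and get root back) in an added example that is not acon's code and is not part of this bug report. The function names (ids_all_equal, drop_temporarily, drop_permanently, can_regain_root) are this example's own, and getresuid()/setresuid() are Linux-specific. Run it as a setuid-root binary to watch the saved uid stay 0 after seteuid() and become the user's uid after setresuid(); run unprivileged it just reports that there is nothing to regain.

```c
/* Added example, not acon's code: why seteuid(getuid()) is only a
 * temporary privilege drop in a setuid-root program, and what a
 * permanent drop looks like.  Function names are this example's own;
 * getresuid()/setresuid() are Linux (glibc) extensions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes in case _GNU_SOURCE was not seen before unistd.h. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Return 1 iff real, effective and saved uid all equal target. */
int ids_all_equal(uid_t target)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r == target && e == target && s == target;
}

/* What acon did: only the effective uid changes.  Started setuid root,
 * the saved set-user-id stays 0, so a later seteuid(0) is permitted. */
int drop_temporarily(uid_t user)
{
    return seteuid(user) == 0 ? 0 : -1;
}

/* Permanent drop: real, effective and saved uid all set to user, then
 * verified.  Returns 0 only if the process can no longer become root. */
int drop_permanently(uid_t user)
{
    if (setresuid(user, user, user) != 0)
        return -1;
    return ids_all_equal(user) ? 0 : -1;
}

/* Return 1 if seteuid(0) succeeds from the current state, i.e. injected
 * shellcode could regain root.  Restores the previous euid afterwards. */
int can_regain_root(void)
{
    uid_t before = geteuid();
    if (seteuid(0) != 0)
        return 0;            /* EPERM: neither real nor saved uid is 0 */
    seteuid(before);
    return 1;
}

static void show(const char *step)
{
    uid_t r, e, s;
    getresuid(&r, &e, &s);
    printf("%-10s ruid=%u euid=%u suid=%u can_regain_root=%d\n", step,
           (unsigned)r, (unsigned)e, (unsigned)s, can_regain_root());
}

int main(void)
{
    uid_t me = getuid();
    show("start");
    drop_temporarily(me);    /* the acon 1.0.5-6 behaviour */
    show("seteuid");
    drop_permanently(me);    /* what this thread asks for */
    show("setresuid");
    return 0;
}
```

The design point is that a permanent drop is verified after the fact with getresuid(): a setresuid() that partially fails is worse than none, because the program would then parse untrusted input believing it is unprivileged.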
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: 475733@bugs.debian.org
Subject: Re: Bug#475733: closed by أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (Bug#475733: fixed in acon 1.0.5-6)
Date: Sun, 13 Apr 2008 17:38:17 +0200
Hello,
I removed suid permissions in this upload:
http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-7.dsc
On Sun, Apr 13, 2008 at 04:55:19PM +0200, Nico Golde wrote:
> reopen 475733
> thanks
>
> Hi,
> * Helmut Grohne <helmut@subdivi.de> [2008-04-13 16:36]:
> > > * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
> >
> > This is not enough, because it still has the saved set user id and is
> > exploitable:
> [...]
> As stated before the code only changes the effective user id
> and thus any overflow that ships a seteuid(0) in the shell
> code can get the privileges back. Please drop the privileges
> properly or fix the buffer overflow.
---end quoted text---
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Attached a patch.
The only problem is I don't free(tmp), but I guess it's not a big issue.
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
I think I'm missing something.
Why do we need to make it not suid if the daemon drops it (-6 upload)?
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-13 18:18]:
> I think I'm missing something.
>
> Why do we need to make it not suid if the daemon drops it (-6 upload)?
Cause it does drop it via seteuid and as long as the buffer
overflow exists possible injected shellcode could do
seteuid(0) to get it back.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
On Mon, Apr 14, 2008 at 02:26:47PM +0200, Nico Golde wrote:
> Hi Mohammed,
> * Mohammed Sameer <msameer@foolab.org> [2008-04-13 18:18]:
> > I think I'm missing something.
> >
> > Why do we need to make it not suid if the daemon drops it (-6 upload)?
>
> Cause it does drop it via seteuid and as long as the buffer
> overflow exists possible injected shellcode could do
> seteuid(0) to get it back.
> Kind regards
> Nico
aha!
I sent a patch earlier as an attempt to fix the buffer overflow vulnerability.
I'd appreciate someone reviewing it. I can do an upload if it's OK.
Cheers,
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-14 14:33]:
> On Mon, Apr 14, 2008 at 02:26:47PM +0200, Nico Golde wrote:
> > Hi Mohammed,
> > * Mohammed Sameer <msameer@foolab.org> [2008-04-13 18:18]:
> > > I think I'm missing something.
> > >
> > > Why do we need to make it not suid if the daemon drops it (-6 upload)?
> >
> > Cause it does drop it via seteuid and as long as the buffer
> > overflow exists possible injected shellcode could do
> > seteuid(0) to get it back.
>
> aha!
>
> I sent a patch earlier as an attempt to fix the buffer overflow vulnerability.
> I'd appreciate someone reviewing it. I can do an upload if it's OK.
Just saw it and I have to admit that I'm not really happy
with it. Please just leave the code as it is now and use
snprintf instead with a length of sizeof(tmp). Please also
check the other buffers.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Hello,
Thanks for the help. I have made a patch that would fix the possible
buffer overflows. Please check the attached patch.
On Mon, Apr 14, 2008 at 02:54:21PM +0200, Nico Golde wrote:
> Just saw it and I have to admit that I'm not really happy
> with it. Please just leave the code as it is now and use
> snprintf instead with a length of sizeof(tmp). Please also
> check the other buffers.
---end quoted text---
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi,
* aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> Thanks for the help. I have made a patch that would fix the possible
> buffer overflows. Please check the attached patch.
[...]
> if(path[0]!='/')
> - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
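Review bot: the hard-coded 302 in snprintf(tmp,302,...) duplicates the buffer size by hand, so the bound silently goes wrong if the declaration of tmp is ever changed; use sizeof(tmp) so the limit follows the array. Also check the return value: if it is >= sizeof(tmp) the combined DATAPATH/translations/path did not fit, and the call should fail rather than continue with a truncated file name.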
Off by two. Why don't you just use sizeof(tmp)?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to aelmahmoudy@users.sourceforge.net:
Hello,
On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > if(path[0]!='/')
> > - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
>
> Off by two. Why don't you just use sizeof(tmp)?
> Kind regards
> Nico
---end quoted text---
Actually for this one, tmp is declared as: char tmp[302];
I will use sizeof(tmp) anyways.
So is this patch enough to close the bug?
--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
SySDSoft, Inc.
GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C 156E D325 C3C8 9DCA 0B27
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> Hi,
> * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > Thanks for the help. I have made a patch that would fix the possible
> > buffer overflows. Please check the attached patch.
> [...]
> > if(path[0]!='/')
> > - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
>
> Off by two. Why don't you just use sizeof(tmp)?
And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
properly malloc() enough size to hold the whole path ?
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-17 15:53]:
> On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > > Thanks for the help. I have made a patch that would fix the possible
> > > buffer overflows. Please check the attached patch.
> > [...]
> > > if(path[0]!='/')
> > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> >
> > Off by two. Why don't you just use sizeof(tmp)?
>
> And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
> properly malloc() enough size to hold the whole path ?
Cause you have a maximum length for these values specified
by the shell and malloc(foo + somelength) operations often
lead to integer overflows (well not in this case).
Anyway, the 302 was fine since it was tmp from a different
source file where it is specified to have 302 bytes.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
On Thu, Apr 17, 2008 at 04:02:25PM +0200, Nico Golde wrote:
> Hi Mohammed,
> * Mohammed Sameer <msameer@foolab.org> [2008-04-17 15:53]:
> > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > > * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > > > Thanks for the help. I have made a patch that would fix the possible
> > > > buffer overflows. Please check the attached patch.
> > > [...]
> > > > if(path[0]!='/')
> > > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> > >
> > > Off by two. Why don't you just use sizeof(tmp)?
> >
> > And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
> > properly malloc() enough size to hold the whole path ?
>
> Cause you have a maximum length for these values specified
> by the shell and malloc(foo + somelength) operations often
> lead to integer overflows (well not in this case).
>
> Anyway, the 302 was fine since it was tmp from a different
> source file where it is specified to have 302 bytes.
A maximum length for $HOME? Never heard of that.
If you malloc(strlen(DATAPATH) + 1); then you won't overflow.
Cheers,
--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
Acknowledgement sent to Nico Golde <nion@debian.org>:
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-17 22:36]:
> On Thu, Apr 17, 2008 at 04:02:25PM +0200, Nico Golde wrote:
> > Hi Mohammed,
> > * Mohammed Sameer <msameer@foolab.org> [2008-04-17 15:53]:
> > > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > > > * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > > > > Thanks for the help. I have made a patch that would fix the possible
> > > > > buffer overflows. Please check the attached patch.
> > > > [...]
> > > > > if(path[0]!='/')
> > > > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> > > >
> > > > off-by two. Why don't you just use sizeof(tmp)?
> > >
> > > And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
> > > properly malloc() enough size to hold the whole path?
> >
> > Cause you have a maximum length for these values specified
> > by the shell and malloc(foo + somelength) operations often
> > lead to integer overflows (well not in this case).
> >
> > Anyway, the 302 was fine since it was tmp from a different
> > source file where it is specified to have 302 bytes.
>
>
> A maximum length for $HOME? Never heard of that.
> If you malloc(strlen(DATAPATH) + 1); then you won't overflow.
_POSIX_PATH_MAX should fit.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
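The two approaches argued over in this exchange, bounding a fixed buffer with sizeof() and detecting truncation versus allocating exactly the size the result needs, written out side by side as an added example; this is not acon's code and not any patch from this thread. The 302-byte tmp is the size the thread gives; DATAPATH's value, the function names and the 'A'-filled input are assumptions constructed for the example, and only the relative-path branch the hunk guards with path[0] != '/' is handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DATAPATH "/usr/share/acon"  /* assumed value: acon's real DATAPATH is set at build time */
#define TMP_SIZE 302                /* the size the thread gives for the tmp buffer */

/* Formats "<DATAPATH>/translations/<path>" into buf (the relative-path case the
 * hunk guards with path[0] != '/'). Returns the length snprintf wanted to write,
 * so calling it with (NULL, 0) measures the result without writing anything. */
static int format_translation_path(char *buf, size_t size, const char *path)
{
    return snprintf(buf, size, "%s/translations/%s", DATAPATH, path);
}

/* Variant 1: fixed buffer bounded by its real size (sizeof at the caller), with
 * truncation detected. Returns 0 if it fit, -1 otherwise (buffer then emptied). */
int build_translation_path_fixed(char *tmp, size_t tmp_size, const char *path)
{
    int n = format_translation_path(tmp, tmp_size, path);
    if (n < 0 || (size_t)n >= tmp_size) {   /* n >= size: output was cut short */
        tmp[0] = '\0';
        return -1;
    }
    return 0;
}

/* Variant 2: heap buffer sized to the exact result, so nothing is truncated. The
 * measured length already includes the "/translations/" literal that a hand-written
 * strlen() sum easily misses; +1 for the NUL. Caller frees; NULL on failure. */
char *build_translation_path_alloc(const char *path)
{
    int n = format_translation_path(NULL, 0, path);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (out)
        format_translation_path(out, (size_t)n + 1, path);
    return out;
}

/* Pushes a component of `len` 'A' bytes (constructed input, the shape of the long
 * value in the report) through a 302-byte tmp. Returns 1 if it fit, 0 if rejected. */
int long_component_fits(size_t len)
{
    char tmp[TMP_SIZE], *p = malloc(len + 1);
    if (!p) return -1;
    memset(p, 'A', len);
    p[len] = '\0';
    int fit = build_translation_path_fixed(tmp, sizeof tmp, p) == 0;
    free(p);
    return fit;
}
```

With the assumed DATAPATH the fixed prefix is 29 bytes, so a 272-byte component is the last one that fits in 302 bytes with its terminating NUL and a 273-byte one is rejected instead of being silently cut.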
Merged 475733 476603.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 19 Apr 2008 13:21:03 GMT)
Severity set to `grave' from `critical'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 19 Apr 2008 13:21:11 GMT)
Bug no longer marked as found in version 1.0.5-7.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 14:39:11 GMT)
Bug no longer marked as found in version 1.0.5-7.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 14:39:13 GMT)
Severity set to `grave' from `grave'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 24 May 2008 19:30:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#475733; Package acon.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
tags 475733 + patch
tags 476603 + patch
thanks
Hi,
attached is a patch for acon which I can't test. Since this
involves quite a few changes it would be nice if someone
could review and/or test this patch.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 24 May 2008 20:24:07 GMT)
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sat, 24 May 2008 20:24:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>: Bug#475733; Package acon.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.
Hi,
I'm going to upload this patch as an NMU.
As a sponsor please make sure these changes are not lost
with the next upload. Please also forward those changes to
the upstream developer.
The patch will be also archived on:
http://people.debian.org/~nion/nmu-diff/acon-1.0.5-6_1.0.5-6.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: acon
Source-Version: 1.0.5-6.1
We believe that the bug you reported is fixed in the latest version of
acon, which is due to be installed in the Debian FTP archive:
acon_1.0.5-6.1.diff.gz
to pool/main/a/acon/acon_1.0.5-6.1.diff.gz
acon_1.0.5-6.1.dsc
to pool/main/a/acon/acon_1.0.5-6.1.dsc
acon_1.0.5-6.1_amd64.deb
to pool/main/a/acon/acon_1.0.5-6.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 475733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated acon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 24 May 2008 22:10:40 +0200
Source: acon
Binary: acon
Architecture: source amd64
Version: 1.0.5-6.1
Distribution: unstable
Urgency: high
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Changed-By: Nico Golde <nion@debian.org>
Description:
acon - Text console arabization
Closes: 475733 476603
Changes:
acon (1.0.5-6.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix various buffer overflows by doing proper bounds checking
that could be exploited to get root access
(CVE-2008-1994; Closes: #476603, #475733).
Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.
Notification sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 06 Jul 2008 07:25:46 GMT)