Debian Bug report logs - #475733
acon: local root exploit


Package: acon; Maintainer for acon is (unknown);

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Sat, 12 Apr 2008 15:42:04 UTC

Severity: grave

Tags: patch, security

Merged with 476603

Found in versions acon/1.0.5-5, acon/1.0.5-6

Fixed in version acon/1.0.5-6.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: acon: local root exploit
Date: Sat, 12 Apr 2008 17:38:11 +0200
Package: acon
Version: 1.0.5-5
Severity: critical
Tags: security
Justification: root security hole

The package has a setuid binary acon. The binary never drops setuid. The
source code contains the following lines: (acon.c)

char tmp[300];
...
if((env=getenv("HOME")))
	sprintf(tmp,"%s/.acon.conf",env);

This can be easily exploited by a long $HOME.

Helmut

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23.14 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
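The overflow Helmut describes, and the bounded replacement that the thread later settles on, as an added example that is not acon's code: it computes how long a $HOME must be to run past the 300-byte tmp buffer, and shows an snprintf-based builder that rejects an oversize path instead of silently truncating it. The buffer size and the "/.acon.conf" suffix are taken from the report; the function names, the 400-byte constructed HOME and the 289-byte threshold are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACON_TMP_SIZE 300          /* char tmp[300] in acon.c, per the report */
#define CONF_SUFFIX   "/.acon.conf"

/* Bytes sprintf(tmp, "%s/.acon.conf", home) writes, NUL included. */
size_t conf_path_needed(const char *home)
{
    return strlen(home) + strlen(CONF_SUFFIX) + 1;
}

/* 1 if that sprintf would run past the end of tmp[ACON_TMP_SIZE].
 * Any $HOME of 289 or more bytes is enough; nothing checks it before use. */
int conf_path_overflows(const char *home)
{
    return conf_path_needed(home) > ACON_TMP_SIZE;
}

/* Hardened replacement (my code, not acon's): bounded write plus a
 * truncation check. snprintf never writes past outsz, but it truncates
 * silently, and a setuid program must not go on to open a truncated path.
 * Returns 0 with out filled in, or -1 with out empty when it does not fit. */
int build_conf_path(char *out, size_t outsz, const char *home)
{
    if (out == NULL || outsz == 0)
        return -1;
    if (home == NULL) {
        out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outsz, "%s" CONF_SUFFIX, home);
    if (n < 0 || (size_t)n >= outsz) {   /* n counts what *would* have been written */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helper for constructed inputs: len copies of c, NUL-terminated (buf holds len+1). */
void fill_home(char *buf, size_t len, char c)
{
    memset(buf, c, len);
    buf[len] = '\0';
}

int main(void)
{
    char tmp[ACON_TMP_SIZE];
    char longhome[401];                       /* constructed: export HOME=AAAA...(400) */
    const char *home = getenv("HOME");

    if (home == NULL)
        home = "/root";
    fill_home(longhome, 400, 'A');

    printf("current HOME needs %zu of %d bytes, overflows: %d\n",
           conf_path_needed(home), ACON_TMP_SIZE, conf_path_overflows(home));
    printf("400-byte HOME needs %zu bytes, overflows: %d\n",
           conf_path_needed(longhome), conf_path_overflows(longhome));

    if (build_conf_path(tmp, sizeof tmp, longhome) != 0)
        printf("build_conf_path: refused oversize HOME instead of overflowing\n");
    if (build_conf_path(tmp, sizeof tmp, home) == 0)
        printf("build_conf_path: %s\n", tmp);
    return 0;
}
```

The check on the snprintf return value is the part most often left out: without it the program stays memory-safe but may open a path that is not the one the user configured.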




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #10 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Helmut Grohne <helmut@subdivi.de>, 475733@bugs.debian.org
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 18:21:31 +0200
[Message part 1 (text/plain, inline)]
Hi Helmut,
* Helmut Grohne <helmut@subdivi.de> [2008-04-12 17:47]:
> The package has a setuid binary acon. The binary never drops setuid.
[...] 
From the source code:
     35 int main(int argc,char **argv)
     36 {
     37         int i,tty,useunicode=0;
     38         char *fontf=0,*translationf=0,*keymapf=0;
     39 
     40         get_ids();
     41         set_user_id();
     ...
     301 int user_id;
     302 int acon_id;
     303 
     304 void get_ids(void)
     305 {
     306         user_id=getuid();
     307         acon_id=geteuid();
     308 }
     309 void set_user_id(void)
     310 {
     311         seteuid(user_id);
     312 }

So why do you think it does not drop setuid root, the code does?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #15 received at 475733@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: 475733@bugs.debian.org
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 19:15:45 +0200
Hello,

  Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2 
  comments the line:

311         seteuid(user_id);

  which is the line to drop setuid root.
  The reason was to fix a bug that made some control keys not work 
  when 'acon' was run without sudo.

  I will drop this patch, since there seems to be another bug that makes 
  control keys work now anyway.

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #20 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>, 475733@bugs.debian.org
Cc: Kari Pahula <kaol@debian.org>, Mohammed Sameer <msameer@debian.org>, Daniel Baumann <daniel@debian.org>, Nico Golde <nion@debian.org>
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 19:51:22 +0200
On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:

> Hello,
> 
>   Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2 
>   comments the line:
> 
> 311         seteuid(user_id);
> 
>   which is the line to drop setuid root.
>   The reason was to fix a bug that made some control keys not work 
>   when 'acon' was run without sudo.
> 
So you're building a package with a setuid root binary, comment out the
call to seteuid (so your binary doesn't drop privileges), and none of
the DDs who look at the package (and sponsor it into the archive) tell
you that's not acceptable?

That's... broken.

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #25 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Mohammed Sameer <msameer@foolab.org>
To: Julien Cristau <jcristau@debian.org>
Cc: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>, 475733@bugs.debian.org, Kari Pahula <kaol@debian.org>, Mohammed Sameer <msameer@debian.org>, Daniel Baumann <daniel@debian.org>, Nico Golde <nion@debian.org>
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 23:11:53 +0300
[Message part 1 (text/plain, inline)]
On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote:
> On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
> 
> > Hello,
> > 
> >   Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2 
> >   comments the line:
> > 
> > 311         seteuid(user_id);
> > 
> >   which is the line to drop setuid root.
> >   The reason was to fix a bug that made some control keys not work 
> >   when 'acon' was run without sudo.
> > 
> So you're building a package with a setuid root binary, comment out the
> call to seteuid (so your binary doesn't drop privileges), and none of
> the DDs who look at the package (and sponsor it into the archive) tell
> you that's not acceptable?
> 
> That's... broken.

I have to admit I made a mistake. I'm not going to find an excuse. I take full
responsibility.

Ahmed, do you have a deb or should I do an upload and drop the patch ?

-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #30 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Mohammed Sameer <msameer@foolab.org>
Cc: Julien Cristau <jcristau@debian.org>, أحمد المحمودي <aelmahmoudy@users.sourceforge.net>, 475733@bugs.debian.org, Kari Pahula <kaol@debian.org>, Mohammed Sameer <msameer@debian.org>, Daniel Baumann <daniel@debian.org>
Subject: Re: Bug#475733: acon: local root exploit
Date: Sat, 12 Apr 2008 23:08:46 +0200
[Message part 1 (text/plain, inline)]
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-12 22:14]:
> On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote:
> > On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
[...] 
> > So you're building a package with a setuid root binary, comment out the
> > call to seteuid (so your binary doesn't drop privileges), and none of
> > the DDs who look at the package (and sponsor it into the archive) tell
> > you that's not acceptable?
> > 
> > That's... broken.
> 
> I have to admit I made a mistake. I'm not going to find an excuse. I take full
> responsibility.
> 
> Ahmed, do you have a deb or should I do an upload and drop the patch ?

http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-6.dsc 
is a fixed package provided by the maintainer (which I 
didn't check). Since I am pretty busy at the moment I would 
be happy if you could sponsor this.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #35 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Nico Golde <nion@debian.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: acon: local root exploit
Date: Sun, 13 Apr 2008 00:34:57 +0200
> From the source code:
>      35 int main(int argc,char **argv)
>      36 {
>      37         int i,tty,useunicode=0;
>      38         char *fontf=0,*translationf=0,*keymapf=0;
>      39 
>      40         get_ids();
>      41         set_user_id();
>      ...
>      301 int user_id;
>      302 int acon_id;
>      303 
>      304 void get_ids(void)
>      305 {
>      306         user_id=getuid();
>      307         acon_id=geteuid();
>      308 }
>      309 void set_user_id(void)
>      310 {
>      311         seteuid(user_id);
>      312 }

> So why do you think it does not drop setuid root, the code does?

You are right in that it drops seteuid. Given arbitrary code execution
(which looks possible by trashing the return address of main) one can
still seteuid back to root.

Helmut




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #40 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: Nico Golde <nion@debian.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: acon: local root exploit
Date: Sun, 13 Apr 2008 01:38:01 +0200
> So why do you think it does not drop setuid root, the code does?

$ cat debian/patches/05_setuid.diff 
Index: acon-1.0.5/acon.c
Commented a statement that returns the user id to non-root. That made
some control keys to not work.
===================================================================
diff -ur acon/acon.c acon-1.0.5/acon.c
--- acon/acon.c 2003-07-18 22:09:06.000000000 +0300
+++ acon-1.0.5/acon.c   2007-02-23 08:16:32.000000000 +0200
@@ -308,7 +308,7 @@
 }
 void set_user_id(void)
 {
-       seteuid(user_id);
+       //seteuid(user_id); // aelmahmoudy
 }
 void set_acon_id(void)
 {
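Review bot: commenting out seteuid(user_id) in set_user_id() removes the only privilege drop this setuid-root binary performs, so every later statement, including the sprintf of $HOME into char tmp[300] quoted in the report, runs with effective UID 0 and the overflow becomes an immediate root compromise rather than one that needs a seteuid(0) first. The control-key problem should be fixed by raising privileges only around the operation that needs them (set_acon_id() is right there in the context lines) and dropping them again afterwards, not by never dropping them; at minimum the patch description should record the security consequence, not only the symptom.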
$

Helmut




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #45 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Mohammed Sameer <msameer@foolab.org>
To: Nico Golde <nion@debian.org>
Cc: Julien Cristau <jcristau@debian.org>, أحمد المحمودي <aelmahmoudy@users.sourceforge.net>, 475733@bugs.debian.org, Kari Pahula <kaol@debian.org>, Mohammed Sameer <msameer@debian.org>, Daniel Baumann <daniel@debian.org>
Subject: Re: Bug#475733: acon: local root exploit
Date: Sun, 13 Apr 2008 03:10:19 +0300
[Message part 1 (text/plain, inline)]
On Sat, Apr 12, 2008 at 11:08:46PM +0200, Nico Golde wrote:
> Hi Mohammed,
> * Mohammed Sameer <msameer@foolab.org> [2008-04-12 22:14]:
> > On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote:
> > > On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote:
> [...] 
> > > So you're building a package with a setuid root binary, comment out the
> > > call to seteuid (so your binary doesn't drop privileges), and none of
> > > the DDs who look at the package (and sponsor it into the archive) tell
> > > you that's not acceptable?
> > > 
> > > That's... broken.
> > 
> > I have to admit I made a mistake. I'm not going to find an excuse. I take full
> > responsibility.
> > 
> > Ahmed, do you have a deb or should I do an upload and drop the patch ?
> 
> http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-6.dsc 
> is a fixed package provided by the maintainer (which I 
> didn't check). Since I am pretty busy at the moment I would 
> be happy if you could sponsor this.

Uploaded.

Thanks.


-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #50 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Helmut Grohne <helmut@subdivi.de>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: acon: local root exploit
Date: Sun, 13 Apr 2008 12:02:41 +0200
[Message part 1 (text/plain, inline)]
Hi Helmut,
* Helmut Grohne <helmut@subdivi.de> [2008-04-13 00:36]:
> > From the source code:
[...] 
> >      309 void set_user_id(void)
> >      310 {
> >      311         seteuid(user_id);
> >      312 }
> 
> > So why do you think it does not drop setuid root, the code does?
> 
> You are right in that it drops seteuid. Given arbitrary code execution
> (which looks possible by trashing the return address of main) one can
> still seteuid back to root.

Oh true, my bad. I totally missed that it only changes the 
effective user id.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #55 received at 475733-close@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
To: 475733-close@bugs.debian.org
Subject: Bug#475733: fixed in acon 1.0.5-6
Date: Sun, 13 Apr 2008 13:47:02 +0000
Source: acon
Source-Version: 1.0.5-6

We believe that the bug you reported is fixed in the latest version of
acon, which is due to be installed in the Debian FTP archive:

acon_1.0.5-6.diff.gz
  to pool/main/a/acon/acon_1.0.5-6.diff.gz
acon_1.0.5-6.dsc
  to pool/main/a/acon/acon_1.0.5-6.dsc
acon_1.0.5-6_amd64.deb
  to pool/main/a/acon/acon_1.0.5-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (supplier of updated acon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Apr 2008 11:40:43 +0200
Source: acon
Binary: acon
Architecture: source amd64
Version: 1.0.5-6
Distribution: unstable
Urgency: low
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Changed-By: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Description: 
 acon       - Text console arabization
Closes: 475733
Changes: 
 acon (1.0.5-6) unstable; urgency=low
 .
   * Added doc/readme* to docs.
   * Added doc/sample.glyph to examples.
   * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
Checksums-Sha1: 
 477c3713a83da5ed9cd6c9bb337c53eda17369e2 971 acon_1.0.5-6.dsc
 fc586f78d04385131964b002bbc959794227883c 4712 acon_1.0.5-6.diff.gz
 f23075a79608c32dfe02d79128453d07e2379c2c 36850 acon_1.0.5-6_amd64.deb
Checksums-Sha256: 
 de32c998a3c8120487aea8cf00ee48ba5e8eb8b80cdc0061916d5e9f8d4e6480 971 acon_1.0.5-6.dsc
 18bbf011530752859a1870f4faeed9cb831f954fe4a50be399ed4ab02acf1dac 4712 acon_1.0.5-6.diff.gz
 f390eb830071a6d128da5a015e62f5d81457501d3763853deb47ff8c78793808 36850 acon_1.0.5-6_amd64.deb
Files: 
 b299e3bf44bec8d389cb5126f37c530e 971 misc optional acon_1.0.5-6.dsc
 79c983475c96d29898cbbc9203014ee3 4712 misc optional acon_1.0.5-6.diff.gz
 8967b680c1d47eeccbd1f0182859ff1b 36850 misc optional acon_1.0.5-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIAgrsy2aOKaP9DfcRAp4lAJ9EVvYRfXvBPhAILtYBYQAI4tZdbwCcDij/
3X7KPOEtYLqQS2gy+5Gf0e4=
=P5Ac
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #60 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Helmut Grohne <helmut@subdivi.de>
To: 475733@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#475733 closed by أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (Bug#475733: fixed in acon 1.0.5-6)
Date: Sun, 13 Apr 2008 16:14:02 +0200
found 475733 1.0.5-6
thanks

>    * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)

This is not enough, because it still has the saved set-user-ID and is
exploitable:

> The package has a setuid binary acon. The binary never drops setuid. The
> source code contains the following lines: (acon.c)
> 
> char tmp[300];
> ...
> if((env=getenv("HOME")))
> 	sprintf(tmp,"%s/.acon.conf",env);
> 
> This can be easily exploited by a long $HOME.

Helmut




Bug marked as found in version 1.0.5-6 and reopened. Request was from Helmut Grohne <helmut@subdivi.de> to control@bugs.debian.org. (Sun, 13 Apr 2008 14:15:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #67 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 475733@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#475733: closed by أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (Bug#475733: fixed in acon 1.0.5-6)
Date: Sun, 13 Apr 2008 16:55:19 +0200
[Message part 1 (text/plain, inline)]
reopen 475733
thanks

Hi,
* Helmut Grohne <helmut@subdivi.de> [2008-04-13 16:36]:
> >    * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
> 
> This is not enough, because it still has the saved set-user-ID and is
> exploitable:
[...] 
As stated before the code only changes the effective user id 
and thus any overflow that ships a seteuid(0) in the shell 
code can get the privileges back. Please drop the privileges 
properly or fix the buffer overflow.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
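The distinction Helmut and Nico are drawing, as an added example that is not acon's code: a setuid-root program that calls seteuid(getuid()) keeps 0 in its saved set-user-ID and can seteuid(0) back at any time, while setresuid() on all three IDs, read back with getresuid(), cannot be undone. The function names are my own; is_permanent_drop() is a pure check on a (real, effective, saved) triple so it can be exercised without root, and main() shows the three IDs moving when the binary really is setuid root.

```c
#define _GNU_SOURCE                 /* getresuid/setresuid are Linux/BSD extensions */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the file also builds when a strict -std flag or an
 * earlier include keeps unistd.h from exposing these. Same signatures as glibc. */
int seteuid(uid_t euid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Pure check on a (real, effective, saved) triple, so it can be exercised
 * without root: the drop to `user` is permanent only when all three IDs are
 * `user` and `user` is not 0. acon 1.0.5-6 after seteuid(user_id) sits at
 * (user, user, 0): the saved set-user-ID still holds root. */
int is_permanent_drop(uid_t r, uid_t e, uid_t s, uid_t user)
{
    return r == user && e == user && s == user && user != 0;
}

/* What acon's set_user_id() does: only the effective UID changes. */
int drop_temporarily(uid_t user)
{
    return seteuid(user);
}

/* Is seteuid(0) still available? An unprivileged process may set its effective
 * UID to any of its real, effective or saved IDs, so a 0 in any slot means
 * root is one syscall away for injected code. Returns 1/0, -1 on error. */
int root_regainable(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

/* The proper drop: set all three IDs, read them back, and prove that
 * seteuid(0) now fails. Returns 0 when root is gone for good, -1 otherwise
 * (including when `user` is 0, which is not a drop at all). */
int drop_permanently(uid_t user)
{
    uid_t r, e, s;
    if (setresuid(user, user, user) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || !is_permanent_drop(r, e, s, user))
        return -1;
    if (seteuid(0) == 0)            /* must fail with EPERM now */
        return -1;
    return 0;
}

/* Build, then as root: chown root a.out && chmod u+s a.out, and run it as a
 * normal user to watch the three IDs move. */
int main(void)
{
    uid_t real = getuid(), r, e, s;

    if (geteuid() != 0) {
        printf("euid is %u, not a setuid-root process; nothing to show\n", (unsigned)geteuid());
        return 0;
    }
    drop_temporarily(real);                             /* step 1: acon's drop */
    getresuid(&r, &e, &s);
    printf("after seteuid(%u): real=%u effective=%u saved=%u root_regainable=%d\n",
           (unsigned)real, (unsigned)r, (unsigned)e, (unsigned)s, root_regainable());
    if (seteuid(0) == 0)                                /* step 2: what shellcode does */
        printf("seteuid(0) succeeded: effective UID is %u again\n", (unsigned)geteuid());
    if (drop_permanently(real) == 0) {                  /* step 3: the real fix */
        getresuid(&r, &e, &s);
        printf("after setresuid: real=%u effective=%u saved=%u root_regainable=%d\n",
               (unsigned)r, (unsigned)e, (unsigned)s, root_regainable());
    } else
        printf("drop_permanently(%u) failed (real UID is root?)\n", (unsigned)real);
    return 0;
}
```

Verifying the drop with getresuid() after setresuid() is deliberate: on Linux a failed setresuid() from a privileged process can leave the IDs partially changed, and a program that never checks will carry on believing it is unprivileged.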

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #72 received at 475733@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: 475733@bugs.debian.org
Subject: Re: Bug#475733: closed by أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net> (Bug#475733: fixed in acon 1.0.5-6)
Date: Sun, 13 Apr 2008 17:38:17 +0200
Hello,

  I remove suid permissions in this upload:
  http://mentors.debian.net/debian/pool/main/a/acon/acon_1.0.5-7.dsc

On Sun, Apr 13, 2008 at 04:55:19PM +0200, Nico Golde wrote:
> reopen 475733
> thanks
> 
> Hi,
> * Helmut Grohne <helmut@subdivi.de> [2008-04-13 16:36]:
> > >    * Dropped 05_setuid.diff as it can cause a root exploit. (Closes: #475733)
> > 
> > This is not enough, because it still has the saved set-user-ID and is
> > exploitable:
> [...] 
> As stated before the code only changes the effective user id 
> and thus any overflow that ships a seteuid(0) in the shell 
> code can get the privileges back. Please drop the privileges 
> properly or fix the buffer overflow.
---end quoted text---

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27




Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #77 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Mohammed Sameer <msameer@foolab.org>
To: 475733@bugs.debian.org
Subject: first attempt to fix
Date: Sun, 13 Apr 2008 18:42:15 +0300
[Message part 1 (text/plain, inline)]
Attached a patch.

The only problem is I don't free(tmp), but I guess it's not a big issue.

-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
[acon.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>.

Your message did not contain a Subject field. They are recommended and useful because the title of a bug is determined using this field. Please remember to include a Subject field in your messages in future.

(full text, mbox, link).


Message #82 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Mohammed Sameer <msameer@foolab.org>
To: 475733@bugs.debian.org
Date: Sun, 13 Apr 2008 18:50:53 +0300
[Message part 1 (text/plain, inline)]
I think I'm missing something.

Why do we need to make it not suid if the daemon drops it (-6 upload) ?

-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #87 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Mohammed Sameer <msameer@foolab.org>, 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Mon, 14 Apr 2008 14:26:47 +0200
[Message part 1 (text/plain, inline)]
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-13 18:18]:
> I think I'm missing something.
> 
> Why do we need to make it not suid if the daemon drops it (-6 upload) ?

Cause it does drop it via seteuid and as long as the buffer 
overflow exists possible injected shellcode could do 
seteuid(0) to get it back.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Mohammed Sameer <msameer@foolab.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #92 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Mohammed Sameer <msameer@foolab.org>
To: Nico Golde <nion@debian.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Mon, 14 Apr 2008 15:32:05 +0300
[Message part 1 (text/plain, inline)]
On Mon, Apr 14, 2008 at 02:26:47PM +0200, Nico Golde wrote:
> Hi Mohammed,
> * Mohammed Sameer <msameer@foolab.org> [2008-04-13 18:18]:
> > I think I'm missing something.
> > 
> > Why do we need to make it not suid if the daemon drops it (-6 upload) ?
> 
> Cause it does drop it via seteuid and as long as the buffer 
> overflow exists possible injected shellcode could do 
> seteuid(0) to get it back.
> Kind regards
> Nico

aha!

I sent a patch earlier as an attempt to fix the buffer overflow vulnerability.
I'd appreciate someone reviewing it. I can do an upload if it's OK.

Cheers,

-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #97 received at 475733@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Mohammed Sameer <msameer@foolab.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Mon, 14 Apr 2008 14:54:21 +0200
[Message part 1 (text/plain, inline)]
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-14 14:33]:
> On Mon, Apr 14, 2008 at 02:26:47PM +0200, Nico Golde wrote:
> > Hi Mohammed,
> > * Mohammed Sameer <msameer@foolab.org> [2008-04-13 18:18]:
> > > I think I'm missing something.
> > > 
> > > Why do we need to make it not suid if the daemon drops it (-6 upload) ?
> > 
> > Cause it does drop it via seteuid and as long as the buffer 
> > overflow exists possible injected shellcode could do 
> > seteuid(0) to get it back.
> 
> aha!
> 
> I sent a patch earlier as an attempt to fix the buffer overflow vulnerability.
> I'd appreciate someone reviewing it. I can do an upload if it's OK.

Just saw it and I have to admit that I'm not really happy 
with it. Please just leave the code as it is now and use 
snprintf instead with a length of sizeof(tmp). Please also 
check the other buffers.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>:
Bug#475733; Package acon. (full text, mbox, link).


Acknowledgement sent to أحمد المحمودي <aelmahmoudy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>. (full text, mbox, link).


Message #102 received at 475733@bugs.debian.org (full text, mbox, reply):

From: أحمد المحمودي <aelmahmoudy@users.sourceforge.net>
To: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Wed, 16 Apr 2008 21:41:26 +0200
[Message part 1 (text/plain, inline)]
Hello,

  Thanks for the help. I have made a patch that would fix the possible 
  buffer overflows. Please check the attached patch.

On Mon, Apr 14, 2008 at 02:54:21PM +0200, Nico Golde wrote:
> Just saw it and I have to admit that I'm not really happy 
> with it. Please just leave the code as it is now and use 
> snprintf instead with a length of sizeof(tmp). Please also 
> check the other buffers.
---end quoted text---

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27
[05_overflow.diff (text/x-diff, attachment)]



Message #107 received at 475733@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: aelmahmoudy@users.sourceforge.net, 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Wed, 16 Apr 2008 22:21:13 +0200
Hi,
* aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
>   Thanks for the help. I have made a patch that would fix the possible 
>   buffer overflows. Please check the attached patch.
[...] 
>  	if(path[0]!='/')
> -		sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> +		snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
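Review bot: the snprintf bound is the literal 302 rather than sizeof(tmp), so the bound has to be kept in sync with the declaration of tmp by hand, and the return value is discarded, so a translations path that does not fit is silently truncated and then used in a setuid process. Suggest `snprintf(tmp, sizeof(tmp), "%s/translations/%s", DATAPATH, path);` (sizeof only where tmp is the array itself and not a pointer parameter) followed by a check such as `if (n < 0 || n >= sizeof(tmp)) return -1;` so an over-long path is rejected instead of opened. This hunk covers only the `path[0]!='/'` branch; the other sprintf call sites the thread asks to be checked need the same treatment.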

off-by two. Why don't you just use sizeof(tmp)?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Message #112 received at 475733@bugs.debian.org:

From: aelmahmoudy@users.sourceforge.net
To: Nico Golde <nion@debian.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Thu, 17 Apr 2008 06:53:21 +0200
Hello,

On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> >  	if(path[0]!='/')
> > -		sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > +		snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> 
> off-by two. Why don't you just use sizeof(tmp)?
> Kind regards
> Nico
---end quoted text---

  Actually for this one, tmp is declared as: char tmp[302];

  I will use sizeof(tmp) anyways.

  So is this patch enough to close the bug ?

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27






Message #117 received at 475733@bugs.debian.org:

From: Mohammed Sameer <msameer@foolab.org>
To: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Thu, 17 Apr 2008 13:09:40 +0300
On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> Hi,
> * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> >   Thanks for the help. I have made a patch that would fix the possible 
> >   buffer overflows. Please check the attached patch.
> [...] 
> >  	if(path[0]!='/')
> > -		sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > +		snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> 
> off-by two. Why don't you just use sizeof(tmp)?

And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
properly malloc() enough size to hold the whole path ?


-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org



Message #122 received at 475733@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Mohammed Sameer <msameer@foolab.org>, 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Thu, 17 Apr 2008 16:02:25 +0200
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-17 15:53]:
> On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > >   Thanks for the help. I have made a patch that would fix the possible 
> > >   buffer overflows. Please check the attached patch.
> > [...] 
> > >  	if(path[0]!='/')
> > > -		sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > +		snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> > 
> > off-by two. Why don't you just use sizeof(tmp)?
> 
> And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
> properly malloc() enough size to hold the whole path ?

Cause you have a maximum length for these values specified 
by the shell and malloc(foo + somelength) operations often 
lead to integer overflows (well not in this case).

Anyway, the 302 was fine since it was tmp from a different 
source file where it is specified to have 302 bytes.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Message #127 received at 475733@bugs.debian.org:

From: Mohammed Sameer <msameer@foolab.org>
To: Nico Golde <nion@debian.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Thu, 17 Apr 2008 23:32:46 +0300
On Thu, Apr 17, 2008 at 04:02:25PM +0200, Nico Golde wrote:
> Hi Mohammed,
> * Mohammed Sameer <msameer@foolab.org> [2008-04-17 15:53]:
> > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > > * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > > >   Thanks for the help. I have made a patch that would fix the possible 
> > > >   buffer overflows. Please check the attached patch.
> > > [...] 
> > > >  	if(path[0]!='/')
> > > > -		sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > > +		snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> > > 
> > > off-by two. Why don't you just use sizeof(tmp)?
> > 
> > And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
> > properly malloc() enough size to hold the whole path ?
> 
> Cause you have a maximum length for these values specified 
> by the shell and malloc(foo + somelength) operations often 
> lead to integer overflows (well not in this case).
> 
> Anyway, the 302 was fine since it was tmp from a different 
> source file where it is specified to have 302 bytes.


A maximum length for $HOME ? Never heard of that.
If you malloc(strlen(DATAPATH) + 1); then you won't overflow.

Cheers,

-- 
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F  280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org



Message #132 received at 475733@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Mohammed Sameer <msameer@foolab.org>
Cc: 475733@bugs.debian.org
Subject: Re: Bug#475733: (no subject)
Date: Fri, 18 Apr 2008 00:16:58 +0200
Hi Mohammed,
* Mohammed Sameer <msameer@foolab.org> [2008-04-17 22:36]:
> On Thu, Apr 17, 2008 at 04:02:25PM +0200, Nico Golde wrote:
> > Hi Mohammed,
> > * Mohammed Sameer <msameer@foolab.org> [2008-04-17 15:53]:
> > > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > > > * aelmahmoudy@users.sourceforge.net [2008-04-16 22:05]:
> > > > >   Thanks for the help. I have made a patch that would fix the possible 
> > > > >   buffer overflows. Please check the attached patch.
> > > > [...] 
> > > > >  	if(path[0]!='/')
> > > > > -		sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > > > +		snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> > > > 
> > > > off-by two. Why don't you just use sizeof(tmp)?
> > > 
> > > And why use sizeof(tmp) with the possibility of truncating the resulting string while we can
> > > properly malloc() enough size to hold the whole path ?
> > 
> > Cause you have a maximum length for these values specified 
> > by the shell and malloc(foo + somelength) operations often 
> > lead to integer overflows (well not in this case).
> > 
> > Anyway, the 302 was fine since it was tmp from a different 
> > source file where it is specified to have 302 bytes.
> 
> 
> A maximum length for $HOME ? Never heard of that.
> If you malloc(strlen(DATAPATH) + 1); then you won't overflow.

_POSIX_PATH_MAX should fit.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
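The two approaches argued over in messages #107 through #132 above (a bounded snprintf into the fixed tmp buffer versus a malloc'd buffer sized from the input), written out as an added example. This is not acon's code and not a patch from anyone in this thread: DATAPATH is set to a placeholder value, the translations path format and the 302-byte buffer size are taken from the quoted hunk and the reply that mentions char tmp[302], and the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example, not acon's code. DATAPATH is a placeholder (acon defines
 * its own); TMP_SIZE mirrors the tmp[302] declaration mentioned in the thread. */
#define DATAPATH "/usr/share/acon"
#define TMP_SIZE 302

/* Fixed-buffer variant: snprintf bounded by the size the caller passes
 * (sizeof(tmp) at the call site, never a copied literal), and the return
 * value checked so a truncated path is rejected rather than used.
 * Returns 0 on success, -1 on truncation or bad arguments. */
int build_translation_path(const char *path, char *out, size_t outsz)
{
    int n;
    if (path == NULL || out == NULL || outsz == 0)
        return -1;
    if (path[0] == '/')
        n = snprintf(out, outsz, "%s", path);            /* absolute: keep as is */
    else
        n = snprintf(out, outsz, "%s/translations/%s", DATAPATH, path);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';      /* do not leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Heap variant (the alternative raised in the thread): size the buffer from
 * the real string lengths and guard the addition against wraparound before
 * calling malloc. Caller frees the result; NULL on failure. */
char *build_translation_path_alloc(const char *path)
{
    static const char prefix[] = DATAPATH "/translations/";
    size_t plen, need;
    char *out;
    if (path == NULL)
        return NULL;
    plen = strlen(path);
    if (path[0] == '/') {
        out = malloc(plen + 1);        /* plen < SIZE_MAX, so +1 cannot wrap */
        if (out != NULL)
            memcpy(out, path, plen + 1);
        return out;
    }
    /* need = strlen(prefix) + plen + 1; verify the sum before trusting it */
    if (plen > SIZE_MAX - sizeof(prefix))
        return NULL;
    need = sizeof(prefix) + plen;      /* sizeof(prefix) already counts the NUL */
    out = malloc(need);
    if (out == NULL)
        return NULL;
    memcpy(out, prefix, sizeof(prefix) - 1);
    memcpy(out + sizeof(prefix) - 1, path, plen + 1);
    return out;
}

int main(void)
{
    char tmp[TMP_SIZE];
    char longname[600];                /* constructed over-long input */
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    if (build_translation_path("arabic.tr", tmp, sizeof(tmp)) == 0)
        printf("ok: %s\n", tmp);
    if (build_translation_path(longname, tmp, sizeof(tmp)) != 0)
        printf("rejected: name does not fit in %zu bytes\n", sizeof(tmp));
    char *p = build_translation_path_alloc(longname);
    if (p != NULL) {
        printf("heap path is %zu bytes long\n", strlen(p));
        free(p);
    }
    return 0;
}
```

The fixed-buffer version takes the size as a parameter so the caller passes sizeof(tmp) where the array is in scope; inside a function that only receives a pointer, sizeof would yield the pointer size, which is why a literal like 302 tends to creep in. The heap version checks the length sum before malloc, which is the integer-overflow concern raised about malloc(foo + somelength); in neither version does a truncated path reach the caller.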

Merged 475733 476603. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 19 Apr 2008 13:21:03 GMT)


Severity set to `grave' from `critical' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 19 Apr 2008 13:21:11 GMT)


Bug no longer marked as found in version 1.0.5-7. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2008 14:39:11 GMT)


Bug no longer marked as found in version 1.0.5-7. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2008 14:39:13 GMT)


Severity set to `grave' from `grave' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 24 May 2008 19:30:06 GMT)




Message #147 received at 475733@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 476603@bugs.debian.org, 475733@bugs.debian.org
Cc: helmut@subdivi.de, sandals@crustytoothpaste.ath.cx, msameer@debian.org
Subject: acon patch
Date: Sat, 24 May 2008 22:20:56 +0200
tags 475733 + patch
tags 476603 + patch
thanks

Hi,
attached is a patch for acon which I can't test. Since this 
involves quite a few changes it would be nice if someone 
could review and/or test this patch.

Kind regards
Nico


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[acon-1.0.5-6_1.0.5-6.1.patch (text/x-diff, attachment)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 24 May 2008 20:24:07 GMT)


Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 24 May 2008 20:24:09 GMT)




Message #156 received at 475733@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475733@bugs.debian.org, 476603@bugs.debian.org
Subject: intent to NMU
Date: Tue, 27 May 2008 10:53:21 +0200
Hi,
I'm going to upload this patch as an NMU.

As a sponsor please make sure these changes are not lost 
with the next upload. Please also forward those changes to 
the upstream developer.

The patch will be also archived on:
http://people.debian.org/~nion/nmu-diff/acon-1.0.5-6_1.0.5-6.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[acon-1.0.5-6_1.0.5-6.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer.


Message #161 received at 475733-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475733-close@bugs.debian.org
Subject: Bug#475733: fixed in acon 1.0.5-6.1
Date: Tue, 27 May 2008 09:17:02 +0000
Source: acon
Source-Version: 1.0.5-6.1

We believe that the bug you reported is fixed in the latest version of
acon, which is due to be installed in the Debian FTP archive:

acon_1.0.5-6.1.diff.gz
  to pool/main/a/acon/acon_1.0.5-6.1.diff.gz
acon_1.0.5-6.1.dsc
  to pool/main/a/acon/acon_1.0.5-6.1.dsc
acon_1.0.5-6.1_amd64.deb
  to pool/main/a/acon/acon_1.0.5-6.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated acon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 24 May 2008 22:10:40 +0200
Source: acon
Binary: acon
Architecture: source amd64
Version: 1.0.5-6.1
Distribution: unstable
Urgency: high
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@users.sourceforge.net>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 acon       - Text console arabization
Closes: 475733 476603
Changes: 
 acon (1.0.5-6.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix various buffer overflows by doing proper bounds checking
     that could be exploited to get root access
     (CVE-2008-1994; Closes: #476603, #475733).
Checksums-Sha1: 
 4ce51b4f5b7f1e0f9bf2ce49cd6c9fa26e47820c 979 acon_1.0.5-6.1.dsc
 6efa907f422d5c31f54e215a724b91cb852dec09 7523 acon_1.0.5-6.1.diff.gz
 224b409735878939d11e00e0bbfeaa42a1e4a9f9 37534 acon_1.0.5-6.1_amd64.deb
Checksums-Sha256: 
 223a0c545214b0a59345141270f7448c2ac410a85df1ccb23822c8598a00af83 979 acon_1.0.5-6.1.dsc
 c6e75baf9185c064410de367844332b429bef1f9649ff727c15f221f9128cc84 7523 acon_1.0.5-6.1.diff.gz
 81f8b864474ca05675f2841afe20a1b70cffc977a94a0161938b0c853ce7dcc1 37534 acon_1.0.5-6.1_amd64.deb
Files: 
 74879b613bbe65a46f7a881223c743fa 979 misc optional acon_1.0.5-6.1.dsc
 60427635c5e7daadf80ed537a600fb06 7523 misc optional acon_1.0.5-6.1.diff.gz
 f22adbdacbd9736816d94fb40e1d2925 37534 misc optional acon_1.0.5-6.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIO8wKHYflSXNkfP8RAlG8AJwMD13igCZlrqodjuo6vOnUXxC1JQCglUAJ
5XJVV9UGMClMlFQelXhhOp0=
=sN1e
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Jul 2008 07:25:46 GMT)

