Debian Bug report logs - #506530
Remote command execution and the possibility of attack with the help of symlinks


Package: verlihub; Maintainer for verlihub is (unknown);

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sat, 22 Nov 2008 10:48:01 UTC

Severity: grave

Tags: security

Fixed in version 0.9.8d~rc2+nojunk-1.1+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andrea Veri <bluekuja@ubuntu.com>:
Bug#506530; Package verlihub. (Sat, 22 Nov 2008 10:48:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andrea Veri <bluekuja@ubuntu.com>. (Sat, 22 Nov 2008 10:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Remote command execution and the possibility of attack with the help of symlinks
Date: Sat, 22 Nov 2008 11:43:36 +0100
Package: verlihub
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

An exploit[0] has been published for verlihub:

> Verlihub does not sanitize user input passed to the shell via its "trigger"
> mechanism. Furthermore, the Verlihub daemon can optionally be configured to
> run as root. This allows for the arbitrary execution of commands by users
> connected to the hub and, in the case of the daemon running as root,
> complete commandeering of the machine.


Also:

src/ctrigger.cpp line 108:
filename.append("/tmp/trigger.tmp");

A malicious user could prepare a /tmp/trigger.tmp file to cause serious
data loss or compromise a system.

Author provides a fix.

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.


[0]http://milw0rm.com/exploits/7183

Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkn4lMACgkQNxpp46476ar09wCeMT8YoPI+tozAdDQqmwBjAkcX
uUUAoI5tBGEPAYP+O7sOzDAvyPCE+8W5
=ZfcS
-----END PGP SIGNATURE-----
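The two defects the report names, a trigger command assembled from user-controlled text and handed to a shell, and a fixed temporary path under the world-writable /tmp, are shown below beside a hardened form of each. This is an added illustration written for this page, not verlihub's code: the "%[nick]" placeholder syntax, the allow-list applied to nicks, the function names and the hostile nick "bob; id" are assumptions of the example and do not describe how verlihub's ctrigger.cpp is actually written.

```cpp
// Added example (not verlihub code): the two bug classes from #506530,
// each next to a hardened form. Placeholder syntax and names are assumed.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

// ---- 1. Command injection through a "trigger" template -------------------
// Assumed: the hub operator configures a command such as "echo %[nick]" and
// the hub substitutes the connecting user's nick before running it.

// Vulnerable shape: substitute into one string, then hand it to /bin/sh via
// system(). Anything the shell treats specially (';', '&', '|', '`', '$()')
// inside the nick becomes part of the command line.
std::string build_shell_command(const std::string& tmpl, const std::string& nick) {
    std::string cmd = tmpl;
    const std::string ph = "%[nick]";
    size_t pos = 0;
    while ((pos = cmd.find(ph, pos)) != std::string::npos) {
        cmd.replace(pos, ph.size(), nick);
        pos += nick.size();          // skip past the inserted text, no re-scan
    }
    return cmd;                      // the daemon would call system(cmd.c_str())
}

// Hardened step 1: an allow-list on the value before it gets near an exec.
// (The protocol's own framing rules forbid '$' and '|' in nicks, but that says
// nothing about ';' or backticks, so the hub must enforce its own policy.)
bool nick_is_safe(const std::string& nick) {
    if (nick.empty() || nick.size() > 64) return false;
    for (unsigned char c : nick)
        if (!(std::isalnum(c) || c == '_' || c == '-' || c == '.')) return false;
    return true;
}

// Hardened step 2: the command is an argv array and the nick is exactly one
// argument. With no shell in the path, metacharacters cannot change the parse.
std::vector<std::string> build_argv(const std::vector<std::string>& tmpl_argv,
                                    const std::string& nick) {
    std::vector<std::string> argv;
    for (const auto& a : tmpl_argv) argv.push_back(a == "%[nick]" ? nick : a);
    return argv;
}

// fork/execvp without a shell. Returns the child's exit status, 127 if the
// program could not be executed, -1 on fork/wait failure.
int run_argv(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(cargv[0], cargv.data()); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// ---- 2. Fixed, predictable path in a world-writable directory ------------
// Vulnerable shape: a constant name. Any local user can pre-create it as a
// symlink, and a daemon (root, in the worst case) that opens it for writing
// follows the link and clobbers whatever it points at.
std::string fixed_temp_path() { return "/tmp/trigger.tmp"; }

// Hardened: mkstemp() creates a fresh, unpredictable name with O_CREAT|O_EXCL
// and mode 0600, so a planted symlink makes the open fail instead of being
// followed. Returns the open fd (>= 0) and fills in the path actually used.
int open_private_temp(std::string& path_out) {
    const char* dir = std::getenv("TMPDIR");
    std::string tmpl = std::string(dir && *dir ? dir : "/tmp") + "/trigger.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = mkstemp(buf.data());
    if (fd >= 0) path_out.assign(buf.data());
    return fd;
}

int main() {
    const std::string evil = "bob; id";   // constructed hostile nick
    std::printf("vulnerable command: %s\n", build_shell_command("echo %[nick]", evil).c_str());
    std::printf("nick_is_safe(\"%s\") = %d\n", evil.c_str(), nick_is_safe(evil));
    if (nick_is_safe(evil)) run_argv(build_argv({"echo", "%[nick]"}, evil));
    std::string p;
    int fd = open_private_temp(p);
    if (fd >= 0) { std::printf("private temp file: %s\n", p.c_str()); close(fd); unlink(p.c_str()); }
    return 0;
}
```

Run as written, the vulnerable builder turns the nick into "echo bob; id", i.e. a second command the operator never configured, while the allow-list rejects the nick before the argv path is even reached. For the second issue, a daemon that must keep state between restarts should also prefer a directory it owns over /tmp; mkstemp() only removes the guessable name and the symlink-following open, not the shared directory.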




Information forwarded to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#506530; Package verlihub. (Sat, 29 Nov 2008 17:42:05 GMT)


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>. (Sat, 29 Nov 2008 17:42:12 GMT)


Message #10 received at 506530@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: debian-release@lists.debian.org
Cc: 506530@bugs.debian.org
Subject: let's target verlihub for squeeze
Date: Sat, 29 Nov 2008 18:36:24 +0100
Hi,

verlihub has one of those pesky security bugs without response for a week.
It's not in stable.
It's not too popular.
How about removing the pressure on the maintainer to fix it for lenny?

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#506530; Package verlihub. (Thu, 04 Dec 2008 17:33:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>. (Thu, 04 Dec 2008 17:33:05 GMT)


Message #15 received at 506530@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thomas Viehmann <tv@beamnet.de>
Cc: debian-release@lists.debian.org, 506530@bugs.debian.org
Subject: Re: let's target verlihub for squeeze
Date: Thu, 4 Dec 2008 18:27:17 +0100
On Sat, Nov 29, 2008 at 06:36:24PM +0100, Thomas Viehmann wrote:
> Hi,
> 
> verlihub has one of those pesky security bugs without response for a week.
> It's not in stable.
> It's not too popular.
> How about removing the pressure on the maintainer to fix it for lenny?

It's been nearly two weeks now, so please remove it from Lenny.

Cheers,
         Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#506530; Package verlihub. (Thu, 04 Dec 2008 18:33:02 GMT)


Acknowledgement sent to Adeodato Simó <dato@net.com.org.es>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>. (Thu, 04 Dec 2008 18:33:02 GMT)


Message #20 received at 506530@bugs.debian.org:

From: Adeodato Simó <dato@net.com.org.es>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Thomas Viehmann <tv@beamnet.de>, debian-release@lists.debian.org, 506530@bugs.debian.org
Subject: Re: let's target verlihub for squeeze
Date: Thu, 4 Dec 2008 19:30:16 +0100
* Moritz Muehlenhoff [Thu, 04 Dec 2008 18:27:17 +0100]:

> On Sat, Nov 29, 2008 at 06:36:24PM +0100, Thomas Viehmann wrote:
> > Hi,

> > verlihub has one of those pesky security bugs without response for a week.
> > It's not in stable.
> > It's not too popular.
> > How about removing the pressure on the maintainer to fix it for lenny?

> It's been nearly two weeks now, so please remove it from Lenny.

Done.

Thanks, Thomas and everybody else.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                              Listening to: Lolita - Mía





Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility. (Sat, 25 Jul 2009 19:21:03 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 25 Jul 2009 19:21:03 GMT)


Message #25 received at 506530-done@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 506530-done@bugs.debian.org
Subject: verlihub has been removed from Debian, closing #506530
Date: Sat, 25 Jul 2009 20:16:13 +0100
Version: 0.9.8d~rc2+nojunk-1.1+rm

The verlihub package has been removed from Debian so we are closing
the bugs that were still opened against it.

For more information about this package's removal, read
http://bugs.debian.org/529817 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

Kind regards,
--
Marco Rodrigues




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Aug 2009 07:34:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:55:12 2025; Machine Name: buxtehude
