Acknowledgement sent
to David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovic Drolez <ldrolez@debian.org>.
(Tue, 18 Aug 2009 14:06:04 GMT)
From: David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backuppc: Security hole when using rsync and multiple users
Date: Tue, 18 Aug 2009 15:03:09 +0100
Package: backuppc
Version: 3.1.0-4
Severity: critical
Tags: security
Justification: root security hole
When using an SSH key and rsync with BackupPC on a system with multiple users, users (as opposed to admins) have the ability to change the ClientNameAlias on machines they are listed as owning.
As the BackupPC user has one SSH key, which can be in the authorized keys of many machines (often as root), this allows a user to back up from and restore to any machine that key gives access to, by changing the ClientNameAlias to the target machine and initiating a backup.
I've just tested this, and as an unprivileged user was able to change backing up /scratch on my desktop to /etc on a server and then read /etc/shadow from the server.
Whilst I haven't tested this, I see no reason I couldn't restore to the server as well, thus changing arbitrary files as root (and gaining root access).
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages backuppc depends on:
ii adduser 3.110 add and remove users and groups
ii apache2 2.2.9-10+lenny2 Apache HTTP Server metapackage
ii apache2-mpm-worker [http 2.2.9-10+lenny2 Apache HTTP Server - high speed th
ii bzip2 1.0.5-1 high-quality block-sorting file co
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libarchive-zip-perl 1.18-1 Module for manipulation of ZIP arc
ii libcompress-zlib-perl 2.012-1 Perl module for creation and manip
ii perl [libdigest-md5-perl 5.10.0-19 Larry Wall's Practical Extraction
ii perl-suid 5.10.0-19 Runs setuid Perl scripts
ii samba-common 2:3.2.5-4lenny2 Samba common files used by both th
ii smbclient 2:3.2.5-4lenny2 a LanManager-like simple client fo
ii tar 1.20-1 GNU version of the tar archiving u
Versions of packages backuppc recommends:
ii libfile-rsyncp-perl 0.68-1.1+b1 A perl based implementation of an
ii openssh-client [ssh-client] 1:5.1p1-5 secure shell client, an rlogin/rsh
ii postfix [mail-transport-agen 2.5.5-1.1 High-performance mail transport ag
ii rrdtool 1.3.1-4 Time-series data storage and displ
ii rsync 3.0.3-2 fast remote file copy program (lik
Versions of packages backuppc suggests:
pn par2 <none> (no description available)
ii w3m [www-browser] 0.5.2-2+b1 WWW browsable pager with excellent
-- debconf information excluded
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>: Bug#542218; Package backuppc.
(Thu, 20 Aug 2009 11:15:17 GMT)
Acknowledgement sent
to David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.
(Thu, 20 Aug 2009 11:15:17 GMT)
From: David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>
To: 542218@bugs.debian.org
Subject: Re: Bug#542218: Acknowledgement (backuppc: Security hole when using rsync and multiple users)
Date: Thu, 20 Aug 2009 12:05:38 +0100
Following up on this:
Having played around a little further, there is the option
CgiUserConfigEdit which specifies which options a user is permitted to
modify.
I think that this list needs trimming down in the default installs, and
certainly having ClientNameAlias removed from it.
By removing ClientNameAlias from the list specified in
CgiUserConfigEdit, users cannot change hostnames, thus closing this hole.
Regards,
David Ambrose-Griffith
--
David Ambrose-Griffith - d.e.ambrose-griffith@durham.ac.uk
Assistant Systems Programmer,
IPPP, Department of Physics, Durham University,
Science Laboratories, South Road, Durham, DH1 3LE
Direct Dial: +44 (0)191 3343704
Office: +44 (0)191 334 3811
Reply sent
to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility.
(Mon, 14 Sep 2009 12:54:08 GMT)
Notification sent
to David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>:
Bug acknowledged by developer.
(Mon, 14 Sep 2009 12:54:08 GMT)
Source: backuppc
Source-Version: 3.1.0-7
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.1.0-7.diff.gz
to pool/main/b/backuppc/backuppc_3.1.0-7.diff.gz
backuppc_3.1.0-7.dsc
to pool/main/b/backuppc/backuppc_3.1.0-7.dsc
backuppc_3.1.0-7_all.deb
to pool/main/b/backuppc/backuppc_3.1.0-7_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 542218@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 01 Sep 2009 14:43:36 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.1.0-7
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 483573 518554 542218
Changes:
backuppc (3.1.0-7) unstable; urgency=high
.
* Disable the modification of the alias for normal users. Closes: #542218
* Recommends: libio-dirent-perl. Closes: #518554
* manage config.pl with ucf. Closes: #483573
Checksums-Sha1:
034a9ebd207c0f143a5a106f9fdd83c5b4ba93aa 1009 backuppc_3.1.0-7.dsc
d2181a8b005d967c8c8a25ac5c7362d59f258561 25650 backuppc_3.1.0-7.diff.gz
3175c039c0dd4a8f199657e55de23dd18949bd89 564426 backuppc_3.1.0-7_all.deb
Checksums-Sha256:
51d00019f8e5e0b760542d66de5abc2181832318be5af13aca319cb6dcfcaf55 1009 backuppc_3.1.0-7.dsc
f2422574d5a2ee17b893f18ea88193548a3337438c3d58afdebd744a1129fd61 25650 backuppc_3.1.0-7.diff.gz
d0f9963811f493d2f663f091005eb36c9a75cd6c1862c118bc1b76a3baf0bcc6 564426 backuppc_3.1.0-7_all.deb
Files:
5c643662a46797b44699758488707d13 1009 utils optional backuppc_3.1.0-7.dsc
ccd2e6709ee89fa7644c7688ab10016b 25650 utils optional backuppc_3.1.0-7.diff.gz
1b053d9e9900694ee0d0b1a1d8d88b42 564426 utils optional backuppc_3.1.0-7_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkquM2IACgkQsRlQAP1GppiifQCfaMsBng7RjB53TjXtPOGTDogX
6PcAoIuzEY4CsLJk8b+MfVA3zM1q48dl
=Nqbv
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>: Bug#542218; Package backuppc.
(Mon, 05 Oct 2009 14:18:04 GMT)
Acknowledgement sent
to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.
(Mon, 05 Oct 2009 14:18:04 GMT)
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 542218@bugs.debian.org
Subject: Re: backuppc: Security hole when using rsync and multiple users
Date: Mon, 05 Oct 2009 10:15:25 -0400
The patch included in 3.1.0-7 doesn't actually fix the problem. Normal
users can still set the ClientNameAlias by adding something like
"&override_ClientNameAlias=1&v_zZ_ClientNameAlias=xxxx" to their POST.
Marc.
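The two messages above describe the same defect from both sides: the original report and follow-up show that a host owner who can edit ClientNameAlias can point the backup at any host the shared SSH key reaches, and Marc's note shows that hiding the field from the form is not enough if the server still honours an `override_<Param>=1` / `v_zZ_<Param>=<value>` pair in the POST body. The following Python model is an added example, not BackupPC's code or the Debian patch; it borrows only the form-field naming quoted by Marc and the name and shape of BackupPC's `CgiUserConfigEdit` allowlist. The parameter set, host names, role flag and function names are constructed for illustration. It contrasts a handler that trusts the posted override pairs with one that rebuilds the editable set on the server from the role and the allowlist, which is the fix the follow-up recommends (ClientNameAlias set to 0 for non-admins).

```python
"""
Added example, not BackupPC's own code: a minimal model of a per-host
config editor in which a non-admin host owner may change only the
parameters an allowlist permits.

apply_edit_weak  - hides the field from the form but still honours any
                   override_<P>=1 / v_zZ_<P>=<value> pair in the POST body
                   (the bypass-prone shape Marc Deslauriers describes).
apply_edit       - derives the editable set server-side from the caller's
                   role and the allowlist, and refuses anything else.
"""
from urllib.parse import parse_qs

# Per-host parameters the editor knows about (constructed subset).
KNOWN_PARAMS = {"FullPeriod", "IncrPeriod", "RsyncShareName", "ClientNameAlias"}

# What a non-admin owner may edit. Modelled on BackupPC's
# $Conf{CgiUserConfigEdit}; ClientNameAlias => 0 is the change the
# follow-up recommends, because retargeting the alias retargets the SSH key.
USER_CONFIG_EDIT = {
    "FullPeriod": 1,
    "IncrPeriod": 1,
    "RsyncShareName": 1,
    "ClientNameAlias": 0,
}


def parse_post(body):
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def posted_overrides(form):
    """Yield (param, value) for each override_<P>=1 paired with v_zZ_<P>."""
    for key, flag in form.items():
        if key.startswith("override_") and flag == "1":
            param = key[len("override_"):]
            if "v_zZ_" + param in form:
                yield param, form["v_zZ_" + param]


def apply_edit_weak(host_conf, form, is_admin):
    """Weak handler: the role only affects which fields are rendered, so a
    crafted body can still set any known parameter. Returns (conf, [])."""
    new_conf = dict(host_conf)
    for param, value in posted_overrides(form):
        if param in KNOWN_PARAMS:  # no role check against the allowlist
            new_conf[param] = value
    return new_conf, []


def apply_edit(host_conf, form, is_admin):
    """Hardened handler: the editable set is computed on the server from the
    role and USER_CONFIG_EDIT; posted parameters outside it are refused and
    reported, so a crafted body cannot widen what the form would show."""
    if is_admin:
        allowed = KNOWN_PARAMS
    else:
        allowed = {p for p, ok in USER_CONFIG_EDIT.items() if ok} & KNOWN_PARAMS
    new_conf = dict(host_conf)
    rejected = []
    for param, value in posted_overrides(form):
        if param in allowed:
            new_conf[param] = value
        else:
            rejected.append(param)
    return new_conf, rejected


# Constructed sample: the owner of "desktop1" tries to retarget it at
# "server1" and read /etc there, the pattern from the original report.
HOST_CONF = {"ClientNameAlias": "", "RsyncShareName": "/scratch", "FullPeriod": "6.97"}
CRAFTED_POST = (
    "host=desktop1&override_RsyncShareName=1&v_zZ_RsyncShareName=%2Fetc"
    "&override_ClientNameAlias=1&v_zZ_ClientNameAlias=server1"
)


def demo():
    """Return (alias after weak handler, alias after fixed handler, rejected)."""
    form = parse_post(CRAFTED_POST)
    weak, _ = apply_edit_weak(HOST_CONF, form, is_admin=False)
    fixed, rejected = apply_edit(HOST_CONF, form, is_admin=False)
    return weak["ClientNameAlias"], fixed["ClientNameAlias"], rejected


if __name__ == "__main__":
    print(demo())  # ('server1', '', ['ClientNameAlias'])
```

The point of `apply_edit` is that the allowlist is consulted when the POST is processed, not only when the form is rendered; returning the rejected names also gives the CGI something to log, which is how an administrator would notice an owner probing for the bypass.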
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>: Bug#542218; Package backuppc.
(Mon, 05 Oct 2009 15:18:03 GMT)
Acknowledgement sent
to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.
(Mon, 05 Oct 2009 15:18:03 GMT)
Bug No longer marked as fixed in versions backuppc/3.1.0-7 and reopened.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 05 Oct 2009 22:06:02 GMT)
Bug Marked as found in versions backuppc/3.1.0-7.
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Mon, 05 Oct 2009 22:06:03 GMT)
Reply sent
to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility.
(Fri, 09 Oct 2009 19:57:13 GMT)
Notification sent
to David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>:
Bug acknowledged by developer.
(Fri, 09 Oct 2009 19:57:13 GMT)
Source: backuppc
Source-Version: 3.1.0-8
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.1.0-8.diff.gz
to pool/main/b/backuppc/backuppc_3.1.0-8.diff.gz
backuppc_3.1.0-8.dsc
to pool/main/b/backuppc/backuppc_3.1.0-8.dsc
backuppc_3.1.0-8_all.deb
to pool/main/b/backuppc/backuppc_3.1.0-8_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 542218@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 09 Oct 2009 20:58:32 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.1.0-8
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 542218
Changes:
backuppc (3.1.0-8) unstable; urgency=high
.
* Really fix the alias bug. Closes: #542218
* Small init.d file fix
Checksums-Sha1:
cd2fe86b1a01d088b758a987e4fb63ff3f6a61a3 1009 backuppc_3.1.0-8.dsc
b605c476e037d0df09c4f3bdc17d292a142b2ae8 25811 backuppc_3.1.0-8.diff.gz
43cd090c5f4894a17142d0f4de6f13f4f77a53c6 564508 backuppc_3.1.0-8_all.deb
Checksums-Sha256:
e598edd195e2e241a83f57bbe52ca7caf3de4e595b6c146f968edcff480c0cf2 1009 backuppc_3.1.0-8.dsc
f8bd7fc0dc2297658d07274f832c1e1bba5ece70c9ba11ab93e12c9b740eb94b 25811 backuppc_3.1.0-8.diff.gz
f761bc6ceb145b8822fdea1cc9e3d3cf16b5a526d7b6e2a842b81330004248cf 564508 backuppc_3.1.0-8_all.deb
Files:
5480bdf088cef89045ad1f01bba54e92 1009 utils optional backuppc_3.1.0-8.dsc
cf713bee0c011d1d35fcb94aab4f21f8 25811 utils optional backuppc_3.1.0-8.diff.gz
6bcfc0e4c3ba1642271b11dc0b656e0b 564508 utils optional backuppc_3.1.0-8_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkrPi8EACgkQsRlQAP1GppgYrQCfSn0mMsJ4X1pKE45/GvglSNsl
DygAn3mO5ZSUAUlRtTdLLaPfwkizYMHc
=xUZ5
-----END PGP SIGNATURE-----
Reply sent
to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility.
(Fri, 16 Oct 2009 20:33:19 GMT)
Notification sent
to David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>:
Bug acknowledged by developer.
(Fri, 16 Oct 2009 20:33:19 GMT)
Subject: Bug#542218: fixed in backuppc 3.1.0-4lenny2
Date: Fri, 16 Oct 2009 19:58:33 +0000
Source: backuppc
Source-Version: 3.1.0-4lenny2
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.1.0-4lenny2.diff.gz
to pool/main/b/backuppc/backuppc_3.1.0-4lenny2.diff.gz
backuppc_3.1.0-4lenny2.dsc
to pool/main/b/backuppc/backuppc_3.1.0-4lenny2.dsc
backuppc_3.1.0-4lenny2_all.deb
to pool/main/b/backuppc/backuppc_3.1.0-4lenny2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 542218@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 14 Sep 2009 16:47:20 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.1.0-4lenny2
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 542218
Changes:
backuppc (3.1.0-4lenny2) stable-proposed-updates; urgency=high
.
* Disable the modification of the alias for normal users to close
a potential security hole. Closes: #542218
Checksums-Sha1:
03fcbd4313d82993ae200226651659c05e1e3e9f 1033 backuppc_3.1.0-4lenny2.dsc
c92a3187d5edaa97b3b65c089582d95735ae4019 25028 backuppc_3.1.0-4lenny2.diff.gz
f47baa899a33e3bc597480488c68679c0288aacd 541648 backuppc_3.1.0-4lenny2_all.deb
Checksums-Sha256:
7536f9026b7d29180cb755374cf1bf4c8b9582c004375d0baf092736c7ec96e4 1033 backuppc_3.1.0-4lenny2.dsc
fe626b738d6e162895c39a1c672144ada1286f69bb958007bed59a5cc56e1406 25028 backuppc_3.1.0-4lenny2.diff.gz
5c7384b2a67931a14f837d15c656512ffb86de4a32fded96e5b3a01d8acd6878 541648 backuppc_3.1.0-4lenny2_all.deb
Files:
4ed16b9c15f2fd2527cdebcd801f4398 1033 utils optional backuppc_3.1.0-4lenny2.dsc
67d1228979d2d5a96dcce8e85ccd5ab3 25028 utils optional backuppc_3.1.0-4lenny2.diff.gz
d57753ed043d004fa5a0c962362f1358 541648 utils optional backuppc_3.1.0-4lenny2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkquWDsACgkQsRlQAP1GppifpwCfQXYJfWBImTgdrP0+IiSQYM1P
kF4An2CMPs8AT6G1uguSJU2HSXsQl0k8
=ZFfE
-----END PGP SIGNATURE-----
Reply sent
to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility.
(Sat, 17 Oct 2009 02:06:06 GMT)
Notification sent
to David Ambrose-Griffith <d.e.ambrose-griffith@durham.ac.uk>:
Bug acknowledged by developer.
(Sat, 17 Oct 2009 02:06:07 GMT)
Subject: Bug#542218: fixed in backuppc 3.1.0-4lenny3
Date: Sat, 17 Oct 2009 01:58:05 +0000
Source: backuppc
Source-Version: 3.1.0-4lenny3
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.1.0-4lenny3.diff.gz
to pool/main/b/backuppc/backuppc_3.1.0-4lenny3.diff.gz
backuppc_3.1.0-4lenny3.dsc
to pool/main/b/backuppc/backuppc_3.1.0-4lenny3.dsc
backuppc_3.1.0-4lenny3_all.deb
to pool/main/b/backuppc/backuppc_3.1.0-4lenny3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 542218@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 09 Oct 2009 22:16:44 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.1.0-4lenny3
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 542218
Changes:
backuppc (3.1.0-4lenny3) stable-proposed-updates; urgency=high
.
* Better fix for the "alias" security hole. Closes: #542218
Checksums-Sha1:
f78bbc27d42326351ef83129e171e39bb45c72ef 1033 backuppc_3.1.0-4lenny3.dsc
b4f23213b9452ce0620c5d44295aa66f6b312a63 25163 backuppc_3.1.0-4lenny3.diff.gz
19147788fce9f3441f799b06057c23fe383588ab 541660 backuppc_3.1.0-4lenny3_all.deb
Checksums-Sha256:
da98b3104473801323eadff1048b56f39f0ed284625350b158e985a7cf10c620 1033 backuppc_3.1.0-4lenny3.dsc
cc0c6418348d0d42923645db22c6a46cbb5417bf81af9ffca71cf71c15b757f9 25163 backuppc_3.1.0-4lenny3.diff.gz
1f62096a4125eb607949f37b8635f5353b4036214632bd48c984be628a221c16 541660 backuppc_3.1.0-4lenny3_all.deb
Files:
6f62eb1f0ef40c33170d9710c107f59c 1033 utils optional backuppc_3.1.0-4lenny3.dsc
e211a0d8752f720fa15ee09904f61775 25163 utils optional backuppc_3.1.0-4lenny3.diff.gz
f16c2b9efd5f44ab7c4c8e53cfd2e567 541660 utils optional backuppc_3.1.0-4lenny3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkrPmmYACgkQsRlQAP1GppjU+QCeKzg50TLD4YPmX51GNF3xob5e
nHoAnjcUO+rVzBFF8g5qUgz9FzD6F2bT
=6rGj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 31 Jan 2010 07:29:35 GMT)