Debian Bug report logs - #576308
OpenDcHub 0.8.1 Remote Code Execution Exploit


Package: opendchub; Maintainer for opendchub is Zak B. Elep <zakame@zakame.net>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 2 Apr 2010 20:57:01 UTC

Severity: grave

Tags: confirmed, patch, security

Fixed in version opendchub/0.8.2-2

Done: zakame@zakame.net (Zak B. Elep)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, zakame@zakame.net (Zak B. Elep):
Bug#576308; Package opendchub. (Fri, 02 Apr 2010 20:57:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, zakame@zakame.net (Zak B. Elep).

Your message had a Version: pseudo-header with an invalid package version:

OpenDcHub 0.8.1 Remote Code Execution Exploit

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Fri, 02 Apr 2010 20:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: OpenDcHub 0.8.1 Remote Code Execution Exploit
Date: Fri, 02 Apr 2010 22:13:42 +0200
Package: opendchub
Version: OpenDcHub 0.8.1 Remote Code Execution Exploit
Severity: grave
Tags: security

This was reported to full-disclosure:

http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600

Please get in touch with upstream for a fix.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages opendchub depends on:
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
pn  libcap1                       <none>     (no description available)
ii  libperl5.10                   5.10.1-11  shared Perl library

opendchub recommends no packages.

opendchub suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, zakame@zakame.net (Zak B. Elep):
Bug#576308; Package opendchub. (Sat, 03 Apr 2010 16:36:02 GMT)

Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to zakame@zakame.net (Zak B. Elep). (Sat, 03 Apr 2010 16:36:02 GMT)

Message #10 received at 576308@bugs.debian.org:

From: Gerfried Fuchs <rhonda@deb.at>
To: Moritz Muehlenhoff <jmm@debian.org>, 576308@bugs.debian.org
Subject: Re: Bug#576308: OpenDcHub 0.8.1 Remote Code Execution Exploit
Date: Sat, 3 Apr 2010 17:55:11 +0200

Hi!

* Moritz Muehlenhoff <jmm@debian.org> [2010-04-02 22:13:42 CEST]:
> Package: opendchub
> Version: OpenDcHub 0.8.1 Remote Code Execution Exploit
> Severity: grave
> Tags: security
> 
> This was reported to full-disclosure:
> 
> http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600
> 
> Please get in touch with upstream for a fix.

 Hmm, it is mentioned in there that 0.8.1 is affected - has it been
tested if previous versions are affected too? From what I can see 0.8.1
isn't packaged (yet).

 Thanks,
Rhonda




Information forwarded to debian-bugs-dist@lists.debian.org, zakame@zakame.net (Zak B. Elep):
Bug#576308; Package opendchub. (Sat, 10 Apr 2010 12:36:05 GMT)

Acknowledgement sent to Sebastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to zakame@zakame.net (Zak B. Elep). (Sat, 10 Apr 2010 12:36:05 GMT)

Message #15 received at 576308@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 576308@bugs.debian.org
Subject: Patch
Date: Sat, 10 Apr 2010 14:32:53 +0200

The aforementioned exploit does not yield a shell when run against
0.8.0, but it does crash the daemon:

  ~ # gdb -q
  (gdb) att 17168
  Attaching to process 17168
  Reading symbols from /usr/bin/opendchub...(no debugging symbols found)...done.
  Reading symbols from /usr/lib/libperl.so.5.10...(no debugging symbols found)...done.
  Loaded symbols for /usr/lib/libperl.so.5.10
  Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libdl.so.2
  Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
  Loaded symbols for /lib/libm.so.6
  Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
  [Thread debugging using libthread_db enabled]
  Loaded symbols for /lib/libpthread.so.0
  Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
  Loaded symbols for /lib/libc.so.6
  Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
  Loaded symbols for /lib/libcrypt.so.1
  Reading symbols from /lib/libcap.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libcap.so.2
  Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnsl.so.1
  Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/ld-linux.so.2
  Reading symbols from /lib/libattr.so.1...(no debugging symbols found)...done.
  Loaded symbols for /lib/libattr.so.1
  Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnss_compat.so.2
  Reading symbols from /lib/libnss_nis.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnss_nis.so.2
  Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnss_files.so.2
  (no debugging symbols found)
  0xb7657b06 in poll () from /lib/libc.so.6
  (gdb) c
  Continuing.

  Program received signal SIGPIPE, Broken pipe.
  0xb76e9f5c in send () from /lib/libpthread.so.0
  (gdb)

The attached patch, courtesy of Moritz Muehlenhoff, does fix the
problem.

Cheers,

--Seb
[opendchub.patch (text/x-diff, attachment)]

Added tag(s) confirmed and patch. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Sat, 10 Apr 2010 15:42:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, zakame@zakame.net (Zak B. Elep):
Bug#576308; Package opendchub. (Thu, 22 Apr 2010 06:45:03 GMT)

Acknowledgement sent to Zak <zakame@zakame.net>:
Extra info received and forwarded to list. Copy sent to zakame@zakame.net (Zak B. Elep). (Thu, 22 Apr 2010 06:45:03 GMT)

Message #22 received at 576308@bugs.debian.org:

From: Zak <zakame@zakame.net>
To: Sebastien Delafond <seb@debian.org>, 576308@bugs.debian.org
Subject: Re: Bug#576308: Patch
Date: Thu, 22 Apr 2010 14:18:32 +0800

Hi!

On 04/10/10 20:32, Sebastien Delafond wrote:
> The aforementioned exploit does not yield a shell when run against
> 0.8.0, but it does crash the daemon:
>    
...
> The attached patch, courtesy of Moritz Muehlenhoff, does fix the
> problem.
>    

Thanks, I will check if it is in the new 0.8.2 version update.





Reply sent to zakame@zakame.net (Zak B. Elep):
You have taken responsibility. (Tue, 27 Apr 2010 17:36:07 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 27 Apr 2010 17:36:07 GMT)

Message #27 received at 576308-close@bugs.debian.org:

From: zakame@zakame.net (Zak B. Elep)
To: 576308-close@bugs.debian.org
Subject: Bug#576308: fixed in opendchub 0.8.2-2
Date: Tue, 27 Apr 2010 17:34:17 +0000

Source: opendchub
Source-Version: 0.8.2-2

We believe that the bug you reported is fixed in the latest version of
opendchub, which is due to be installed in the Debian FTP archive:

opendchub_0.8.2-2.debian.tar.gz
  to main/o/opendchub/opendchub_0.8.2-2.debian.tar.gz
opendchub_0.8.2-2.dsc
  to main/o/opendchub/opendchub_0.8.2-2.dsc
opendchub_0.8.2-2_amd64.deb
  to main/o/opendchub/opendchub_0.8.2-2_amd64.deb
opendchub_0.8.2.orig.tar.gz
  to main/o/opendchub/opendchub_0.8.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 576308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zak B. Elep <zakame@zakame.net> (supplier of updated opendchub package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 23 Apr 2010 13:59:56 +0800
Source: opendchub
Binary: opendchub
Architecture: source amd64
Version: 0.8.2-2
Distribution: unstable
Urgency: low
Maintainer: Zak B. Elep <zakame@zakame.net>
Changed-By: Zak B. Elep <zakame@zakame.net>
Description: 
 opendchub  - hub clone for DC (Direct Connect P2P network)
Closes: 564888 576308
Changes: 
 opendchub (0.8.2-2) unstable; urgency=low
 .
   * Switch to new source package format 3.0 (quilt)
   * debian/NEWS: Fix for lintian informational warning
   * Fix spelling and grammar errors in the source, again per lintian
 .
 opendchub (0.8.2-1) unstable; urgency=low
 .
   * New upstream version (Closes: #564888)
     + Fix remote code execution exploit, thanks jmm@ (Closes: #576308)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 07:49:33 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 02:03:09 2014; Machine Name: buxtehude.debian.org
