Debian Bug report logs - #597382
unsafe chroot() call


Package: mingetty; Maintainer for mingetty is Paul Martin <pm@debian.org>; Source for mingetty is src:mingetty.

Reported by: Vasiliy Kulikov <segooon@gmail.com>

Date: Sun, 19 Sep 2010 08:21:01 UTC

Severity: critical

Tags: patch, security

Found in version mingetty/1.07-1

Fixed in versions mingetty/1.07-2, mingetty/1.07-3

Done: Paul Martin <pm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Martin <pm@debian.org>:
Bug#597382; Package mingetty. (Sun, 19 Sep 2010 08:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vasiliy Kulikov <segooon@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Martin <pm@debian.org>. (Sun, 19 Sep 2010 08:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Vasiliy Kulikov <segooon@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unsafe chroot() call
Date: Sun, 19 Sep 2010 12:13:47 +0400
[Message part 1 (text/plain, inline)]
Package: mingetty
Version: 1.07-1
Severity: critical
Tags: security patch

Hi,

mingetty doesn't change the current directory after the chroot() call.
It allows an attacker to call chdir("../") many times and get to the root directory.
Also, chdir(), chroot() and nice() are not checked for error return values.
It allows an attacker to avoid local policy restrictions in some cases.


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid-backports'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-25-generic (SMP w/2 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mingetty depends on:
ii  libc6                  2.11.1-0ubuntu7.3 Embedded GNU C Library: Shared lib

mingetty recommends no packages.

mingetty suggests no packages.

-- no debconf information
[diff (text/x-c, attachment)]

Reply sent to Paul Martin <pm@debian.org>:
You have taken responsibility. (Sat, 25 Sep 2010 01:03:09 GMT) Full text and rfc822 format available.

Notification sent to Vasiliy Kulikov <segooon@gmail.com>:
Bug acknowledged by developer. (Sat, 25 Sep 2010 01:03:09 GMT) Full text and rfc822 format available.

Message #10 received at 597382-close@bugs.debian.org (full text, mbox):

From: Paul Martin <pm@debian.org>
To: 597382-close@bugs.debian.org
Subject: Bug#597382: fixed in mingetty 1.07-2
Date: Sat, 25 Sep 2010 01:02:12 +0000
Source: mingetty
Source-Version: 1.07-2

We believe that the bug you reported is fixed in the latest version of
mingetty, which is due to be installed in the Debian FTP archive:

mingetty_1.07-2.diff.gz
  to main/m/mingetty/mingetty_1.07-2.diff.gz
mingetty_1.07-2.dsc
  to main/m/mingetty/mingetty_1.07-2.dsc
mingetty_1.07-2_i386.deb
  to main/m/mingetty/mingetty_1.07-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 597382@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Martin <pm@debian.org> (supplier of updated mingetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Sep 2010 01:51:12 +0100
Source: mingetty
Binary: mingetty
Architecture: source i386
Version: 1.07-2
Distribution: unstable
Urgency: high
Maintainer: Paul Martin <pm@debian.org>
Changed-By: Paul Martin <pm@debian.org>
Description: 
 mingetty   - Console-only getty
Closes: 597382
Changes: 
 mingetty (1.07-2) unstable; urgency=high
 .
   * Critical security patch: Fix unsafe chroot call. (Closes: #597382)
   * Checked dependencies for locusts. (Closes: http://xkcd.com/797/)





Reply sent to Paul Martin <pm@debian.org>:
You have taken responsibility. (Sat, 25 Sep 2010 15:33:06 GMT) Full text and rfc822 format available.

Notification sent to Vasiliy Kulikov <segooon@gmail.com>:
Bug acknowledged by developer. (Sat, 25 Sep 2010 15:33:06 GMT) Full text and rfc822 format available.

Message #15 received at 597382-close@bugs.debian.org (full text, mbox):

From: Paul Martin <pm@debian.org>
To: 597382-close@bugs.debian.org
Subject: Bug#597382: fixed in mingetty 1.07-3
Date: Sat, 25 Sep 2010 15:32:18 +0000
Source: mingetty
Source-Version: 1.07-3

We believe that the bug you reported is fixed in the latest version of
mingetty, which is due to be installed in the Debian FTP archive:

mingetty_1.07-3.diff.gz
  to main/m/mingetty/mingetty_1.07-3.diff.gz
mingetty_1.07-3.dsc
  to main/m/mingetty/mingetty_1.07-3.dsc
mingetty_1.07-3_i386.deb
  to main/m/mingetty/mingetty_1.07-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 597382@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Martin <pm@debian.org> (supplier of updated mingetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Sep 2010 16:12:51 +0100
Source: mingetty
Binary: mingetty
Architecture: source i386
Version: 1.07-3
Distribution: unstable
Urgency: high
Maintainer: Paul Martin <pm@debian.org>
Changed-By: Paul Martin <pm@debian.org>
Description: 
 mingetty   - Console-only getty
Closes: 597382
Changes: 
 mingetty (1.07-3) unstable; urgency=high
 .
   * Fix bug introduced by patch from #597382: the return value of nice()
     is the new nice value. (Closes: #597382)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:03:32 GMT) Full text and rfc822 format available.
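
The two points raised in this log, a chroot() that is not followed by a change of directory and the 1.07-3 note that nice() returns the new nice value, are shown below in checked form. This is an added example, not the attached patch or mingetty's own code; the names `enter_jail`, `checked_nice` and `jail_status` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* expose chroot() and nice() in <unistd.h> */
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

enum jail_status { JAIL_OK = 0, JAIL_ERR_CHROOT = -1, JAIL_ERR_CHDIR = -2 };

/* chroot() does not move the working directory, so chdir("/") must follow
 * it; either call failing means the process is not confined. */
int enter_jail(const char *new_root)
{
    if (chroot(new_root) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    return JAIL_OK;
}

/* nice() returns the new nice value, and -1 is a legal value, so the only
 * failure signal is a return of -1 with errno set. */
int checked_nice(int increment, int *new_value)
{
    int v;

    errno = 0;
    v = nice(increment);
    if (v == -1 && errno != 0)
        return -1;
    if (new_value != NULL)
        *new_value = v;
    return 0;
}

int main(int argc, char **argv)
{
    int value;

    if (checked_nice(1, &value) != 0) {
        perror("nice");
        return 1;
    }
    printf("nice value is now %d\n", value);
    if (argc > 1 && enter_jail(argv[1]) != JAIL_OK) {
        perror("jail setup");   /* stop here rather than run unconfined */
        return 1;
    }
    return 0;
}
```

Run without arguments it only exercises the nice() check; given a directory argument it also needs the privilege to call chroot().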



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:45:51 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.