Debian Bug report logs - #603946
CVE-2010-4170 and CVE-2010-4171

version graph

Package: systemtap; Maintainer for systemtap is Ritesh Raj Sarraf <rrs@debian.org>; Source for systemtap is src:systemtap.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 18 Nov 2010 18:42:02 UTC

Severity: grave

Tags: security

Found in versions systemtap/1.3-1, systemtap/1.3-2

Fixed in versions systemtap/1.4-1, systemtap/1.2-3

Done: Ritesh Raj Sarraf <rrs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ritesh Raj Sarraf <rrs@debian.org>:
Bug#603946; Package systemtap. (Thu, 18 Nov 2010 18:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ritesh Raj Sarraf <rrs@debian.org>. (Thu, 18 Nov 2010 18:42:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4170 and CVE-2010-4171
Date: Thu, 18 Nov 2010 19:39:00 +0100
Package: systemtap
Severity: grave
Tags: security

Two security issues have been found in systemtap, one of them
allowing local privilege escalation:

http://sources.redhat.com/ml/systemtap/2010-q4/msg00230.html

These are CVE-2010-4170 and CVE-2010-4171.

Fix:
http://sources.redhat.com/git/gitweb.cgi?p=systemtap.git;a=commit;h=b7565b41228bea196cefa3a7d43ab67f8f9152e2


Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages systemtap depends on:
ii  libc6                         2.11.2-6   Embedded GNU C Library: Shared lib
ii  libelf1                       0.148-1    library to read and write ELF file
ii  libgcc1                       1:4.4.5-3  GCC support library
ii  libsqlite3-0                  3.7.2-1    SQLite 3 shared library
ii  libstdc++6                    4.4.5-3    The GNU Standard C++ Library v3
pn  systemtap-runtime             <none>     (no description available)

systemtap recommends no packages.

Versions of packages systemtap suggests:
pn  systemtap-doc                 <none>     (no description available)
pn  vim-addon-manager             <none>     (no description available)




Added tag(s) pending. Request was from Ritesh Raj Sarraf <rrs@debian.org> to control@bugs.debian.org. (Fri, 19 Nov 2010 13:21:09 GMT) Full text and rfc822 format available.

Reply sent to Ritesh Raj Sarraf <rrs@debian.org>:
You have taken responsibility. (Sat, 20 Nov 2010 06:21:03 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 20 Nov 2010 06:21:03 GMT) Full text and rfc822 format available.

Message #12 received at 603946-close@bugs.debian.org (full text, mbox):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: 603946-close@bugs.debian.org
Subject: Bug#603946: fixed in systemtap 1.2-3
Date: Sat, 20 Nov 2010 06:17:14 +0000
Source: systemtap
Source-Version: 1.2-3

We believe that the bug you reported is fixed in the latest version of
systemtap, which is due to be installed in the Debian FTP archive:

systemtap-client_1.2-3_amd64.deb
  to main/s/systemtap/systemtap-client_1.2-3_amd64.deb
systemtap-common_1.2-3_all.deb
  to main/s/systemtap/systemtap-common_1.2-3_all.deb
systemtap-doc_1.2-3_all.deb
  to main/s/systemtap/systemtap-doc_1.2-3_all.deb
systemtap-grapher_1.2-3_amd64.deb
  to main/s/systemtap/systemtap-grapher_1.2-3_amd64.deb
systemtap-runtime_1.2-3_amd64.deb
  to main/s/systemtap/systemtap-runtime_1.2-3_amd64.deb
systemtap-sdt-dev_1.2-3_all.deb
  to main/s/systemtap/systemtap-sdt-dev_1.2-3_all.deb
systemtap-server_1.2-3_amd64.deb
  to main/s/systemtap/systemtap-server_1.2-3_amd64.deb
systemtap_1.2-3.debian.tar.gz
  to main/s/systemtap/systemtap_1.2-3.debian.tar.gz
systemtap_1.2-3.dsc
  to main/s/systemtap/systemtap_1.2-3.dsc
systemtap_1.2-3_amd64.deb
  to main/s/systemtap/systemtap_1.2-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 603946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <rrs@debian.org> (supplier of updated systemtap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Nov 2010 18:47:21 +0530
Source: systemtap
Binary: systemtap systemtap-common systemtap-runtime systemtap-doc systemtap-server systemtap-client systemtap-sdt-dev systemtap-grapher
Architecture: source amd64 all
Version: 1.2-3
Distribution: unstable
Urgency: high
Maintainer: Ritesh Raj Sarraf <rrs@debian.org>
Changed-By: Ritesh Raj Sarraf <rrs@debian.org>
Description: 
 systemtap  - instrumentation system for Linux 2.6
 systemtap-client - instrumentation system for Linux 2.6 (client for compile server)
 systemtap-common - instrumentation system for Linux 2.6 (common component)
 systemtap-doc - documentation and examples for SystemTap
 systemtap-grapher - instrumentation system for Linux 2.6 (grapher)
 systemtap-runtime - instrumentation system for Linux 2.6 (runtime component)
 systemtap-sdt-dev - statically defined probes development files
 systemtap-server - instrumentation system for Linux 2.6 (compile server)
Closes: 603946
Changes: 
 systemtap (1.2-3) unstable; urgency=high
 .
   * Fix CVE Vulnerability: CVE-2010-4170, CVE-2010-4171
     staprun module loading/unloading security fixes
     (Closes: #603946)
Checksums-Sha1: 
 f2f0bff87742aa37dcb67abb4e3d936b70dc0081 2308 systemtap_1.2-3.dsc
 9c172d21e2519a7deb5757ad99e7e6308726c29f 27394 systemtap_1.2-3.debian.tar.gz
 1258bbdf3d78837eda4d2c0306336ce1d2fc12e8 636120 systemtap_1.2-3_amd64.deb
 2d83e78ff24f136572dddc47d5b8fe78e08cb19d 410990 systemtap-common_1.2-3_all.deb
 6733ca71e060b0abcd73e1f95ca00c03e72af2c7 64114 systemtap-runtime_1.2-3_amd64.deb
 2472500d9ed1fcccf6f7c534c7e5a8acfb2d4ca0 867196 systemtap-doc_1.2-3_all.deb
 678c01a24f5264305399b07c50da56c01de29361 62606 systemtap-server_1.2-3_amd64.deb
 ec16dca99a92afd89e50e45f0b61f7cd89b76f31 41350 systemtap-client_1.2-3_amd64.deb
 9a24b1d5dec9caff2b20441313646f1cdf360d6c 20090 systemtap-sdt-dev_1.2-3_all.deb
 280e0631f0c2389e8ce0a03afa52bea0fd1d5cb6 121260 systemtap-grapher_1.2-3_amd64.deb
Checksums-Sha256: 
 05ea84fb4546c13652093c140a08f694785c28ce195978cd4271b08b846b4d97 2308 systemtap_1.2-3.dsc
 5a5826cb98782a43577989050c4953312e697874c2ba8d758e521e5d4ea2cf86 27394 systemtap_1.2-3.debian.tar.gz
 2c8eb066cb6575de0c92f9b3cdd904c03b1f9f2c8d58c0e91cd995a76b329b6b 636120 systemtap_1.2-3_amd64.deb
 56d637909ae5370aebdb261174994d9a7fa2233fa2516af606bbf1f934868e2d 410990 systemtap-common_1.2-3_all.deb
 1cd5abdd91ba5b07a93b433b6be619f7f02350f1f21f7a510e915e3ca5f39339 64114 systemtap-runtime_1.2-3_amd64.deb
 c0acf74a6fa7d0a28fbd05cb363288a09573a2a19fc0da790136ab2c474d2f52 867196 systemtap-doc_1.2-3_all.deb
 99d7836af3cc7e15a751e383d55d3f5e823acc28b8b05dd6a4aed12b36d04124 62606 systemtap-server_1.2-3_amd64.deb
 3a39945d2423735cb253dc0a2dc7878b7f854fd7a2d7ff19793a783f867cc462 41350 systemtap-client_1.2-3_amd64.deb
 b38a3e86358ae289247e3a80e66bb54a00c5f85d8db67b7ea955236ab706a0ac 20090 systemtap-sdt-dev_1.2-3_all.deb
 7ea551b4a7f7c4f182ca7936252cf41593861c0e5d0a34d04d9330dcf693258e 121260 systemtap-grapher_1.2-3_amd64.deb
Files: 
 f4bde84293dfb9b207f7e0b504628db3 2308 devel optional systemtap_1.2-3.dsc
 66acaf977718d364ce40811c2df18a06 27394 devel optional systemtap_1.2-3.debian.tar.gz
 28b60666f68d453cf71c2eb2eccfe19e 636120 devel optional systemtap_1.2-3_amd64.deb
 08a28d6827086911bb0dc67fe60692d1 410990 devel optional systemtap-common_1.2-3_all.deb
 229b024a540e1f8d2b7c5d28a889c99c 64114 devel optional systemtap-runtime_1.2-3_amd64.deb
 7838de7e7e99cb99d7fe2cd6648257ab 867196 doc optional systemtap-doc_1.2-3_all.deb
 6fe7cd4b3e6817a80cfd74084ff36d30 62606 devel optional systemtap-server_1.2-3_amd64.deb
 c33f9aa24c5516fa0f2b742dc238ac67 41350 devel optional systemtap-client_1.2-3_amd64.deb
 48bc7656127f0a98a8aa244555d449ed 20090 devel optional systemtap-sdt-dev_1.2-3_all.deb
 9135435cd4a93a2e57a7c7c63f0dbd56 121260 devel optional systemtap-grapher_1.2-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJM52IPAAoJEKY6WKPy4XVpy4EP/2yPnNp5MsMMdORtBu7rmqMg
1f/MHvPav5EaBXbinYT5N8qcRn614mJcTZMGBPqt8bQnUiZdUQixjzEOKWnKPj6J
AjRwGGi2olQIQo9Cl29UoXe/waLCxp6wKzYI++BHXCqn0SrOfRTRhMi3L/pukQBF
nRFCEkkixLEa5UDBLMzao2Udwp98xFzhRch6G4ZfKKJZakSlmJR+Fh2qSI1VgCQh
e7ZQz0uEgDpgcxZkxHprAvDPtRzJhxfuAarCMZC+uIMcAROa94GreD1r91ZW36Yr
Lp7CVRmjSHlrZI2gAgNknQCG6KxH/4PSKyxcoB7VKtgPNOXseYh4N6qyuZ7EX+WZ
sOu5WqPXtMzrQ9qMLq431Iahm+HJWCP2FBQ68S8ZEEeyNxmNKLqo2+ZNmciIynjw
Ix/P5SgrBkVcN7jju2qMMDVxpl2XbpZWTK5rkNbXZuHL5lcvJSESA9/TPjietvDN
bfLO8VKlLGa8ZY0wIWjvOb+BUnbLKZ8pxVhXNSOVtG6zEbVFnHbS1STy2ODawxQW
ZmjEluCUMv6FvsbjDSv9yBukSZ5jBr42IrFlLPtz8eA7vOHqYY+/Lr16G+Q+6u9X
+iaMNlhWcztpDv+RRzXyhuViwcDp8cMiDpkgLnGOJLjFcIZkz7fH1wH50E8Pu8UP
iC8qvD+0bQfXCmI68W1J
=M0o7
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Dec 2010 07:32:04 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Mahyuddin Susanto <udienz@ubuntu.com> to control@bugs.debian.org. (Sat, 19 Feb 2011 12:39:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions systemtap/1.3-2 and reopened. Request was from Mahyuddin Susanto <udienz@ubuntu.com> to control@bugs.debian.org. (Sat, 19 Feb 2011 12:39:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions systemtap/1.3-1. Request was from Mahyuddin Susanto <udienz@ubuntu.com> to control@bugs.debian.org. (Sat, 19 Feb 2011 12:39:04 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions systemtap/1.4-1. Request was from Ritesh Raj Sarraf <rrs@debian.org> to control@bugs.debian.org. (Sun, 27 Feb 2011 13:36:03 GMT) Full text and rfc822 format available.

Bug closed, send any further explanations to Moritz Muehlenhoff <jmm@debian.org> Request was from Ritesh Raj Sarraf <rrs@debian.org> to control@bugs.debian.org. (Wed, 16 Mar 2011 09:03:05 GMT) Full text and rfc822 format available.

Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#603946. (Wed, 16 Mar 2011 09:03:07 GMT) Full text and rfc822 format available.

Message #27 received at 603946-submitter@bugs.debian.org (full text, mbox):

From: Ritesh Raj Sarraf <rrs@debian.org>
To: control@bugs.debian.org
Cc: 603946-submitter@bugs.debian.org
Subject: closing 603946
Date: Wed, 16 Mar 2011 14:31:28 +0530
#the bug is fixed in 1.4-1 which is now in testing/unstable
close 603946 
thanks
-- 
-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Apr 2011 07:35:53 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:37:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.