Debian Bug report logs - #631345
opie: missing setuid() retval check in opielogin

Package: opie; Maintainer for opie is Michael Stone <mstone@debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Thu, 23 Jun 2011 03:06:05 UTC

Severity: serious

Fixed in version opie/2.32.dfsg.1-0.2+squeeze1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#631345; Package opie. (Thu, 23 Jun 2011 03:06:08 GMT)

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Michael Stone <mstone@debian.org>. (Thu, 23 Jun 2011 03:06:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: opie: missing setuid() retval check in opielogin
Date: Thu, 23 Jun 2011 00:04:14 -0300
Package: opie
Severity: serious
Tags: important

Hi,
  A security bug has been reported in opielogin[1]. A patch by Novell can be 
found here: https://bugzillafiles.novell.org/attachment.cgi?id=435901

Please consider porting this patch to stable and oldstable.

Thanks a lot for all your help,

luciano

[1] http://www.openwall.com/lists/oss-security/2011/06/22/6
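
Added example, not part of the original report and not the Novell or Debian patch: the bug class named in the subject, shown as a login-style privilege drop with and without return-value checks. The id_ops indirection, the sim_* stubs and uid/gid 1000 are constructed so that the failure path can be exercised without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection over the real calls so a failure can be simulated. */
struct id_ops {
    int   (*set_gid)(gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_euid)(void);
};
/* What a real login program would pass in. */
const struct id_ops real_ops = { setgid, setuid, geteuid };

/* Constructed stubs: a process that starts as root (euid 0). */
static uid_t sim_euid = 0;
static uid_t sim_geteuid(void)        { return sim_euid; }
static int   sim_setgid(gid_t g)      { (void)g; return 0; }
static int   sim_setuid_ok(uid_t u)   { sim_euid = u; return 0; }
static int   sim_setuid_fail(uid_t u) { (void)u; errno = EAGAIN; return -1; }
const struct id_ops sim_ok   = { sim_setgid, sim_setuid_ok,   sim_geteuid };
const struct id_ops sim_fail = { sim_setgid, sim_setuid_fail, sim_geteuid };

/* Unchecked: results discarded. Returns the euid the session would start with. */
long login_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->set_uid(uid);              /* a failure here goes unnoticed */
    return (long)ops->get_euid();
}

/* Checked: group before user, every failure fatal, result verified. -1 = abort. */
long login_checked(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0 || ops->set_uid(uid) != 0)
        return -1;                  /* never start the session */
    if (ops->get_euid() != uid)
        return -1;                  /* drop reported success but did not take */
    return (long)ops->get_euid();
}

int main(void)
{
    printf("unchecked, setuid fails: session euid %ld\n", login_unchecked(&sim_fail, 1000, 1000));
    printf("checked,   setuid fails: %ld (aborted)\n", login_checked(&sim_fail, 1000, 1000));
    printf("checked,   setuid works: session euid %ld\n", login_checked(&sim_ok, 1000, 1000));
    return 0;
}
```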




Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Fri, 22 Jul 2011 20:00:10 GMT)

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Fri, 22 Jul 2011 20:00:10 GMT)

Message #10 received at 631345-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 631345-close@bugs.debian.org
Subject: Bug#631345: fixed in opie 2.32.dfsg.1-0.2+squeeze1
Date: Fri, 22 Jul 2011 19:56:49 +0000
Source: opie
Source-Version: 2.32.dfsg.1-0.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
opie, which is due to be installed in the Debian FTP archive:

libopie-dev_2.32.dfsg.1-0.2+squeeze1_amd64.deb
  to main/o/opie/libopie-dev_2.32.dfsg.1-0.2+squeeze1_amd64.deb
opie-client_2.32.dfsg.1-0.2+squeeze1_amd64.deb
  to main/o/opie/opie-client_2.32.dfsg.1-0.2+squeeze1_amd64.deb
opie-server_2.32.dfsg.1-0.2+squeeze1_amd64.deb
  to main/o/opie/opie-server_2.32.dfsg.1-0.2+squeeze1_amd64.deb
opie_2.32.dfsg.1-0.2+squeeze1.diff.gz
  to main/o/opie/opie_2.32.dfsg.1-0.2+squeeze1.diff.gz
opie_2.32.dfsg.1-0.2+squeeze1.dsc
  to main/o/opie/opie_2.32.dfsg.1-0.2+squeeze1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631345@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated opie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 19 Jul 2011 22:21:04 +1000
Source: opie
Binary: opie-client opie-server libopie-dev
Architecture: source amd64
Version: 2.32.dfsg.1-0.2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Michael Stone <mstone@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 libopie-dev - OPIE library development files.
 opie-client - OPIE programs for generating OTPs on client machines
 opie-server - OPIE programs for maintaining an OTP key file
Closes: 631344 631345
Changes: 
 opie (2.32.dfsg.1-0.2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix off-by-one and privilege escalation via missing check for
     setuid() (Closes: #631344, #631345)
     Fixes: CVE-2011-2489 CVE-2011-2490

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4lfcQACgkQ62zWxYk/rQeifwCgrLlsUfl/r6LrEF1s4tdraBsY
InUAn3ET73PP5G9XZJ56Y21lSY5SHZ0q
=wFUc
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Nov 2011 07:36:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:44:15 2014; Machine Name: buxtehude.debian.org
