Debian Bug report logs - #651917
ipmitool: insecure file permission when creating PID files


Package: ipmitool; Maintainer for ipmitool is Matthew Johnson <mjj29@debian.org>; Source for ipmitool is src:ipmitool.

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Tue, 13 Dec 2011 06:45:01 UTC

Severity: grave

Tags: security

Fixed in versions ipmitool/1.8.11-5, ipmitool/1.8.11-2+squeeze2, ipmitool/1.8.9-2+squeeze1

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Johnson <mjj29@debian.org>:
Bug#651917; Package ipmitool. (Tue, 13 Dec 2011 06:45:04 GMT)

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthew Johnson <mjj29@debian.org>. (Tue, 13 Dec 2011 06:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ipmitool: insecure file permission when creating PID files
Date: Tue, 13 Dec 2011 07:41:20 +0100
Package: ipmitool
Severity: grave
Tags: security
Justification: user security hole

Hi,

an insecure file permission flaw was found in the way ipmitool handled
PID file creation.

There's more info in the Red Hat bug, along with a patch, see
https://bugzilla.redhat.com/show_bug.cgi?id=742837

This has been assigned CVE-2011-4339; when you update a fix, could
you add it to the changelog entry?

Could you prepare updated packages for Squeeze and Lenny too?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Wed, 28 Dec 2011 12:08:19 GMT)

Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Wed, 28 Dec 2011 12:09:05 GMT)

Message #10 received at 651917-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 651917-close@bugs.debian.org
Subject: Bug#651917: fixed in ipmitool 1.8.11-5
Date: Wed, 28 Dec 2011 12:03:07 +0000
Source: ipmitool
Source-Version: 1.8.11-5

We believe that the bug you reported is fixed in the latest version of
ipmitool, which is due to be installed in the Debian FTP archive:

ipmitool_1.8.11-5.diff.gz
  to main/i/ipmitool/ipmitool_1.8.11-5.diff.gz
ipmitool_1.8.11-5.dsc
  to main/i/ipmitool/ipmitool_1.8.11-5.dsc
ipmitool_1.8.11-5_i386.deb
  to main/i/ipmitool/ipmitool_1.8.11-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated ipmitool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 28 Dec 2011 12:34:15 +0100
Source: ipmitool
Binary: ipmitool
Architecture: source i386
Version: 1.8.11-5
Distribution: unstable
Urgency: high
Maintainer: Matthew Johnson <mjj29@debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 ipmitool   - utility for IPMI control with kernel driver or LAN interface
Closes: 651917
Changes: 
 ipmitool (1.8.11-5) unstable; urgency=high
 .
   * debian/control: Add libncurses-dev build dependency
   * Don't set umask to fix CVE-2011-4339 (Closes: #651917).


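The changelog above records the fix as no longer setting the umask. What follows is an added example in C, not ipmitool's code: a PID-file writer that pins the file mode regardless of the process umask, a check that detects a world-writable PID file (the CVE-2011-4339 condition), and a demo() that contrasts the two under a cleared umask. The function names and the file paths passed to demo() are constructed for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `pid` to the PID file at `path`. The file is created with an
 * explicit mode, and fchmod() pins that mode on the open descriptor, so
 * the result is 0644 even if daemonisation code has cleared the umask.
 * Returns 0 on success, -1 on error. */
int write_pidfile(const char *path, pid_t pid)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0644) < 0) { close(fd); return -1; }
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (n < 0 || write(fd, buf, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

/* Defender-side check for the CVE-2011-4339 condition: is the PID file
 * writable by group or others? Returns 1 if so, 0 if not, -1 on error.
 * Anything that is not a regular file is reported as unsafe. */
int pidfile_is_world_writable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Side by side under umask(0): a PID file whose mode is left to the
 * (cleared) umask comes out 0666; write_pidfile() still yields 0644.
 * Returns 0 when the check flags the weak file and passes the fixed one. */
int demo(const char *weak_path, const char *fixed_path)
{
    mode_t saved = umask(0);                    /* the umask call the fix removes */
    int fd = open(weak_path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd >= 0) close(fd);
    int rc = write_pidfile(fixed_path, getpid());
    umask(saved);
    int weak = pidfile_is_world_writable(weak_path);   /* expect 1 */
    int fixed = pidfile_is_world_writable(fixed_path); /* expect 0 */
    unlink(weak_path); unlink(fixed_path);
    return (rc == 0 && weak == 1 && fixed == 0) ? 0 : -1;
}
```

The same check can be run from a packaging test or a host-hardening audit against the daemon's real PID file path.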




Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2011 14:00:28 GMT)

Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sat, 31 Dec 2011 14:00:28 GMT)

Message #15 received at 651917-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 651917-close@bugs.debian.org
Subject: Bug#651917: fixed in ipmitool 1.8.11-2+squeeze2
Date: Sat, 31 Dec 2011 13:57:06 +0000
Source: ipmitool
Source-Version: 1.8.11-2+squeeze2

We believe that the bug you reported is fixed in the latest version of
ipmitool, which is due to be installed in the Debian FTP archive:

ipmitool_1.8.11-2+squeeze2.diff.gz
  to main/i/ipmitool/ipmitool_1.8.11-2+squeeze2.diff.gz
ipmitool_1.8.11-2+squeeze2.dsc
  to main/i/ipmitool/ipmitool_1.8.11-2+squeeze2.dsc
ipmitool_1.8.11-2+squeeze2_i386.deb
  to main/i/ipmitool/ipmitool_1.8.11-2+squeeze2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated ipmitool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 28 Dec 2011 13:53:15 +0100
Source: ipmitool
Binary: ipmitool
Architecture: source i386
Version: 1.8.11-2+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Matthew Johnson <mjj29@debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 ipmitool   - utility for IPMI control with kernel driver or LAN interface
Closes: 651917
Changes: 
 ipmitool (1.8.11-2+squeeze2) stable-security; urgency=high
 .
   * Don't set umask to fix CVE-2011-4339 (Closes: #651917).






Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2011 19:57:04 GMT)

Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sat, 31 Dec 2011 19:57:04 GMT)

Message #20 received at 651917-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 651917-close@bugs.debian.org
Subject: Bug#651917: fixed in ipmitool 1.8.9-2+squeeze1
Date: Sat, 31 Dec 2011 19:55:23 +0000
Source: ipmitool
Source-Version: 1.8.9-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
ipmitool, which is due to be installed in the Debian FTP archive:

ipmitool_1.8.9-2+squeeze1.diff.gz
  to main/i/ipmitool/ipmitool_1.8.9-2+squeeze1.diff.gz
ipmitool_1.8.9-2+squeeze1.dsc
  to main/i/ipmitool/ipmitool_1.8.9-2+squeeze1.dsc
ipmitool_1.8.9-2+squeeze1_i386.deb
  to main/i/ipmitool/ipmitool_1.8.9-2+squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated ipmitool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 30 Dec 2011 09:12:15 +0100
Source: ipmitool
Binary: ipmitool
Architecture: source i386
Version: 1.8.9-2+squeeze1
Distribution: oldstable-security
Urgency: high
Maintainer: Matthew Johnson <mjj29@debian.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 ipmitool   - utility for IPMI control with kernel driver or LAN interface
Closes: 651917
Changes: 
 ipmitool (1.8.9-2+squeeze1) oldstable-security; urgency=high
 .
   * Don't set umask to fix CVE-2011-4339 (Closes: #651917).






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jan 2012 07:33:49 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:50:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.