Debian Bug report logs - #675203
[CVE-2012-2944] upsd can be remotely crashed


Package: nut; Maintainer for nut is Arnaud Quette <aquette@debian.org>; Source for nut is src:nut.

Reported by: Arnaud Quette <aquette.dev@gmail.com>

Date: Wed, 30 May 2012 14:03:02 UTC

Severity: critical

Tags: patch, security

Found in versions nut/2.4.3-1.1squeeze1, nut/2.4.3-1

Fixed in versions nut/2.6.4-1, nut/2.4.3-1.1squeeze2

Done: Arnaud Quette <aquette@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Arnaud Quette <aquette@debian.org>:
Bug#675203; Package nut. (Wed, 30 May 2012 14:03:05 GMT)

Acknowledgement sent to Arnaud Quette <aquette.dev@gmail.com>:
New Bug report received and forwarded. Copy sent to Arnaud Quette <aquette@debian.org>. (Wed, 30 May 2012 14:03:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Arnaud Quette <aquette.dev@gmail.com>
To: Debian Bugs <submit@bugs.debian.org>
Subject: [CVE-2012-2944] upsd can be remotely crashed
Date: Wed, 30 May 2012 15:58:32 +0200
Package: nut
Severity: critical
Tags: security patch

The following potential vulnerability has been reported against NUT
(Network UPS Tools):
https://alioth.debian.org/tracker/index.php?func=detail&aid=313636&group_id=30602&atid=411542

The patch has already been committed upstream (development version),
and includes more details on the issue:
http://trac.networkupstools.org/projects/nut/changeset/3633

It will be available in 2.6.4, which will be released by the end of the week.
This will fix Sid and Testing.

But Stable is still exposed (NUT 2.4.3). I'm currently preparing an
upload to fix it (2.4.3-1.1squeeze2).

Please use CVE-2012-2944 for this issue.
This CVE is not yet official, but will be on Friday, June 1st 00:00:00 UTC.

cheers,
Arnaud
--
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
Reply sent to Arnaud Quette <aquette@debian.org>:
You have taken responsibility. (Mon, 04 Jun 2012 20:54:11 GMT)

Notification sent to Arnaud Quette <aquette.dev@gmail.com>:
Bug acknowledged by developer. (Mon, 04 Jun 2012 20:54:11 GMT)

Message #10 received at 675203-close@bugs.debian.org:

From: Arnaud Quette <aquette@debian.org>
To: 675203-close@bugs.debian.org
Subject: Bug#675203: fixed in nut 2.4.3-1.1squeeze2
Date: Mon, 04 Jun 2012 20:51:17 +0000
Source: nut
Source-Version: 2.4.3-1.1squeeze2

We believe that the bug you reported is fixed in the latest version of
nut, which is due to be installed in the Debian FTP archive:

libupsclient1-dev_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/libupsclient1-dev_2.4.3-1.1squeeze2_i386.deb
libupsclient1_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/libupsclient1_2.4.3-1.1squeeze2_i386.deb
nut-cgi_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/nut-cgi_2.4.3-1.1squeeze2_i386.deb
nut-hal-drivers_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/nut-hal-drivers_2.4.3-1.1squeeze2_i386.deb
nut-powerman-pdu_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/nut-powerman-pdu_2.4.3-1.1squeeze2_i386.deb
nut-snmp_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/nut-snmp_2.4.3-1.1squeeze2_i386.deb
nut-xml_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/nut-xml_2.4.3-1.1squeeze2_i386.deb
nut_2.4.3-1.1squeeze2.diff.gz
  to main/n/nut/nut_2.4.3-1.1squeeze2.diff.gz
nut_2.4.3-1.1squeeze2.dsc
  to main/n/nut/nut_2.4.3-1.1squeeze2.dsc
nut_2.4.3-1.1squeeze2_i386.deb
  to main/n/nut/nut_2.4.3-1.1squeeze2_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 675203@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arnaud Quette <aquette@debian.org> (supplier of updated nut package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 30 May 2012 13:38:46 +0200
Source: nut
Binary: nut nut-cgi nut-snmp nut-hal-drivers nut-xml nut-powerman-pdu libupsclient1 libupsclient1-dev
Architecture: source i386
Version: 2.4.3-1.1squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Arnaud Quette <aquette@debian.org>
Changed-By: Arnaud Quette <aquette@debian.org>
Description: 
 libupsclient1 - network UPS tools - client library
 libupsclient1-dev - network UPS tools - development files
 nut        - network UPS tools - core system
 nut-cgi    - network UPS tools - web interface
 nut-hal-drivers - network UPS tools - HAL interface
 nut-powerman-pdu - network UPS tools - PowerMan PDU driver
 nut-snmp   - network UPS tools - SNMP driver
 nut-xml    - network UPS tools - XML/HTTP driver
Closes: 675203
Changes: 
 nut (2.4.3-1.1squeeze2) stable-security; urgency=high
 .
   * debian/control, debian/rules, debian/patches/*: enable dpatch again
   * debian/patches/0001-fix_CVE-2012-2944.patch: Fix CVE-2012-2944,
     which exposes upsd to remote crashes. (Closes: #675203)
Checksums-Sha1: 
 411e0725ad04c132c97771e8c168b5f6599bb141 1573 nut_2.4.3-1.1squeeze2.dsc
 3a09b09c03df7e8b12f70576fd703e65d1cf7b06 1154503 nut_2.4.3.orig.tar.gz
 792772fcb69af96a5aa103c2242b5281539d5a48 33544 nut_2.4.3-1.1squeeze2.diff.gz
 2a6b96257bc206f66674d20f6d30cc3be7eefc40 1214478 nut_2.4.3-1.1squeeze2_i386.deb
 2d8af9406b781a0b74322f5b429d4fd70add3d1c 78116 nut-cgi_2.4.3-1.1squeeze2_i386.deb
 e3c96f5516028508cc86e6a4abaecc2fe96e8e19 63714 nut-snmp_2.4.3-1.1squeeze2_i386.deb
 9731019e0ce3338ee225cc0cc9238eb13953c3a3 141282 nut-hal-drivers_2.4.3-1.1squeeze2_i386.deb
 6d35947e7c7bfacbccc03154e698ff35df6030d8 59958 nut-xml_2.4.3-1.1squeeze2_i386.deb
 5de6017a85cefad66f81527208965299e8523738 52048 nut-powerman-pdu_2.4.3-1.1squeeze2_i386.deb
 f5db51d99d32d99f635747a993943cfea0f2d8e0 42078 libupsclient1_2.4.3-1.1squeeze2_i386.deb
 2d99570c6e95b76bd3a2cb2c6bf9e8e6d6d1c4bd 55560 libupsclient1-dev_2.4.3-1.1squeeze2_i386.deb
Checksums-Sha256: 
 9631006596c488e0e98f99a2591c52ba1577e8671a01b7920882857a0d455f13 1573 nut_2.4.3-1.1squeeze2.dsc
 d3b701f21f1e049abb5df94ee9805fce86fe57a876c3bb41217558a846a49335 1154503 nut_2.4.3.orig.tar.gz
 f3e3386b8685bcf0ceb62b21001a5429959dea0e7b4c44a2e60f4df378b8085f 33544 nut_2.4.3-1.1squeeze2.diff.gz
 e096afaea0d0ea79732da9dbd05e0e88830f816f400b20074a2e5cd1c681fd20 1214478 nut_2.4.3-1.1squeeze2_i386.deb
 51a65aceb5b40a527630158afa73868f5f5cc4ef5cd044e8cbc913dad0f8f20d 78116 nut-cgi_2.4.3-1.1squeeze2_i386.deb
 5db0c67ef0f9f0de7b92a1aa3c9c9c615acadcc1aa8b7d5bf8c2cb8a2436410f 63714 nut-snmp_2.4.3-1.1squeeze2_i386.deb
 7c379eeb2cb48034170e12936982266c508de9f9e46d3c77d641d7793d37aba1 141282 nut-hal-drivers_2.4.3-1.1squeeze2_i386.deb
 817fa74d4852b374b3f9d117e1a95db6059c297af7219a228a3492be26d7458c 59958 nut-xml_2.4.3-1.1squeeze2_i386.deb
 f9e0806962f34803f80616a3b167f9f6a5739f43e5769665b8959d84e4c1281d 52048 nut-powerman-pdu_2.4.3-1.1squeeze2_i386.deb
 4dbcda9b30222a9456f64821b0ce99c9d16d09bca5f352d31d8176458f85476d 42078 libupsclient1_2.4.3-1.1squeeze2_i386.deb
 582fa099f92cf0647a7ad23d534b1a799d0e352a73c8073a3eb37bf0407fa356 55560 libupsclient1-dev_2.4.3-1.1squeeze2_i386.deb
Files: 
 69f65beac439c52f413bbf7c2e4f15fd 1573 admin optional nut_2.4.3-1.1squeeze2.dsc
 6f893b61b07915e7a139324fa3f79121 1154503 admin optional nut_2.4.3.orig.tar.gz
 f9a4972545b8ffe40032c5a4f714ea1b 33544 admin optional nut_2.4.3-1.1squeeze2.diff.gz
 2d4e08ad091ee1083a643ed8b474a196 1214478 admin optional nut_2.4.3-1.1squeeze2_i386.deb
 bfff76c2a05cf54e1e53e0cda604f286 78116 admin optional nut-cgi_2.4.3-1.1squeeze2_i386.deb
 af8f11a7796d6902bfa462be0040a65a 63714 admin optional nut-snmp_2.4.3-1.1squeeze2_i386.deb
 e71b8f899bcb1c3cf43497eff0b28c97 141282 admin optional nut-hal-drivers_2.4.3-1.1squeeze2_i386.deb
 d65adce505fdbc28a0168ea1efd2146e 59958 admin optional nut-xml_2.4.3-1.1squeeze2_i386.deb
 e6ae02e9ee62d12d059864a946e6e667 52048 admin optional nut-powerman-pdu_2.4.3-1.1squeeze2_i386.deb
 02451f689cd58e25bdf14762bb82cf54 42078 admin optional libupsclient1_2.4.3-1.1squeeze2_i386.deb
 0f3b1fb74e08f68e63920fe1d84c62e1 55560 libdevel optional libupsclient1-dev_2.4.3-1.1squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk/GZW8ACgkQ22QUyiBN3xurzACfWyv8Vdzw016D9voO8/emwHgn
W8kAoJ4I8o0pFrb1SchgyGzQIQWKL4Rl
=jq+A
-----END PGP SIGNATURE-----
Marked as fixed in versions nut/2.6.4-1. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Wed, 13 Jun 2012 13:27:03 GMT)

Marked as found in versions nut/2.4.3-1.1squeeze1. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Wed, 13 Jun 2012 13:27:06 GMT)

Marked as found in versions nut/2.4.3-1; no longer marked as fixed in versions nut/2.4.3-1.1squeeze2. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Wed, 13 Jun 2012 13:36:06 GMT)

Marked as fixed in versions nut/2.4.3-1.1squeeze2. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Wed, 13 Jun 2012 13:42:05 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:25:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:59:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.