Debian Bug report logs - #688007
monkey: CVE-2012-4442: Fails to drop supplemental groups when lowering privileges

version graph

Package: monkey; Maintainer for monkey is Thorsten Schmale <thorsten@schmalenegger.com>;

Reported by: John Lightsey <lightsey@debian.org>

Date: Tue, 18 Sep 2012 04:03:01 UTC

Severity: grave

Tags: security

Found in version monkey/0.9.3-1

Fixed in version 0.9.3-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thorsten Schmale <thorsten@schmalenegger.com>:
Bug#688007; Package monkey. (Tue, 18 Sep 2012 04:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Lightsey <lightsey@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thorsten Schmale <thorsten@schmalenegger.com>. (Tue, 18 Sep 2012 04:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: John Lightsey <lightsey@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: monkey: Fails to drop supplemental groups when lowering privileges
Date: Mon, 17 Sep 2012 22:59:37 -0500
Package: monkey
Version: 0.9.3-1
Severity: grave
Tags: security
Justification: user security hole

Monkey webserver fails to drop supplemental groups when lowering privileges.
This allows any local user on the system to read any fine that root's
supplemental
groups can access. Monkey does perform a filesystem access check to make sure
that its EUID/EGID can access the target file, but this check is subject to
TOCTOU flaws.



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Schmale <thorsten@schmalenegger.com>:
Bug#688007; Package monkey. (Tue, 18 Sep 2012 04:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Thorsten Schmale <thorsten@schmalenegger.com>. (Tue, 18 Sep 2012 04:39:05 GMT) Full text and rfc822 format available.

Message #10 received at 688007@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: 688007@bugs.debian.org
Subject: CVE
Date: Tue, 18 Sep 2012 07:26:21 +0300
Does this issue have CVE-identifier?

- Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Schmale <thorsten@schmalenegger.com>:
Bug#688007; Package monkey. (Thu, 20 Sep 2012 17:39:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Thorsten Schmale <thorsten@schmalenegger.com>. (Thu, 20 Sep 2012 17:39:10 GMT) Full text and rfc822 format available.

Message #15 received at 688007@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: 688007@bugs.debian.org
Subject: CVE-request done
Date: Thu, 20 Sep 2012 20:36:05 +0300
CVE request: http://www.openwall.com/lists/oss-security/2012/09/20/7

- Henri Salo



Changed Bug title to 'monkey: CVE-2012-4442: Fails to drop supplemental groups when lowering privileges' from 'monkey: Fails to drop supplemental groups when lowering privileges' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 21 Sep 2012 05:39:09 GMT) Full text and rfc822 format available.

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 30 Sep 2012 13:15:26 GMT) Full text and rfc822 format available.

Notification sent to John Lightsey <lightsey@debian.org>:
Bug acknowledged by developer. (Sun, 30 Sep 2012 13:15:26 GMT) Full text and rfc822 format available.

Message #22 received at 688007-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 601361-done@bugs.debian.org,640743-done@bugs.debian.org,645879-done@bugs.debian.org,672425-done@bugs.debian.org,688007-done@bugs.debian.org,688008-done@bugs.debian.org,688009-done@bugs.debian.org,
Cc: monkey@packages.debian.org, monkey@packages.qa.debian.org
Subject: Bug#688879: Removed package(s) from unstable
Date: Sun, 30 Sep 2012 13:11:37 +0000
Version: 0.9.3-1+rm

Dear submitter,

as the package monkey has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/688879

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:28:16 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 18:51:59 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.