Debian Bug report logs - #699625
latd: CVE-2013-0251: unix socket privilege escalation


Package: latd; Maintainer for latd is Debian QA Group <packages@qa.debian.org>; Source for latd is src:latd (PTS, buildd, popcon).

Reported by: Sang Kil Cha <sangkil.cha@gmail.com>

Date: Sat, 2 Feb 2013 14:30:02 UTC

Severity: critical

Tags: security

Found in version latd/1.30

Fixed in version latd/1.31

Done: Christine Caulfield <Christine.Caulfield@googlemail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christine Caulfield <Christine.Caulfield@googlemail.com>:
Bug#699625; Package latd. (Sat, 02 Feb 2013 14:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sang Kil Cha <sangkil.cha@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christine Caulfield <Christine.Caulfield@googlemail.com>. (Sat, 02 Feb 2013 14:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sang Kil Cha <sangkil.cha@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unix socket privilege escalation
Date: Sat, 02 Feb 2013 09:23:57 -0500
Package: latd
Version: 1.30
Severity: critical
Tags: security



-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages latd depends on:
ii  libc6        2.13-37
ii  libgcc1      1:4.7.2-5
ii  liblockdev1  1.0.3-1.5
ii  libstdc++6   4.7.2-5

latd recommends no packages.

latd suggests no packages.

-- no debconf information




latd has a buffer overflow vulnerability @ llogincircuit.cc

    case LATCP_VERSION:
        if (strcmp(VERSION, (char*)cmdbuf) == 0)
        {
            state = RUNNING; // Versions match
            send_reply(LATCP_VERSION, VERSION, -1);
        }
        else
        {
            char error[1024];
            debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
            sprintf(error, "llogin version %s does not match latd version " VERSION, cmdbuf); //***** overflow here


This vulnerability can trigger arbitrary code execution for an unprivileged
user. I am attaching an example payload that crashes latd daemon.
[payload.c (text/x-c, attachment)]

Reply sent to Christine Caulfield <Christine.Caulfield@googlemail.com>:
You have taken responsibility. (Mon, 04 Feb 2013 12:21:03 GMT) (full text, mbox, link).


Notification sent to Sang Kil Cha <sangkil.cha@gmail.com>:
Bug acknowledged by developer. (Mon, 04 Feb 2013 12:21:03 GMT) (full text, mbox, link).


Message #10 received at 699625-close@bugs.debian.org (full text, mbox, reply):

From: Christine Caulfield <Christine.Caulfield@googlemail.com>
To: 699625-close@bugs.debian.org
Subject: Bug#699625: fixed in latd 1.31
Date: Mon, 04 Feb 2013 12:17:29 +0000
Source: latd
Source-Version: 1.31

We believe that the bug you reported is fixed in the latest version of
latd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christine Caulfield <Christine.Caulfield@googlemail.com> (supplier of updated latd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun,  6 Dec 2013 11:32:08 +0000
Source: latd
Binary: latd
Architecture: source i386
Version: 1.31
Distribution: unstable
Urgency: low
Maintainer: Christine Caulfield <chrissie@debian.org>
Changed-By: Christine Caulfield <Christine.Caulfield@googlemail.com>
Description: 
 latd       - LAT (Local Area Transport) Daemon
Closes: 699625
Changes: 
 latd (1.31) unstable; urgency=low
 .
   * Don't crash if we are fed a malicious version number.
     Closes: #699625
   * Fix some Lintian errors regarding LSB and build flags





Changed Bug title to 'latd: CVE-2013-0251: unix socket privilege escalation' from 'unix socket privilege escalation' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 04 Feb 2013 22:00:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>:
Bug#699625; Package latd. (Mon, 04 Feb 2013 22:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>. (Mon, 04 Feb 2013 22:15:03 GMT) (full text, mbox, link).


Message #17 received at 699625@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 699625@bugs.debian.org
Cc: Sang Kil Cha <sangkil.cha@gmail.com>
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Mon, 4 Feb 2013 23:14:20 +0100
Hi Christine

I noticed you already uploaded 1.31 fixing #699625 which is great,
thanks for working on this issue and fixing it already.

There is however one unfortunate thing:

 91 files changed, 28516 insertions(+), 2085 deletions(-)

This is a problem as the fix needs to go to testing too, but we are in
Freeze for wheezy now so the freeze policy[1] applies.

 [1]: http://release.debian.org/wheezy/freeze_policy.html

Could you isolate the fix needed and only perform a minimal update to
the package in regard to the version in testing? 1.30. I guess the
release team would like to see the changes reverted and have only the
bug fixed at this stage of the freeze.

I assume the only needed change is the following (only shortly looked
at the debdiff)?

----cut---------cut---------cut---------cut---------cut---------cut-----
--- latd-1.30/llogincircuit.cc  2008-08-20 13:10:23.000000000 +0000
+++ latd-1.31/llogincircuit.cc  2013-02-04 11:54:27.000000000 +0000
@@ -92,6 +92,11 @@
        else
        {
            char error[1024];
+           // Truncate cmdbuf at an arbitrary point to make sure it fits into error[], otherwise it's a
+           // potential security problem. Debian bug #699625
+           if (len > 900)
+                   len = 900;
+           cmdbuf[len] = '\0';
            debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
            sprintf(error, "llogin version %s does not match latd version " VERSION, cmdbuf);
            send_reply(LATCP_ERRORMSG, error, -1);
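Review bot: the hard cap in `if (len > 900)` only holds while the fixed message text plus VERSION leaves at least 124 bytes free in the 1024-byte error[], so a longer VERSION string coming from the build would silently bring the overflow back; bounding the write itself with `snprintf(error, sizeof(error), ...)` in place of the `sprintf` line removes that dependency. The added `cmdbuf[len] = '\0';` also assumes cmdbuf has room at index len, which this hunk does not show.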
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>:
Bug#699625; Package latd. (Tue, 05 Feb 2013 08:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ignatios Souvatzis <is@netbsd.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>. (Tue, 05 Feb 2013 08:30:03 GMT) (full text, mbox, link).


Message #22 received at 699625@bugs.debian.org (full text, mbox, reply):

From: Ignatios Souvatzis <is@netbsd.org>
To: 699625@bugs.debian.org
Subject: asdf
Date: Tue, 5 Feb 2013 09:05:56 +0100
Hi,

I browsed the source archives of latd because pkgsrc still has latd 1.18,
and found that all versions between and including 1.25 and 1.30 have the
bug. I wonder if that information is useful to others...

Btw, why not change the sprintf to

snprintf(error, sizeof(error),
	"llogin version %s does not match latd version " VERSION, cmdbuf);

instead of arbitrarily limiting cmdbuf to 900 characters, which might 
be too long if somebody in the future shortened the buffer error or 
passed in a much longer VERSION from the Makefile?

Do we want to avoid snprintf()?

Explicit

1024 - sizeof("llogin version  does not match latd version " VERSION)
looks complicated, but makes the size requirement openly visible, and 
should be optimizable by modern compilers.

Regards,
	-is
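The three ways of building latd's error reply that this thread compares (the 1.31 truncation at 900 bytes, snprintf bounded by the destination, and an explicit size budget), as an added C example that is not latd's own code; VERSION, ERROR_LEN, FMT and the helper names are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not latd's own code: the error-reply construction from
 * llogincircuit.cc written three ways. VERSION is a constructed stand-in for
 * latd's build-time macro; ERROR_LEN mirrors the 1024-byte error[] there. */
#define VERSION   "1.30"
#define ERROR_LEN 1024
#define FMT   "llogin version %s does not match latd version " VERSION
/* Same text with the %s removed, so sizeof() gives fixed bytes plus NUL. */
#define FIXED "llogin version  does not match latd version " VERSION
char err_buf[ERROR_LEN];               /* stands in for error[1024] */

/* Bytes the original unbounded sprintf writes for a cmdlen-byte client
 * string; above ERROR_LEN it overruns error[] (the CVE-2013-0251 bug). */
size_t needed_bytes(size_t cmdlen) { return cmdlen + sizeof(FIXED); }

/* The latd 1.31 fix caps the client string at 900 bytes and keeps sprintf.
 * That is sound only while 900 + sizeof(FIXED) <= ERROR_LEN, which depends
 * on VERSION and the fixed text staying short; this reports the condition. */
int cap900_fits(void) { return 900 + sizeof(FIXED) <= ERROR_LEN; }

int build_capped(char *error, const char *cmdbuf, size_t len) {
    char copy[901];                    /* 900 bytes plus terminating NUL */
    if (len > 900) len = 900;
    memcpy(copy, cmdbuf, len);
    copy[len] = '\0';
    return sprintf(error, FMT, copy);  /* write still unbounded, input is not */
}

/* Alternative raised in the thread: bound the write by the destination, so an
 * over-long message is truncated, not overflowed, whatever VERSION becomes. */
int build_snprintf(char *error, const char *cmdbuf) {
    return snprintf(error, ERROR_LEN, FMT, cmdbuf);
}

/* Explicit budget: client bytes that fit beside the fixed text. Derived from
 * the buffer size, so it shrinks by itself if VERSION or the text grows. */
#define MAX_CMD (ERROR_LEN - sizeof(FIXED))

int build_explicit(char *error, const char *cmdbuf) {
    return snprintf(error, ERROR_LEN,             /* %.*s caps client bytes */
                    "llogin version %.*s does not match latd version " VERSION,
                    (int)MAX_CMD, cmdbuf);
}

/* Constructed test input: a 2000-byte client "version" string of 'A's. */
const char *long_input(void) {
    static char big[2001];
    memset(big, 'A', 2000);
    big[2000] = '\0';
    return big;
}
```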



Information forwarded to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>:
Bug#699625; Package latd. (Tue, 05 Feb 2013 08:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Chrissie Caulfield <christine.caulfield@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>. (Tue, 05 Feb 2013 08:30:05 GMT) (full text, mbox, link).


Message #27 received at 699625@bugs.debian.org (full text, mbox, reply):

From: Chrissie Caulfield <christine.caulfield@googlemail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 699625@bugs.debian.org
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Tue, 05 Feb 2013 08:26:53 +0000
On 04/02/13 22:14, Salvatore Bonaccorso wrote:
> Hi Christine
>
> I noticed you already uploaded 1.31 fixing #699625 which is great,
> thanks for working on this issue and fixing it already.
>
> There is however one unfortunate thing:
>
>   91 files changed, 28516 insertions(+), 2085 deletions(-)
>
> This is a problem as the fix needs to go to testing too, but we are in
> Freeze for wheezy now so the freeze policy[1] applies.
>
>   [1]: http://release.debian.org/wheezy/freeze_policy.html
>
> Could you isolate the fix needed and only perform a minimal update to
> the package in regard to the version in testing? 1.30. I guess the
> release team would like to see the changes reverted and have only the
> bug fixed at this stage of the freeze.

Sorry, my mistake.

I'll do another upload later today with only that patch, then another 
one to fix the lintian bugs later in the week. TBH most of that diff was 
a silly autoconf-generated file!

Chrissie



Information forwarded to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>:
Bug#699625; Package latd. (Tue, 05 Feb 2013 09:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>. (Tue, 05 Feb 2013 09:57:05 GMT) (full text, mbox, link).


Message #32 received at 699625@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chrissie Caulfield <christine.caulfield@googlemail.com>
Cc: 699625@bugs.debian.org
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Tue, 5 Feb 2013 10:55:07 +0100
Hi

On Tue, Feb 05, 2013 at 08:26:53AM +0000, Chrissie Caulfield wrote:
> On 04/02/13 22:14, Salvatore Bonaccorso wrote:
> >Hi Christine
> >
> >I noticed you already uploaded 1.31 fixing #699625 which is great,
> >thanks for working on this issue and fixing it already.
> >
> >There is however one unfortunate thing:
> >
> >  91 files changed, 28516 insertions(+), 2085 deletions(-)
> >
> >This is a problem as the fix needs to go to testing too, but we are in
> >Freeze for wheezy now so the freeze policy[1] applies.
> >
> >  [1]: http://release.debian.org/wheezy/freeze_policy.html
> >
> >Could you isolate the fix needed and only perform a minimal update to
> >the package in regard to the version in testing? 1.30. I guess the
> >release team would like to see the changes reverted and have only the
> >bug fixed at this stage of the freeze.
> 
> Sorry, my mistake.
> 
> I'll do another upload later today with only that patch, then
> another one to fix the lintian bugs later in the week. TBH most of
> that diff was a silly autoconf-generated file!

Thank you for the quick reply! Btw, could you then also ask for the
unblock to the release team? It should appear on their radar anyway as
it's an RC bug, but I think it's appreciated on their side.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christine Caulfield <Christine.Caulfield@googlemail.com>:
Bug#699625; Package latd. (Tue, 05 Feb 2013 18:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <Christine.Caulfield@googlemail.com>. (Tue, 05 Feb 2013 18:57:04 GMT) (full text, mbox, link).


Message #37 received at 699625@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 699625@bugs.debian.org
Cc: Chrissie Caulfield <christine.caulfield@googlemail.com>
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Tue, 5 Feb 2013 19:53:03 +0100
Hi

One further follow up: The Security Team marked the issue as no-dsa in
the Security-Tracker[1]. So an update for Squeeze might go through a p-u
upload.

 [1] https://security-tracker.debian.org/tracker/CVE-2013-0251

Thanks for fixing this issue quickly!

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:44:04 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:23:47 2025; Machine Name: buxtehude
