Acknowledgement sent
to Sang Kil Cha <sangkil.cha@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christine Caulfield <Christine.Caulfield@googlemail.com>.
(Sat, 02 Feb 2013 14:30:04 GMT)
Package: latd
Version: 1.30
Severity: critical
Tags: security
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages latd depends on:
ii libc6 2.13-37
ii libgcc1 1:4.7.2-5
ii liblockdev1 1.0.3-1.5
ii libstdc++6 4.7.2-5
latd recommends no packages.
latd suggests no packages.
-- no debconf information
latd has a buffer overflow vulnerability @ llogincircuit.cc
    case LATCP_VERSION:
        if (strcmp(VERSION, (char*)cmdbuf) == 0)
        {
            state = RUNNING; // Versions match
            send_reply(LATCP_VERSION, VERSION, -1);
        }
        else
        {
            char error[1024];
            debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
            sprintf(error, "llogin version %s does not match latd version " VERSION, cmdbuf); //***** overflow here
This vulnerability can trigger arbitrary code execution for an unprivileged
user. I am attaching an example payload that crashes the latd daemon.
Reply sent
to Christine Caulfield <Christine.Caulfield@googlemail.com>:
You have taken responsibility.
(Mon, 04 Feb 2013 12:21:03 GMT)
Notification sent
to Sang Kil Cha <sangkil.cha@gmail.com>:
Bug acknowledged by developer.
(Mon, 04 Feb 2013 12:21:03 GMT)
Source: latd
Source-Version: 1.31
We believe that the bug you reported is fixed in the latest version of
latd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christine Caulfield <Christine.Caulfield@googlemail.com> (supplier of updated latd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 6 Dec 2013 11:32:08 +0000
Source: latd
Binary: latd
Architecture: source i386
Version: 1.31
Distribution: unstable
Urgency: low
Maintainer: Christine Caulfield <chrissie@debian.org>
Changed-By: Christine Caulfield <Christine.Caulfield@googlemail.com>
Description:
latd - LAT (Local Area Transport) Daemon
Closes: 699625
Changes:
latd (1.31) unstable; urgency=low
.
* Don't crash if we are fed a malicious version number.
Closes: #699625
* Fix some Lintian errors regarding LSB and build flags
Checksums-Sha1:
7905bb7a8752fee788a96a91ba53a78e3deff42c 739 latd_1.31.dsc
ef493493341c2c9bfc3ec709107846c33c70825f 515171 latd_1.31.tar.gz
8231ad1cbf5e2c1d3e364ee70610f73cd9c04e2b 92922 latd_1.31_i386.deb
Checksums-Sha256:
43861c390ad62fd4e91645e296b396d677b818de8656e0339991498e3f7e439d 739 latd_1.31.dsc
6839a48d60ee52d51c1cf1a4303459d55ab6d256fdba1ac2f5478c50796deaa0 515171 latd_1.31.tar.gz
94c7a68088bf8278967314320f9bae9eaff679c084f3707f9e6154bc0a17ffa6 92922 latd_1.31_i386.deb
Files:
2f562a15b75045415b08e6aef7e5c226 739 net extra latd_1.31.dsc
d2d4caeca72d0e640ebbe3f63d90f42e 515171 net extra latd_1.31.tar.gz
e09e7fc4b27d35aec417cccfcebfa563 92922 net extra latd_1.31_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlEPpFMACgkQhej7/PCycRNyaACfR0vU3OZ7oNx8dbr2npTKiB2x
e3sAmgKVnEoL6ItUnFfrqvn81OahDkTp
=UHdz
-----END PGP SIGNATURE-----
Changed Bug title to 'latd: CVE-2013-0251: unix socket privilege escalation' from 'unix socket privilege escalation'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 04 Feb 2013 22:00:07 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>: Bug#699625; Package latd.
(Mon, 04 Feb 2013 22:15:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>.
(Mon, 04 Feb 2013 22:15:03 GMT)
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Mon, 4 Feb 2013 23:14:20 +0100
Hi Christine
I noticed you already uploaded 1.31 fixing #699625 which is great,
thanks for working on this issue and fixing it already.
There is however one unfortunate thing:
91 files changed, 28516 insertions(+), 2085 deletions(-)
This is a problem as the fix needs to go to testing too, but we are in
Freeze for wheezy now so the freeze policy[1] applies.
[1]: http://release.debian.org/wheezy/freeze_policy.html
Could you isolate the fix needed and only perform a minimal update to
the package in regard to the version in testing? 1.30. I guess the
release team would like to see the changes reverted and have only the
bug fixed at this stage of the freeze.
I assume the only needed change is the following (only shortly looked
at the debdiff)?
----cut---------cut---------cut---------cut---------cut---------cut-----
--- latd-1.30/llogincircuit.cc 2008-08-20 13:10:23.000000000 +0000
+++ latd-1.31/llogincircuit.cc 2013-02-04 11:54:27.000000000 +0000
@@ -92,6 +92,11 @@
else
{
char error[1024];
+ // Truncate cmdbuf at an arbitrary point to make sure it fits into error[], otherwise it's a
+ // potential security problem. Debian bug #699625
+ if (len > 900)
+ len = 900;
+ cmdbuf[len] = '\0';
debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
sprintf(error, "llogin version %s does not match latd version " VERSION, cmdbuf);
send_reply(LATCP_ERRORMSG, error, -1);
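Review bot: the 900 cut-off on the added `if (len > 900)` lines is an implicit function of sizeof(error) (1024) and strlen(VERSION): it only leaves room because the fixed text (44 bytes), VERSION and the NUL together stay under 124 bytes, and nothing in the hunk ties the constant to either, so shrinking error[] or lengthening VERSION later reintroduces the overflow without any diagnostic. Suggest bounding the write by the buffer itself, `snprintf(error, sizeof(error), "llogin version %s does not match latd version " VERSION, cmdbuf);`, and keeping the clamp only to limit what reaches debuglog. Separately, `cmdbuf[len] = '\0';` writes at index len after the clamp, so the patch depends on cmdbuf being at least 901 bytes; its declaration is outside the visible context and should be checked.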
----cut---------cut---------cut---------cut---------cut---------cut-----
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>: Bug#699625; Package latd.
(Tue, 05 Feb 2013 08:30:03 GMT)
Acknowledgement sent
to Ignatios Souvatzis <is@netbsd.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>.
(Tue, 05 Feb 2013 08:30:03 GMT)
Hi,
I browsed the source archives of latd because pkgsrc still has latd 1.18,
and found that all versions between and including 1.25 and 1.30 have the
bug. I wonder if that information is useful to others...
Btw, why not change the sprintf to
snprintf(error, sizeof(error),
"llogin version %s does not match latd version " VERSION, cmdbuf);
instead of arbitrarily limiting cmdbuf to 900 characters, which might
be too long if somebody in the future shortened the buffer error or
passed in a much longer VERSION from the Makefile?
Do we want to avoid snprintf()?
Explicit
1024 - sizeof("llogin version does not match latd version " VERSION)
looks complicated, but makes the size requirement openly visible, and
should be optimizable by modern compilers.
Regards,
-is
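The three messages above argue about the same arithmetic: the original report shows an unbounded sprintf into error[1024], the 1.31 patch clamps cmdbuf to 900 bytes, and the follow-up asks why not snprintf bounded by the buffer. The program below is an added example written for this page, not code from latd or from any of the participants. It reproduces the vulnerable pattern, makes the size arithmetic the 900-byte clamp silently relies on explicit, and shows the snprintf form with a read bound on cmdbuf. It assumes error[] is 1024 bytes as in the report, that VERSION is "1.30", and that cmdbuf arrives as a byte string with a separate length (the patch's `cmdbuf[len] = '\0'` suggests it is not NUL-terminated on the wire); the payload is constructed, not the reporter's attachment.

```c
/* Added example, not latd code. Demonstrates the sprintf overflow reported
 * against llogincircuit.cc, the arithmetic behind the 1.31 "clamp to 900"
 * patch, and an snprintf rewrite whose bound follows the buffer.
 * Assumptions: error[] is 1024 bytes, VERSION is "1.30", cmdbuf carries an
 * explicit length and is not NUL-terminated. */
#include <stdio.h>
#include <string.h>

#define ERROR_BUF_SIZE 1024          /* char error[1024] in llogincircuit.cc */
#define LATD_VERSION   "1.30"        /* assumed value of the VERSION macro */

static const char MSG_PREFIX[] = "llogin version ";
static const char MSG_SUFFIX[] = " does not match latd version ";

/* Bytes of the message that are not attacker-controlled: fixed text plus
 * the daemon's own version string, excluding the terminating NUL. */
size_t fixed_overhead(const char *version)
{
    return (sizeof MSG_PREFIX - 1) + (sizeof MSG_SUFFIX - 1) + strlen(version);
}

/* Longest cmdbuf that still fits, with the NUL, in a bufsize-byte buffer.
 * This is the bound the 900-byte clamp relies on without stating it. */
size_t max_safe_cmdbuf_len(size_t bufsize, const char *version)
{
    size_t needed = fixed_overhead(version) + 1;   /* +1 for the NUL */
    return bufsize > needed ? bufsize - needed : 0;
}

/* Would the unbounded sprintf overrun a bufsize-byte buffer for a cmdbuf of
 * cmdlen bytes? Pure arithmetic, so it is safe to ask for any length. */
int would_overflow(size_t bufsize, const char *version, size_t cmdlen)
{
    return cmdlen > max_safe_cmdbuf_len(bufsize, version);
}

/* Is "truncate cmdbuf to clamp bytes, then sprintf" (the 1.31 patch) safe for
 * this buffer size and version string? It stops being safe once
 * strlen(VERSION) exceeds bufsize - clamp - 45 (79 characters here). */
int clamp_is_safe(size_t clamp, size_t bufsize, const char *version)
{
    return clamp <= max_safe_cmdbuf_len(bufsize, version);
}

/* The 1.30 pattern, kept deliberately unbounded as in the bug report:
 * sprintf writes fixed_overhead(version) + strlen(cmdbuf) + 1 bytes into
 * error no matter how large error is. Never call it with untrusted input. */
void format_version_error_unbounded(char *error, const char *version,
                                    const char *cmdbuf)
{
    sprintf(error, "%s%s%s%s", MSG_PREFIX, cmdbuf, MSG_SUFFIX, version);
}

/* Hardened form: the write is bounded by bufsize, which the caller passes as
 * sizeof(error), and the "%.*s" precision stops snprintf reading past the
 * cmdlen bytes that actually arrived. Returns 1 if the message was truncated
 * (worth logging), 0 if it fit, -1 on an encoding error. */
int format_version_error(char *error, size_t bufsize, const char *version,
                         const char *cmdbuf, size_t cmdlen)
{
    int n = snprintf(error, bufsize, "%s%.*s%s%s",
                     MSG_PREFIX, (int)cmdlen, cmdbuf, MSG_SUFFIX, version);
    if (n < 0)
        return -1;
    return (size_t)n >= bufsize;
}

/* Constructed payload standing in for a hostile LATCP_VERSION command:
 * 1000 bytes of 'A' with no NUL, longer than error[] can hold. */
#define PAYLOAD_LEN 1000
const char *sample_payload(void)
{
    static char payload[PAYLOAD_LEN];
    memset(payload, 'A', sizeof payload);
    return payload;
}

/* Length of the message the hardened form leaves in a bufsize-byte buffer
 * (bufsize is capped at ERROR_BUF_SIZE). */
size_t bounded_message_len(size_t bufsize, const char *version,
                           const char *cmdbuf, size_t cmdlen)
{
    char error[ERROR_BUF_SIZE];
    if (bufsize > sizeof error)
        bufsize = sizeof error;
    format_version_error(error, bufsize, version, cmdbuf, cmdlen);
    return strlen(error);
}

int main(void)
{
    printf("fixed overhead for VERSION %s: %zu bytes\n",
           LATD_VERSION, fixed_overhead(LATD_VERSION));
    printf("longest cmdbuf that fits in error[%d]: %zu\n",
           ERROR_BUF_SIZE, max_safe_cmdbuf_len(ERROR_BUF_SIZE, LATD_VERSION));
    printf("%d-byte payload overflows the 1.30 code: %s\n", PAYLOAD_LEN,
           would_overflow(ERROR_BUF_SIZE, LATD_VERSION, PAYLOAD_LEN) ? "yes" : "no");
    printf("clamp to 900 safe with this VERSION: %s\n",
           clamp_is_safe(900, ERROR_BUF_SIZE, LATD_VERSION) ? "yes" : "no");
    printf("snprintf form keeps the message at %zu bytes\n",
           bounded_message_len(ERROR_BUF_SIZE, LATD_VERSION,
                               sample_payload(), PAYLOAD_LEN));
    return 0;
}
```

With VERSION "1.30" the fixed overhead is 48 bytes, so anything past 975 bytes of cmdbuf overruns the 1.30 code and the 900-byte clamp has 75 bytes of slack; an 80-character VERSION string is enough to use that slack up, which is the point made about tying the limit to sizeof(error). The snprintf form needs no constant to keep in step with the buffer, and the `%.*s` bound is what lets it accept a non-terminated cmdbuf without the extra `cmdbuf[len] = '\0'` write.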
Information forwarded
to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>: Bug#699625; Package latd.
(Tue, 05 Feb 2013 08:30:05 GMT)
Acknowledgement sent
to Chrissie Caulfield <christine.caulfield@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>.
(Tue, 05 Feb 2013 08:30:05 GMT)
To: Salvatore Bonaccorso <carnil@debian.org>, 699625@bugs.debian.org
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Tue, 05 Feb 2013 08:26:53 +0000
On 04/02/13 22:14, Salvatore Bonaccorso wrote:
> Hi Christine
>
> I noticed you already uploaded 1.31 fixing #699625 which is great,
> thanks for working on this issue and fixing it already.
>
> There is however one unfortunate thing:
>
> 91 files changed, 28516 insertions(+), 2085 deletions(-)
>
> This is a problem as the fix needs to go to testing too, but we are in
> Freeze for wheezy now so the freeze policy[1] applies.
>
> [1]: http://release.debian.org/wheezy/freeze_policy.html
>
> Could you isolate the fix needed and only perform a minimal update to
> the package in regard to the version in testing? 1.30. I guess the
> release team would like to see the changes reverted and have only the
> bug fixed at this stage of the freeze.
Sorry, my mistake.
I'll do another upload later today with only that patch, then another
one to fix the lintian bugs later in the week. TBH most of that diff was
a silly autoconf-generated file!
Chrissie
Information forwarded
to debian-bugs-dist@lists.debian.org, Christine Caulfield <chrissie@debian.org>: Bug#699625; Package latd.
(Tue, 05 Feb 2013 09:57:05 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <chrissie@debian.org>.
(Tue, 05 Feb 2013 09:57:05 GMT)
To: Chrissie Caulfield <christine.caulfield@googlemail.com>
Cc: 699625@bugs.debian.org
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Tue, 5 Feb 2013 10:55:07 +0100
Hi
On Tue, Feb 05, 2013 at 08:26:53AM +0000, Chrissie Caulfield wrote:
> On 04/02/13 22:14, Salvatore Bonaccorso wrote:
> >Hi Christine
> >
> >I noticed you already uploaded 1.31 fixing #699625 which is great,
> >thanks for working on this issue and fixing it already.
> >
> >There is however one unfortunate thing:
> >
> > 91 files changed, 28516 insertions(+), 2085 deletions(-)
> >
> >This is a problem as the fix needs to go to testing too, but we are in
> >Freeze for wheezy now so the freeze policy[1] applies.
> >
> > [1]: http://release.debian.org/wheezy/freeze_policy.html
> >
> >Could you isolate the fix needed and only perform a minimal update to
> >the package in regard to the version in testing? 1.30. I guess the
> >release team would like to see the changes reverted and have only the
> >bug fixed at this stage of the freeze.
>
> Sorry, my mistake.
>
> I'll do another upload later today with only that patch, then
> another one to fix the lintian bugs later in the week. TBH most of
> that diff was a silly autoconf-generated file!
Thank you for the quick reply! Btw, could you then also ask for the
unblock to the release team? It should appear on their radar anyway as
it's an RC bug, but I think it's appreciated on their side.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Christine Caulfield <Christine.Caulfield@googlemail.com>: Bug#699625; Package latd.
(Tue, 05 Feb 2013 18:57:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christine Caulfield <Christine.Caulfield@googlemail.com>.
(Tue, 05 Feb 2013 18:57:04 GMT)
Subject: Re: Bug#699625: Only apply minimal changes to latd package due to Wheezy freeze
Date: Tue, 5 Feb 2013 19:53:03 +0100
Hi
One further follow up: The Security Team marked the issue as no-dsa in
the Security-Tracker[1]. So an update for Squeeze might go through a p-u
upload.
[1] https://security-tracker.debian.org/tracker/CVE-2013-0251
Thanks for fixing this issue quickly!
Regards,
Salvatore
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 02 Jun 2013 07:44:04 GMT)