Debian Bug report logs - #733505
rush: CVE-2013-6889: Allows reading arbitrary files


Package: rush; Maintainer for rush is Mats Erik Andersson <mats.andersson@gisladisker.se>; Source for rush is src:rush.

Reported by: Steve Kemp <steve@steve.org.uk>

Date: Sun, 29 Dec 2013 14:48:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version rush/1.7+dfsg-1

Fixed in version rush/1.7+dfsg-4

Done: Mats Erik Andersson <mats.andersson@gisladisker.se>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mats Erik Andersson <mats.andersson@gisladisker.se>:
Bug#733505; Package rush. (Sun, 29 Dec 2013 14:48:06 GMT)

Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
New Bug report received and forwarded. Copy sent to Mats Erik Andersson <mats.andersson@gisladisker.se>. (Sun, 29 Dec 2013 14:48:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <steve@steve.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rush: Allows reading arbitrary files
Date: Sun, 29 Dec 2013 14:06:25 +0000
Package: rush
Version: 1.7+dfsg-1
Severity: important

 From the package description:

    "GNU Rush is a restricted shell designed for sites providing only
     limited access to resources for remote users".

  Much like sudo the shell allows a configuration file to limit the
 commands the user(s) are allowed to execute, and again like sudo
 the main binary (/usr/sbin/rush) is installed setuid root.

  Unfortunately the program suffers from the grave flaw that a
 configuration file may be tested via the --lint option, and this
 occurs prior to dropping any privileges.  As the program is
 setuid(root) any file on the system may be read.

  Sample "exploit":

shelob ~ $ rush --lint /etc/shadow 2>&1| head -n 2
rush: Info: /etc/shadow:1: unknown statement: root:$6$zwJQWKVo$../Wg.rwXXitSyS8/.../:15884:0:99999:7:::
rush: Info: /etc/shadow:2: unknown statement: daemon:*:15884:0:99999:7:::

  As you can see the unrecognized content is shown to the user,
 allowing the local user access to the file they otherwise couldn't
 read.  In this case setting up the system for a dictionary attack
 against the password hashes.

  Mitigating factors: Only the first whitespace-separated token
 is shown to the user.

  The identifier CVE-2013-6889 has been assigned to help track
 this security problem across distributions and releases.  Please
 mention it when uploading a fixed package.


-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11.2 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rush depends on:
ii  libc6  2.13-38

rush recommends no packages.

Versions of packages rush suggests:
pn  xinetd | inetutils-inetd  <none>

-- no debconf information



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Dec 2013 15:57:05 GMT)

Changed Bug title to 'rush: CVE-2013-6889: Allows reading arbitrary files' from 'rush: Allows reading arbitrary files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Dec 2013 15:57:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Mats Erik Andersson <mats.andersson@gisladisker.se>:
Bug#733505; Package rush. (Thu, 02 Jan 2014 13:06:07 GMT)

Acknowledgement sent to Sven Hoexter <sven@timegate.de>:
Extra info received and forwarded to list. Copy sent to Mats Erik Andersson <mats.andersson@gisladisker.se>. (Thu, 02 Jan 2014 13:06:07 GMT)

Message #14 received at 733505@bugs.debian.org:

From: Sven Hoexter <sven@timegate.de>
To: 733505@bugs.debian.org, steve@steve.org.uk
Subject: rush CVE-2013-6889 forwarded upstream?
Date: Thu, 2 Jan 2014 13:58:06 +0100
Hi Steve,
have you informed the rush upstream developer about this issue?
I could not find anything in the public resources upstream so far.

Sven
-- 
we live we love we learn and breathe
each breath we take makes me believe that we can take this road forever
if we take this road together
                                 [ AZ0 - Endless Roads ]



Information forwarded to debian-bugs-dist@lists.debian.org, Mats Erik Andersson <mats.andersson@gisladisker.se>:
Bug#733505; Package rush. (Mon, 20 Jan 2014 11:57:09 GMT)

Acknowledgement sent to Sergey Poznyakoff <gray@gnu.org>:
Extra info received and forwarded to list. Copy sent to Mats Erik Andersson <mats.andersson@gisladisker.se>. (Mon, 20 Jan 2014 11:57:09 GMT)

Message #19 received at 733505@bugs.debian.org:

From: Sergey Poznyakoff <gray@gnu.org>
To: <733505@bugs.debian.org>
Subject: Re: CVE-2013-6889: Allows reading arbitrary files
Date: Mon, 20 Jan 2014 13:30:15 +0200
Hello,

Thanks for noticing.  The bug is fixed in the rush repository (commit
00bdccd4).

Regards,
Sergey



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 Jan 2014 15:21:16 GMT)

Reply sent to Mats Erik Andersson <mats.andersson@gisladisker.se>:
You have taken responsibility. (Fri, 24 Jan 2014 15:27:30 GMT)

Notification sent to Steve Kemp <steve@steve.org.uk>:
Bug acknowledged by developer. (Fri, 24 Jan 2014 15:27:30 GMT)

Message #26 received at 733505-close@bugs.debian.org:

From: Mats Erik Andersson <mats.andersson@gisladisker.se>
To: 733505-close@bugs.debian.org
Subject: Bug#733505: fixed in rush 1.7+dfsg-4
Date: Fri, 24 Jan 2014 15:26:25 +0000
Source: rush
Source-Version: 1.7+dfsg-4

We believe that the bug you reported is fixed in the latest version of
rush, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 733505@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mats Erik Andersson <mats.andersson@gisladisker.se> (supplier of updated rush package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 Jan 2014 13:32:24 +0100
Source: rush
Binary: rush
Architecture: source amd64
Version: 1.7+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Mats Erik Andersson <mats.andersson@gisladisker.se>
Changed-By: Mats Erik Andersson <mats.andersson@gisladisker.se>
Description: 
 rush       - restricted user shell
Closes: 733505
Changes: 
 rush (1.7+dfsg-4) unstable; urgency=high
 .
   * Standards 3.9.5, no changes.
   * Attend to CVE-2013-6889, file access escalation. (Closes: #733505)
     + debian/patches/cve_2013_6889.diff: New file.
   * Fix a problem with translated help message.
     + debian/patches/help_text.diff: New file.
   * Minor update to manual pages of rushlast and rushwho.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 24 Feb 2014 07:25:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:44:17 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.