Your message dated Thu, 24 Apr 2014 06:03:44 +0000
with message-id <e1wdcl6-0005ot...@franck.debian.org>
and subject line Bug#580188: fixed in clamav 0.98.1+dfsg-5
has caused the Debian Bug report #580188,
regarding pid file attacks can be used to kill arbitrary processes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
580188: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580188
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Version: 0.63.0-2
Severity: normal
Tags: security

The pid files for clamav and freshclam are writable by user clamav.
If that user is compromised, it can replace the pid file contents
with an arbitrary pid, such as 1. Then both init scripts will proceed
to kill the process.

start-stop-daemon avoids this kind of security flaw by checking
/proc/pid/exe (when run with -exec), or at least the process name (when
run with -name). Neither init script uses it. The lsb init script
pidofproc does not do those checks on Debian at least.

Besides the potential security hole, killing a process that
is stored in a pid file without checking that the pid file is accurate
is asking for trouble. Things go wrong, and pid files, stale.

-- 
see shy jo



--- End Message ---
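
The check described in the report above, as an added example (not code from the clamav package, its init scripts, or start-stop-daemon): the pid file is treated as untrusted input and the PID is signalled only if /proc/<pid>/exe points at the expected binary. The function names and the PROC_ROOT override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a PID taken from a pid file before signalling it.
# PROC_ROOT is a hypothetical override so the check can be exercised on a
# constructed directory tree; in an init script it stays at /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# read_pidfile FILE: print the PID, or return 1 unless FILE is a regular
# file (not a symlink) whose first line is a positive decimal number.
read_pidfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    IFS= read -r _line < "$1" || [ -n "$_line" ] || return 1
    case "$_line" in
        ''|*[!0-9]*|0*) return 1 ;;   # rejects "", "1; reboot", "0", "007"
    esac
    printf '%s\n' "$_line"
}

# pid_runs_exe PID EXPECTED_EXE: succeed only if PROC_ROOT/PID/exe resolves
# to EXPECTED_EXE. Fails closed when the link is missing or unreadable, and
# when the kernel reports the binary as "... (deleted)" after an upgrade.
pid_runs_exe() {
    _exe=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || return 1
    [ "$_exe" = "$2" ]
}

# safe_signal PIDFILE EXPECTED_EXE SIGNAL
# Returns 2 for an unusable pid file, 3 when the PID belongs to some other
# program, otherwise the exit status of kill. A small window remains
# between the check and kill; the check removes the trivial case where the
# pid file simply names another process such as PID 1.
safe_signal() {
    _pid=$(read_pidfile "$1") || {
        echo "refusing: unusable pid file $1" >&2
        return 2
    }
    pid_runs_exe "$_pid" "$2" || {
        echo "refusing: pid $_pid is not running $2" >&2
        return 3
    }
    kill "-$3" "$_pid"
}
```
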
--- Begin Message ---
Source: clamav
Source-Version: 0.98.1+dfsg-5

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 580...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Apr 2014 23:20:27 -0400
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav6 
clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all i386
Version: 0.98.1+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description: 
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav6 - anti-virus utility for Unix - library
Closes: 554005 580188 646845 728188 742164 743874
Changes: 
 clamav (0.98.1+dfsg-5) unstable; urgency=medium
 .
   [ Américo Monteiro ]
   * Updated Debconf translation for pt (Closes: #742164)
 .
   [ Sebastian Andrzej Siewior ]
   * Convert debian/rules to dh.
   * Add new debconf template translations:
     - Japanese, thanks to victory (Closes: #743874)
   * Use pkill and start-stop-daemon in initscripts to start/stop/status the
     daemons. (Closes: 580188)
 .
   [ Andreas Cadhalpun ]
   * Remove deprecated libclamav.la file.
   * Use faketime to make the build more binary-reproducible.
   * Add symbols file for libclamav.
   * Fix lintian warnings:
    - path-in-maintainer-script
    - using-first-person-in-templates
   * Automatically updated translation files
   * Let 'dpkg-reconfigure clamav-base' recognise changes in 0.98-options.
   * Fix updating the logrotate files.
   * Merge AppArmor support from Ubuntu. (Closes: #554005)
   * Don't mention non-existant INSTALL.gz in README.Debian. (Closes: #728188)
   * Use log_action_msg instead of log_failure_msg in the usage message of the
     init scripts. (Closes: #646845)
 .
   [ Scott Kitterman ]
   * Add lintian override for source-is-missing unit_tests/encode.js.ref
     - See lintian bug #745694

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---