Your message dated Thu, 24 Apr 2014 06:03:44 +0000
with message-id <e1wdcl6-0005ot...@franck.debian.org>
and subject line Bug#580188: fixed in clamav 0.98.1+dfsg-5
has caused the Debian Bug report #580188,
regarding pid file attacks can be used to kill arbitrary processes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
580188: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580188
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Version: 0.63.0-2
Severity: normal
Tags: security
The pid files for clamav and freshclam are writable by user clamav.
If that user is compromised, it can replace the pid file contents
with an arbitrary pid, such as 1. Then both init scripts will proceed
to the process.
start-stop-daemon avoids this kind of security flaw by checking
/proc/pid/exe (when run with -exec), or at least the process name (when
run with -name). Neither init script uses it. The lsb init script
pidofproc does not do those checks on Debian at least.
Besides the potential security hole, killing a process that
is stored in a pid file without checking that the pid file is accurate
is asking for trouble. Things go wrong, and pid files, stale.
--
see shy jo
--- End Message ---
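The check the report describes (compare `/proc/<pid>/exe` with the daemon's binary before signalling) can be sketched as below. This is an added example, not code from the bug report or from the Debian clamav init scripts; the function names `pidfile_pid`, `pid_runs_exe` and `safe_stop` are hypothetical, and a Linux `/proc` and a `readlink` that supports `-f` are assumed.

```shell
#!/bin/sh
# Added example: validate a pid file before signalling the pid it names.
# Assumes Linux /proc; all function names here are hypothetical.

# pidfile_pid FILE: print the pid only if the first line is a plain integer > 1.
pidfile_pid() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;    # empty, or anything that is not a digit
    esac
    [ "$pid" -gt 1 ] || return 1    # 0 would signal a process group, 1 is init
    printf '%s\n' "$pid"
}

# pid_runs_exe PID EXE: succeed only if /proc/PID/exe resolves to EXE.
# A binary replaced on disk shows up as "<path> (deleted)" and is refused.
pid_runs_exe() {
    want=$(readlink -f "$2") || return 1
    have=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    [ "$have" = "$want" ]
}

# safe_stop PIDFILE EXE [SIGNAL]
# Returns 2 for an unusable pid file, 3 when the pid is not running EXE.
# A small window for pid reuse remains between the check and the kill.
safe_stop() {
    pid=$(pidfile_pid "$1") || {
        echo "refusing: unusable pid file $1" >&2
        return 2
    }
    pid_runs_exe "$pid" "$2" || {
        echo "refusing: pid $pid is not running $2" >&2
        return 3
    }
    kill "-${3:-TERM}" "$pid"
}
```

An init script would call `safe_stop` with the daemon's pid file and the absolute path of its binary, and treat return codes 2 and 3 as "do not signal".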
--- Begin Message ---
Source: clamav
Source-Version: 0.98.1+dfsg-5
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 580...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 23 Apr 2014 23:20:27 -0400
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav6
clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all i386
Version: 0.98.1+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
clamav - anti-virus utility for Unix - command-line interface
clamav-base - anti-virus utility for Unix - base package
clamav-daemon - anti-virus utility for Unix - scanner daemon
clamav-dbg - debug symbols for ClamAV
clamav-docs - anti-virus utility for Unix - documentation
clamav-freshclam - anti-virus utility for Unix - virus database update utility
clamav-milter - anti-virus utility for Unix - sendmail integration
clamav-testfiles - anti-virus utility for Unix - test files
libclamav-dev - anti-virus utility for Unix - development files
libclamav6 - anti-virus utility for Unix - library
Closes: 554005 580188 646845 728188 742164 743874
Changes:
clamav (0.98.1+dfsg-5) unstable; urgency=medium
.
[ Américo Monteiro ]
* Updated Debconf translation for pt (Closes: #742164)
.
[ Sebastian Andrzej Siewior ]
* Convert debian/rules to dh.
* Add new debconf template translations:
- Japanese, thanks to victory (Closes: #743874)
* Use pkill and start-stop-daemon in initscripts to start/stop/status the
daemons. (Closes: 580188)
.
[ Andreas Cadhalpun ]
* Remove deprecated libclamav.la file.
* Use faketime to make the build more binary-reproducible.
* Add symbols file for libclamav.
* Fix lintian warnings:
- path-in-maintainer-script
- using-first-person-in-templates
* Automatically updated translation files
* Let 'dpkg-reconfigure clamav-base' recognise changes in 0.98-options.
* Fix updating the logrotate files.
* Merge AppArmor support from Ubuntu. (Closes: #554005)
* Don't mention non-existant INSTALL.gz in README.Debian. (Closes: #728188)
* Use log_action_msg instead of log_failure_msg in the usage message of the
init scripts. (Closes: #646845)
.
[ Scott Kitterman ]
* Add lintian override for source-is-missing unit_tests/encode.js.ref
- See lintian bug #745694
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel