Hello Secunia Research,

Unfortunately, I don't know who you guys are, so I am not very inclined to 
provide the detailed information you are requesting below (sorry for top 
posting). 

However, for you and for the Bacula users, who I have copied, I will repeat my 
observations on this problem.

- Recently I found what appears to be a possible buffer overrun (heap 
corruption) in one of the Bacula SQL drivers. 

- This problem has never surfaced in any production version.

- It occurred only in 2.1.x test versions with the new batch insert code 
turned on, and resulted in jobs failing or segmentation faults.  This is a 
key point.

- I never dug into the fine details of what was going wrong.

- I corrected *several* places where there were *potential* problems, and the 
failures went away.

- The problem involved a possible heap corruption and not a stack overflow, 
which means to me that it would be very hard to exploit this in any 
meaningful way. 

- The problem seemed to be timing dependent (CPU speed or something) and only 
occurred on some of my test machines, and on those machines where it 
occurred, it only occurred in approximately 1 of every 20 executions of the 
test that was failing.

- There is a mechanism by which a user (sysadmin) having unrestricted access 
to the bconsole might have been able to trigger this, but I have never tried 
it, and all failures were detected during normal jobs running in regression 
testing.

- Normally Bacula will detect these kinds of problems shortly after they occur 
and abort, minimizing any possibility of seriously corrupted data or exploit. 
Bacula periodically checks the full heap for any sort of corruption or 
overrun.

- When this bug triggers, it is accompanied by a hard failure of some sort.  
I.e. when it triggers, you know it hit you.

- I did not issue a patch to version 2.0.3 because we have no evidence that 
this problem occurred in production use, and because the release of the next 
version is imminent.


Though I see no urgency, my recommendation is for all users to upgrade as soon 
as possible either when the production 2.2.0 version is released, or possibly 
to the 2.1.26 beta version which is very stable or to 2.1.28 beta which will 
be released in the next couple of days.

Best regards,

Kern


On Tuesday 17 July 2007 15:44, Secunia Research wrote:
> Hello,
> 
> since you say that this potentially affects older (also 1.x?) production
> releases, we would do some more research on this issue. In case we find
> this to be an exploitable vulnerability we, of course, won't provide
> further details in our advisory, but it will include a note that the
> vulnerability is fixed in 2.1.12-beta (or the next stable version, if
> released). Due to the fact that we noticed the issue in your changelog,
> we have to consider this to be at least semi-public.
> 
> Can you therefore provide us with more information on the patches, e.g.
> which files have been patched, references to lines etc.
> 
> 
> Thanks again,
> Sven
> 
> 
> On Fri, 2007-07-13 at 14:42 +0200, Kern Sibbald wrote:
> > In taking a more careful look at this, I think under certain
> > conditions it is possible for the user to submit an SQL statement
> > that could trigger this overrun.  How he would use it to gain
> > security access, I cannot say.
> > 
> > I'm a bit busy right at the moment because we are getting very close
> > to a major release, so unless you can show me this is critical, I
> > would rather not spend too much more time on it.
> > 
> > I document everything of importance that I find wrong with Bacula.
> > However, I consider it would be unwise to provide any public
> > documentation on how this might be exploited, if that is in fact
> > possible, as it would only encourage hackers to do damage.  What IMO
> > would be much more appropriate is to advise users to upgrade to avoid
> > any potential problems ...
> -- 
> 
> Sven Krewitt
> Security Specialist
> 
> Secunia 
> Hammerensgade 4, 2. floor
> DK-1267 Copenhagen K
> Denmark
> 
> http://secunia.com/
> 
> Phone  +45 7020 5144
> Fax    +45 7020 5145
> 

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
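The message above describes two things worth seeing side by side: a heap buffer overrun that only shows up intermittently, and a periodic full-heap check that turns such an overrun into a hard, early failure instead of silent corruption. The following is an added example written for this page; it is not Bacula's own allocator or heap checker and borrows none of its code. It shows the general technique: every allocation is tracked in a list and bracketed by a known guard pattern, and a walk over all live blocks reports any block whose guards no longer match. All names (guarded_malloc, guarded_check_all, demo_copy, demo_underrun) are hypothetical, and the "overruns" are constructed by the demo functions themselves.

```c
/* Guarded debug allocator with a full-heap walk (added example, not Bacula code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN 8
static const unsigned char GUARD_PATTERN[GUARD_LEN] =
    { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D };

/* Header kept in front of every live block so a full walk can find them all. */
typedef struct block_hdr {
    struct block_hdr *next;
    struct block_hdr *prev;
    const char *file;   /* allocation site, reported when corruption is found */
    size_t line;
    size_t size;        /* bytes handed to the caller */
} block_hdr;

static block_hdr *g_live = NULL;

/* Layout: [block_hdr][head guard][user bytes][tail guard] */
static unsigned char *user_ptr(block_hdr *h) {
    return (unsigned char *)h + sizeof(*h) + GUARD_LEN;
}

void *guarded_malloc(size_t size, const char *file, size_t line) {
    block_hdr *h = malloc(sizeof(*h) + GUARD_LEN + size + GUARD_LEN);
    if (!h) return NULL;
    h->file = file; h->line = line; h->size = size;
    unsigned char *u = user_ptr(h);
    memcpy(u - GUARD_LEN, GUARD_PATTERN, GUARD_LEN);   /* head guard */
    memcpy(u + size,      GUARD_PATTERN, GUARD_LEN);   /* tail guard */
    h->prev = NULL; h->next = g_live;
    if (g_live) g_live->prev = h;
    g_live = h;
    return u;
}

/* 0 = guards intact, bit 0 = underrun (head guard hit), bit 1 = overrun (tail guard hit). */
int guarded_check_block(block_hdr *h) {
    const unsigned char *u = user_ptr(h);
    int status = 0;
    if (memcmp(u - GUARD_LEN, GUARD_PATTERN, GUARD_LEN) != 0) status |= 1;
    if (memcmp(u + h->size, GUARD_PATTERN, GUARD_LEN) != 0) status |= 2;
    return status;
}

/* Walk every live block, report each corrupted one, return how many were found.
 * Calling this periodically is what makes an intermittent overrun fail loudly and early. */
int guarded_check_all(void) {
    int bad = 0;
    for (block_hdr *h = g_live; h; h = h->next) {
        int st = guarded_check_block(h);
        if (st) {
            fprintf(stderr, "heap corruption (%s) in %zu-byte block from %s:%zu\n",
                    st == 1 ? "underrun" : st == 2 ? "overrun" : "underrun+overrun",
                    h->size, h->file, h->line);
            bad++;
        }
    }
    return bad;
}

void guarded_free(void *p) {
    if (!p) return;
    block_hdr *h = (block_hdr *)((unsigned char *)p - GUARD_LEN - sizeof(*h));
    if (h->prev) h->prev->next = h->next; else g_live = h->next;
    if (h->next) h->next->prev = h->prev;
    free(h);
}

/* Constructed scenario: copy `written` bytes into an `alloc`-byte buffer, run the
 * heap check, release the block, return the number of corrupted blocks found.
 * Keep written <= alloc + GUARD_LEN: the guard absorbs the overrun in this demo;
 * anything past it would hit real malloc metadata. */
int demo_copy(size_t alloc, size_t written) {
    unsigned char *buf = guarded_malloc(alloc, __FILE__, (size_t)__LINE__);
    if (!buf) return -1;
    memset(buf, 'A', written);          /* overrun when written > alloc */
    int bad = guarded_check_all();
    guarded_free(buf);
    return bad;
}

/* Constructed scenario: a single byte written in front of the buffer. */
int demo_underrun(void) {
    unsigned char *buf = guarded_malloc(32, __FILE__, (size_t)__LINE__);
    if (!buf) return -1;
    buf[-1] = 0;                        /* lands on the head guard */
    int bad = guarded_check_all();
    guarded_free(buf);
    return bad;
}

int main(void) {
    printf("exact fit:  %d corrupted\n", demo_copy(16, 16));
    printf("off by one: %d corrupted\n", demo_copy(16, 17));
    printf("underrun:   %d corrupted\n", demo_underrun());
    return 0;
}
```

The exact-fit copy passes the walk; the off-by-one copy and the underrun are each reported against the allocating file and line. In a real daemon the walk is run at job boundaries or on a timer, and a non-zero result is treated as fatal, which is the behaviour the message describes: when the bug triggers, you know it hit you.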