Your message dated Sat, 25 Sep 2010 01:02:12 +0000
with message-id <[email protected]>
and subject line Bug#597382: fixed in mingetty 1.07-2
has caused the Debian Bug report #597382,
regarding unsafe chroot() call
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
597382: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597382
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mingetty
Version: 1.07-1
Severity: critical
Tags: security patch
Hi,
mingetty doesn't change current directory after chroot() call.
It allows an attacker to call chdir("../") many times and get root directory.
Also chdir(), chroot() and nice() are not checked for error return values.
It allows an attacker to avoid local policy restriction in some cases.
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500,
'lucid-proposed'), (500, 'lucid-backports'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-25-generic (SMP w/2 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mingetty depends on:
ii libc6 2.11.1-0ubuntu7.3 Embedded GNU C Library: Shared lib
mingetty recommends no packages.
mingetty suggests no packages.
-- no debconf information
--- mingetty.c.orig 2010-09-19 07:51:59.000000000 +0000
+++ mingetty.c 2010-09-19 08:00:09.000000000 +0000
@@ -431,12 +431,20 @@ int main (int argc, char **argv)
while ((logname = get_logname ()) == 0)
/* do nothing */ ;
- if (ch_root)
- chroot (ch_root);
- if (ch_dir)
- chdir (ch_dir);
- if (priority)
- nice (priority);
+ if (ch_root) {
+ if (chroot (ch_root))
+ error ("chroot(): %s", strerror (errno));
+ if (chdir("/"))
+ error ("chdir(\"/\"): %s", strerror (errno));
+ }
+ if (ch_dir) {
+ if (chdir (ch_dir))
+ error ("chdir(): %s", strerror (errno));
+ }
+ if (priority) {
+ if (nice (priority))
+ error ("nice(): %s", strerror (errno));
+ }
execl (loginprog, loginprog, autologin? "-f" : "--", logname, NULL);
error ("%s: can't exec %s: %s", tty, loginprog, strerror (errno));
--- End Message ---
--- Begin Message ---
Source: mingetty
Source-Version: 1.07-2
We believe that the bug you reported is fixed in the latest version of
mingetty, which is due to be installed in the Debian FTP archive:
mingetty_1.07-2.diff.gz
to main/m/mingetty/mingetty_1.07-2.diff.gz
mingetty_1.07-2.dsc
to main/m/mingetty/mingetty_1.07-2.dsc
mingetty_1.07-2_i386.deb
to main/m/mingetty/mingetty_1.07-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Martin <[email protected]> (supplier of updated mingetty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 25 Sep 2010 01:51:12 +0100
Source: mingetty
Binary: mingetty
Architecture: source i386
Version: 1.07-2
Distribution: unstable
Urgency: high
Maintainer: Paul Martin <[email protected]>
Changed-By: Paul Martin <[email protected]>
Description:
mingetty - Console-only getty
Closes: 597382
Changes:
mingetty (1.07-2) unstable; urgency=high
.
* Critical security patch: Fix unsafe chroot call. (Closes: #597382)
* Checked dependencies for locusts. (Closes: http://xkcd.com/797/)
Checksums-Sha1:
2399917fff09785a8ea0d737d3e132be5ee6029c 1566 mingetty_1.07-2.dsc
95ba0cd1dae19a31905430f536300597633b7c7f 4225 mingetty_1.07-2.diff.gz
c20d4d0596827c771986f7ad30f69bd6a0781cf1 10474 mingetty_1.07-2_i386.deb
Checksums-Sha256:
95edd9b9c51b2370a7601478dcecb3ec5b2a2e97abfb8035aaa76fc35fbde52e 1566
mingetty_1.07-2.dsc
7931407a61cf5717896dbc48b4db4b0aeaab5eed1d1e579d4687ba23dd5952b4 4225
mingetty_1.07-2.diff.gz
5efbc71e5bfb5c3156480ea5fcaa4f4abd7b59e83ebefa8f32e6b9ea9d9f1cb4 10474
mingetty_1.07-2_i386.deb
Files:
5ed2ce7dd10223cd82f556d9a63593d1 1566 admin optional mingetty_1.07-2.dsc
b65a92fff2ec5eba9c50b946aedc9928 4225 admin optional mingetty_1.07-2.diff.gz
6e544e7a89973479e4e5f5e795a085c1 10474 admin optional mingetty_1.07-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIVAwUBTJ1HzmA7gyZh+cpTAQisMQ/+L1MCbBflwHjqR0YQj+u9F6Ym0cIY45Uh
+Wo2mv98orL1Jh8RiMgryJDxg5WIVt69O7GA6qDP3IeZ9tJz5atSQbeaWSMWA0Ck
O7xXjKe+viUzu+sWE7Zgg4d9bTuXHyixcsSL/0Moaj81dZM7lGmCyjXvmPlVgB87
zpTkYNkpcKEscKoyYng0gc+IFSNgjGVtHrmEU8dayNqK4ramn794nc62LPCxAJ5W
lsFvgCyts9DUS84MTcGi9qWU2ZwOkvxNyQjs44edAr0j46eOMCblePfek+V3c+Jm
6V6IqRUieIAiN5HBQnI934S98YKPfu5+cSM4J6mgMc24WxIxQB9n82uqecFBBNB4
Hb7u6MmRFs3SPRRPqlmDKYh1pjMohyQHex79ta53BQddnr4i6KxJxJW4xDsVq0YO
tpVjdFQ61EIalPSG/9CCYbq6aasrP4OlIJOiU5TGo4rlRyYj7WkQ1xybGabcaE1o
DsqjWLDKCyXJE99KgRYCE748ENYrgu1p0JgpraLiJT4EuxC+IsRqbuSRCPxB1zUz
+QMqBQNbEAHU2yzC8YWRFT8EUsVNS/7mLfl3T23UIFydL5HibBoJks9+SXRrhLlg
HkkesWM9lcbG1bQjnBdLU0SCbn5Jhcpc32CMuB+qWmfJTyTpAeufrWQwzFOZNvma
eSRwgyhS0hM=
=Apvd
-----END PGP SIGNATURE-----
--- End Message ---
