Your message dated Mon, 20 Mar 2006 23:02:13 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#329087: fixed in kernel-patch-vserver 1.9.5.4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: kernel-patch-vserver
Severity: critical
Tags: sarge
Justification: root security hole
Dear maintainer(s),
I found the kernel-patch-vserver and util-vserver in sarge can not pass
the testfs.sh script[1] which provide by upstream author. After some more
tests, upstream author discoveryed this is a security hole.
Here is what I did in my test:
# ls -lda /var/lib/vservers/XXXX/..
d--------- 8 root root 4096 Sep 19 19:46 /var/lib/vservers/XXXX/../
# showattr -d /var/lib/vservers/XXXX/..
---BU-- /var/lib/vservers/XXXX/..
# lsattr -d /var/lib/vservers/XXXX/..
---------------t- /var/lib/vservers/XXXX/..
ssh into a guest and then starting the root exploit[2] inside a guest now
gives: Exploit seems to work. =)
And then I can be able to access the host, can be able to read /etc/shadow
and can be able to create /test.txt in the host.
[1] http://vserver.13thfloor.at/Stuff/SCRIPT/testfs.sh-0.09
[2] http://vserver.13thfloor.at/Stuff/rootesc.c
-- System Information:
Debian Release: 3.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-10vserver
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
--- End Message ---
--- Begin Message ---
Source: kernel-patch-vserver
Source-Version: 1.9.5.4
We believe that the bug you reported is fixed in the latest version of
kernel-patch-vserver, which is due to be installed in the Debian FTP archive:
kernel-patch-vserver_1.9.5.4.dsc
to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.4.dsc
kernel-patch-vserver_1.9.5.4.tar.gz
to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.4.tar.gz
kernel-patch-vserver_1.9.5.4_all.deb
to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Micah Anderson <[EMAIL PROTECTED]> (supplier of updated kernel-patch-vserver
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 20 Nov 2005 17:16:45 -0500
Source: kernel-patch-vserver
Binary: kernel-patch-vserver
Architecture: source all
Version: 1.9.5.4
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Micah Anderson <[EMAIL PROTECTED]>
Description:
kernel-patch-vserver - context switching virtual private servers - kernel patch
Closes: 329087
Changes:
kernel-patch-vserver (1.9.5.4) stable-security; urgency=high
.
* Updated 2.4.27 kernel patch to fix chroot escape as a result
of missing immutable unlink extended filesystem attributes
and the capability system that would enforce the chroot
barrier. (Closes: #329087)
Files:
9befc3f1ef20d620d87a8d073258ea0d 635 devel extra
kernel-patch-vserver_1.9.5.4.dsc
f3e339b76de5b6bd8f84e01cd079c2b3 980051 devel extra
kernel-patch-vserver_1.9.5.4.tar.gz
e98fefbcbaa631427c37c3c3fbde159d 467052 devel extra
kernel-patch-vserver_1.9.5.4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDjKa/9n4qXRzy1ioRAgCyAKCBJ1O1fnGzmVsJnMjhi3ouu+RRcgCcC87S
YXrdiwor3FI2HXjTRGOsiPA=
=hlSV
-----END PGP SIGNATURE-----
--- End Message ---
