Package: gnome-gv
Version: 1:2.8.2-3
Severity: critical
Justification: root security hole
{{ note that the Severity: _may_ be overstated, I simply don't know; but
if gnome-gv can be made to open outbound FTP connections by the contents
of a postscript file, then this is potentially a very serious hole, on a
par with local root exploits }}
When viewing a local copy of
http://www.scs.cs.nyu.edu/~dm/papers/mazieres:sundr-podc.ps.gz (Firefox
had downloaded it to /tmp/mazieres:sundr-podc.ps.gz and invoked gnome-gv
as "/usr/bin/gnome-gv /tmp/mazieres:sundr-podc.ps.gz") two odd things
happened:
- gnome-gv never appeared. (I assumed that it had choked on the .gz, so I
uncompressed the file, converted it to PDF for good measure, and opened and
viewed it with xpdf.)
- An hour later I noticed unexpected network traffic. Upon digging a little
deeper I noticed continual failed anonymous FTP login attempts to
208.113.133.22.
Strace showed:
Process 32332 attached - interrupt to quit
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62
write(50, "USER anonymous\r\n", 16) = 16
read(50, 0x81a229c, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "331 Password required for anonym"..., 4096) = 38
write(50, "PASS [EMAIL PROTECTED]", 23) = 23
read(50, 0x81a229c, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "530 Login incorrect.\r\n", 4096) = 22
close(50) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 50
bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0
time(NULL) = 1155039459
sendto(50, "\24\0\0\0\26\0\1\3\343\200\330D\0\0\0\0\0\352\241@", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"<\0\0\0\24\0\2\0\343\200\330DL~\0\0\2\10\200\376\1\0\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 248
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\24\0\0\0\3\0\2\0\343\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(50) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50
connect(50, {sa_family=AF_INET, sin_port=htons(21),
sin_addr=inet_addr("208.113.133.22")}, 16) = 0
fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(50, 0x81a22a4, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62
write(50, "USER anonymous\r\n", 16) = 16
read(50, 0x81a22a4, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "331 Password required for anonym"..., 4096) = 38
write(50, "PASS [EMAIL PROTECTED]", 23) = 23
read(50, 0x81a22a4, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "530 Login incorrect.\r\n", 4096) = 22
close(50) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 50
bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0
time(NULL) = 1155039460
sendto(50, "\24\0\0\0\26\0\1\3\344\200\330D\0\0\0\0\0\352\241@", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"<\0\0\0\24\0\2\0\344\200\330DL~\0\0\2\10\200\376\1\0\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 248
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\24\0\0\0\3\0\2\0\344\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(50) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50
connect(50, {sa_family=AF_INET, sin_port=htons(21),
sin_addr=inet_addr("208.113.133.22")}, 16) = 0
fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(50, 0x81a22ec, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62
write(50, "USER anonymous\r\n", 16) = 16
read(50, 0x81a22ec, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "331 Password required for anonym"..., 4096) = 38
write(50, "PASS [EMAIL PROTECTED]", 23) = 23
read(50, 0x81a22ec, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "530 Login incorrect.\r\n", 4096) = 22
close(50) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 50
bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0
time(NULL) = 1155039461
sendto(50, "\24\0\0\0\26\0\1\3\345\200\330D\0\0\0\0\0\352\241@", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"<\0\0\0\24\0\2\0\345\200\330DL~\0\0\2\10\200\376\1\0\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 248
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\24\0\0\0\3\0\2\0\345\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(50) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50
connect(50, {sa_family=AF_INET, sin_port=htons(21),
sin_addr=inet_addr("208.113.133.22")}, 16) = 0
fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(50, 0x81a22f4, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62
write(50, "USER anonymous\r\n", 16) = 16
read(50, 0x81a22f4, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "331 Password required for anonym"..., 4096) = 38
write(50, "PASS [EMAIL PROTECTED]", 23) = 23
read(50, 0x81a22f4, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "530 Login incorrect.\r\n", 4096) = 22
close(50) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 50
bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0
time(NULL) = 1155039461
sendto(50, "\24\0\0\0\26\0\1\3\345\200\330D\0\0\0\0\0\352\241@", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"<\0\0\0\24\0\2\0\345\200\330DL~\0\0\2\10\200\376\1\0\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 248
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\24\0\0\0\3\0\2\0\345\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(50) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50
connect(50, {sa_family=AF_INET, sin_port=htons(21),
sin_addr=inet_addr("208.113.133.22")}, 16) = 0
fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(50, 0x81a233c, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62
write(50, "USER anonymous\r\n", 16) = 16
read(50, 0x81a233c, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "331 Password required for anonym"..., 4096) = 38
write(50, "PASS [EMAIL PROTECTED]", 23) = 23
read(50, 0x81a233c, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "530 Login incorrect.\r\n", 4096) = 22
close(50) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 50
bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0
time(NULL) = 1155039462
sendto(50, "\24\0\0\0\26\0\1\3\346\200\330D\0\0\0\0\0\352\241@", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"<\0\0\0\24\0\2\0\346\200\330DL~\0\0\2\10\200\376\1\0\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 248
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\24\0\0\0\3\0\2\0\346\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(50) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50
connect(50, {sa_family=AF_INET, sin_port=htons(21),
sin_addr=inet_addr("208.113.133.22")}, 16) = 0
fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0
read(50, 0x81a2344, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62
write(50, "USER anonymous\r\n", 16) = 16
read(50, 0x81a2344, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "331 Password required for anonym"..., 4096) = 38
write(50, "PASS [EMAIL PROTECTED]", 23) = 23
read(50, 0x81a2344, 4096) = -1 EAGAIN (Resource temporarily
unavailable)
select(51, [50], NULL, NULL, NULL) = 1 (in [50])
read(50, "530 Login incorrect.\r\n", 4096) = 22
close(50) = 0
socket(PF_NETLINK, SOCK_RAW, 0) = 50
bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0
time(NULL) = 1155039463
sendto(50, "\24\0\0\0\26\0\1\3\347\200\330D\0\0\0\0\0\352\241@", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"<\0\0\0\24\0\2\0\347\200\330DL~\0\0\2\10\200\376\1\0\0"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 248
recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\24\0\0\0\3\0\2\0\347\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(50) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50
connect(50, {sa_family=AF_INET, sin_port=htons(21),
sin_addr=inet_addr("208.113.133.22")}, 16) = 0
fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR)
...
ltrace showed:
g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) =
0xdefc1d76
...
I'm not sure what else to tell you. Presumably there is no legitimate reason for
gnome-gv to be making gratuitous outbound FTP connections?
- Raz
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Versions of packages gnome-gv depends on:
ii desktop-file-utils 0.10-1 Utilities for .desktop files
ii gconf2 2.8.1-6 GNOME configuration database syste
ii gs 8.01-5 Transitional package
ii gs-esp [gs] 7.07.1-9 The Ghostscript PostScript interpr
ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript int
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libaudiofile0 0.2.6-6 Open-source version of SGI's audio
ii libbonobo2-0 2.8.1-2 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.8.1-2 The Bonobo UI library
ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii libesd0 0.2.35-2 Enlightened Sound Daemon - Shared
ii libgconf2-4 2.8.1-6 GNOME configuration database syste
ii libgcrypt11 1.2.0-11.1 LGPL Crypto library - runtime libr
ii libglib2.0-0 2.6.4-1 The GLib library of C routines
ii libgnome-keyring0 0.4.2-1 GNOME keyring services library
ii libgnome2-0 2.8.1-2 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.8.0-1 A powerful object-oriented display
ii libgnomeui-0 2.8.1-3 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 2.8.4-4 The GNOME virtual file-system libr
ii libgnutls11 1.0.16-13.2 GNU TLS library - runtime library
ii libgpg-error0 1.0-1 library for common error values an
ii libgtk2.0-0 2.6.4-3.1 The GTK+ graphical user interface
ii libice6 4.3.0.dfsg.1-14sarge1 Inter-Client Exchange library
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii liborbit2 1:2.12.2-1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.8.1-1 Layout and rendering of internatio
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libsm6 4.3.0.dfsg.1-14sarge1 X Window System Session Management
ii libtasn1-2 0.2.10-3sarge1 Manage ASN.1 structures (runtime)
ii libx11-6 4.3.0.dfsg.1-14sarge1 X Window System protocol client li
ii libxml2 2.6.16-7 GNOME XML library
ii scrollkeeper 0.3.14-10 A free electronic cataloging syste
ii xlibs 6.9.0.dfsg.1-5bpo2 X Window System client libraries m
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- no debconf information