Package: gnome-gv Version: 1:2.8.2-3 Severity: critical Justification: root security hole
{{ note that the Severity: _may_ be overstated, I simply don't know; but if the contents of a PostScript file can make gnome-gv open outbound FTP connections, then this is potentially a very serious hole, on a par with local root exploits }} When viewing a local copy of http://www.scs.cs.nyu.edu/~dm/papers/mazieres:sundr-podc.ps.gz (Firefox had downloaded it to /tmp/mazieres:sundr-podc.ps.gz and invoked gnome-gv as "/usr/bin/gnome-gv /tmp/mazieres:sundr-podc.ps.gz") two odd things happened: - gnome-gv never appeared. (I assumed that it had choked on the .gz, so I uncompressed the file, converted it to PDF for good measure, and opened and viewed it with xpdf.) - An hour later I noticed unexpected network traffic. Upon digging a little deeper I noticed continual failed anonymous FTP login attempts to 208.113.133.22; judging by the time(NULL) values in the trace below, the connect/USER/PASS/"530 Login incorrect" cycle repeats roughly once per second. Strace showed: Process 32332 attached - interrupt to quit select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62 write(50, "USER anonymous\r\n", 16) = 16 read(50, 0x81a229c, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "331 Password required for anonym"..., 4096) = 38 write(50, "PASS [EMAIL PROTECTED]", 23) = 23 read(50, 0x81a229c, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "530 Login incorrect.\r\n", 4096) = 22 close(50) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 50 bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0 time(NULL) = 1155039459 sendto(50, "\24\0\0\0\26\0\1\3\343\200\330D\0\0\0\0\0\352\241@", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\343\200\330DL~\0\0\2\10\200\376\1\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 248 recvmsg(50, 
{msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\343\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(50) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50 connect(50, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("208.113.133.22")}, 16) = 0 fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0 read(50, 0x81a22a4, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62 write(50, "USER anonymous\r\n", 16) = 16 read(50, 0x81a22a4, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "331 Password required for anonym"..., 4096) = 38 write(50, "PASS [EMAIL PROTECTED]", 23) = 23 read(50, 0x81a22a4, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "530 Login incorrect.\r\n", 4096) = 22 close(50) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 50 bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0 time(NULL) = 1155039460 sendto(50, "\24\0\0\0\26\0\1\3\344\200\330D\0\0\0\0\0\352\241@", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\344\200\330DL~\0\0\2\10\200\376\1\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 248 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\344\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(50) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50 connect(50, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("208.113.133.22")}, 16) = 0 fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR) 
fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0 read(50, 0x81a22ec, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62 write(50, "USER anonymous\r\n", 16) = 16 read(50, 0x81a22ec, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "331 Password required for anonym"..., 4096) = 38 write(50, "PASS [EMAIL PROTECTED]", 23) = 23 read(50, 0x81a22ec, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "530 Login incorrect.\r\n", 4096) = 22 close(50) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 50 bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0 time(NULL) = 1155039461 sendto(50, "\24\0\0\0\26\0\1\3\345\200\330D\0\0\0\0\0\352\241@", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\345\200\330DL~\0\0\2\10\200\376\1\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 248 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\345\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(50) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50 connect(50, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("208.113.133.22")}, 16) = 0 fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0 read(50, 0x81a22f4, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62 write(50, "USER anonymous\r\n", 16) = 16 read(50, 0x81a22f4, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) 
read(50, "331 Password required for anonym"..., 4096) = 38 write(50, "PASS [EMAIL PROTECTED]", 23) = 23 read(50, 0x81a22f4, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "530 Login incorrect.\r\n", 4096) = 22 close(50) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 50 bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0 time(NULL) = 1155039461 sendto(50, "\24\0\0\0\26\0\1\3\345\200\330D\0\0\0\0\0\352\241@", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\345\200\330DL~\0\0\2\10\200\376\1\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 248 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\345\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(50) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50 connect(50, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("208.113.133.22")}, 16) = 0 fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0 read(50, 0x81a233c, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62 write(50, "USER anonymous\r\n", 16) = 16 read(50, 0x81a233c, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "331 Password required for anonym"..., 4096) = 38 write(50, "PASS [EMAIL PROTECTED]", 23) = 23 read(50, 0x81a233c, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "530 Login incorrect.\r\n", 4096) = 22 close(50) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 50 bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 
getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0 time(NULL) = 1155039462 sendto(50, "\24\0\0\0\26\0\1\3\346\200\330D\0\0\0\0\0\352\241@", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\346\200\330DL~\0\0\2\10\200\376\1\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 248 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\346\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(50) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50 connect(50, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("208.113.133.22")}, 16) = 0 fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(50, F_SETFL, O_RDWR|O_NONBLOCK) = 0 read(50, 0x81a2344, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "220 ProFTPD 1.3.0rc2 Server (Dre"..., 4096) = 62 write(50, "USER anonymous\r\n", 16) = 16 read(50, 0x81a2344, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "331 Password required for anonym"..., 4096) = 38 write(50, "PASS [EMAIL PROTECTED]", 23) = 23 read(50, 0x81a2344, 4096) = -1 EAGAIN (Resource temporarily unavailable) select(51, [50], NULL, NULL, NULL) = 1 (in [50]) read(50, "530 Login incorrect.\r\n", 4096) = 22 close(50) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 50 bind(50, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(50, {sa_family=AF_NETLINK, pid=32332, groups=00000000}, [12]) = 0 time(NULL) = 1155039463 sendto(50, "\24\0\0\0\26\0\1\3\347\200\330D\0\0\0\0\0\352\241@", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\347\200\330DL~\0\0\2\10\200\376\1\0\0"..., 4096}], 
msg_controllen=0, msg_flags=0}, 0) = 248 recvmsg(50, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\347\200\330DL~\0\0\0\0\0\0\1\0\0\0\10"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(50) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 50 connect(50, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("208.113.133.22")}, 16) = 0 fcntl64(50, F_GETFL) = 0x2 (flags O_RDWR) ... ltrace showed: g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0x40aa18e0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 g_str_hash(0x40edfe7d, 0, 0xbf80b358, 0x408f9924, 0x40aa18e0) = 0xdefc1d76 ... I'm not sure what else to tell you. Presumably there is no legitimate reason for gnome-gv to be making gratuitous outbound FTP connections? 
- Raz -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.15-1-686 Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1) Versions of packages gnome-gv depends on: ii desktop-file-utils 0.10-1 Utilities for .desktop files ii gconf2 2.8.1-6 GNOME configuration database syste ii gs 8.01-5 Transitional package ii gs-esp [gs] 7.07.1-9 The Ghostscript PostScript interpr ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript int ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit ii libaudiofile0 0.2.6-6 Open-source version of SGI's audio ii libbonobo2-0 2.8.1-2 Bonobo CORBA interfaces library ii libbonoboui2-0 2.8.1-2 The Bonobo UI library ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an ii libesd0 0.2.35-2 Enlightened Sound Daemon - Shared ii libgconf2-4 2.8.1-6 GNOME configuration database syste ii libgcrypt11 1.2.0-11.1 LGPL Crypto library - runtime libr ii libglib2.0-0 2.6.4-1 The GLib library of C routines ii libgnome-keyring0 0.4.2-1 GNOME keyring services library ii libgnome2-0 2.8.1-2 The GNOME 2 library - runtime file ii libgnomecanvas2-0 2.8.0-1 A powerful object-oriented display ii libgnomeui-0 2.8.1-3 The GNOME 2 libraries (User Interf ii libgnomevfs2-0 2.8.4-4 The GNOME virtual file-system libr ii libgnutls11 1.0.16-13.2 GNU TLS library - runtime library ii libgpg-error0 1.0-1 library for common error values an ii libgtk2.0-0 2.6.4-3.1 The GTK+ graphical user interface ii libice6 4.3.0.dfsg.1-14sarge1 Inter-Client Exchange library ii libjpeg62 6b-10 The Independent JPEG Group's JPEG ii liborbit2 1:2.12.2-1 libraries for ORBit2 - a CORBA ORB ii libpango1.0-0 1.8.1-1 Layout and rendering of internatio ii libpopt0 1.7-5 lib for parsing cmdline parameters ii libsm6 4.3.0.dfsg.1-14sarge1 X Window System Session Management ii libtasn1-2 0.2.10-3sarge1 Manage ASN.1 structures (runtime) ii libx11-6 4.3.0.dfsg.1-14sarge1 X Window System protocol client li ii 
libxml2 2.6.16-7 GNOME XML library ii scrollkeeper 0.3.14-10 A free electronic cataloging syste ii xlibs 6.9.0.dfsg.1-5bpo2 X Window System client libraries m ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime -- no debconf information