Package: portmap
Version: 6.0-9
Severity: normal
Running portmap in chrooted directory is implemented wrongly. Daemon has
to chdir(2) after chroot(2) to prevent accessing files outside chroot
directory. Running portmap with option -t /var/empty gives following
lsof results:
# lsof -n -p 7892
COMMAND PID USER FD TYPE DEVICESIZENODE NAME
portmap 7892 daemon cwdDIR 9,14096 2 /
portmap 7892 daemon rtdDIR 9,14096 295046 /var/empty
portmap 7892 daemon txtREG 9,1 20488 1589256 /sbin/portmap
...
After (potential) successful attack on portmap daemon exploit code can
access any file on root filesystem for example by using openat(2)
syscalls.
Regards,
Kupson
-- System Information:
Debian Release: squeeze/sid
APT prefers stable
APT policy: (950, 'stable'), (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages portmap depends on:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
portmap recommends no packages.
portmap suggests no packages.
-- debconf information excluded
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
