Re: upload processing resumed
On 2012-12-06 18:33, Joerg Jaspert wrote:
> as we have found a bug in a part of our archive software that might lead to remote code execution, we have stopped processing uploads until this bug is fixed. We expect that to happen pretty soon, though Thursday is more likely to see a fix than the rest of this Wednesday.
>
> And while the main archive got it turned back on around noon UTC, the other archives just got it back. So all back to normal, nothing to see, go on fixing RC bugs please. :)

Thanks for securing it quickly :)

Is there any danger of the vulnerable code being in use on other systems, e.g. as part of a dak install?

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

directhex: i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2566b9920f03eb25fbf7a3f32de67...@hogwarts.powdarrmonkey.net
Re: upload processing resumed
Hi,

On 07.12.2012 12:20, Jonathan Wiltshire wrote:
> Thanks for securing it quickly :)
>
> Is there any danger of the vulnerable code being in use on other systems, e.g. as part of a dak install?

Indeed, thanks for fixing the issue so fast. But full disclosure FTW. Now that the problem is fixed, please share some details about the nature of the vulnerability.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Re: upload processing resumed
On Fri, Dec 7, 2012 at 14:03:22 +0100, Arno Töll wrote:
> Hi,
>
> On 07.12.2012 12:20, Jonathan Wiltshire wrote:
>> Thanks for securing it quickly :)
>>
>> Is there any danger of the vulnerable code being in use on other systems, e.g. as part of a dak install?
>
> Indeed, thanks for fixing the issue so fast. But full disclosure FTW. Now that the problem is fixed, please share some details about the nature of the vulnerability.

The commits from the last couple of days in http://anonscm.debian.org/gitweb/?p=mirror/dak.git should allow you to take a guess.

Cheers,
Julien
Re: upload processing resumed
* Joerg Jaspert jo...@debian.org, 2012-12-06, 19:33:
> as we have found a bug in a part of our archive software that might lead to remote code execution, we have stopped processing uploads until this bug is fixed. We expect that to happen pretty soon, though Thursday is more likely to see a fix than the rest of this Wednesday.
>
> And while the main archive got it turned back on around noon UTC, the other archives just got it back. So all back to normal, nothing to see, go on fixing RC bugs please. :)

Thanks. Do we know if anyone tried exploiting this bug in the past?

-- 
Jakub Wilk

Archive: http://lists.debian.org/20121207132022.ga1...@jwilk.net
Re: upload processing resumed
>> And while the main archive got it turned back on around noon UTC, the other archives just got it back. So all back to normal, nothing to see, go on fixing RC bugs please. :)
>
> Thanks. Do we know if anyone tried exploiting this bug in the past?

I don't think so. Also, most other archives I know of are either putting files by ftp directly where dak can read them or use scp or similar to get them there. Both cases need no queued. Obviously I don't know for sure.

-- 
bye, Joerg
What is a wedding? Webster's Dictionary defines a wedding as 'The process of removing weeds from one's garden.'

Archive: http://lists.debian.org/87lid9d1iu@gkar.ganneff.de
Re: upload processing resumed
On 13053 March 1977, Arno Töll wrote:
>> Thanks for securing it quickly :)
>>
>> Is there any danger of the vulnerable code being in use on other systems, e.g. as part of a dak install?
>
> Indeed, thanks for fixing the issue so fast. But full disclosure FTW. Now that the problem is fixed, please share some details about the nature of the vulnerability.

All our commits are open and get to the -dak list too.

The basic summary is really old code that needs to be replaced, really. In this case: a possible attack using the help of shell metacharacters in a specially prepared filename, due to not checking if such characters are in the filename AND using Perl's open function in the way that lets the shell help it. My quick fix only ensured we don't have metacharacters; Ansgar invested some more time and rewrote the code in question much more. And fixed a number of other issues too. For details: read the commits. :)

-- 
bye, Joerg
Naturally; worms that don't know what they are doing end up as fish bait, instead of getting invited into weird math experiments. -- Lars Wirzenius

Archive: http://lists.debian.org/87hanxd1aw@gkar.ganneff.de
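The two fixes Joerg describes above (rejecting metacharacters in the filename, then rewriting the open) correspond to a well-known Perl pitfall. The following is an added illustration, not code from dak or from the commits linked in the thread; the filename whitelist and the function names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not dak's code): why Perl's two-argument open is dangerous
# with an attacker-controlled filename, and the two layers of fix described
# in the thread: a metacharacter check, and a three-argument open.
use strict;
use warnings;

# Assumed whitelist for upload filenames. Debian .changes names only need
# letters, digits, and a few punctuation characters, so anything else
# (including shell metacharacters such as | ; & $ ` and whitespace) is
# rejected outright. This is the "quick fix" layer.
sub filename_is_safe {
    my ($name) = @_;
    return ($name =~ /\A[A-Za-z0-9][A-Za-z0-9._+~-]*\z/) ? 1 : 0;
}

# Vulnerable pattern: two-argument open. Perl parses the single string for
# mode characters, so a name starting or ending with "|" becomes a pipe and
# the remainder is handed to /bin/sh as a command line. Never call this with
# untrusted input; it is shown only for contrast.
sub read_file_unsafe {
    my ($name) = @_;
    open(my $fh, "$name") or die "open: $!";   # 2-arg open: DO NOT do this
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened pattern: validate first, then use the three-argument open with an
# explicit '<' mode. The name is only ever treated as a path; no pipe or
# shell interpretation is possible regardless of its contents.
sub read_file_safe {
    my ($name) = @_;
    die "rejected filename: $name\n" unless filename_is_safe($name);
    open(my $fh, '<', $name) or die "open $name: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed sample names: one legitimate, three that would be interpreted
# by a two-argument open (pipe markers, separators, whitespace).
for my $name ('foo_1.0-1_amd64.changes', 'foo.changes|', '|foo.changes',
              'foo;bar.changes') {
    printf "%-26s %s\n", $name, filename_is_safe($name) ? 'accepted' : 'rejected';
}
```

Only the first sample name is accepted; the rest are refused before any open is attempted, and even an accepted name cannot reach the shell because the three-argument form is used.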