Re: klibc 1.5.20 stable/oldstable update
On Tue, 31 May 2011, Adam D. Barratt wrote: Something very much like that, yes. :-) Please go ahead with the stable upload; thanks. (Ugh at the debian-changes auto-patch, but that's not a regression from the current squeeze package, so never mind.) thanks, stable klibc-1.5.20-1+squeeze1 uploaded. sorry for the debian-changes auto-patch, no idea how that happens. (looks wrong to me too) for oldstable the upload would only target the outstanding ipconfig security issue, see belows debdiff. -- maks diff -Nru klibc-1.5.12/debian/changelog klibc-1.5.12/debian/changelog --- klibc-1.5.12/debian/changelog 2011-06-01 10:33:42.0 +0200 +++ klibc-1.5.12/debian/changelog 2011-06-01 10:33:42.0 +0200 @@ -1,3 +1,9 @@ +klibc (1.5.12-2lenny1) oldstable; urgency=low + + * ipconfig: Escape DHCP options. (CVE-2011-1930) + + -- maximilian attems m...@debian.org Wed, 01 Jun 2011 10:20:28 +0200 + klibc (1.5.12-2) unstable; urgency=medium * Add backport 11_klibc-Default-signal-3-to-bsd_signal-3.patch. diff -Nru klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch --- klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch 1970-01-01 01:00:00.0 +0100 +++ klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch 2011-06-01 10:33:42.0 +0200 
@@ -0,0 +1,97 @@ +From 881498e5141db5bc694522de0622553dc2a6e7bf Mon Sep 17 00:00:00 2001 +From: Maximilian Attems matt...@hep.itp.tuwien.ac.at +Date: Wed, 1 Jun 2011 10:29:01 +0200 +Subject: [PATCH] [klibc] ipconfig: Escape DHCP options written to /tmp/net-$DEVCICE.conf + +DHCP options like domain-name or hostname are written to +/tmp/net-$DEVICE.conf which is typically later used by other scripts to +determine the network configuration. This is done by sourcing the +/tmp/net-$DEVICE.conf file to get all defined variables. + +This patch escapes the DHCP options written to /tmp/net-$DEVICE.conf +to prevent arbitrary code execution. + +Signed-off-by: Ulrich Dangel u...@spamt.net +Reviewed-by: H. Peter Anvin h...@zytor.com +[ trivial backport to 1.5.12 -maks ] +Signed-off-by: maximilian attems m...@stro.at +--- + usr/kinit/ipconfig/main.c | 55 +++- + 1 files changed, 39 insertions(+), 16 deletions(-) + +diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c +index 2ded0f3..3e7f9a7 100644 +--- a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c +@@ -96,6 +96,25 @@ static void configure_device(struct netdev *dev) + dev-hostname, dev-name); + } + ++static void write_option(FILE* f, const char* name, const char* chr) ++{ ++ ++ fprintf(f, %s=', name); ++ while (*chr) { ++ switch (*chr) { ++ case '!': ++ case '\'': ++ fprintf(f, '\\%c', *chr); ++ break; ++ default: ++ fprintf(f, %c, *chr); ++ break; ++ } ++ ++chr; ++ } ++ fprintf(f, '\n); ++} ++ + static void dump_device_config(struct netdev *dev) + { + char fn[40]; +@@ -104,22 +123,26 @@ static void dump_device_config(struct netdev *dev) + snprintf(fn, sizeof(fn), /tmp/net-%s.conf, dev-name); + f = fopen(fn, w); + if (f) { +- fprintf(f, DEVICE=%s\n, dev-name); +- fprintf(f, IPV4ADDR=%s\n, my_inet_ntoa(dev-ip_addr)); +- fprintf(f, IPV4BROADCAST=%s\n, +- my_inet_ntoa(dev-ip_broadcast)); +- fprintf(f, IPV4NETMASK=%s\n, my_inet_ntoa(dev-ip_netmask)); +- fprintf(f, IPV4GATEWAY=%s\n, 
my_inet_ntoa(dev-ip_gateway)); +- fprintf(f, IPV4DNS0=%s\n, +- my_inet_ntoa(dev-ip_nameserver[0])); +- fprintf(f, IPV4DNS1=%s\n, +- my_inet_ntoa(dev-ip_nameserver[1])); +- fprintf(f, HOSTNAME=%s\n, dev-hostname); +- fprintf(f, DNSDOMAIN=%s\n, dev-dnsdomainname); +- fprintf(f, NISDOMAIN=%s\n, dev-nisdomainname); +- fprintf(f, ROOTSERVER=%s\n, my_inet_ntoa(dev-ip_server)); +- fprintf(f, ROOTPATH=%s\n, dev-bootpath); +- fprintf(f, filename=\%s\\n, dev-filename); ++ write_option(f, DEVICE, dev-name); ++ write_option(f, IPV4ADDR, ++ my_inet_ntoa(dev-ip_addr)); ++ write_option(f, IPV4BROADCAST, ++ my_inet_ntoa(dev-ip_broadcast)); ++ write_option(f, IPV4NETMASK, ++ my_inet_ntoa(dev-ip_netmask)); ++ write_option(f, IPV4GATEWAY, ++ my_inet_ntoa(dev-ip_gateway)); ++ write_option(f, IPV4DNS0, ++
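Review bot: write_option() special-cases only '!' and the single quote, so its default branch copies every other byte of a DHCP-supplied string into the file unchanged, newlines and other control characters included. Inside single quotes that is inert when the file is sourced, but a consumer that reads /tmp/net-$DEVICE.conf line by line would treat the remainder as a separate line. Consider dropping or replacing bytes below 0x20 in the default case, and add a comment above the function stating the output format (value wrapped in '...', embedded quote written as '\''), since callers now receive quoted rather than bare values.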
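Review bot: in dump_device_config() the path is still built with snprintf() as /tmp/net-%s.conf and opened with fopen() in write mode, so an entry that already exists under that fixed name, a symlink included, is opened and truncated as is. The escaping change does not depend on it, but a short comment here recording that the file is expected to be written only where /tmp is not writable by other users would make the assumption explicit until the directory becomes configurable. Separately, fixed-format values such as the my_inet_ntoa() results now also pass through write_option(); that is harmless, but it changes every line of the file to the quoted form, which is worth stating in the commit message for anyone parsing rather than sourcing it.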
Re: klibc 1.5.20 stable/oldstable update
On Wed, 2011-06-01 at 10:43 +0200, maximilian attems wrote:
> On Tue, 31 May 2011, Adam D. Barratt wrote:
> > Something very much like that, yes. :-)
> >
> > Please go ahead with the stable upload; thanks. (Ugh at the
> > debian-changes auto-patch, but that's not a regression from the current
> > squeeze package, so never mind.)
>
> thanks, stable klibc-1.5.20-1+squeeze1 uploaded.

and marked for acceptance at the next dinstall.

> for oldstable the upload would only target the outstanding ipconfig
> security issue, see the debdiff below.

That looks fine; please feel free to upload.

Regards,

Adam

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1306956795.15666.390.ca...@hathi.jungle.funky-badger.org
Re: klibc 1.5.20 stable/oldstable update
On Wed, Jun 01, 2011 at 08:33:15PM +0100, Adam D. Barratt wrote:
> On Wed, 2011-06-01 at 10:43 +0200, maximilian attems wrote:
> > thanks, stable klibc-1.5.20-1+squeeze1 uploaded.
>
> and marked for acceptance at the next dinstall.

great!

> > for oldstable the upload would only target the outstanding ipconfig
> > security issue, see the debdiff below.
>
> That looks fine; please feel free to upload.

cool, uploaded 1.5.12-2lenny1.

thank you.

--
maks

Archive: http://lists.debian.org/20110601195346.gb22...@vostochny.stro.at
Re: klibc 1.5.20 stable/oldstable update
On Mon, 2011-05-30 at 17:35 +0200, maximilian attems wrote:
> On Thu, 19 May 2011, Adam D. Barratt wrote:
> > On Wed, 2011-05-18 at 15:41 +, maximilian attems wrote:
> > > * [klibc] ipconfig: comment new escape function
> > >   security fix for CVE-2011-0997 type vulnerability
> > >   corresponding cve requested but not yet given out.
> > >   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
> >
> > As mentioned on oss-sec, it would be nice if this didn't write to a
> > predictable filename. From the stable update point-of-view though, I
> > realise that's not a regression relative to the current lenny / squeeze
> > versions.
>
> It is not of relevance for current pre-init usage, as you don't
> have unprivileged users there, but it will get fixed upstream,
> by making the used dir an optional switch.

Thanks for the update.

> > > * [klibc] ipconfig: Only peek and discard packets from specified device.
> > >   This fixes netbooting on boxes with several connected network dev.
> > >   (the commit is on the largeish size, but got tested together with 1.5.20)
> > >   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c
> > >
> > > concerning oldstable only the first one should be fixed.
> > > ipconfig has deeper troubles there.
> > >
> > > if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 fixes above
> > > for stable and a 1.5.12-3 for oldstable with just the first fix?

[...]

> > I'd appreciate debdiffs for a final check before the uploads, but the
> > above sounds good; thanks.
>
> do you mean the output of debdiff below on the dsc files?
> below is for stable, oldstable will follow once this is acked.

Something very much like that, yes. :-)

Please go ahead with the stable upload; thanks. (Ugh at the
debian-changes auto-patch, but that's not a regression from the current
squeeze package, so never mind.)

Regards,

Adam

Archive: http://lists.debian.org/1306868080.3872.102.ca...@hathi.jungle.funky-badger.org
Re: klibc 1.5.20 stable/oldstable update
On Thu, 19 May 2011, Adam D. Barratt wrote: On Wed, 2011-05-18 at 15:41 +, maximilian attems wrote: * [klibc] ipconfig: comment new escape function security fix for CVE-2011-0997 type vulnerability corresponding cve requested but not yet given out. http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff As mentioned on oss-sec, it would be nice if this didn't write to a predictable filename. From the stable update point-of-view though, I realise that's not a regression relative to the current lenny / squeeze versions. It is not of relevance for current pre-init usage, as you don't have unpriviliged users there, but it will get fixed upstream, by making the used dir an optional switch. * [klibc] ipconfig: Only peek and discard packets from specified device. This fixes netbooting on boxes with several connected network dev. (the commit is on the largeish size, but got tested together with 1.5.20) http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c concerning oldstable only the first one should be fixed. ipconfig has deeper troubles there. if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 aboves fixes for stable and a 1.5.12-3 for oldstable with just the first fix? It's conventional to use e.g. -1+squeeze1, but afaics the above versions have not been previously uploaded to Debian so could be used if you wish. ok cool, used the conventional numbering. I'd appreciate debdiffs for a final check before the uploads, but the above sounds good; thanks. do you mean belows output of debdiff on the dsc files? belows is for stable, oldstable will follow once this is acked. thank you -- maks diff -Nru klibc-1.5.20/debian/changelog klibc-1.5.20/debian/changelog --- klibc-1.5.20/debian/changelog 2010-08-28 13:07:23.0 +0200 +++ klibc-1.5.20/debian/changelog 2011-05-30 17:20:39.0 +0200 
@@ -1,3 +1,10 @@ +klibc (1.5.20-1+squeeze1) stable; urgency=low + + * ipconfig: handle multiple connected network dev. (closes: #621065) + * ipconfig: Escape DHCP options. (CVE-2011-1930) + + -- maximilian attems m...@debian.org Mon, 30 May 2011 17:17:18 +0200 + klibc (1.5.20-1) unstable; urgency=high * New upstream release diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 --- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 2010-08-28 13:09:43.0 +0200 +++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 1970-01-01 01:00:00.0 +0100 
@@ -1,54 +0,0 @@ -Description: Upstream changes introduced in version 1.5.20-1 - This patch has been created by dpkg-source during the package build. - Here's the last changelog entry, hopefully it gives details on why - those changes were made: - . - klibc (1.5.20-1) unstable; urgency=high - . - * New upstream release - - ipconfig: fix infinite loop. (closes: #552554) - - ipconfig: fix multiple dns domains. (closes: #594208) - * klibc-utils.postinst: Nuke non empty dirs too. (closes: #594651) - . - The person named in the Author field signed this changelog entry. -Author: maximilian attems m...@debian.org -Bug-Debian: http://bugs.debian.org/552554 -Bug-Debian: http://bugs.debian.org/594208 -Bug-Debian: http://bugs.debian.org/594651 - -The information above should follow the Patch Tagging Guidelines, please -checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here -are templates for supplementary fields that you might want to add: - -Origin: vendor|upstream|other, url of original patch -Bug: url in upstream bugtracker -Bug-Debian: http://bugs.debian.org/bugnumber -Bug-Ubuntu: https://launchpad.net/bugs/bugnumber -Forwarded: no|not-needed|url proving that it has been forwarded -Reviewed-By: name and email of someone who approved the patch -Last-Update: -MM-DD - /dev/null -+++ klibc-1.5.20/maketar.sh -@@ -0,0 +1,20 @@ -+#!/bin/bash -xe -+# -+# Make a tarball from the current git repository -+# -+ -+[ -z $tmpdir ] tmpdir=/var/tmp -+ -+tmp=$tmpdir/klibc.$$ -+rm -rf $tmp -+cg-export $tmp -+cd $tmp -+make release -+version=`cat usr/klibc/version` -+rm -rf $tmpdir/klibc-$version -+mv $tmp $tmpdir/klibc-$version -+cd .. 
-+rm -f klibc-$version.tar* -+tar cvvf klibc-$version.tar klibc-$version -+gzip -9 klibc-$version.tar -+rm -rf klibc-$version diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 --- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 1970-01-01 01:00:00.0 +0100 +++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 2011-05-30 17:27:42.0 +0200 @@ -0,0 +1,50 @@ +Description: Upstream changes introduced in version 1.5.20-1+squeeze1 + This patch has been created by dpkg-source during the package build. + Here's the last changelog entry, hopefully
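Review bot: the two fixes are delivered inside a dpkg-source generated debian/patches/debian-changes-1.5.20-1+squeeze1 whose header is still the template text, and the debian-changes-1.5.20-1 file removed in the same debdiff shows how such a catch-all patch ended up carrying an unrelated maketar.sh. Splitting this into one named patch per changelog item, as the oldstable upload does with 12_ipconfig-Escape-DHCP-options-written-to-tm.patch, each with an Origin: field pointing at its upstream commit, would let the CVE-2011-1930 change be reviewed and later dropped on its own.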
Re: klibc 1.5.20 stable/oldstable update
On Wed, May 18, 2011 at 03:41:50PM +, maximilian attems wrote:
> 2 commits of klibc 1.5.22 are candidates for stable fixes:
>
> * [klibc] ipconfig: comment new escape function
>   security fix for CVE-2011-0997 type vulnerability
>   corresponding cve requested but not yet given out.
>   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
>
> * [klibc] ipconfig: Only peek and discard packets from specified device.
>   This fixes netbooting on boxes with several connected network dev.
>   (the commit is on the largeish size, but got tested together with 1.5.20)
>   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c
>
> concerning oldstable only the first one should be fixed.
> ipconfig has deeper troubles there.

Please security team could you confirm that the above can be handled
via p-u?

thank you

--
maks

Archive: http://lists.debian.org/20110519144939.gs17...@vostochny.stro.at
Re: klibc 1.5.20 stable/oldstable update
On Thu, 2011-05-19 at 14:49 +, maximilian attems wrote:
> On Wed, May 18, 2011 at 03:41:50PM +, maximilian attems wrote:
> > 2 commits of klibc 1.5.22 are candidates for stable fixes:
> [...]
> Please security team could you confirm that the above can be handled
> via p-u?

Moritz did that, in slrnit8ctu.374@inutil.org.

Regards,

Adam

Archive: http://lists.debian.org/1305829330.3338.26.ca...@hathi.jungle.funky-badger.org
Re: klibc 1.5.20 stable/oldstable update
On Wed, 2011-05-18 at 15:41 +, maximilian attems wrote:
> * [klibc] ipconfig: comment new escape function
>   security fix for CVE-2011-0997 type vulnerability
>   corresponding cve requested but not yet given out.
>   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff

As mentioned on oss-sec, it would be nice if this didn't write to a
predictable filename. From the stable update point-of-view though, I
realise that's not a regression relative to the current lenny / squeeze
versions.

> * [klibc] ipconfig: Only peek and discard packets from specified device.
>   This fixes netbooting on boxes with several connected network dev.
>   (the commit is on the largeish size, but got tested together with 1.5.20)
>   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c
>
> concerning oldstable only the first one should be fixed.
> ipconfig has deeper troubles there.
>
> if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 fixes above
> for stable and a 1.5.12-3 for oldstable with just the first fix?

It's conventional to use e.g. -1+squeeze1, but afaics the above versions
have not been previously uploaded to Debian so could be used if you
wish.

I'd appreciate debdiffs for a final check before the uploads, but the
above sounds good; thanks.

Regards,

Adam

Archive: http://lists.debian.org/1305832031.3338.218.ca...@hathi.jungle.funky-badger.org
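The predictable-filename point raised in the message above, as an added C example (not code from klibc or from anyone in this thread): write the config under a random temporary name in the target directory and rename() it into place, so an entry already sitting at net-$DEVICE.conf is replaced instead of opened. The names write_net_conf and planted_symlink_is_replaced, the directory parameter and the sample contents are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not klibc code): publish <dir>/net-<dev>.conf without
 * ever opening the predictable name for writing. Returns 0 on success. */
int write_net_conf(const char *dir, const char *dev, const char *body)
{
    char tmp[PATH_MAX], dst[PATH_MAX];
    size_t len = strlen(body);
    int fd, ok;

    if (!*dev || strchr(dev, '/'))      /* no path components in the name */
        return -1;
    if (snprintf(dst, sizeof(dst), "%s/net-%s.conf", dir, dev) >= (int)sizeof(dst) ||
        snprintf(tmp, sizeof(tmp), "%s/.net-%s.XXXXXX", dir, dev) >= (int)sizeof(tmp))
        return -1;
    fd = mkstemp(tmp);                  /* exclusive create, random suffix, 0600 */
    if (fd < 0)
        return -1;
    ok = write(fd, body, len) == (ssize_t)len && fchmod(fd, 0644) == 0;
    ok = close(fd) == 0 && ok;
    /* rename() replaces a symlink planted at dst; it never follows it. */
    if (!ok || rename(tmp, dst) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Constructed scenario: dst already exists as a symlink to another file.
 * Returns 1 if that file is untouched and dst is now a regular file. */
int planted_symlink_is_replaced(void)
{
    char dir[] = "/tmp/netconf-demo.XXXXXX", victim[PATH_MAX], dst[PATH_MAX];
    struct stat sv, sd;
    FILE *f;
    int ok;

    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof(victim), "%s/victim", dir);
    snprintf(dst, sizeof(dst), "%s/net-eth0.conf", dir);
    if (!(f = fopen(victim, "w")))
        return 0;
    fputs("untouched", f);              /* 9 bytes */
    fclose(f);
    ok = symlink(victim, dst) == 0 &&
         write_net_conf(dir, "eth0", "DEVICE='eth0'\n") == 0 &&
         stat(victim, &sv) == 0 && sv.st_size == 9 &&
         lstat(dst, &sd) == 0 && S_ISREG(sd.st_mode);
    unlink(dst); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) { return planted_symlink_is_replaced() ? 0 : 1; }
```

The rename also keeps readers from ever seeing a half-written file, which matters once scripts source it.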
klibc 1.5.20 stable/oldstable update
Hello,

2 commits of klibc 1.5.22 are candidates for stable fixes:

* [klibc] ipconfig: comment new escape function
  security fix for CVE-2011-0997 type vulnerability
  corresponding cve requested but not yet given out.
  http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff

* [klibc] ipconfig: Only peek and discard packets from specified device.
  This fixes netbooting on boxes with several connected network dev.
  (the commit is on the largeish size, but got tested together with 1.5.20)
  http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c

concerning oldstable only the first one should be fixed.
ipconfig has deeper troubles there.

if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 fixes above
for stable and a 1.5.12-3 for oldstable with just the first fix?

thanks

--
maks
Re: klibc 1.5.20 stable/oldstable update
On Wed, 2011-05-18 at 15:41 +, maximilian attems wrote:
> 2 commits of klibc 1.5.22 are candidates for stable fixes:
>
> * [klibc] ipconfig: comment new escape function
>   security fix for CVE-2011-0997 type vulnerability
>   corresponding cve requested but not yet given out.
>   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff

Thanks for working on fixing this in stable. Have you confirmed with
the security team that they don't wish to handle this via a DSA as for
CVE-2011-0997 itself?

Regards,

Adam

Archive: http://lists.debian.org/1305750327.3964.779.ca...@hathi.jungle.funky-badger.org
Re: klibc 1.5.20 stable/oldstable update
Adam D. Barratt a...@adam-barratt.org.uk wrote:
> On Wed, 2011-05-18 at 15:41 +, maximilian attems wrote:
> > 2 commits of klibc 1.5.22 are candidates for stable fixes:
> >
> > * [klibc] ipconfig: comment new escape function
> >   security fix for CVE-2011-0997 type vulnerability
> >   corresponding cve requested but not yet given out.
> >   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
>
> Thanks for working on fixing this in stable. Have you confirmed with
> the security team that they don't wish to handle this via a DSA as for
> CVE-2011-0997 itself?

The impact is less severe, please proceed with spu/opsu.

Cheers,
Moritz

Archive: http://lists.debian.org/slrnit8ctu.374@inutil.org
Re: klibc 1.5.20 stable/oldstable update
On Wed, May 18, 2011 at 09:25:27PM +0100, Adam D. Barratt wrote:
> On Wed, 2011-05-18 at 15:41 +, maximilian attems wrote:
> > 2 commits of klibc 1.5.22 are candidates for stable fixes:
> >
> > * [klibc] ipconfig: comment new escape function
> >   security fix for CVE-2011-0997 type vulnerability
> >   corresponding cve requested but not yet given out.
> >   http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
>
> Thanks for working on fixing this in stable. Have you confirmed with
> the security team that they don't wish to handle this via a DSA as for
> CVE-2011-0997 itself?

I had only shortly spoken with dannf when the fix was not yet at hand.
he had pointed out that the maintainer could upload for minor security.

ipconfig in contrast to dhclient is mostly used for netbooting
so rogue dhcpd is only more likely if you mix a live boot system
in the equation.

thank you for reviewing the proposed fixes.

--
maks

ps adding security team on recipient list.

Archive: http://lists.debian.org/20110518205349.gq17...@vostochny.stro.at