Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi

Please unblock package s-nail

The upload to unstable with a new upstream version (but only containing the changes to fix this issue) addresses #852934, a local root privilege escalation. Details were posted at http://www.openwall.com/lists/oss-security/2017/01/27/7

> s-nail (14.8.16-1) unstable; urgency=medium
>
>   * New upstream version 14.8.16
>     - Fixes local root privilege escalation (Closes: #852934)
>
>  -- Hilko Bengen <ben...@debian.org>  Sat, 28 Jan 2017 12:32:17 +0100

I'm attaching the debdiff from the current version in unstable. The previous version should have migrated to testing in time before the release. But I can as well attach the debdiff to that version if needed.

unblock s-nail/14.8.16-1

Regards,
Salvatore
diff -Nru s-nail-14.8.15/debian/changelog s-nail-14.8.16/debian/changelog --- s-nail-14.8.15/debian/changelog 2017-01-19 16:40:01.000000000 +0100 +++ s-nail-14.8.16/debian/changelog 2017-01-28 12:32:17.000000000 +0100 @@ -1,3 +1,10 @@ +s-nail (14.8.16-1) unstable; urgency=medium + + * New upstream version 14.8.16 + - Fixes local root privilege escalation (Closes: #852934) + + -- Hilko Bengen <ben...@debian.org> Sat, 28 Jan 2017 12:32:17 +0100 + s-nail (14.8.15-1) unstable; urgency=medium * New upstream version 14.8.15 diff -Nru s-nail-14.8.15/nail.1 s-nail-14.8.16/nail.1 --- s-nail-14.8.15/nail.1 2017-01-17 15:38:05.000000000 +0100 +++ s-nail-14.8.16/nail.1 2017-01-27 21:33:45.000000000 +0100 @@ -34,9 +34,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\"@ S-nail(1): v14.8.15 / 2017-01-17 -.Dd Jan 17, 2017 -.ds VV \\%v14.8.15 +.\"@ S-nail(1): v14.8.16 / 2017-01-27 +.Dd Jan 27, 2017 +.ds VV \\%v14.8.16 .\"--MKMAN-START-- .ds UU \\%S-NAIL .ds UA \\%S-nail diff -Nru s-nail-14.8.15/nail.rc s-nail-14.8.16/nail.rc --- s-nail-14.8.15/nail.rc 2017-01-17 15:38:05.000000000 +0100 +++ s-nail-14.8.16/nail.rc 2017-01-27 21:33:45.000000000 +0100 @@ -1,7 +1,7 @@ #--MKRC-START-- # /etc/s-nail.rc - configuration file for S-nail(1) #--MKRC-END-- -#@ S-nail(1): v14.8.15 / 2017-01-17 +#@ S-nail(1): v14.8.16 / 2017-01-27 ## The standard POSIX 2008/Cor 1-2013 mandates the following initial settings: # (Keep in sync: ./main.c:_startup(), ./nail.rc, ./nail.1:"Initial settings"!) diff -Nru s-nail-14.8.15/NEWS s-nail-14.8.16/NEWS --- s-nail-14.8.15/NEWS 2017-01-17 15:38:05.000000000 +0100 +++ s-nail-14.8.16/NEWS 2017-01-27 21:33:45.000000000 +0100 
@@ -1,6 +1,28 @@ S - n a i l N e w s ==================== +v14.8.16 ("Copris lunaris"), 2017-01-27 +--------------------------------------- + +Fixes an at least theoretical security vulnerability of the +privilege-separated child, which does not strip path separators +from arguments. + +It thus can be forced (by a local attacker) to create an exclusive +file for a very short time -- if that happens to be in a PolicyKit +directory, and if the supervising program is capable to inject +some PolicyKit directives, and if PolicyKit reads those directives +before the file is unlink(2)ed again (after an fchown(2) followed +by link(2)), then the written directives could force PolicyKit to +do bad things. + +Anyway inotifyd hooks could be triggered when they shouldn't. +Sorry. + +Thanks to wapiflapi for reporting this issue! + +We welcome wapiflapi in THANKS! + v14.8.15 ("Scarabaeus sacer"), 2017-01-17 ----------------------------------------- diff -Nru s-nail-14.8.15/privsep.c s-nail-14.8.16/privsep.c --- s-nail-14.8.15/privsep.c 2017-01-17 15:38:05.000000000 +0100 +++ s-nail-14.8.16/privsep.c 2017-01-27 21:33:45.000000000 +0100 @@ -44,6 +44,7 @@ int main(int argc, char **argv) { + char hostbuf[64]; struct dotlock_info di; struct stat stb; sigset_t nset, oset; @@ -58,6 +59,7 @@ strcmp(argv[ 4], "name") || strcmp(argv[ 6], "hostname") || strcmp(argv[ 8], "randstr") || + strchr(argv[ 9], '/') != NULL /* Seal path injection vector */ || strcmp(argv[10], "pollmsecs") || fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) || fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)) { 
@@ -70,6 +72,21 @@ " fewest lines of code in order to reduce attack surface.\n" " It cannot be run by itself.\n"); exit(EXIT_USE); + }else{ + /* Prevent one more path injection attack vector, but be friendly */ + char const *ccp; + size_t i; + char *cp, c; + + for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){ + *cp = (c == '/' ? '_' : c); + if(++i == sizeof(hostbuf) -1) + break; + } + *cp = '\0'; + if(cp == hostbuf) + goto jeuse; + argv[7] = hostbuf; } di.di_file_name = argv[3]; diff -Nru s-nail-14.8.15/THANKS s-nail-14.8.16/THANKS --- s-nail-14.8.15/THANKS 2017-01-17 15:38:05.000000000 +0100 +++ s-nail-14.8.16/THANKS 2017-01-27 21:33:45.000000000 +0100 @@ -55,6 +55,7 @@ Tim trondd at kagu-tsuchi dot com Gavin Troy gavtroy at fastmail dot fm Paul Vojta vojta at math dot berkeley dot edu +wapiflapi wapiflapi at yahoo dot fr William Yodlowsky william at OpenBSD dot org Ypnose ypnx at mailoo dot org diff -Nru s-nail-14.8.15/version.h s-nail-14.8.16/version.h --- s-nail-14.8.15/version.h 2017-01-17 15:38:05.000000000 +0100 +++ s-nail-14.8.16/version.h 2017-01-27 21:33:45.000000000 +0100 @@ -1,4 +1,4 @@ -#define VERSION "v14.8.15" +#define VERSION "v14.8.16" #define VERSION_MAJOR "14" #define VERSION_MINOR "8" -#define VERSION_UPDATE "15" +#define VERSION_UPDATE "16"
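Review bot: in the NEWS hunk, the entry calls this "an at least theoretical security vulnerability", while the debian/changelog hunk in the same debdiff says "Fixes local root privilege escalation"; since NEWS is what users read to decide whether an update is urgent, the two descriptions should agree on the impact (either qualify the changelog wording or drop "at least theoretical" from NEWS).

Review bot: in the first privsep.c hunk, the added `strchr(argv[ 9], '/') != NULL /* Seal path injection vector */ ||` is folded into the existing usage-error chain, so a randstr operand containing a slash produces the same generic "It cannot be run by itself." message as a malformed keyword list; a distinct error text would make the rejection diagnosable, and the comment should name the operand it guards (argv[9] is the value following the "randstr" keyword at argv[8]) so the reason for the check survives future reordering of the argument list.

Review bot: in the second privsep.c hunk, the copy loop drops its last stored character on truncation: `if(++i == sizeof(hostbuf) -1) break;` exits before the for header's `++cp` runs, so the following `*cp = '\0';` overwrites the byte just written at hostbuf[62], and hostnames of 63 or more characters are silently cut to 62. There is no overflow (hostbuf has 64 bytes), but the truncation is silent, so the name the child derives from argv[7] can differ from what the supervising program passed; either measure strlen(argv[7]) up front and take the usage path when it exceeds sizeof(hostbuf) - 1, or document the truncation in the "be friendly" comment. The empty-hostname check `if(cp == hostbuf) goto jeuse;` relies on a label that is not visible in this hunk; confirm it is the same usage path the argv[9] slash check above reaches, so both path-injection cases are handled the same way.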