Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi

Please unblock package s-nail

The upload to unstable with a new upstream version (but only
containing the changes to fix this issue) addresses #852934, a local
root privilege escalation.

Details were posted at
http://www.openwall.com/lists/oss-security/2017/01/27/7

>s-nail (14.8.16-1) unstable; urgency=medium
>
>  * New upstream version 14.8.16
>    - Fixes local root privilege escalation (Closes: #852934)
>
> -- Hilko Bengen <ben...@debian.org>  Sat, 28 Jan 2017 12:32:17 +0100

I'm attaching the debdiff from the current version in unstable. The
previous version should have migrated to testing in time before the
release. But I can as well attach the debdiff to that version if
needed.

unblock s-nail/14.8.16-1

Regards,
Salvatore
diff -Nru s-nail-14.8.15/debian/changelog s-nail-14.8.16/debian/changelog
--- s-nail-14.8.15/debian/changelog     2017-01-19 16:40:01.000000000 +0100
+++ s-nail-14.8.16/debian/changelog     2017-01-28 12:32:17.000000000 +0100
@@ -1,3 +1,10 @@
+s-nail (14.8.16-1) unstable; urgency=medium
+
+  * New upstream version 14.8.16
+    - Fixes local root privilege escalation (Closes: #852934)
+
+ -- Hilko Bengen <ben...@debian.org>  Sat, 28 Jan 2017 12:32:17 +0100
+
 s-nail (14.8.15-1) unstable; urgency=medium
 
   * New upstream version 14.8.15
diff -Nru s-nail-14.8.15/nail.1 s-nail-14.8.16/nail.1
--- s-nail-14.8.15/nail.1       2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/nail.1       2017-01-27 21:33:45.000000000 +0100
@@ -34,9 +34,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"@ S-nail(1): v14.8.15 / 2017-01-17
-.Dd Jan 17, 2017
-.ds VV \\%v14.8.15
+.\"@ S-nail(1): v14.8.16 / 2017-01-27
+.Dd Jan 27, 2017
+.ds VV \\%v14.8.16
 .\"--MKMAN-START--
 .ds UU \\%S-NAIL
 .ds UA \\%S-nail
diff -Nru s-nail-14.8.15/nail.rc s-nail-14.8.16/nail.rc
--- s-nail-14.8.15/nail.rc      2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/nail.rc      2017-01-27 21:33:45.000000000 +0100
@@ -1,7 +1,7 @@
 #--MKRC-START--
 # /etc/s-nail.rc - configuration file for S-nail(1)
 #--MKRC-END--
-#@ S-nail(1): v14.8.15 / 2017-01-17
+#@ S-nail(1): v14.8.16 / 2017-01-27
 
 ## The standard POSIX 2008/Cor 1-2013 mandates the following initial settings:
 # (Keep in sync: ./main.c:_startup(), ./nail.rc, ./nail.1:"Initial settings"!)
diff -Nru s-nail-14.8.15/NEWS s-nail-14.8.16/NEWS
--- s-nail-14.8.15/NEWS 2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/NEWS 2017-01-27 21:33:45.000000000 +0100
@@ -1,6 +1,28 @@
 S - n a i l  N e w s
 ====================
 
+v14.8.16 ("Copris lunaris"), 2017-01-27
+---------------------------------------
+
+Fixes an at least theoretical security vulnerability of the
+privilege-separated child, which does not strip path separators
+from arguments.
+
+It thus can be forced (by a local attacker) to create an exclusive
+file for a very short time -- if that happens to be in a PolicyKit
+directory, and if the supervising program is capable to inject
+some PolicyKit directives, and if PolicyKit reads those directives
+before the file is unlink(2)ed again (after an fchown(2) followed
+by link(2)), then the written directives could force PolicyKit to
+do bad things.
+
+Anyway inotifyd hooks could be triggered when they shouldn't.
+Sorry.
+
+Thanks to wapiflapi for reporting this issue!
+
+We welcome wapiflapi in THANKS!
+
 v14.8.15 ("Scarabaeus sacer"), 2017-01-17
 -----------------------------------------
 
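Review bot: the NEWS entry says the privilege-separated child "does not strip path separators from arguments" but does not say which arguments are affected or what the new behaviour is; since the rest of this patch treats the two cases differently (a '/' in the randstr argument is now rejected outright, while a '/' in the hostname argument is replaced by '_'), consider naming both arguments and the reject-vs-replace distinction here so that packagers and users can tell which callers are affected.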
diff -Nru s-nail-14.8.15/privsep.c s-nail-14.8.16/privsep.c
--- s-nail-14.8.15/privsep.c    2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/privsep.c    2017-01-27 21:33:45.000000000 +0100
@@ -44,6 +44,7 @@
 int
 main(int argc, char **argv)
 {
+   char hostbuf[64];
    struct dotlock_info di;
    struct stat stb;
    sigset_t nset, oset;
@@ -58,6 +59,7 @@
          strcmp(argv[ 4], "name") ||
          strcmp(argv[ 6], "hostname") ||
          strcmp(argv[ 8], "randstr") ||
+         strchr(argv[ 9], '/') != NULL /* Seal path injection vector */ ||
          strcmp(argv[10], "pollmsecs") ||
          fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) ||
          fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)) {
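Review bot: `strchr(argv[ 9], '/') != NULL` correctly rejects any slash in the randstr value, but the `/* Seal path injection vector */` comment is wedged inside a multi-line `||` chain where it is easy to misread as part of the next operand; move it onto its own line above the condition, and consider stating there why this argument is rejected while the hostname argument is sanitised instead, since the two policies are otherwise only distinguishable by reading the else branch.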
@@ -70,6 +72,21 @@
          "  fewest lines of code in order to reduce attack surface.\n"
          "  It cannot be run by itself.\n");
       exit(EXIT_USE);
+   }else{
+      /* Prevent one more path injection attack vector, but be friendly */
+      char const *ccp;
+      size_t i;
+      char *cp, c;
+
+      for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){
+         *cp = (c == '/' ? '_' : c);
+         if(++i == sizeof(hostbuf) -1)
+            break;
+      }
+      *cp = '\0';
+      if(cp == hostbuf)
+         goto jeuse;
+      argv[7] = hostbuf;
    }
 
    di.di_file_name = argv[3];
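Review bot: the truncation in the copy loop is off by one: `if(++i == sizeof(hostbuf) -1) break;` leaves the loop before the `++cp` increment, so `*cp = '\0';` overwrites the 63rd character that was just written and a hostname of 63 or more bytes is cut to 62. It is memory-safe (no write past `hostbuf[63]`), but if the intent is to keep `sizeof(hostbuf) - 1` characters, either increment `cp` before breaking or test `i` before the store. Two smaller points: `goto jeuse;` targets a label that is not in the visible context, so please confirm it lands on the usage/`exit(EXIT_USE)` path shown above rather than past it; and the truncation is silent, so a comment noting that the shortened hostname only feeds the lock-file name (and is therefore harmless) would save the next reader from wondering whether a mismatch with the supervisor's view of the hostname matters.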
diff -Nru s-nail-14.8.15/THANKS s-nail-14.8.16/THANKS
--- s-nail-14.8.15/THANKS       2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/THANKS       2017-01-27 21:33:45.000000000 +0100
@@ -55,6 +55,7 @@
 Tim                       trondd at kagu-tsuchi dot com
 Gavin Troy                gavtroy at fastmail dot fm
 Paul Vojta                vojta at math dot berkeley dot edu
+wapiflapi                 wapiflapi at yahoo dot fr
 William Yodlowsky         william at OpenBSD dot org
 Ypnose                    ypnx at mailoo dot org
 
diff -Nru s-nail-14.8.15/version.h s-nail-14.8.16/version.h
--- s-nail-14.8.15/version.h    2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/version.h    2017-01-27 21:33:45.000000000 +0100
@@ -1,4 +1,4 @@
-#define VERSION "v14.8.15"
+#define VERSION "v14.8.16"
 #define VERSION_MAJOR "14"
 #define VERSION_MINOR "8"
-#define VERSION_UPDATE "15"
+#define VERSION_UPDATE "16"
