On Sun, Feb 18, 2007 at 09:34:49PM +1100, Paul Szabo wrote:
> Dear Security team,
>
> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
>
Hi all,
I already asked this, but it wasn't considered important by the sec team.
I'm attaching my previous mail.
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| on GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
--- Begin Message ---
On Wed, Nov 22, 2006 at 12:05:34PM +0100, Moritz Muehlenhoff wrote:
> Alberto Gonzalez Iniesta wrote:
> > I just noticed that the package was updated two days ago. I hope I can
> > have a new one today. Or would it be faster if the Sec. Team just applies
> > the changed mention in my mail?
> >
> > Sorry for this.
>
> If you can upload a fixed package today, go ahead. I don't think this will ever
> be triggered in practice, though. The intersection of people running 2.6
> kernels with nproc resource limits in their PAM config and people running
> legacy netkit ftpds is most definitely empty.
Hi Moritz, the problem with the previous bug was that 2.6 kernels DO
set process limits, whether we want them or not. And the ftpd
package installs a pam.d configuration file with this line:
session required pam_limits.so
So I guess the problem was indeed there and possible to exploit.
Anyway, the patch we (and Gentoo) used introduced a new, easier to
exploit, bug. The ftpd server is running commands with EGID 'root'
instead of the user's one.
And as you know, this is not kernel or local configuration dependent.
I've just uploaded a fixed version to Sid.
Please find attached the diff file for linux-ftpd_0.17-20sarge3. With
the following differences from linux-ftpd_0.17-20sarge2:
---- CUT ------ CUT ------
diff -u linux-ftpd-0.17/ftpd/popen.c linux-ftpd-0.17/ftpd/popen.c
--- linux-ftpd-0.17/ftpd/popen.c
+++ linux-ftpd-0.17/ftpd/popen.c
@@ -174,7 +174,7 @@
* PSz 25 Aug 06 Must check the return status of these setgid/setuid calls,
* see http://www.bress.net/blog/archives/34-setuid-madness.html
*/
- if ( setgid(geteuid()) != 0 ) _exit(1);
+ if ( setgid(getegid()) != 0 ) _exit(1);
if ( setuid(i) != 0 ) _exit(1);
#ifndef __linux__
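Review bot: the corrected line drops the child's group to getegid() rather than to the numeric value of the effective UID, which is what made the sarge2 build run commands with group root (setgid(geteuid()) with an effective UID of 0 selects GID 0). The gap still visible in this hunk is supplementary groups: setgid() and setuid() leave the supplementary group list untouched, and nothing here calls setgroups() or initgroups() before them, so any groups the daemon inherited stay with the spawned command; adding `if ( setgroups(1, &gid) != 0 ) _exit(1);` ahead of the setgid() call (it has to run while the process is still privileged) would complete the drop. Since `i` is passed in for the uid only, passing the target gid alongside it instead of reading it back with getegid() would also make the drop independent of whatever the effective GID happens to be when popen() is reached.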
--- linux-ftpd-0.17/debian/changelog
+++ linux-ftpd-0.17/debian/changelog
@@ -1,3 +1,13 @@
+linux-ftpd (0.17-20sarge3) stable-security; urgency=high
+
+ * Sarge security release.
+ * Corrected typo in patch used in previous upload that
+ made the server run some commands with EGID 'root'.
+ Thanks to Matt Power (for finding out) and
+ Stefan Cornelius from Gentoo (for warning me).
+
+ -- Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> Sat, 25 Nov 2006 19:38:59
+0100
+
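Review bot: the trailer of the new changelog entry is split across two lines, with the `+0100` zone on its own `+` line; if that is in the file rather than a mail wrap, dpkg-parsechangelog will reject the entry, so confirm the maintainer line is a single line ending `19:38:59 +0100`. The entry also never names the bug it corrects; citing #384454 / DSA-1217 (the references used in this thread) in the bullet would let the tracker link the sarge3 upload to the earlier fix it amends.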
---- CUT ------ CUT ------
Regards,
Alberto
linux-ftpd_0.17-20sarge3.diff.gz
Description: Binary data
signature.asc
Description: Digital signature
--- End Message ---
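The privilege drop the corrected popen.c line relies on, written out with the checks a reviewer would ask for, as an added example that is not code from linux-ftpd or from this thread. It assumes only POSIX plus setgroups(); the name drop_privileges and the verification steps are mine.

```c
/* Added example (not linux-ftpd code): an irreversible (uid, gid) drop
 * with the checks the popen.c patch above depends on. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure (errno set). Order matters:
 * groups, then gid, then uid; after the uid drop the earlier calls
 * could no longer succeed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgid()/setuid() leave supplementary groups untouched, so clear
     * them while still privileged (only root may call setgroups). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* The sarge2 bug was setgid(geteuid()): a UID value reused as a gid,
     * which is group 0 when the effective UID is root. The gid must be
     * the user's group, never something derived from a uid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Checking return codes is not enough: confirm every id changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* For an unprivileged target, root must be unrecoverable. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo target: the caller's own ids, so this runs unprivileged;
     * a daemon would pass the logged-in user's uid and primary gid. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```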