Your message dated Sun, 29 May 2005 08:53:56 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#310833: [CAN-2005-1040] local root privilege escalation
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 May 2005 09:55:10 +0000
Date: Thu, 26 May 2005 11:54:39 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [CAN-2005-1040] local root privilege escalation
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="2Z2K0IlrPCVsbNpk"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i


--2Z2K0IlrPCVsbNpk
Content-Type: multipart/mixed; boundary="32u276st3Jlj2kUU"
Content-Disposition: inline


--32u276st3Jlj2kUU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: netapplet
Severity: critical
Tags: security, patch

Hi Matthew!

The changelog does not show any sign that

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1040

is fixed. The CAN entry is pretty empty (just points at the SuSE
security announcement), but they posted a patch to vendor-sec
(attached). Can you please review that?

Thanks,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

--32u276st3Jlj2kUU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="netapplet-security-fix-2.patch"
Content-Transfer-Encoding: quoted-printable

Index: netapplet.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/gnome/netapplet/src/netapplet.c,v
retrieving revision 1.11
diff -u -u -r1.11 netapplet.c
--- netapplet.c 13 Mar 2005 23:39:22 -0000      1.11
+++ netapplet.c 16 Mar 2005 20:50:45 -0000
@@ -91,6 +91,9 @@
=20
 static NetApplet *netapplet;
=20
+static guint update_id =3D 0;
+static gboolean window_shown =3D FALSE;
+
 static void populate_popup_menu (void);
=20
 static void
@@ -599,11 +602,24 @@
                const char *key;
=20
                key =3D gtk_entry_get_text (GTK_ENTRY (entry_key));
+               key =3D verify_string (key);
+               if (!key) {
+                       GtkWidget *error_dialog;
=20
-               netapplet_set_essid (old_essid, key);
-
-               if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON 
(checkbox_keyring)))
+                       error_dialog =3D gtk_message_dialog_new_with_markup (
+                               NULL, 0, GTK_MESSAGE_ERROR, GTK_BUTTONS_OK,
+                               _("<span weight=3D\"bold\" size=3D\"larger\">"
+                                 "Invalid Encryption Key: "
+                                 "</span>\n\n"
+                                 "Key contains illegal characters!"));
+                       gtk_dialog_run (GTK_DIALOG (error_dialog));
+                       gtk_widget_destroy (error_dialog);
+               } else {
+                       netapplet_set_essid (old_essid, key);
+                       if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON
+                                       (checkbox_keyring)))
                        keyring_save (old_essid, key);
+               }
        }
=20
        g_free (old_essid);
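Review bot: the error-dialog block in this hunk (from `error_dialog = gtk_message_dialog_new_with_markup (` through `gtk_widget_destroy (error_dialog);`) is copied twice more in the next hunk with only the message text changing; a small static helper taking the title and body would keep the three copies consistent. It is also worth saying in the changelog that these applet-side checks are user feedback rather than the security boundary: the netdaemon.c hunks run verify_string() on the same values again, and that is where input from an untrusted client has to be stopped.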
@@ -711,12 +727,43 @@
                essid =3D gtk_entry_get_text (GTK_ENTRY (entry_essid));
                key =3D gtk_entry_get_text (GTK_ENTRY (entry_key));
=20
-               if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON 
(checkbox_keyring)))
-                       keyring_save (essid, key);
+               essid =3D verify_string (essid);
+               if (!essid || *essid =3D=3D '\0') {
+                       GtkWidget *error_dialog;
+
+                       error_dialog =3D gtk_message_dialog_new_with_markup (
+                               NULL, 0, GTK_MESSAGE_ERROR, GTK_BUTTONS_OK,
+                               _("<span weight=3D\"bold\" size=3D\"larger\">"
+                                 "Invalid ESSID: "
+                                 "</span>\n\n"
+                                 "ESSID is blank or "
+                                 "contains illegal characters!"));
+                       gtk_dialog_run (GTK_DIALOG (error_dialog));
+                       gtk_widget_destroy (error_dialog);
+                       goto out;
+               }
=20
+               key =3D verify_string (key);
+               if (!key) {
+                       GtkWidget *error_dialog;
+
+                       error_dialog =3D gtk_message_dialog_new_with_markup (
+                               NULL, 0, GTK_MESSAGE_ERROR, GTK_BUTTONS_OK,
+                               _("<span weight=3D\"bold\" size=3D\"larger\">"
+                               "Invalid Encryption Key:</span>\n\n"
+                               "Key contains illegal characters!"));
+                       gtk_dialog_run (GTK_DIALOG (error_dialog));
+                       gtk_widget_destroy (error_dialog);
+                       goto out;
+               }
+
+               if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON
+                                       (checkbox_keyring)))
+                       keyring_save (essid, key);
                netapplet_set_essid (essid, key);
        }
=20
+out:
        gtk_widget_destroy (dialog);
        g_object_unref (xml);
 }
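Review bot: the two `goto out` paths land before `gtk_widget_destroy (dialog)` and `g_object_unref (xml)`, so nothing leaks on rejection, which is correct. However this hunk rejects a blank ESSID (`!essid || *essid == '\0'`) while verify_string() in netcommon.c deliberately passes an empty string through, so netdaemon_do_change_essid() will still accept an empty ESSID from any other client. If blank is invalid, that check belongs in verify_string() or in the daemon rather than only in the dialog handler.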
@@ -735,9 +782,6 @@
        return label;
 }
=20
-static guint update_id =3D 0;
-static gboolean window_shown =3D FALSE;
-
 static gboolean
 update_info(GladeXML *xml)
 {
@@ -1255,11 +1299,12 @@
        *push_in =3D TRUE;
 }
=20
-
 static void
 active_scan_on (void)
 {
        netapplet->active_scanning =3D TRUE;
+       if (!netapplet->active)
+               return;
        if (g_str_has_prefix (netapplet->active->interface, "ath")) {
                netapplet_get_accesspoints (netapplet->active->interface);
                netapplet_get_wireless (netapplet->active->interface);
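Review bot: the `if (!netapplet->active) return;` guard in active_scan_on() fixes a NULL dereference that is unrelated to CAN-2005-1040; mention it separately in the changelog so a backport that cherry-picks only the injection fix does not silently drop it.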
Index: netcommon.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/gnome/netapplet/src/netcommon.c,v
retrieving revision 1.3
diff -u -u -r1.3 netcommon.c
--- netcommon.c 4 Oct 2004 18:34:20 -0000       1.3
+++ netcommon.c 16 Mar 2005 20:50:45 -0000
@@ -22,6 +22,26 @@
 # define dbg(fmt,arg...) do { } while(0)
 #endif
=20
+/*
+ * Check general strings for sanity.  Used for ESSID's and keys.  We allow
+ * spaces and alphanumerics, nothing else.
+ */
+const char *
+verify_string (const char *str)
+{
+       const char *s =3D str;
+
+       if (!str || *s =3D=3D '\0')
+               return str;
+
+       do {
+               if (!g_ascii_isalnum (*s) && *s !=3D ' ')
+                               return NULL;
+       } while (*++s !=3D '\0');
+
+       return str;
+}
+
 static GIOStatus
 netcommon_write_chars_all (GIOChannel *channel, const char *buf,
                           gssize count, GError **err)
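Review bot: the whitelist in verify_string() (`g_ascii_isalnum` or a space) is a safe default for strings that end up in shell scripts, but it rejects characters that are legal and common in real ESSIDs such as `-`, `_` and `.`, so expect user reports once this lands; document the restriction in the comment. There is also no length bound, and the 32-byte IW_ESSID_MAX_SIZE already used in netdaemon.c would be a natural cap here. Note too that the early `return str` on NULL input means a NULL result stands both for "NULL was passed" and "illegal character found"; the daemon callers rely on that, so say so in the comment.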
Index: netcommon.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/gnome/netapplet/src/netcommon.h,v
retrieving revision 1.2
diff -u -u -r1.2 netcommon.h
--- netcommon.h 4 Oct 2004 18:26:15 -0000       1.2
+++ netcommon.h 16 Mar 2005 20:50:45 -0000
@@ -12,6 +12,8 @@
=20
 #define CLIPBOARD_NAME         "NETAPPLET_SELECTION"
=20
+const char * verify_string (const char *str);
+
 void netcommon_send_message (GIOChannel *channel,
                             const char *command,
                             ...);
Index: netdaemon.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/gnome/netapplet/src/netdaemon.c,v
retrieving revision 1.7
diff -u -u -r1.7 netdaemon.c
--- netdaemon.c 7 Mar 2005 16:30:44 -0000       1.7
+++ netdaemon.c 16 Mar 2005 20:50:45 -0000
@@ -433,6 +433,30 @@
 }
 #endif
=20
+/*
+ * Sanitize the interface.  We cannot trust the networking shell
+ * scripts, which have escaping problems out the wazoo.
+ */
+static const char *
+verify_interface (const char *interface)
+{
+       GSList *iface_list, *iter;
+
+       if (!interface)
+               return NULL;
+
+       iface_list =3D get_interfaces ();
+       if (!iface_list)
+               return NULL;
+
+       for (iter =3D iface_list; iter !=3D NULL; iter =3D iter->next) {
+               if (strcmp (iter->data, interface) =3D=3D 0)
+                       return interface;
+       }
+
+       return NULL;
+}
+
 static void
 netdaemon_disconnect_all (void)
 {
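Review bot: verify_interface() never frees the list returned by get_interfaces(); if that function allocates a fresh GSList (and strings) on each call, every validated daemon request leaks them, and this function is now called on the change_active, get_accesspoints, change_essid and get_wireless paths. Either free the list before returning or cache the interface list. Returning the caller's `interface` pointer rather than `iter->data` is fine, since the two have just been compared byte for byte with strcmp().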
@@ -462,7 +486,11 @@
 static void
 netdaemon_do_change_active (GIOChannel *channel G_GNUC_UNUSED, char **args)
 {
-       if (!args[1])
+       const char *interface;
+
+       /* Is this interface valid ? */
+       interface =3D verify_interface (args[1]);
+       if (!interface)
                return;
=20
        /*
@@ -477,14 +505,15 @@
         * a static IP from sharing earlier, reset it to Managed mode with
         * a dynamic IP now.
         */
-       if (! strcmp (get_network_type (args[1]), TYPE_WIRELESS))
-               modify_interface_config (args[1], "dhcp", NULL, NULL, 
"Managed", NULL, N=
ULL);
+       if (!strcmp (get_network_type (interface), TYPE_WIRELESS))
+               modify_interface_config (interface, "dhcp", NULL, NULL,
+                                        "Managed", NULL, NULL);
=20
        /* Bring the interface up */
-       if (ifup (args[1])) {
-               netcommon_send_message (channel, "active", args[1], NULL);
+       if (ifup (interface)) {
+               netcommon_send_message (channel, "active", interface, NULL);
                g_free (active_iface);
-               active_iface =3D g_strdup (args[1]);
+               active_iface =3D g_strdup (interface);
        }
=20
        /*=20
@@ -511,7 +540,7 @@
                const char *type;
=20
                if (active_iface !=3D NULL &&
-                   strcmp (active_iface, interface) =3D=3D 0)
+                               strcmp (active_iface, interface) =3D=3D 0)
                        found_active =3D TRUE;
=20
                type =3D get_network_type (interface);
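Review bot: this hunk only re-indents the `strcmp (active_iface, interface) == 0` continuation line; drop it from a security fix so the patch stays minimal and applies cleanly to the stable branch.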
@@ -884,10 +913,14 @@
 static void
 netdaemon_do_get_accesspoints (GIOChannel *channel, char **args)
 {
-       const char *interface =3D args[1];
+       const char *interface;
        struct iwreq wrq;
        int fd;
=20
+       interface =3D verify_interface (args[1]);
+       if (!interface)
+               return;
+
        fd =3D iw_sockets_open ();
        if (fd < 0)
                return;
@@ -993,20 +1026,32 @@
 static void
 netdaemon_do_change_essid (GIOChannel *channel, char **args)
 {
-       if (modify_interface_config (args[1],
-                                    "dhcp", /* bootproto */
-                                    NULL, /* ip address */
-                                    NULL, /* netmask */
-                                    "Managed", /* Wireless mode */
-                                    args[2], /* essid */
-                                    args[3]))  /* key */
+       const char *interface, *essid, *key;
+
+       interface =3D verify_interface (args[1]);
+       if (!interface)
+               return;
+       essid =3D verify_string (args[2]);
+       if (!essid)
+               return;
+       key =3D verify_string (args[3]);
+       if (!key)
+               return;
+
+       if (modify_interface_config (interface, /* interface */
+                                    "dhcp",    /* bootproto */
+                                    NULL,      /* ip address */
+                                    NULL,      /* netmask */
+                                    "Managed", /* Wireless mode */
+                                    essid,     /* essid */
+                                    key))      /* key */
                netdaemon_do_change_active (channel, args);
 }
=20
 static void
 netdaemon_do_get_wireless (GIOChannel *channel, char **args)
 {
-       const char *interface =3D args[1];
+       const char *interface;
        int skfd;
        struct iwreq wrq;
        char essid[IW_ESSID_MAX_SIZE + 1];
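Review bot: `key = verify_string (args[3]); if (!key) return;` changes behaviour when the client sends no key argument at all: verify_string() returns its NULL input unchanged, so a change_essid message for an open network with a missing third argument is now dropped silently, whereas before NULL reached modify_interface_config() as "no key". If the applet always sends a (possibly empty) key this is harmless, but confirm it or relax the check to `if (args[3] && !key)`. The trailing call to `netdaemon_do_change_active (channel, args)` re-validates args[1] via verify_interface(); harmless, but a comment noting the double check would help the next reader.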
@@ -1015,6 +1060,10 @@
        char *escaped_essid, *msg;
        float quality;
=20
+       interface =3D verify_interface (args[1]);
+       if (!interface)
+               return;
+
        skfd =3D iw_sockets_open ();
        if (skfd < 0)
                return;

--32u276st3Jlj2kUU--


---------------------------------------
Received: (at 310833-done) by bugs.debian.org; 29 May 2005 07:54:09 +0000
Date: Sun, 29 May 2005 08:53:56 +0100
From: Matthew Garrett <[EMAIL PROTECTED]>
To: Martin Pitt <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#310833: [CAN-2005-1040] local root privilege escalation
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040907i

I've checked the code and confirmed this - under Suse, the essid is 
passed to a network configuration shell script. Under Debian, it's 
passed to g_spawn_sync() as a single argument, so shell metacharacters 
aren't an issue. rml (upstream) confirms this.

-- 
Matthew Garrett | [EMAIL PROTECTED]
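The argument-vector handling Matthew describes, as an added example that is not part of this bug report or of netapplet's code: essid_ok() applies the patch's alphanumeric-plus-space policy (with a length cap assumed at the 32-byte IW_ESSID_MAX_SIZE the daemon already uses), and run_with_argv() hands the string to a child as one argv element using plain fork/execv in place of g_spawn_sync(), with /bin/echo standing in for the real helper so the bytes the child actually received can be checked. Function names and the sample ESSID are constructed for this example.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Policy mirroring the patch's verify_string(): alphanumerics and spaces only,
   plus an assumed upper bound at the 32-byte 802.11 ESSID limit (IW_ESSID_MAX_SIZE). */
static int essid_ok(const char *essid)
{
    size_t len = essid ? strlen(essid) : 0;
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)essid[i];
        if (!isalnum(c) && c != ' ')
            return 0;
    }
    return 1;
}

/* Hand the ESSID to a helper as ONE argv element, no shell in between. fork/execv
   stands in for GLib's g_spawn_sync and /bin/echo for the real helper; the child's
   stdout is captured into out. Returns the child's exit status, or -1 on failure. */
static int run_with_argv(const char *essid, char *out, size_t outlen)
{
    int fds[2], status;
    pid_t pid; ssize_t r; size_t len = 0;
    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                         /* child: stdout -> pipe, then exec */
        char *const argv[] = { (char *)"echo", (char *)essid, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv("/bin/echo", argv);           /* argv[1] is passed verbatim */
        _exit(127);
    }
    close(fds[1]);                          /* parent: drain the pipe */
    while (len + 1 < outlen && (r = read(fds[0], out + len, outlen - 1 - len)) > 0)
        len += (size_t)r;
    out[len] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (len > 0 && out[len - 1] == '\n')    /* drop the newline echo appends */
        out[len - 1] = '\0';
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if the child saw exactly the bytes passed, i.e. no expansion took place. */
static int argv_preserves(const char *essid)
{
    char got[256];
    return run_with_argv(essid, got, sizeof got) == 0 && strcmp(got, essid) == 0;
}
```

A string like "guest $HOME & more" fails essid_ok() under the patch's whitelist, yet argv_preserves() shows it reaches the child untouched, which is the property Matthew relies on for the Debian build.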

