Your message dated Sat, 25 Sep 2010 15:32:18 +0000
with message-id <e1ozwja-0004o0...@franck.debian.org>
and subject line Bug#597382: fixed in mingetty 1.07-3
has caused the Debian Bug report #597382,
regarding unsafe chroot() call
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
597382: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597382
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mingetty
Version: 1.07-1
Severity: critical
Tags: security patch

Hi,

mingetty doesn't change current directory after chroot() call.
It allows an attacker to call chdir("../") many times and get root directory.
Also chdir(), chroot() and nice() are not checked for error return values.
It allows an attacker to avoid local policy restriction in some cases.


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid-backports'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-25-generic (SMP w/2 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mingetty depends on:
ii  libc6                  2.11.1-0ubuntu7.3 Embedded GNU C Library: Shared lib

mingetty recommends no packages.

mingetty suggests no packages.

-- no debconf information
--- mingetty.c.orig	2010-09-19 07:51:59.000000000 +0000
+++ mingetty.c	2010-09-19 08:00:09.000000000 +0000
@@ -431,12 +431,20 @@ int main (int argc, char **argv)
 		while ((logname = get_logname ()) == 0)
 			/* do nothing */ ;
 
-	if (ch_root)
-		chroot (ch_root);
-	if (ch_dir)
-		chdir (ch_dir);
-	if (priority)
-		nice (priority);
+	if (ch_root) {
+		if (chroot (ch_root))
+			error ("chroot(): %s", strerror (errno));
+		if (chdir("/"))
+			error ("chdir(\"/\"): %s", strerror (errno));
+	}
+	if (ch_dir) {
+		if (chdir (ch_dir))
+			error ("chdir(): %s", strerror (errno));
+	}
+	if (priority) {
+		if (nice (priority))
+			error ("nice(): %s", strerror (errno));
+	}
 
 	execl (loginprog, loginprog, autologin? "-f" : "--", logname, NULL);
 	error ("%s: can't exec %s: %s", tty, loginprog, strerror (errno));
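Review bot: the added `if (nice (priority))` test treats any nonzero return as a failure, but nice() returns the new nice value on success, so a successful call that yields a nonzero value will fall into error ("nice(): ..."). Set errno = 0 before the call and report an error only when the return value is -1 and errno is nonzero. The chroot() check followed by chdir("/"), and the checked chdir (ch_dir), need no change.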

--- End Message ---
--- Begin Message ---
Source: mingetty
Source-Version: 1.07-3

We believe that the bug you reported is fixed in the latest version of
mingetty, which is due to be installed in the Debian FTP archive:

mingetty_1.07-3.diff.gz
  to main/m/mingetty/mingetty_1.07-3.diff.gz
mingetty_1.07-3.dsc
  to main/m/mingetty/mingetty_1.07-3.dsc
mingetty_1.07-3_i386.deb
  to main/m/mingetty/mingetty_1.07-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 597...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Martin <p...@debian.org> (supplier of updated mingetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 25 Sep 2010 16:12:51 +0100
Source: mingetty
Binary: mingetty
Architecture: source i386
Version: 1.07-3
Distribution: unstable
Urgency: high
Maintainer: Paul Martin <p...@debian.org>
Changed-By: Paul Martin <p...@debian.org>
Description: 
 mingetty   - Console-only getty
Closes: 597382
Changes: 
 mingetty (1.07-3) unstable; urgency=high
 .
   * Fix bug introduced by patch from #597382: the return value of nice()
     is the new nice value. (Closes: #597382)



--- End Message ---
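
The sequence discussed in this report, as an added example (not code from mingetty or from either message): chroot() followed by chdir("/"), every call checked, and nice() tested through errno because its return value is the new nice value, as the 1.07-3 changelog notes. The function names enter_chroot, adjust_priority and prepare_session are hypothetical.

```c
#define _DEFAULT_SOURCE		/* for chroot() and nice() in glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* chroot() and then move the working directory inside the new root.
 * Returns 0 on success, -1 with errno set by the failing call. */
int enter_chroot(const char *root)
{
	if (chroot(root) != 0)
		return -1;
	/* The old cwd may still refer to a directory outside the new root. */
	return chdir("/") != 0 ? -1 : 0;
}

/* nice() returns the new nice value, which may be nonzero or even -1 on
 * success, so only "-1 with errno set" is treated as an error. */
int adjust_priority(int inc, int *new_nice)
{
	int rc;

	errno = 0;
	rc = nice(inc);
	if (rc == -1 && errno != 0)
		return -1;
	if (new_nice)
		*new_nice = rc;
	return 0;
}

/* Hypothetical wrapper: every step is checked before the caller execs. */
int prepare_session(const char *ch_root, const char *ch_dir, int priority)
{
	const char *step = NULL;

	if (ch_root && enter_chroot(ch_root) != 0)
		step = "chroot";
	else if (ch_dir && chdir(ch_dir) != 0)
		step = "chdir";
	else if (priority && adjust_priority(priority, NULL) != 0)
		step = "nice";
	if (step)
		fprintf(stderr, "%s: %s\n", step, strerror(errno));
	return step ? -1 : 0;
}

int main(void)
{
	/* Constructed call: no chroot, cwd "/", priority unchanged. */
	return prepare_session(NULL, "/", 0) == 0 ? 0 : 1;
}
```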
