Your message dated Wed, 16 Mar 2011 00:47:37 +0000
with message-id <e1pzetl-0004cn...@franck.debian.org>
and subject line Bug#618476: fixed in wims 4.01e-1
has caused the Debian Bug report #618476,
regarding wims: abusive use of dpkg-statoverride and security issue
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
618476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wims
Version: 4.01c
Severity: serious
Tags: security
Hello Georges,
wims.postinst do:
dpkg-statoverride --update --force --add root root 6755 $rootwrapper 2>/dev/null
See policy 10.9.1. The use of `dpkg-statoverride'
There is one type of situation, though, where calls to
`dpkg-statoverride' would be needed in the maintainer scripts, and
that involves packages which use dynamically allocated user or group ids.
This is clearly not the case here: root is statically allocated, so you
should instead ship the program suid in the .deb.
But I really wonder if this file is necessary at all and whether this does not
create security issues. The source code is in wims/src/Misc/chroot.c;
it does fun stuff like
int execuid=15999;
int execgid=15999;
...
if(setregid(execgid,execgid)<0) goto abandon;
if(setreuid(execuid,execuid)<0) goto abandon;
without any regard for the existence of an account with UID/GID 15999
and seems riddled with security issues.
Cheers,
--
Bill. <ballo...@debian.org>
Imagine a large red swirl here.
--- End Message ---
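As an added illustration (not code from the wims package or from the bug report), here is the shape of privilege drop a setuid-root wrapper like the quoted chroot.c should use instead of hard-coded ids: resolve a named account, refuse root, clear supplementary groups, drop GID before UID, and verify the drop is permanent. The account name "nowims" is the one the changelog introduces; every other identifier is this example's own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Look up the target account by name. Unlike a hard-coded 15999, this fails
 * loudly when the account does not exist, and it refuses a root account. */
int resolve_unprivileged_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;                      /* account missing: never guess an id */
    if (pw->pw_uid == 0 || pw->pw_gid == 0)
        return -1;                      /* "unprivileged" must not be root */
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop to uid/gid. Returns 0 only when the drop is verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    /* Supplementary groups survive setregid(); clear them while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    /* GID first: once the UID is dropped we may no longer change the GID. */
    if (setregid(gid, gid) < 0 || setreuid(uid, uid) < 0)
        return -1;
    /* Verify real and effective ids actually changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* If root can be regained, the saved set-user-ID was not dropped. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t uid; gid_t gid;
    if (resolve_unprivileged_account("nowims", &uid, &gid) < 0 ||
        drop_privileges(uid, gid) < 0) {
        fprintf(stderr, "refusing to run: no usable unprivileged account\n");
        return 1;
    }
    puts("running unprivileged");
    return 0;
}
```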
--- Begin Message ---
Source: wims
Source-Version: 4.01e-1
We believe that the bug you reported is fixed in the latest version of
wims, which is due to be installed in the Debian FTP archive:
flydraw_4.01e-1_amd64.deb
to main/w/wims/flydraw_4.01e-1_amd64.deb
wims-modules_4.01e-1_all.deb
to main/w/wims/wims-modules_4.01e-1_all.deb
wims_4.01e-1.debian.tar.gz
to main/w/wims/wims_4.01e-1.debian.tar.gz
wims_4.01e-1.dsc
to main/w/wims/wims_4.01e-1.dsc
wims_4.01e-1_amd64.deb
to main/w/wims/wims_4.01e-1_amd64.deb
wims_4.01e.orig.tar.gz
to main/w/wims/wims_4.01e.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 618...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Georges Khaznadar <georg...@ofset.org> (supplier of updated wims package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Wed, 16 Mar 2011 01:19:24 +0100
Source: wims
Binary: wims wims-modules flydraw
Architecture: source amd64 all
Version: 4.01e-1
Distribution: unstable
Urgency: low
Maintainer: Georges Khaznadar <georg...@ofset.org>
Changed-By: Georges Khaznadar <georg...@ofset.org>
Description:
flydraw - Inline drawing tool
wims - server for educative contents as courses, exercises, exams
wims-modules - modules used by the WIMS server
Closes: 613545 618472 618474 618476 618479
Changes:
wims (4.01e-1) unstable; urgency=low
.
* added a new user/group pair nowims/nowims to allow to override the
owners of a few scripts which should be as low privileged as possible.
Closes: #618474
* revoked the suid root privilege for the script bin/ch..root, as it is
not useful when the feature known as "wims_chroot" is not necessary
(this feature is very seldom asked for). Closes: #618476
* upgraded to the newest upstream version
* replaced the command useradd by the command adduser in wims.preinst
Closes: #618472
* modified the invocations of dpkg-statoverride to respect user's overrides
Closes: #618479
* removed quilt-related stuff from debian/rules
Closes: #613545
--- End Message ---